Private Password Auditing

Amrit Kumar (1), Cédric Lauradoux (1)
(1) PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract: Passwords are the foremost means to achieve data and computer security. Hence, choosing a strong password which may withstand dictionary attacks is crucial in establishing the security of the underlying system. In order to ensure that strong passwords are chosen, and that they are periodically updated, system administrators often rely on password auditors. Several tools aimed at preventing password misuse have been designed to aid auditors in their task. We however show that the objective remains a far cry as these tools essentially reveal the digests corresponding to weak passwords. As a case study, we discuss the issues with Blackhash, and develop the notion of Private Password Auditing — a mechanism that does not require the system administrator to reveal password digests to an external auditor and symmetrically the dictionaries remain private to the auditor. We further present constructions based on Private Set Intersection and its variants, and evaluate a proof-of-concept implementation.
Document type: Conference paper
International Conference on PASSWORDS 2014, Dec 2014, Trondheim, Norway. Lecture Notes in Computer Science

https://hal.inria.fr/hal-01199156
Contributor: Cédric Lauradoux
Submitted on: Tuesday, 15 September 2015 - 08:25:20
Last modified on: Wednesday, 18 November 2015 - 01:12:37

Identifiers

  • HAL Id: hal-01199156, version 1

Citation

Amrit Kumar, Cédric Lauradoux. Private Password Auditing. International Conference on PASSWORDS 2014, Dec 2014, Trondheim, Norway. Lecture Notes in Computer Science. 〈hal-01199156〉
