Enhancing Passwords Security Using Deceptive Covert Communication

Abstract: The use of deception to enhance security has shown promising results as a defensive technique. In this paper we present an authentication scheme that better protects users’ passwords than currently deployed password-based schemes, without taxing the users’ memory or damaging the user-friendliness of the login process. Our scheme maintains compatibility with traditional password-based authentication, without any additional storage requirements, giving service providers the ability to selectively enroll users and fall back to traditional methods if needed. The scheme utilizes the ubiquity of smartphones; however, unlike previous proposals it does not require registration or connectivity of the phones used. In addition, no long-term secrets are stored in any user’s phone, mitigating the consequences of losing it. Our design significantly increases the difficulty of launching a phishing attack by automating the decision of whether a website should be trusted and by introducing, on the adversary’s side, the additional risk of being detected and deceived. In addition, the scheme is resilient against Man-in-the-Browser (MitB) attacks and compromised client machines. We also introduce a covert communication mechanism between the user’s client and the service provider. This can be used to covertly and securely communicate the user’s context, which comes with the use of this mechanism. The scheme also incorporates the use of deception, which makes it possible to dismantle a large-scale attack infrastructure before it succeeds. As an added feature, the scheme gives service providers the ability to have full-transaction authentication. With the use of our scheme, passwords are no longer communicated in plaintext format to the server, adding another layer of protection when secure channels of communication are compromised. Moreover, it gives service providers the ability to deploy risk-based authentication. It introduces the ability to make dynamic multi-level access decisions, requiring extra authentication steps when needed. Finally, the scheme’s covert channel mechanisms give servers the ability to utilize a user’s context information — detecting the use of untrusted networks or whether the login was based on a solicitation email.
Document type:
Conference paper
Hannes Federrath; Dieter Gollmann. 30th IFIP International Information Security Conference (SEC), May 2015, Hamburg, Germany. IFIP Advances in Information and Communication Technology, AICT-455, pp.159-173, 2015, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-18467-8_11〉

https://hal.inria.fr/hal-01345103
Contributor: Hal Ifip
Submitted on: Wednesday 13 July 2016 - 10:56:27
Last modified on: Wednesday 13 July 2016 - 11:18:42

File

337885_1_En_11_Chapter.pdf
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Mohammed Almeshekah, Mikhail Atallah, Eugene Spafford. Enhancing Passwords Security Using Deceptive Covert Communication. Hannes Federrath; Dieter Gollmann. 30th IFIP International Information Security Conference (SEC), May 2015, Hamburg, Germany. IFIP Advances in Information and Communication Technology, AICT-455, pp.159-173, 2015, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-18467-8_11〉. 〈hal-01345103〉

Metrics

Record views

54