Single Password, Multiple Accounts


1 Single Password, Multiple Accounts
Mohamed G. Gouda, Alex X. Liu, Lok M. Leung, Mohamed A. Alam
Department of Computer Sciences, The University of Texas at Austin
June, 2005

2 Multiple Accounts
- Most users have multiple accounts on the Internet (bank, travel)
- Each account requires a password
- Insecure common practice: same password for all accounts
- To steal someone's password, attackers can:
  - set up a malicious server, or
  - break into a low security server

3 Single Password Protocol (SPP)
- Allow a server to authenticate a client (without server knowing the client's password at any time)
- Can counter the following:
  - Malicious server attacks
  - Password file attacks
  - Message log attacks
  - Server spoofing attacks

4 SPP Version 1
- Currently used in HTTP
- Communication is encrypted using session key (SSL)
- Vulnerable to malicious server attacks
- C knows P
- S stores MD(P)
- C → S: C, P

5 SPP Version 2
- Use challenge/response
- Vulnerable to password file attacks
- C knows P
- S stores n, MD(n|P)
- C → S: C
- C ← S: n
- C → S: MD(n|P)

6 SPP Version 3
- Vulnerable to message log file attacks
- C knows P
- S stores n, MD^2(n|P)
- C → S: C
- C ← S: n
- C → S: MD(n|P)

7 SPP Version 4
- Vulnerable to server spoofing attacks
- C knows P
- S stores n_i, MD^2(n_i|P)
- C → S: C
- C ← S: n_i
- C → S: MD(n_i|P), n_{i+1}, MD^2(n_{i+1}|P)

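8 Server Spoofing Attacks
- Malicious server S knows: n_i, MD^2(n_i|P)
- Benign server S' knows: m_i, MD^2(m_i|P)
- Message flow (C, S, S'):
  - C → S: C
  - S → S': C
  - S ← S': m_i
  - C ← S: m_i
  - C → S: MD(m_i|P), m_{i+1}, MD^2(m_{i+1}|P)
  - S → S': MD(m_i|P), m_{i+1}, MD^2(m_{i+1}|P)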

9 Final Version SPP
- Two techniques:
  - Challenge/Response
  - One-time server-specific tickets
- C knows P
- S stores n_i, MD^2(n_i|S|P)
- C → S: C
- C ← S: n_i
- C → S: MD(n_i|S|P), n_{i+1}, MD^2(n_{i+1}|S|P)
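
An added example, not taken from the slides, that runs version 4 and the final version side by side to show what binding the ticket to the server name S changes. It assumes SHA-256 for MD, MD^2 meaning MD applied twice, `|` as a byte join, and hypothetical server and user names; the SSL transport the slides rely on is not modeled.

```python
import hashlib
import hmac
import secrets

def md(data: bytes) -> bytes:
    # "MD" on the slides; SHA-256 is this example's assumption.
    return hashlib.sha256(data).digest()

def ticket(n: bytes, server: str, password: str, bind: bool) -> bytes:
    # bind=True: final version MD(n|S|P); bind=False: version 4 MD(n|P).
    parts = [n, server.encode(), password.encode()] if bind else [n, password.encode()]
    return md(b"|".join(parts))

class Server:
    def __init__(self, name: str):
        self.name = name
        self.db = {}  # user -> (n_i, MD^2(ticket)); P is never stored

    def challenge(self, user: str) -> bytes:
        return self.db[user][0]

    def verify(self, user: str, t: bytes, next_n: bytes, next_v: bytes) -> bool:
        _, v = self.db[user]
        if not hmac.compare_digest(md(t), v):
            return False
        self.db[user] = (next_n, next_v)  # rotate to the next one-time ticket
        return True

def enroll(server: Server, user: str, password: str, bind: bool) -> None:
    n = secrets.token_bytes(16)
    server.db[user] = (n, md(ticket(n, server.name, password, bind)))

def respond(talking_to: str, n: bytes, password: str, bind: bool):
    # Client side of: C -> S: MD(n_i|S|P), n_{i+1}, MD^2(n_{i+1}|S|P)
    next_n = secrets.token_bytes(16)
    return (ticket(n, talking_to, password, bind), next_n,
            md(ticket(next_n, talking_to, password, bind)))

def run(bind: bool):
    pw = "one strong password"  # constructed sample value
    bank, other = Server("bank.example"), Server("other.example")
    enroll(bank, "alice", pw, bind)
    enroll(other, "alice", pw, bind)
    msg = respond(bank.name, bank.challenge("alice"), pw, bind)
    login = bank.verify("alice", *msg)
    replay = bank.verify("alice", *msg)  # logged message sent again
    # Slide 8 relay: `other` forwards bank's challenge; the client answers
    # for the server it believes it is talking to (`other`).
    relayed = respond(other.name, bank.challenge("alice"), pw, bind)
    return login, replay, bank.verify("alice", *relayed)
```

`run(bind)` returns `(login, replay, relay_accepted)`: with `bind=False` the relayed response is accepted by the benign server, and with `bind=True` it is rejected because the ticket was computed over a different server name.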

10 Related Work: One-Time Password Protocols
- Use different password for each authentication
- Protocols: [Lamport 81] [Rubin 95]
- Motivation: prevent eavesdropping
- Invented before SSL

11 Related Work: Strong Password Protocols
- Strong security properties
- Protocols: [Bellovin 92-EKE] [Wu 98-SRP]…
- Motivation:
  - Establish a session key (SPP uses SSL)
  - Prevent dictionary attacks (SPP uses single strong password)
- Computationally intensive (not suitable for web):
  - modular exponentiations, asymmetric encryptions/decryptions

12 Related Work: Single Sign-on Protocols
- Use one central server to authenticate clients for multiple servers. Thus one password/user.
- Protocols: Microsoft Password Protocol
- Disadvantages:
  - Single point of failure
  - Lack of wide deployment
  - High incentive for attackers

13 Conclusions
- Single Password Protocol (SPP) is:
  - Simple
  - Efficient
  - Secure

