Abstract
Pinkas and Sander’s (2002) login protocol protects against online guessing attacks by employing human-in-the-loop techniques (also known as Reverse Turing Tests or RTTs). We first note that this, and other protocols involving RTTs, are susceptible to minor variations of well-known middle-person attacks, and suggest techniques to address such attacks. We then present complementary modifications in what we call a history-based protocol with RTT’s. Preliminary analysis indicates that the new protocol offer opportunities for improved security, improved user-friendliness (fewer RTTs to legitimate users), and greater flexibility (e.g. in customizing protocol parameters to particular situations).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Abadi, M., Burrows, M., Manasse, M., Wobber, T.: Moderately Hard, Memorybound Functions. In: NDSS 2003, San Diego (February 2003)
Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, Chichester (2001)
Bellovin, S., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attack. In: Proc. IEEE Symp. Research in Security and Privacy, Oakland (May 1992)
Byers, S., Rubin, A., Kormann, D.: Defending Against an Internet-based Attack on the Physical World. In: Workshop on Privacy in the Electronic Society (WPES 2002), Washington D.C. (November 21, 2002)
CAPTCHA Project web site (first appeared: 2000), http://www.captcha.net/
Diffie, W., Hellman, M.: New Directions in Cryptography. IEEE Trans. Info. Theory 22, 644–654 (1976)
Diffie, W., van Oorschot, P.C., Wiener, M.J.: Authentication and Authenticated Key Exchange. Designs, Codes and Cryptography 2, 107–125 (1992)
Dwork, C., Naor, M.: Pricing via Processing or Combatting Junk Mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 137–147. Springer, Heidelberg (1993)
Password Usage, Federal Information Processing Standards Publication 112, U.S. Department of Commerce, NIST (1985)
Automated Password Generator, FIPS Pub 112, U.S. Dept. Commerce (1993)
Ford, W., Kaliski, B.: Server-Assisted Generation of a Strong Secret from a Password. In: 9th Int’l Workshop on Enabling Technologi (WET-ICE 2000), IEEE, Los Alamitos (2000)
Gong, L.: Verifiable-text attacks in cryptographic protocols. In: 1990 IEEE INFOCOM, pp. 686–693 (1990)
Gong, L., Lomas, T., Needham, R., Saltzer, J.: Protecting poorly chosen secrets from guessing attacks. IEEE J. Selected Areas Comm. 11, 648–656 (1993)
Jablon, D.: Strong password-only authenticated key exchange. ACM Computer Communcations Review (October 1996)
Juels, A., Brainard, J.: Client puzzles: A cryptographic defense against connection depletion attacks. In: Proceedings of the 1999 ISOC Network and Distributed System Security Symposium, pp. 151–165 (1999)
Kaufman, C., Perlman, R., Speciner, M.: Network Security: Private Communication in a Public World, 2nd edn. Prentice Hall, Englewood Cliffs (2002)
Lomas, T., Gong, L., Saltzer, J., Needham, R.: Reducing risks from poorly chosen keys. Operating Systems Review 13, 14–18 (presented at 1989 ACM Symp. on Operating Systems Principles)
Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
Naor, M.: Verification of a human in the loop or Identification via the Turing Test. unpublished manuscript (1997), Online version available at http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps
Pinkas, B., Sander, T.: Securing Passwords Against Dictionary Attacks. In: 2000 ACM Conf. on Computer and Communications Security, Wash. D.C. (2002)
von Ahn, L.: Eurocrypt 2003 presentation of [22], Warsaw, Poland (May 6, 2003)
von Ahn, L., Blum, M., Hopper, N., Langford, J.: CAPTCHA: Using Hard AI Problems for Security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, Springer, Heidelberg (2003)
Wu, T.: The secure remote password protocol. In: Internet Society, Network and Distributed System Security symposium, NDSS 1998 (1998)
Wolverton, T.: Hackers find new way to bilk eBay users, CNET news.com 03/25/02
Yan, J.: A Note on Proactive Password Checking. In: Proc. 2001 ACM New Security Paradigms Workshop, New Mexico, USA (September 2001)
Yan, J., Blackwell, A., Anderson, R., Grant, A.: The Memorability and Security of Passwords – Some Empirical Results, Tech. Report 500, Computer Lab, Cambridge (2000), http://www.ftp.cl.cam.ac.uk/ftp/rja14/tr500.pdf
Zimmermann, P.: The Official PGP User’s Guide. MIT Press, Cambridge (1995)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stubblebine, S., van Oorschot, P.C. (2004). Addressing Online Dictionary Attacks with Login Histories and Humans-in-the-Loop. In: Juels, A. (eds) Financial Cryptography. FC 2004. Lecture Notes in Computer Science, vol 3110. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-27809-2_5
Download citation
DOI: https://doi.org/10.1007/978-3-540-27809-2_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22420-4
Online ISBN: 978-3-540-27809-2
eBook Packages: Springer Book Archive