Authors: Jaryn Shen; Qingkai Zeng
Addresses: State Key Laboratory for Novel Software Technology, and Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; State Key Laboratory for Novel Software Technology, and Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China
Abstract: This paper proposes to address online and offline attacks on passwords without increasing users' efforts in choosing and memorising their passwords. In CSPS, a password consists of two parts: a user-chosen short password and a server-generated long password. The short password should be memorised and secured by its user, while the long password is encrypted and stored on the server side. To keep the secret key that protects the long password secure, an additional server is introduced to store the secret key and provide encryption/decryption services. Built on top of Balloon hashing, CSPS integrates expensive hashing with secure encryption. It is mathematically proved that computationally unbounded attackers cannot succeed in offline dictionary or brute-force attacks, or in a combination of offline and online attacks. Security criteria are established that quantify the security. To the best of our knowledge, CSPS is the first technique to make security quantifiable in password authentication mechanisms.
Keywords: password; attack; password-guessing; authentication; balloon hashing; hash function; encryption; web service.
International Journal of Information and Computer Security, 2019 Vol.11 No.3, pp.255 - 274
Received: 24 Feb 2018
Accepted: 24 Feb 2018
Published online: 10 Apr 2019