Weaknesses Of Backup Authentication Mechanisms


Weaknesses Of Backup Authentication Mechanisms In The Social Networking Age



Abstract

Authentication ensures that a system's resources are not obtained fraudulently by illegal users. Password authentication is one of the simplest and most convenient authentication mechanisms over insecure networks. The problem of password authentication over insecure networks is present in many application areas. Since computing resources have grown tremendously, password authentication is more frequently required in areas such as computer networks, wireless networks, remote login, operating systems, and database management systems. Many schemes based on cryptography have been proposed to solve the problem. However, previous schemes are vulnerable to various attacks and are neither efficient nor user friendly. Users cannot choose and change their passwords at will. In this paper, we propose a new password authentication scheme to achieve all the proposed requirements. Furthermore, our scheme can support the Diffie-Hellman key agreement protocol over insecure networks.

Chapter I: Introduction

Password authentication is one of the simplest and most convenient authentication mechanisms over insecure networks. It allows legal users to use the resources of remote systems. Many Internet applications are based on password authentication, for example, remote login, government organizations, private corporations, database management systems, and school systems. However, the current Internet environment is vulnerable to various attacks such as the replay attack, guessing attack, modification attack, and stolen-verifier attack. Therefore, a number of researchers have proposed several password authentication schemes for secure login of legal users.

In a traditional password authentication scheme, each user has an identifier (ID) and a password (PW). If a user wants to log in to a remote server, he/she submits his/her ID and PW to the server. The simplest authentication approach is to store and maintain a password table containing users' IDs and PWs on the remote server. Upon receipt of a user's ID and PW, the remote server searches the password table to check whether or not the submitted ID and PW match those stored in the password table. Once the ID and PW match the corresponding pair stored in the server's password table, the user is granted access to the server's facilities. Since the user's password is stored in plain-text form in the password table, this approach is vulnerable to the revelation of the passwords. An intruder can impersonate a legal user by stealing the user's ID and PW from the password table. This attack is called the stolen-verifier attack. Besides, two disadvantages are found in this approach. One is that the system load is very high. If a lot of users register with the system, the password table will become big and hard to maintain. The other is that an intruder can intercept a user's ID and PW from the Internet and then replay them later to log in. This attack is called the replay attack. To prevent the password table from being stolen by others, the password is usually hashed or encrypted inside the computer. However, the transmission of unencrypted password could be stolen by wire ...
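The contrast drawn above between a plain-text password table and a hashed one, as an added example that is not part of the original paper. It assumes salted PBKDF2-HMAC-SHA256 as the hash (the page names no algorithm), and all function names and the sample account are constructed; it shows that hashing the table stops a stolen row from being used to log in, while an ID and PW captured in transit still replay.

```python
import hashlib
import hmac
import os

# Traditional scheme from the text: the server keeps ID -> PW in plain text.
plain_table = {}
# Hashed variant: the server keeps ID -> (salt, hash of PW) instead.
hashed_table = {}


def _derive(pw, salt):
    # Assumption: PBKDF2-HMAC-SHA256; the page does not name a hash function.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def register(user_id, pw):
    plain_table[user_id] = pw
    salt = os.urandom(16)
    hashed_table[user_id] = (salt, _derive(pw, salt))


def login_plain(user_id, pw):
    stored = plain_table.get(user_id)
    return stored is not None and hmac.compare_digest(stored.encode(), pw.encode())


def login_hashed(user_id, pw):
    entry = hashed_table.get(user_id)
    if entry is None:
        return False
    salt, verifier = entry
    return hmac.compare_digest(verifier, _derive(pw, salt))


def stolen_row_logs_in(user_id):
    """Submit what each table stores for user_id as if it were the password."""
    leaked_plain = plain_table[user_id]
    leaked_hash = hashed_table[user_id][1].hex()
    return login_plain(user_id, leaked_plain), login_hashed(user_id, leaked_hash)


def replayed_submission_logs_in(captured):
    """Resend a captured (ID, PW) pair unchanged to both servers."""
    return login_plain(*captured), login_hashed(*captured)


register("alice", "correct horse battery staple")  # constructed sample account
```

Each helper returns a pair: the result against the plain-text table first, then against the hashed table.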