Abstract

Passwords are one of the most well-known authentication methods for accessing many Internet of Things (IoT) devices. The usage of passwords, however, inherits several drawbacks and emerging vulnerabilities in the IoT platform. Many solutions have been proposed to tackle these limitations, but most of these defense strategies suffer from a lack of computational power and memory capacity and are not immediately applicable to the IoT platform. Motivated by this consideration, the goal of this article is fivefold. First, we analyze the feasibility of implementing a honeyword-based defense strategy to prevent the latest developed server-side threat on the IoT domain's passwords. Second, we perform a thorough cryptanalysis of a recently developed honeyword-based method to evaluate its advancement in preventing the threat and explore the best possible way to incorporate it in the IoT platform. Third, we verify that a honeyword-based solution can be added to the IoT infrastructure by ensuring specific guidelines. Fourth, we propose a generic attack model, namely, the matching attack, which utilizes the compromised password file to perform the security check of any legacy-UI approach for meeting the all-essential flatness security criterion. Last, we compare the matching attack's performance with that of benchmark technological methods over the legacy-UI model and confirm that our attack exposes 5%–22% more vulnerability than the others.
