Abstract
After years of attempts to replace the password with alternatives such as biometrics and smart cards, the password is still the most pervasive user authentication mechanism. Password checking is widely used for financial services, online social networks, and many other applications. This paper analyzes the security of a <i>password checker</i> qualitatively and quantitatively, and shows how to improve it. <i>Qualitative</i> security analysis, which forbids any information flow from secret data to public data, deems the password checker insecure: its accept/reject outcome necessarily depends on the secret. The alternative is to analyze the password checker <i>quantitatively</i>, i.e., to quantify its information flow and determine how much secret information has been leaked. This makes it possible to decide whether a small leakage can be tolerated; a quantitative security analysis can be seen as a generalization of a qualitative one. To improve the security of the password checker, we propose a <i>noisy-output</i> policy: a system operator is able to add noise to the output, so that instead of always producing the exact outcome, the system sometimes reports a noisy outcome. The noisy outcomes reduce the correlation between the output and the input, and thus reduce the leakage.
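To make the quantitative view concrete, here is an added example that is not from the paper: it models a single guess against a password checker as an information-theoretic channel and computes how much the accept/reject output leaks, with and without a noisy-output policy. The noise model (the operator flips the reported outcome with probability `noise`) and the two leakage measures (Shannon mutual information and min-entropy leakage) are my assumptions for illustration; the paper's own noise policy and metric may differ. All inputs are constructed inline.

```python
import math
from typing import List, Sequence

Matrix = List[List[float]]  # channel[x][y] = P(output y | secret x)


def password_checker_channel(n_secrets: int, guess: int, noise: float = 0.0) -> Matrix:
    """Channel matrix of one guess against a password checker.

    Secrets are the integers 0..n_secrets-1, outputs are 0 = "rejected"
    and 1 = "accepted". With noise == 0 this is the exact checker.
    With noise > 0 the reported outcome is flipped with probability
    `noise` (assumed noisy-output model, not the paper's own policy).
    """
    if not 0.0 <= noise <= 1.0:
        raise ValueError("noise must be a probability")
    if not 0 <= guess < n_secrets:
        raise ValueError("guess must be one of the possible secrets")
    rows: Matrix = []
    for x in range(n_secrets):
        correct = x == guess
        p_accept = (1.0 - noise) if correct else noise
        rows.append([1.0 - p_accept, p_accept])
    return rows


def _entropy(probs: Sequence[float]) -> float:
    """Shannon entropy in bits; 0 * log 0 is taken as 0."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def shannon_leakage(prior: Sequence[float], channel: Matrix) -> float:
    """Mutual information I(X;Y) = H(Y) - H(Y|X), in bits."""
    n_out = len(channel[0])
    p_y = [sum(prior[x] * channel[x][y] for x in range(len(prior))) for y in range(n_out)]
    h_y_given_x = sum(prior[x] * _entropy(channel[x]) for x in range(len(prior)))
    return _entropy(p_y) - h_y_given_x


def min_entropy_leakage(prior: Sequence[float], channel: Matrix) -> float:
    """log2( V(X|Y) / V(X) ), where V is the probability that an adversary
    who makes one guess after seeing the output (resp. before) is right."""
    n_out = len(channel[0])
    prior_vulnerability = max(prior)
    posterior_vulnerability = sum(
        max(prior[x] * channel[x][y] for x in range(len(prior))) for y in range(n_out)
    )
    return math.log2(posterior_vulnerability / prior_vulnerability)


def uniform_prior(n_secrets: int) -> List[float]:
    return [1.0 / n_secrets] * n_secrets


def tolerable(leak_bits: float, budget_bits: float) -> bool:
    """The 'can we tolerate a small leakage' decision: compare against a budget."""
    return leak_bits <= budget_bits


if __name__ == "__main__":
    # Constructed scenario: 16 equally likely passwords, adversary guesses #3.
    n, guess = 16, 3
    prior = uniform_prior(n)
    print(f"{'noise':>6} {'shannon':>9} {'min-entropy':>12}")
    for noise in (0.0, 0.05, 0.1, 0.25, 0.5):
        ch = password_checker_channel(n, guess, noise)
        print(f"{noise:6.2f} {shannon_leakage(prior, ch):9.4f} "
              f"{min_entropy_leakage(prior, ch):12.4f}")
```

With no noise the exact checker leaks exactly one bit of min-entropy (the adversary's one-shot success probability doubles from 1/N to 2/N), which is why a purely qualitative analysis rejects it. Adding output noise p reduces this to 1 + log2(1 - p) bits for p < 1/2, and at p = 1/2 the output is independent of the secret and both measures drop to zero; the `tolerable` check is where a deployment would set the budget it is willing to accept.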