User Password Research Articles

The Cloud Offers Opportunity for Oil and Gas Cybersecurity

This article, written by JPT Technology Editor Chris Carpenter, contains highlights of paper SPE 191563, “Cyber Security, the Cloud, and Oil and Gas,” by Peter Black, SPE, EnergySys, prepared for the 2018 SPE Annual Technical Conference and Exhibition, Dallas, 24–26 September. The paper has not been peer reviewed. The rapid acceleration in the adoption of cloud services has increased the focus on cybersecurity. While data protection and privacy have always been key concerns in the oil and gas industry, they frequently have been achieved by isolating networks and strengthening perimeter defenses. However, this approach has allowed poor practices in many areas. The author argues that the advent of cloud technology should not be regarded as a further challenge to security, but an opportunity to revitalize and improve a•company’s defenses dramatically. Introduction Computer security involves a web of trust between operating systems, hypervisors, applications, networks, employees, contractors, and administrators (Fig. 1). This system must guard against intentional and unintentional breaches and attacks by malicious actors who might be individuals, corporations, or even governments. The directionality of this trust relationship is complex: for example, an application must establish a user’s identity to determine what level of trust to apply to their actions; a user must trust that an application will not distribute entered information illicitly. Traditional models for network protection typically have focused on perimeter security. This focus frequently has allowed multiple attack vectors to be ignored or left unaddressed. Companies often maintain robust firewall policies alongside poor password-management practices. In addition, many commercial software packages for the industry have implemented their own authentication systems, making a multiplicity of different user identifiers and passwords•unavoidable.• Defining the Cloud The cloud is not, in and of itself, about technology. Fundamentally, it is about a different approach to the consumption of computing services, one in which services are provided on a utility basis. A 2011 paper authored by members of the US•National Institute of Standards and Technology (NIST) provided one of the most commonly cited definitions of cloud computing. Their five essential characteristics of the cloud are not about technology, but about the nature of the•service.• On-demand self-service. This means that consumers (or end users) can provision computing capabilities, such as servers and storage and application features, without needing to contact a service provider. Broad network access. This characteristic implies that the access to services is through standard mechanisms and does not require specialist or proprietary technology. Resource pooling. Resources such as computing power or network storage are shared among multiple users or tenants. Measured service. Use of computing resources is measured and controlled to benefit the provider and the consumer. Rapid elasticity. The resources provisioned by a user, in a self-service model, can be scaled up or down to meet demand in an apparently unlimited fashion.

PILOT: Password and PIN information leakage from obfuscated typing videos1

This paper studies leakage of user passwords and PINs based on observations of typing feedback on screens or from projectors in the form of masked characters that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Typing Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work [4]. In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.

МОДЕЛЮВАННЯ ТА ДОСЛІДЖЕННЯ АВТЕНТИФІКАТОРА ВЕБ-САЙТІВ НА ОСНОВІ SRP-ПРОТОКОЛУ

Проведено аналіз моделювання та дослідження автентифікатора веб-сайтів на основі SRP-протоколу. Доведено що запропонований підхід є стійким до атак посередника. Клієнт, за протоколом SRP не відправляє пароль користувача на сервер, а обчислює на його основі ключ. Маючи верифікатор пароля, отриманий при реєстрації, сервер також може обчислити цей ключ. По відкритому каналу передається не сам ключ, а спеціальні перевірочні значення. Розроблено мобільний клієнтський додаток для ОС Adroid та фремворк для серверу на мові PHP. Додаток виконує процедури реєстрації та автентифікації користувача відповідно до протоколу SRP. Оскільки передбачається, що користувач буде працювати із веб-сайтом з іншого пристрою, додаток генерую спеціальне значення ключа доступу на основі ключа сесії. Для доступу до сайту з будь-якого пристрою у формі автентифікації клієнт вводить значення не самого паролю, а ключ доступу, який надсилається на сервер і перевіряється.

Preliminary study on EEG based typing biometrics for user authentication using nonlinear features

The application of password usage in databased user authentication method is unsafe, due to higher chance of off-line guessing attacks. Hackers are able to save our personal information and can detect them until the perfect match is acquired. Thus, the aim of this research is to examine EEG signals during typing task from three engineering students (right handed) with age of between 19 to 23 years old to identify the regular human typing pattern to differentiate between one user to another. All the subjects were asked to perform three times typing tasks for 5 minutes with rest in between for 30 seconds. The subjects were required to rest before and after performing the typing tasks for one minute. Truscan EEG device (Deymed Diagnostic, Alien Technic, Czech Republic) with frequency sampling of 1024 Hz and 19 channels was used. This study applied Infinite Impulse Response (IIR) notch filter to remove 50Hz powerline artefacts and proposed the implementation of nonlinear features such as Distribution Entropy (DistEn) and Approximate Entropy (ApEn). The features were extracted from channels F3 and F4. The extracted entropies features vector are used as an input to k-Nearest Neighbour (kNN) classifier. As a conclusion, the kNN and LDA classifier giving promising accuracy which are 82.22% (F3), 88.52% (F4), 94.81% (F3 and F4) and 80.37% (F3), 81.48% (F4), 89.63% (F3 and F4) respectively.

Security Login System on Mobile Application with Implementation of Advanced Encryption Standard (AES) using 3 Keys Variation 128-bit, 192-bit, and 256-bit

The development of mobile applications is unbalanced with the level of its security which is vulnerable to hacker attacks. Some important things that need to be considered in the security of mobile applications are login and database system. A login system that used the database as user authentication and passwords are very vulnerable to be hacking. In securing data, various ways had been developed including cryptography. Cryptographic algorithms used in securing passwords usually used MD5 encryption. However, MD5 as a broader encryption technique is very risky. Therefore, the level of login system security in an android application is needed to embed the Advanced Encryption Standard (AES) algorithm in its process. The AES algorithm was applied using variations of 3 keys 128-bit, 192-bit, and 256-bit. Security level testing was also conducted by using 40 SQL Injection samples which the system logins without security obtained 27.5% that be able to enter the system compared to the result of login systems that use AES algorithm 128-bit, 192-bit or 256-bit was obtained 100% that cannot enter into the system. The estimation of the average encryption process of AES 128, 192 and 256 bits are 5.8 seconds, 7.74 seconds, and 9.46 seconds.

Understanding user passwords through password prefix and postfix (P3) graph analysis and visualization

While other authentication methods exist, passwords are still the dominant way for user authentication and system security. Over the years, passwords have become long and complex thanks to security policy and awareness. However, the security of user passwords remains unclear. Therefore, understanding users passwords is vital to improve the strength of passwords and system security in general. In this paper, we investigate one specific pattern, i.e., the prefix and postfix of user passwords. To facilitate password prefix and postfix (P3) analysis, we propose both hierarchical segmentation / optimization algorithms and password prefix/postfix graphs (P3G) construction and P3G visualizations. Through case study over real-world user passwords, we demonstrate P3 analysis and visualization are effective in identifying unique patterns for different user categories. The results suggest strong correlations between prefix/postfix and their context in user passwords.

Enhancing Cloud Storage Privacy (CSP) Based on Hybrid Cryptographic Techniques

Cloud computing has emerged as a new technology model for providing customized, high quality and reliable services for clients over the Internet. These clients can rent the services as long as they need rather than owning and maintaining large expensive IT infrastructure. One of the most used cloud services is the cloud storage as it provides storage on demand service. Nevertheless, due to the structure of cloud services which may not fully be managed by the cloud clients, the privacy and security of cloud storage become a significant challenge. Most of the previous works on the cloud security trying to solve the security challenges with data encryption techniques. However, these solutions do not protect data from being exposed or read by the server administrator or owner. In this paper, we have proposed a hybrid novel solution referred to as Cloud Storage Privacy (CSP) paradigm to enhance the privacy policies for cloud storage. This framework solution combines three of the superior cryptographic techniques: RSA, AES and Block-Chain. The solution not only secures the asset in the cloud but also protects the asset from unauthorized server access and improving user password protection. We have compared the proposed solution with the best based on our knowledge cloud storage services which are Google Drive and Dropbox in terms of performance and security. The result shows that the proposed solution outperforms existing services.

Digital forensic analysis of encrypted database files in instant messaging applications on Windows operating systems: Case study with KakaoTalk, NateOn and QQ messenger

Instant messaging applications store users' personal data (e.g., user profile, chat messages, photos and video clips). Because those data typically include privacy sensitive information, most instant messaging applications are trying to protect the stored data in an encrypted form so that the authorized messaging application itself can only access the data. In this paper, we analyzed the locations and file formats of personal data files in three instant messaging applications (KakaoTalk, NateOn, and QQ) which are the most popularly used in China and South Korea. We particularly examined the encryption and decryption procedures for internal databases in those messaging applications through reverse-engineering. Our analysis results demonstrate how the database files of those instant messaging applications are stored and encrypted. Moreover, in the cases of KakaoTalk and NateOn applications, we found that their encrypted database files can successfully be recovered without requiring user password. We also found that QQ messenger stores the encryption key for the database files into an external server. This implementation may raise another privacy concern because users’ personal data can be freely accessed by the service provider without user consent.

Frequency of compromised passwords used by students and staff of Asia Pacific College: an analysis using NIST SP 800-63B and pwned passwords

The National Institute of Standards and Technology (NIST) released new guidelines in June of 2017 that recommended new standards for managing and accepting user passwords. Among the new guidelines is a requirement that verifiers should check if a user’s supplied password is compromised – that is, already listed in previous breach corpuses. Using a corpus of 320 million breached passwords, the researchers conducted an experiment to gauge what percentage of the population of their home institution, Asia Pacific College, use compromised passwords. The study found that 16.72% overall – or 1 in 6 people – were using passwords that are part of the 320M breach corpus. This paper also provides a methodology that other institutions and companies can use to conduct the same analysis in order to gather data specific to their population that can guide the improvement of their password policies and related IT security services.

Eye gesture blink password: a new authentication system with high memorable and maximum password length

Authentication systems in which eye is used for entering the password are categorized into two gaze-based and gesture-based groups. In the accurate point-of-regard gaze measurements, a key subject with gaze-based authentication schemes is needed. Gesture-based systems are based on identifying the eye movement tracking, hence, there is no need to estimate the precise point of the user’s vision. Although gesture-based systems are superior to gaze-based methods, they are not appropriate and applicable in remembering the equivalent gesture of any suitable number due to the high memory overhead. This paper introduces the new Eye Gesture Blink Password authentication system (EGBP). The system is based on four basic ideas: system design, the algorithm of finding fixations without having to track pupils in all frames, allowing users to blink as part of the password and the new method of finding the user password using the angle formed between the fixations. EGBP has several basic advantages compared to existing authentication systems including the no need for a commercial eye tracker that lowers the system’s cost, removing the calibration step that increases the speed and requires less processing, and choosing a maximum length code that reduces the likelihood of the likeness of the selected password and increases security. The possibility of simply memorizing the password because of the possibility of blinking and user’s high-speed input is another advantage of this system.

SPSR-FSPG: A Fast Simulative Password Set Generation Algorithm

Identity authentication is a main line of defense for network security, and passwords have long been the mainstream of identity authentication. In the field of password security research, large-scale password datasets have played an important role in the efficiency evaluation of password attack algorithms, the feasibility detection of password strength meters, and the correction of password probability models. However, due to user privacy, timeliness, effectiveness and other factors, it is still very difficult for researchers to obtain real large-scale user plaintext passwords. Based on this, this paper proposes a fast simulative password set generation algorithm based on structure partitioning and string recombination, denoted as SPSR-FSPG. The algorithm uses the probability context-free grammar to model the structure of the password, and constructs a string generation model based on the recurrent neural network to generate different types of strings, so as to learn the character composition of the password in the original dataset. In addition, the model fully considers the user's password reuse and modification behavior. Finally, the method is verified by experiment on six real Chinese and English password sets. The results show that the generation rate of SPSR-FSPG is faster than other algorithms. In terms of true password coverage, the SPSR-FPSG simulative password set is increased by 11.36% and 17.5, respectively, relative to SPPG and PCFG, and is increased by about 122.73% and 130.3%, respectively, compared to OMEN and 4-Markov. And the fit of the Zipf distribution is maintained at a level above 0.95, it is better than 0.9 of SPPG. At the same time, the SPPR-FPSG simulative password set is closer to the real password set in terms of length and character composition.

Low-Overhead Remote User Authentication Protocol for IoT Based on a Fuzzy Extractor and Feature Extraction

The Internet of things (IoT) is a system of smart technologies and services that mutually communicate data between users and devices or between devices via the Internet. Since data are shared between a remote user and various sensing devices over a network, it is essential to design a secure, lightweight and efficient remote user authentication protocol for the IoT environment. In the context of security and network privacy, mutual authentication is necessary for securely accessing the services of the IoT environment. However, the IoT faces substantial new challenges realizing mutual authentication due to IoT devices constraints. In this paper, we present a lightweight, robust and secure authentication protocol that satisfies constraints on IoT devices. The proposed protocol is based on level 3 feature extraction, fuzzy extraction of the user's biometrics, one-way hash functions and XOR operations and includes (1) three-factor authentication (user password, biometrics and smart devices), (2) mutual authentication, (3) a session key, and (4) key freshness. Furthermore, we have used the Burrows-Abadi-Needham logic to prove the authentication of our proposed protocol. In addition, our proposed protocol does not require additional hardware or a resource-constrained cryptosystem, and for that reason; hence, it has the lowest computational cost on the IoT nodes (0.003_ms), the lowest total computational cost (0.071_ms), and the lowest communication cost (2784 bits) compared with other relevant works. Moreover, we have conducted an informal security analysis to prove its ability to withstand well-known malicious attacks, such as replay attacks, impersonation attacks, password change attacks, man-in-the-middle (MITM) attacks, and denial of service (DOS) attacks.

APPLYING EMPIRICAL THRESHOLDING ALGORITHM FOR A KEYSTROKE DYNAMICS BASED AUTHENTICATION SYSTEM

Through the application of a password-based authentication technique, users are granted permission to access a secure system when the username and password matches with that logged in database of the system. Furthermore, anyone who provides the correct username and password of a valid user will be able to log in to the secure network. In current circumstances, impostors can hack the system to obtain a user’s password, while it has also been easy to find out a person’s private password. Thus, the existing structure is exceptionally flawed. One way to strengthen the password-based authentication technique, is by keystroke dynamics. In the proposed keystroke dynamics based authentication system, despite the password match, the similarity between the typing pattern of the typed password and password samples in the training database are verified. The timing features of the user’s keystroke dynamics are collected to calculate the threshold values. In this paper, a novel algorithm is proposed to authenticate the legal users based on the empirical threshold values. The first step involves the extraction of timing features from the typed password samples. The password training database for each user is constructed using the extracted features. Moreover, the empirical threshold limits are calculated from the timing features in the database. The second step involves user authentication by applying these threshold values. The experimental analyses are carried out in MATLAB simulation, and the results indicate a significant reduction in false rejection rate and false acceptance rate. The proposed methodology yields very low equal error rate of 0.5% and the authentication accuracy of 99.5%, which are considered suitable and efficient for real-time implementation. The proposed method can be a useful resource for identifying illegal invasion and is valuable in securing the system as a correlative or substitute form of client validation.

A Novel Authentication Mechanism to Prevent Unauthorized Service Access for Mobile Device in Distributed Network

The growth of distributed computer networks (DCN) is simple for the user to share information and computing capabilities with the host. User identification is an essential access control mechanism for the client-server networking architecture. The perception of single sign-on allows a legitimate user to access a different service provider on a DCN using a single session key. Recently, several user identification techniques being proposed for DCN. Unfortunately, the existing proposals cannot maintain user anonymity when the majority of probable attacks. In addition, the further time synchronization mechanism they use can result in widespread overhead costs. To overcome these shortcomings, we propose a novel authentication mechanism to prevent unauthorized service access for a mobile device in distributed networks. The mechanism implements methods to generate securely encrypted keys using RSA algorithm to validate the authentication of user login id and password. Later, it implements a secure session key generation using DH algorithm which allows accessing the different services without repeating the authentication mechanism. An experimental evaluation was performed to measure execution time overhead for the registration process, an authentication process, session key generation process and Service Request Performance. The comparison results with existing authentication mechanism show an improvisation in all the measures.

Implementasi Enkripsi Data Secure Hash Algorithm (SHA-256) dan Message Digest Algorithm (MD5) pada Proses Pengamanan Kata Sandi Sistem Penjadwalan Karyawan

There are various types of encryption that can be used, for example MD5 and SHA-256. However, using MD5 or SHA-256 alone is not safe enough because it can be solved by using a brute force attack. The method of working is very simple is to try all possible combinations. This study aims to develop MD5 and SHA256 collaboration methods. Encryption is applied to the user's password on the web login system. Simulation results can be tested by measuring resistance to brute force attacks and the value of the avalanche effect (AE). From the results of the tests carried out by using attack software, the results of the application are quite safe from brute force attacks. From the AE test obtained the result with an AE value of 71% which means that the encoding result is good enough.

A Security Analysis Method for Security Protocol Implementations Based on Message Construction

Security protocols are integral to the protection of cyberspace against malicious attacks. Therefore, it is important to be confident in the security of a security protocol. In previous years, people have worked on security of security protocol abstract specification. However, in recent years, people have found that this is not enough and have begun focusing on security protocol implementation. In order to evaluate the security of security protocol implementations, in this paper, firstly, we proposed the Message Construction to Security Protocol Implementation (MCSPI), a message construction method based on application programming interface (API) traces, which automatically generates the constructed client valid request messages. Then, we presented the Security Analysis Scheme (SAS), a security analysis scheme that generates an abstract model of a security protocol server. Next, we proposed a security analysis method to evaluate the security of security protocol implementations on the basis of constructed client request messages generated with MCSPI, corresponding to the server-side response message and server-side abstract model produced by SAS. Finally, we implemented the Security Protocol Implementation Analysis (SPIA) tool to generate client valid request messages and a server-side abstract model to assist in evaluating security protocol implementations. In our experiments, we tested Tencent QQ mail system version 2017 and RSAAuth system and found that RSAAuth is vulnerable and its server has only security checks for user password, while Tencent QQ mail system version 2017 is more secure and has strong security restrictions at server-side besides security checks for user password.

Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption

Password-based key derivation functions (PBKDFs) are commonly used to transform user passwords into keys for symmetric encryption, as well as for user authentication, password hashing, and preventing attacks based on custom hardware. We propose two optimized alternatives that enhance the performance of a previously published PBKDF. This design is based on (1) employing a symmetric cipher, the Advanced Encryption Standard (AES), as a pseudo-random generator and (2) taking advantage of the support for the hardware acceleration for AES that is available on many common platforms in order to mitigate common attacks to password-based user authentication systems. We also analyze their security characteristics, establishing that they are equivalent to the security of the core primitive (AES), and we compare their performance with well-known PBKDF algorithms, such as Scrypt and Argon2, with favorable results.

Hybrid Secure Authentication and Key Exchange Scheme for M2M Home Networks

In this paper, we analyzed Sun et al.’s scheme which proposes an M2M (Machine-to-Machine) secure communication scheme by using existing TD SCMA (Time Division-Synchronous Code Division Multiple Access) networks. They offer a password-based authentication and key establishment protocol for mutual authentication. Moreover, their proposed secure channel establishment protocol uses symmetric cryptography and one-way hash algorithms and they considered using their protected channel model for mobile users and smart home networks. In this paper, we propose to complete the missing part of Sun et al.’s scheme. This can occur by addressing privacy-preserving and message modification protection. Moreover, improvements can be made to MITM (Man-In-The-Middle) attack resistance, anomaly detection and DoS (Denial-of-Service) attacks with timing. ECDH (Elliptic Curve Diffie Hellman) cryptography based protected cipher-key exchange operation used on initial setup and key-injection operations to provide secure user registration, user password change and home gateway network join phases. We simulated both the proposed and Sun et al.’s schemes. We analyzed Sun et al.’s scheme for performance, network congestion and resource usage. Missing privacy-preserving was analyzed and compared with the GLARM scheme, and the storage cost of each phase was analyzed according to Ferrag et al.’s survey proposal. In Sun et al.’s scheme, future work for the security architecture of the home network is related to Li et al.’s protocol being implemented in our proposed design.

2FA Might Be Secure, But It’s Not Usable: A Summative Usability Assessment of Google’s Two-factor Authentication (2FA) Methods

Computer security experts recommend that people use two-factor authentication (2FA) on password protected systems to help keep hackers out. Providing two pieces of information to verify a person’s identity adds extra security to an account. However, it is not clear if the added security and procedures impact system usability. This paper aims to answer this question by assessing per ISO 9241-11’s suggested measurements the usability of Google’s optional 2FA methods. We found few differences across four different 2FA methods when comparing efficiency, effectiveness and satisfaction measures—illustrating that one method is not necessarily more or less usable then another. Overall, the measures indicated that the systems’ usability needed to be improved, especially with regard to the initial setup of 2FA. In conclusion, developers need to focus more attention on making 2FA easier and faster to use, especially since it is often optional for password users, yet makes accounts significantly more secure.

An exploratory study of cyber hygiene behaviors and knowledge

End users’ cyber hygiene often plays a large role in cybersecurity breaches. Therefore, we need a deeper understanding of the user differences that are associated with either good or bad hygiene and an updated perspective on what users do to promote good hygiene (e.g., employ firewall and anti-virus applications). Those individuals with good cyber hygiene follow best practices for security and protect their personal information. This exploratory study of cyber hygiene knowledge and behavior offers information that designers and researchers can employ to improve users’ hygiene practices. We surveyed 268 participants about their knowledge of concepts, their knowledge of threats, and their behaviors related to cyber hygiene. Further, we asked participants about their previous training and experiences. Notably, the participants represent a large cross section from age 18 to 55+. We addressed inconsistencies in the literature, we provide up-to-date information on behaviors and on users’ knowledge about password usage and phishing, and we explored the impact of age, gender, victim history, perceived expertise, and training on cyber hygiene.