In the digital age, phishing attacks have been a persistent security threat leveraged by traditional password management systems that are not able to verify the authenticity of websites. This paper presents an approac...In the digital age, phishing attacks have been a persistent security threat leveraged by traditional password management systems that are not able to verify the authenticity of websites. This paper presents an approach to embedding sophisticated phishing detection within a password manager’s framework, called PhishGuard. PhishGuard uses a Large Language Model (LLM), specifically a fine-tuned BERT algorithm that works in real time, where URLs fed by the user in the credentials are analyzed and authenticated. This approach enhances user security with its provision of real-time protection from phishing attempts. Through rigorous testing, this paper illustrates how PhishGuard has scored well in tests that measure accuracy, precision, recall, and false positive rates.展开更多
Identity authentication is the first line of defense for network security.Passwords have been the most widely used authentication method in recent years.Although there are security risks in passwords,they will be the ...Identity authentication is the first line of defense for network security.Passwords have been the most widely used authentication method in recent years.Although there are security risks in passwords,they will be the primary method in the future due to their simplicity and low cost.Considering the security and usability of passwords,we propose AvoidPwd,which is a novel mnemonic password generation strategy that is based on keyboard transformation.AvoidPwd helps users customize a“route”to bypass an“obstacle”and choose the characters on the“route”as the final password.The“obstacle”is a certain word using any language and the keys adjacent to the“obstacle”are typed with the“Shift”key.A two-part experiment was conducted to examine the memorability and security of the AvoidPwd strategy with other three password strategies and three leaked password sets.The results showed that the passwords generated by the AvoidPwd strategy were more secure than the other leaked password sets.Meanwhile,AvoidPwd outperformed the KbCg,SpIns,and Alphapwd in balancing security and usability.In addition,there are more symbols in the character distribution of AvoidPwd than the other strategies.AvoidPwd is hopeful to solve the security problem that people are difficult to remember symbols and they tend to input letters and digits when creating passwords.展开更多
Alphanumerical usernames and passwords are the most used computer authentication technique.This approach has been found to have a number of disadvantages.Users,for example,frequently choose passwords that are simple t...Alphanumerical usernames and passwords are the most used computer authentication technique.This approach has been found to have a number of disadvantages.Users,for example,frequently choose passwords that are simple to guess.On the other side,if a password is difficult to guess,it is also difficult to remember.Graphical passwords have been proposed in the literature as a potential alternative to alphanumerical passwords,based on the fact that people remember pictures better than text.Existing graphical passwords,on the other hand,are vulnerable to a shoulder surfing assault.To address this shoulder surfing vulnerability,this study proposes an authentication system for web-applications based on visual cryptography and cued click point recall-based graphical password.The efficiency of the proposed system was validated using unit,system and usability testing measures.The results of the system and unit testing showed that the proposed system accomplished its objectives and requirements.The results of the usability test showed that the proposed system is easy to use,friendly and highly secured.展开更多
Text-based passwords are heavily used to defense for many web and mobile applications. In this paper, we investigated the patterns and vulnerabilities for both web and mobile applications based on conditions of the Sh...Text-based passwords are heavily used to defense for many web and mobile applications. In this paper, we investigated the patterns and vulnerabilities for both web and mobile applications based on conditions of the Shannon entropy, Guessing entropy and Minimum entropy. We show how to substantially improve upon the strength of passwords based on the analysis of text-password entropies. By analyzing the passwords datasets of Rockyou and 163.com, we believe strong password can be designed based on good usability, deployability, rememberbility, and security entropies.展开更多
This paper proposes a scheme for password management by storing password encryptions on a server. The method involves having the encryption key split into a share for the user and one for the server. The user’s share...This paper proposes a scheme for password management by storing password encryptions on a server. The method involves having the encryption key split into a share for the user and one for the server. The user’s share shall be based solely on a selected passphrase. The server’s share shall be generated from the user’s share and the encryption key. The security and trust are achieved by performing both encryption and decryption on the client side. We also address the issue of countering dictionary attack by providing a further enhancement of the scheme.展开更多
With the rapid development of information technology, demand of network & information security has increased. People enjoy many benefits by virtue of information technology. At the same time network security has b...With the rapid development of information technology, demand of network & information security has increased. People enjoy many benefits by virtue of information technology. At the same time network security has become the important challenge, but network information security has become a top priority. In the field of authentication, dynamic password technology has gained users’ trust and favor because of its safety and ease of operation. Dynamic password, SHA (Secure Hash Algorithm) is widely used globally and acts as information security mechanism against potential threat. The cryptographic algorithm is an open research area, and development of these state-owned technology products helps secure encryption product and provides safeguard against threats. Dynamic password authentication technology is based on time synchronization, using the state-owned password algorithm. SM3 hash algorithm can meet the security needs of a variety of cryptographic applications for commercial cryptographic applications and verification of digital signatures, generation and verification of message authentication code. Dynamic password basically generates an unpredictable random numbers based on a combination of specialized algorithms. Each password can only be used once, and help provide high safety. Therefore, the dynamic password technology for network information security issues is of great significance. In our proposed algorithm, dynamic password is generated by SM3 Hash Algorithm using current time and the identity ID and it varies with time and changes randomly. Coupled with the SM3 hash algorithm security, dynamic password security properties can be further improved, thus it effectively improves network authentication security.展开更多
To achieve privacy and authentication sinmltaneously in mobile applications, various Three-party Password-authenticated key exchange (3PAKE) protocols have been proposed. However, some of these protocols are vulnera...To achieve privacy and authentication sinmltaneously in mobile applications, various Three-party Password-authenticated key exchange (3PAKE) protocols have been proposed. However, some of these protocols are vulnerable to conventional attacks or have low efficiency so that they cannot be applied to mobile applications. In this paper, we proposed a password-authenticated multiple key exchange protocol for mobile applications using elliptic curve cryptosystem. The proposed protocol can achieve efficiency, reliability, flexibility and scalability at the same time. Compared with related works, the proposed protocol is more suitable and practical for mobile applications.展开更多
Mobile Ad hoc NETwork (MANET) is a part of the Internet of Things (IoT). In battlefield communication systems, ground soldiers, tanks, and unmanned aerial vehicles comprise a heterogeneous MANET. In 2006, Byun et ...Mobile Ad hoc NETwork (MANET) is a part of the Internet of Things (IoT). In battlefield communication systems, ground soldiers, tanks, and unmanned aerial vehicles comprise a heterogeneous MANET. In 2006, Byun et al. proposed the first constant-round password-based group key ex- change with different passwords for such net- works. In 2008, Nam et al. discovered the short- comings of the scheme, and modified it. But the works only provide the group key. In this paper, we propose a password-based secure communication scheme for the loT, which could be applied in the battlefield communication systems and support dy- namic group, in which the nodes join or leave. By performing the scheme, the nodes in the heteroge- neous MANET can realize secure broadcast, secure unicast, and secure direct communication across realms. After the analyses, we demonstrate that the scheme is secure and efficient.展开更多
Android applications are associated with a large amount of sensitive data,therefore application developers use encryption algorithms to provide user data encryption,authentication and data integrity protection.However...Android applications are associated with a large amount of sensitive data,therefore application developers use encryption algorithms to provide user data encryption,authentication and data integrity protection.However,application developers do not have the knowledge of cryptography,thus the cryptographic algorithm may not be used correctly.As a result,security vulnerabilities are generated.Based on the previous studies,this paper summarizes the characteristics of password misuse vulnerability of Android application software,establishes an evaluation model to rate the security level of the risk of password misuse vulnerability and develops a repair strategy for password misuse vulnerability.And on this basis,this paper designs and implements a secure container for Android application software password misuse vulnerability:CM-Droid.展开更多
Because cross-realm C2C-PAKE (client-to-client password authenticated key exchange) protocols can not resist some attacks, this paper writes up new attacks on two representative protocols, then designs a new cross-r...Because cross-realm C2C-PAKE (client-to-client password authenticated key exchange) protocols can not resist some attacks, this paper writes up new attacks on two representative protocols, then designs a new cross-realm C2C-PAKE protocol with signature and optimal number of rounds for a client (only 2-rounds between a client and a server). Finally, it is proved that the new protocol can be resistant to all known attacks through heuristic analysis and that it brings more security through the comparisons of security properties with other protocols.展开更多
We presented a simple and efficient password-based encrypted key exchange protocol that allows a user to establish secure session keys with remote servers from client terminals in low resource environments. He does no...We presented a simple and efficient password-based encrypted key exchange protocol that allows a user to establish secure session keys with remote servers from client terminals in low resource environments. He does not need to carry smart card storing his private information but just needs to know his identity and password. For this purpose, the scheme was implemented over elliptic curves because of their well-known advantages with regard to processing and size constraints. Furthermore, the scheme is provably secure under the assumptions that the hash function closely behaves like a random oracle and that the elliptic curve computational Diffie-Hellman problem is difficult.展开更多
This paper analyzes the security performance of a latest proposed remote two-factor user authentication scheme and proposes an improved scheme based on the dynamic ID to avoid the attacks it suffers. Besides this, in ...This paper analyzes the security performance of a latest proposed remote two-factor user authentication scheme and proposes an improved scheme based on the dynamic ID to avoid the attacks it suffers. Besides this, in our proposed scheme the password is no longer involved in the calculation of verification phase which makes our scheme more secure and costs less than the old one. At last we analyze the performance of our proposed scheme to prove it provides mutual authentication between the user and the server. Moreover, it also resists password guessing attack, server and user masquerade attack and replay attack effectively.展开更多
Communication technology has advanced dramatically amid the 21st century,increasing the security risk in safeguarding sensitive information.The remote password authentication(RPA)scheme is the simplest cryptosystem th...Communication technology has advanced dramatically amid the 21st century,increasing the security risk in safeguarding sensitive information.The remote password authentication(RPA)scheme is the simplest cryptosystem that serves as the first line of defence against unauthorised entity attacks.Although the literature contains numerous RPA schemes,to the best of the authors’knowledge,only few schemes based on the integer factorisation problem(IFP)and the discrete logarithm problem(DLP)that provided a provision for session key agreement to ensure proper mutual authentication.Furthermore,none of the previous schemes provided formal security proof using the random oracle model.Therefore,this study proposed an improved RPA scheme with session key establishment between user and server.The design of the proposed RPA scheme is based on the widely established Dolev-Yao adversary model.Moreover,as the main contribution,a novel formal security analysis based on formal definitions of IFP and DLP under the random oracle model was presented.The proposed scheme’s performance was compared to that of other similar competitive schemes in terms of the transmission/computational cost and time complexity.The findings revealed that the proposed scheme required higher memory storage costs in smart cards.Nonetheless,the proposed scheme is more efficient regarding the transmission cost of login and response messages and the total time complexity compared to other scheme of similar security attributes.Overall,the proposed scheme outperformed the other RPA schemes based on IFP and DLP.Finally,the potential application of converting the RPA scheme to a user identification(UI)scheme is considered for future work.Since RPA and UI schemes are similar,the proposed approach can be expanded to develop a provably secure and efficientUI scheme based on IFP and DLP.展开更多
The pattern password method is amongst the most attractive authentication methods and involves drawing a pattern;this is seen as easier than typing a password.However,since people with visual impairments have been inc...The pattern password method is amongst the most attractive authentication methods and involves drawing a pattern;this is seen as easier than typing a password.However,since people with visual impairments have been increasing their usage of smart devices,this method is inaccessible for them as it requires them to select points on the touch screen.Therefore,this paper exploits the haptic technology by introducing a vibration-based pattern password approach in which the vibration feedback plays an important role.This approach allows visually impaired people to use a pattern password through two developed vibration feedback:pulses,which are counted by the user,and duration,which has to be estimated by the user.In order to make the proposed approach capable to prevent shoulder-surfing attacks,a camouflage pattern approach is applied.An experimental study is conducted to evaluate the proposed approach,the results of which show that the vibration pulses feedback is usable and resistant to shoulder-surfing attacks.展开更多
文摘In the digital age, phishing attacks have been a persistent security threat leveraged by traditional password management systems that are not able to verify the authenticity of websites. This paper presents an approach to embedding sophisticated phishing detection within a password manager’s framework, called PhishGuard. PhishGuard uses a Large Language Model (LLM), specifically a fine-tuned BERT algorithm that works in real time, where URLs fed by the user in the credentials are analyzed and authenticated. This approach enhances user security with its provision of real-time protection from phishing attempts. Through rigorous testing, this paper illustrates how PhishGuard has scored well in tests that measure accuracy, precision, recall, and false positive rates.
基金supported in part by the National Natural Science Foundation of China (No. 61803149 and No. 61977021)in part by the Technology Innovation Special Program of Hubei Province (No. 2020AEA008)in part by the Hubei Province Project of Key Research Institute of Humanities and Social Sciences at Universities (Research Center of Information Management for Performance Evaluation)
文摘Identity authentication is the first line of defense for network security.Passwords have been the most widely used authentication method in recent years.Although there are security risks in passwords,they will be the primary method in the future due to their simplicity and low cost.Considering the security and usability of passwords,we propose AvoidPwd,which is a novel mnemonic password generation strategy that is based on keyboard transformation.AvoidPwd helps users customize a“route”to bypass an“obstacle”and choose the characters on the“route”as the final password.The“obstacle”is a certain word using any language and the keys adjacent to the“obstacle”are typed with the“Shift”key.A two-part experiment was conducted to examine the memorability and security of the AvoidPwd strategy with other three password strategies and three leaked password sets.The results showed that the passwords generated by the AvoidPwd strategy were more secure than the other leaked password sets.Meanwhile,AvoidPwd outperformed the KbCg,SpIns,and Alphapwd in balancing security and usability.In addition,there are more symbols in the character distribution of AvoidPwd than the other strategies.AvoidPwd is hopeful to solve the security problem that people are difficult to remember symbols and they tend to input letters and digits when creating passwords.
文摘Alphanumerical usernames and passwords are the most used computer authentication technique.This approach has been found to have a number of disadvantages.Users,for example,frequently choose passwords that are simple to guess.On the other side,if a password is difficult to guess,it is also difficult to remember.Graphical passwords have been proposed in the literature as a potential alternative to alphanumerical passwords,based on the fact that people remember pictures better than text.Existing graphical passwords,on the other hand,are vulnerable to a shoulder surfing assault.To address this shoulder surfing vulnerability,this study proposes an authentication system for web-applications based on visual cryptography and cued click point recall-based graphical password.The efficiency of the proposed system was validated using unit,system and usability testing measures.The results of the system and unit testing showed that the proposed system accomplished its objectives and requirements.The results of the usability test showed that the proposed system is easy to use,friendly and highly secured.
文摘Text-based passwords are heavily used to defense for many web and mobile applications. In this paper, we investigated the patterns and vulnerabilities for both web and mobile applications based on conditions of the Shannon entropy, Guessing entropy and Minimum entropy. We show how to substantially improve upon the strength of passwords based on the analysis of text-password entropies. By analyzing the passwords datasets of Rockyou and 163.com, we believe strong password can be designed based on good usability, deployability, rememberbility, and security entropies.
文摘This paper proposes a scheme for password management by storing password encryptions on a server. The method involves having the encryption key split into a share for the user and one for the server. The user’s share shall be based solely on a selected passphrase. The server’s share shall be generated from the user’s share and the encryption key. The security and trust are achieved by performing both encryption and decryption on the client side. We also address the issue of countering dictionary attack by providing a further enhancement of the scheme.
文摘With the rapid development of information technology, demand of network & information security has increased. People enjoy many benefits by virtue of information technology. At the same time network security has become the important challenge, but network information security has become a top priority. In the field of authentication, dynamic password technology has gained users’ trust and favor because of its safety and ease of operation. Dynamic password, SHA (Secure Hash Algorithm) is widely used globally and acts as information security mechanism against potential threat. The cryptographic algorithm is an open research area, and development of these state-owned technology products helps secure encryption product and provides safeguard against threats. Dynamic password authentication technology is based on time synchronization, using the state-owned password algorithm. SM3 hash algorithm can meet the security needs of a variety of cryptographic applications for commercial cryptographic applications and verification of digital signatures, generation and verification of message authentication code. Dynamic password basically generates an unpredictable random numbers based on a combination of specialized algorithms. Each password can only be used once, and help provide high safety. Therefore, the dynamic password technology for network information security issues is of great significance. In our proposed algorithm, dynamic password is generated by SM3 Hash Algorithm using current time and the identity ID and it varies with time and changes randomly. Coupled with the SM3 hash algorithm security, dynamic password security properties can be further improved, thus it effectively improves network authentication security.
基金Acknowledgements This work was supported by the National Natural ScienceFoundation of China under Grants No. 60873191, No. 60903152, No. 60821001, and the Beijing Natural Science Foundation under Grant No. 4072020.
文摘To achieve privacy and authentication sinmltaneously in mobile applications, various Three-party Password-authenticated key exchange (3PAKE) protocols have been proposed. However, some of these protocols are vulnerable to conventional attacks or have low efficiency so that they cannot be applied to mobile applications. In this paper, we proposed a password-authenticated multiple key exchange protocol for mobile applications using elliptic curve cryptosystem. The proposed protocol can achieve efficiency, reliability, flexibility and scalability at the same time. Compared with related works, the proposed protocol is more suitable and practical for mobile applications.
基金supported by National Natural Science Foundation of China(Grant Nos.60873191,60903152,61003286,60821001)
文摘Mobile Ad hoc NETwork (MANET) is a part of the Internet of Things (IoT). In battlefield communication systems, ground soldiers, tanks, and unmanned aerial vehicles comprise a heterogeneous MANET. In 2006, Byun et al. proposed the first constant-round password-based group key ex- change with different passwords for such net- works. In 2008, Nam et al. discovered the short- comings of the scheme, and modified it. But the works only provide the group key. In this paper, we propose a password-based secure communication scheme for the loT, which could be applied in the battlefield communication systems and support dy- namic group, in which the nodes join or leave. By performing the scheme, the nodes in the heteroge- neous MANET can realize secure broadcast, secure unicast, and secure direct communication across realms. After the analyses, we demonstrate that the scheme is secure and efficient.
基金This work is supported by The National Natural Science Foundation of China (Nos.U1536121,61370195).
文摘Android applications are associated with a large amount of sensitive data,therefore application developers use encryption algorithms to provide user data encryption,authentication and data integrity protection.However,application developers do not have the knowledge of cryptography,thus the cryptographic algorithm may not be used correctly.As a result,security vulnerabilities are generated.Based on the previous studies,this paper summarizes the characteristics of password misuse vulnerability of Android application software,establishes an evaluation model to rate the security level of the risk of password misuse vulnerability and develops a repair strategy for password misuse vulnerability.And on this basis,this paper designs and implements a secure container for Android application software password misuse vulnerability:CM-Droid.
基金the National Natural Science Foundation of China (2007AA01Z431)
文摘Because cross-realm C2C-PAKE (client-to-client password authenticated key exchange) protocols can not resist some attacks, this paper writes up new attacks on two representative protocols, then designs a new cross-realm C2C-PAKE protocol with signature and optimal number of rounds for a client (only 2-rounds between a client and a server). Finally, it is proved that the new protocol can be resistant to all known attacks through heuristic analysis and that it brings more security through the comparisons of security properties with other protocols.
基金Supported by the National Natural Science Foun-dation of China (60473021)
文摘We presented a simple and efficient password-based encrypted key exchange protocol that allows a user to establish secure session keys with remote servers from client terminals in low resource environments. He does not need to carry smart card storing his private information but just needs to know his identity and password. For this purpose, the scheme was implemented over elliptic curves because of their well-known advantages with regard to processing and size constraints. Furthermore, the scheme is provably secure under the assumptions that the hash function closely behaves like a random oracle and that the elliptic curve computational Diffie-Hellman problem is difficult.
基金Supported by Natural Science Funds of Shanxi Province(No. 2010021016-3)
文摘This paper analyzes the security performance of a latest proposed remote two-factor user authentication scheme and proposes an improved scheme based on the dynamic ID to avoid the attacks it suffers. Besides this, in our proposed scheme the password is no longer involved in the calculation of verification phase which makes our scheme more secure and costs less than the old one. At last we analyze the performance of our proposed scheme to prove it provides mutual authentication between the user and the server. Moreover, it also resists password guessing attack, server and user masquerade attack and replay attack effectively.
基金This research is funded by UKM under Grant No.GUP-2020-029.
文摘Communication technology has advanced dramatically amid the 21st century,increasing the security risk in safeguarding sensitive information.The remote password authentication(RPA)scheme is the simplest cryptosystem that serves as the first line of defence against unauthorised entity attacks.Although the literature contains numerous RPA schemes,to the best of the authors’knowledge,only few schemes based on the integer factorisation problem(IFP)and the discrete logarithm problem(DLP)that provided a provision for session key agreement to ensure proper mutual authentication.Furthermore,none of the previous schemes provided formal security proof using the random oracle model.Therefore,this study proposed an improved RPA scheme with session key establishment between user and server.The design of the proposed RPA scheme is based on the widely established Dolev-Yao adversary model.Moreover,as the main contribution,a novel formal security analysis based on formal definitions of IFP and DLP under the random oracle model was presented.The proposed scheme’s performance was compared to that of other similar competitive schemes in terms of the transmission/computational cost and time complexity.The findings revealed that the proposed scheme required higher memory storage costs in smart cards.Nonetheless,the proposed scheme is more efficient regarding the transmission cost of login and response messages and the total time complexity compared to other scheme of similar security attributes.Overall,the proposed scheme outperformed the other RPA schemes based on IFP and DLP.Finally,the potential application of converting the RPA scheme to a user identification(UI)scheme is considered for future work.Since RPA and UI schemes are similar,the proposed approach can be expanded to develop a provably secure and efficientUI scheme based on IFP and DLP.
文摘The pattern password method is amongst the most attractive authentication methods and involves drawing a pattern;this is seen as easier than typing a password.However,since people with visual impairments have been increasing their usage of smart devices,this method is inaccessible for them as it requires them to select points on the touch screen.Therefore,this paper exploits the haptic technology by introducing a vibration-based pattern password approach in which the vibration feedback plays an important role.This approach allows visually impaired people to use a pattern password through two developed vibration feedback:pulses,which are counted by the user,and duration,which has to be estimated by the user.In order to make the proposed approach capable to prevent shoulder-surfing attacks,a camouflage pattern approach is applied.An experimental study is conducted to evaluate the proposed approach,the results of which show that the vibration pulses feedback is usable and resistant to shoulder-surfing attacks.