A future-adaptive password scheme
作者: David Mazières , Niels Provos
DOI:
关键词: Password 、 Password policy 、 One-time password 、 S/KEY 、 Zero-knowledge password proof 、 Cognitive password 、 Password strength 、 Computer science 、 Computer security 、 Password cracking
摘要: Many authentication schemes depend on secret passwords. Unfortunately, the length and randomness of user-chosen passwords remain fixed over time. In contrast, hardware improvements constantly give attackers increasing computational power. As a result, password such as traditional UNIX user-authentication system are failing with time. This paper discusses ways building systems in which security keeps up speeds. We formalize properties desirable good system, show that cost any secure scheme must increase improves. present two algorithms adaptable cost--eksblowfish, block cipher purposefully expensive key schedule, bcrypt, related hash function. Failing major breakthrough complexity theory, these should allow password-based to adapt well into future.
acm.org 参考文章(12)
Michael George Luby, None, Pseudorandomness and Cryptographic Applications ,(1996)
Tatu Ylönen, SSH: secure login connections over the internet usenix security symposium. pp. 4- 4 ,(1996)
Bruce Schneier, Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish) fast software encryption. pp. 191- 204 ,(1993) , 10.1007/3-540-58108-1_24
Eli Biham, A Fast New DES Implementation in Software fast software encryption. pp. 260- 272 ,(1997) , 10.1007/BFB0052352
Thomas D. Wu, The Secure Remote Password Protocol. network and distributed system security symposium. ,(1998)
Shai Halevi, Hugo Krawczyk, Public-key cryptography and password protocols computer and communications security. pp. 122- 131 ,(1998) , 10.1145/288090.288118
Steven M. Bellovin, Michael Merritt, Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise computer and communications security. pp. 244- 250 ,(1993) , 10.1145/168588.168618
S. Patel, Number theoretic attacks on secure password schemes ieee symposium on security and privacy. pp. 236- 247 ,(1997) , 10.1109/SECPRI.1997.601340
Robert Morris, Ken Thompson, Password security Communications of the ACM. ,vol. 22, pp. 594- 597 ,(1979) , 10.1145/359168.359172
S.M. Bellovin, M. Merritt, Encrypted key exchange: password-based protocols secure against dictionary attacks ieee symposium on security and privacy. pp. 72- 84 ,(1992) , 10.1109/RISP.1992.213269