Hidden credential retrieval from a reusable password

Boyen, Xavier (2009) Hidden credential retrieval from a reusable password. In Li, Wanging, Susilo, Willy, & Tupakula, Udaya (Eds.) Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ACM, Sydney, NSW, pp. 228-238.

View at publisher


We revisit the venerable question of access credentials management, which concerns the techniques that we, humans with limited memory, must employ to safeguard our various access keys and tokens in a connected world. Although many existing solutions can be employed to protect a long secret using a short password, those solutions typically require certain assumptions on the distribution of the secret and/or the password, and are helpful against only a subset of the possible attackers. After briefly reviewing a variety of approaches, we propose a user-centric comprehensive model to capture the possible threats posed by online and offline attackers, from the outside and the inside, against the security of both the plaintext and the password. We then propose a few very simple protocols, adapted from the Ford-Kaliski server-assisted password generator and the Boldyreva unique blind signature in particular, that provide the best protection against all kinds of threats, for all distributions of secrets. We also quantify the concrete security of our approach in terms of online and offline password guesses made by outsiders and insiders, in the random-oracle model. The main contribution of this paper lies not in the technical novelty of the proposed solution, but in the identification of the problem and its model. Our results have an immediate and practical application for the real world: they show how to implement single-sign-on stateless roaming authentication for the internet, in a ad-hoc user-driven fashion that requires no change to protocols or infrastructure.

Impact and interest:

9 citations in Scopus
Search Google Scholar™

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

ID Code: 69183
Item Type: Conference Paper
Refereed: Yes
Keywords: Stateless Roaming Credentials, Reusable Passwords, Online Authentication, Partially Trusted Servers
DOI: 10.1145/1533057.1533089
ISBN: 9781605583945
Divisions: Current > Schools > School of Electrical Engineering & Computer Science
Current > QUT Faculties and Divisions > Science & Engineering Faculty
Copyright Owner: Copyright 2009 ACM
Deposited On: 26 Mar 2014 03:59
Last Modified: 09 Apr 2014 22:00

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page