TY - GEN
T1 - Secure password pocket for distributed web services
AU - Koo, Jae Hyung
AU - Lee, Dong Hoon
PY - 2005
Y1 - 2005
N2 - Password authentication (PA) is a general and well-known technique to authenticate a user who is trying to establish a connection in distributed web services. The main idea of PA is to remove complex information from users so that they can log on to servers with only a human-memorable password from anywhere. So far, many papers have been proposed to set up security requirements and improve the efficiency of PA. Most papers consider practical attacks such as password guessing, impersonation and server compromise, which occur frequently in the real world. However, they missed an important and critical risk. A revealed password of a user from a server may affect other servers because most people tend to use the same password on different servers. This enables anyone who obtains a password to easily log onto other servers. In this paper, we first introduce a new notion, called "password pocket", which randomizes a user's password even if he/she types the same password on different servers. When our password pocket is used, an exposed password does not affect other servers any more. The cost of a password pocket is extremely low since it needs to store only one random number securely.
AB - Password authentication (PA) is a general and well-known technique to authenticate a user who is trying to establish a connection in distributed web services. The main idea of PA is to remove complex information from users so that they can log on to servers with only a human-memorable password from anywhere. So far, many papers have been proposed to set up security requirements and improve the efficiency of PA. Most papers consider practical attacks such as password guessing, impersonation and server compromise, which occur frequently in the real world. However, they missed an important and critical risk. A revealed password of a user from a server may affect other servers because most people tend to use the same password on different servers. This enables anyone who obtains a password to easily log onto other servers. In this paper, we first introduce a new notion, called "password pocket", which randomizes a user's password even if he/she types the same password on different servers. When our password pocket is used, an exposed password does not affect other servers any more. The cost of a password pocket is extremely low since it needs to store only one random number securely.
UR - http://www.scopus.com/inward/record.url?scp=33745352074&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33745352074&partnerID=8YFLogxK
U2 - 10.1007/11577188_47
DO - 10.1007/11577188_47
M3 - Conference contribution
AN - SCOPUS:33745352074
SN - 354029810X
SN - 9783540298106
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 327
EP - 334
BT - Network and Parallel Computing - IFIP International Conference, NPC 2005, Proceedings
T2 - IFIP International Conference on Network and Parallel Computing, NPC 2005
Y2 - 30 November 2005 through 3 December 2005
ER -