CryptoBlog – Data Security and Information Theory

Cryptography, Information Theory and Codes

Security of Password Protocols

In an article titled Password-Based Authentication: Preventing Dictionary Attacks published in the June issue of Computer magazine, S. Chakrabarti and M. Singhal describe a series of password protocols often used to authenticate users over the Internet.
The authors describe and analyze several heuristic measures developed to prevent man-in-the-middle, on-line and off-line dictionary attacks. Their conclusion is that there is no proof that these password protocols are secure (not even computationally) in the standard model. That is, there is not even a guarantee of computational security like the one provided by the widely accepted assumptions that:

  1. factoring the product of two large primes is hard;
  2. computing the discrete logarithm is hard;
  3. there exists a good pseudo-random permutation such as the AES cipher.

The authors also analyze external measures designed to prevent, or make computationally very expensive, the large number of trials a dictionary attack requires. They conclude that measures such as account locking and Reverse Turing Tests (CAPTCHAs: colorful images with distorted text) must be used carefully to strike a good balance between security and convenience for the user.
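To illustrate the trade-off the authors raise for account locking, here is example code written for this post (not from the article or its authors): a per-account throttle that imposes an escalating, capped delay after repeated failures, so the number of on-line dictionary trials is bounded while a legitimate user is never locked out permanently. The class name `Throttle`, the account `alice` and the numeric parameters are made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Throttle:
    """Per-account escalating delay instead of a hard account lock (example)."""
    free_attempts: int = 3         # failures allowed before delays begin
    max_delay: float = 15 * 60.0   # cap on the delay, in seconds
    failures: dict = field(default_factory=dict)       # account -> consecutive failures
    blocked_until: dict = field(default_factory=dict)  # account -> earliest next attempt

    def delay_for(self, fails: int) -> float:
        """0 for the first few failures, then doubling (1, 2, 4, ...) up to max_delay."""
        if fails < self.free_attempts:
            return 0.0
        return min(self.max_delay, 2.0 ** (fails - self.free_attempts))

    def check(self, account: str, now: float) -> bool:
        """True if an attempt for `account` may be processed at clock time `now`."""
        return now >= self.blocked_until.get(account, 0.0)

    def record(self, account: str, success: bool, now: float) -> float:
        """Update state after an attempt; returns the delay imposed (0 on success)."""
        if success:                       # a correct password clears the history
            self.failures.pop(account, None)
            self.blocked_until.pop(account, None)
            return 0.0
        fails = self.failures.get(account, 0) + 1
        self.failures[account] = fails
        delay = self.delay_for(fails)
        self.blocked_until[account] = now + delay
        return delay

def trials_in_window(throttle: Throttle, window: float, account: str = "alice") -> int:
    """Simulate an on-line dictionary attack against one account: guesses are sent
    as soon as the throttle allows. Returns how many guesses fit in `window` seconds."""
    now, guesses = 0.0, 0
    while True:
        if not throttle.check(account, now):
            now = throttle.blocked_until[account]   # wait out the imposed delay
        if now >= window:
            return guesses
        guesses += 1
        throttle.record(account, success=False, now=now)   # every guess is wrong

if __name__ == "__main__":
    # Constructed scenario: one day of guessing against a single account.
    print(trials_in_window(Throttle(), 24 * 3600))   # 107 guesses instead of millions
```

Because the delay is capped, the worst case for the real account holder is one bounded wait rather than the indefinite lockout an attacker could inflict on purpose; guesses spread across many accounts are not covered by this per-account counter and need a separate per-source limit.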

Password-based authentication is susceptible to attack if used on insecure communication channels such as the Internet. Researchers have engineered several protocols to prevent these attacks, but we still need formal models to analyze, and aid in the effective design of, acceptable password protocols geared to preventing dictionary attacks.

Filed under: Authentication, InSecurity

About this blog

Data Security and Information Theory are essential to modern life. Far from being the exclusive domain of academics and geeks, their fundamentals and applications are easy for most people to understand. Here is my modest attempt to bring some of the issues into public discourse and spread the knowledge to make the internet a safer place for your virtual self.

Copyright

© Mario Forcinito and CryptoBlog, 2007-2009. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Mario Forcinito and CryptoBlog with appropriate and specific direction to the original content.
