Creative Writing

A zero knowledge probabilistic login protocol

A zero knowledge probabilistic login protocol
of 13
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
  Computers & Security, 11 (1992) 733-745 A Zero Knowledge Probabilistic Login Protocol Dimitris Gritzalis1t2, Sokratis Katsi kasl s2 and Stefanos Gritzalis2t3 ’ Univenip of zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA he Aegean, Department ofMaathemabcs, Karlovasi 83200, Samos, Greece 2 Technological Educational Institute ofAthens, Department of Informatics, Ag. Spyridonos Str., Aegaleo GR 122 10, Athens, Greece ‘Management and Informarion Technologies ConsullanLc SA, 187 Ionia.s Ave., N. Ionia 1423 I, Athens, Greece In the first part of this paper two techniques for system authen- tication via a password are analyzed. The first is a probabilistic protocol for the improvement of the login security mechanism and the second is a zero knowledge model for system authend- cation. Their major advantages and disadvantages are identified and commented upon. In the second part of the paper, a new protocol is proposed as a combination of the two, which estab- lishes a new approach which is quite effective in the case of system-to-system authentication. This protocol avoids some of the limitations of the previously mentioned two techniques, while at the same time manages to merge several of the advan- tages of both. Keywordc Login, Authentication, Passwords, Network security, Access control. 1. Introduction zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA W zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA ith the increasing use of computer systems and their interconnection to local and wide area networks, appropriate security measures and techniques continue to grow more and more important. While research continues on methods aiming at building more sophisticated methods of Correspondence lo: D. Gritzalis, Technological Educational Insti- tute of Athens, Department of Informatics, Ag. Spyridonos Str., Aegaleo GR 122 IO, Athens, Greece. authentication, password mechanisms remain the predominant method of positively identifying computer systems and computer system users. In the case of networks, passwords are almost the sole mechanism used to control access. The GAD Internet report found that some 30% of the con- tents of the Internet password files could be guessed by using the account name of a user as well as a few variations of personal information pertain- ing to that user. Another report on network secur- ity, compiled by Computer World in 1989, stated that there are some 22.5 million PCs in the United States and about 20% (4.5 million) of them are linked in networks. Many of these stand-alone units and LANs are also linked to mainframes. Therefore, it becomes evident that practically every penetration of a computer system, linked or not to a network, relies at some stage on the ability of the penetrator to compromise a password. In this paper a new approach for the authentication of a computer system’s identity via a password will be proposed. Thi s approach is based on the synthe- sis of a zero knowledge proof idea [l] and an improvement of the idea of using passwords based 0167-4049/92/ 5.00 0 1992, Elsevier Science Publishers Ltd.  D. Gritzalis et aLlZero Knowledge Probabilistic Login Protocol zyxwvutsrqponmlkjih on a probabilistic protocol [2]. Specifically, a com- bination of these two methods will be described and the development of a zero knowledge proba- bilistic protocol will be presented. 2. Authentication Via a Password The key element in access control is the establish- ment of a positive and unique identification for each user to whom access is to be granted [3]. This is usually called authentication. In order to imple- ment an authentication mechanism, one must determine what information is to be used to vali- date the user. This information should be some- thing “the user knows” (i.e. a password), “the user has” (i.e. a token), “the user is” (i.e. some measurable physical characteristic measured using biometrics), or “how the user responses to a stimulus” (i.e. signature dynamics products), or “where a user is, in relation to an anticipated location” (i.e. auto- matic dial-back products) [4,5]. Note that the term “user” is used herein to signify either a person or a system, attempting to gain access to some system. The first of the above methods of authentication requires the user who attempts to validate his identity (the Prover) to provide appropriate infor- mation or to respond to questions posed by the system which is being requested to grant permis- sion (the Skeptic). Such a typical procedure, a password system, is summed up in [3]: “A user typically logs onto a system and then provides a nominal identity, such as a user name and/or pass- word. The system then requests a password which serves to verify the user’s identity.” Password mechanisms suffer from the same prob- lems as any other technique which uses the user or the system knowledge as proof of their identity. Namely, if a penetrator finds, guesses or steals a password, then he is able to claim that he really is the user, until the password changes. In a survey [6] on the passwords in use in a univer- sity timesharing environment, it was proved that- left to their own-people are not careful about passwords. They rely on easy-to-remember pass- words and, unless forced to, they do not change them regularly. They also prefer short passwords (three to five characters). Only a small number of users seek complex passwords using combinations of numbers and letters. The majority of passwords in use are as unique as the people who created them. About 30% of all the passwords that are user- created are true English words. It has been proposed [7] that if L is the lifetime of a password, R is the number of guesses a penetrator may make per unit time, and S the number of all possible passwords allowed in a computer system, then the probability P that a password can be guessed within its lifetime is -expressed by: P= LX&. Therefore, in order to decrease this probabil- ity one should either reduce the password lifetime or increase the number of possible passwords or limit the maximum number of guesses a penetrator may make per unit time. The first two of the above options are easy to implement but may render poor results. Changing passwords very often (i.e. reducing L) usually leads to easy-to-guess new passwords [8]. On the other hand, larger numbers of possible passwords (i.e. increasing S) minimally affect qualified penetrators and do not effectively stand against fast processors [2, 6, 81. Therefore, the number of guesses a pene- trator is allowed to make per unit time is a crucial factor. Every penetrator aims at establishing false positive identification. In other words, he expects to com- promise the system as soon as he guesses the correct password. There are several ways to achieve this, the most common among them being to try an exhaustive search among all possible passwords or to use a limited vocabulary [4, 61 to reduce the maximum number of trial-and-error attempts or even to try some “obvious” passwords. Whichever option the penetrator may elect to exercise, he has to operate on an assumption of certainty. Namely, if the password is wrong then access will be denied; ifit is correct then access will be granted. Therefore, in order to discourage pene- 734  trators, one may violate the assumption of cer- tainty, thus making the required number of guesses larger, while at the same time decreasing signifi- cantly the maximum number of unsuccessful attempts that may be performed per time unit. This idea led to the development of probabilistic protocols, one of which will be discussed in the next section. 3. A Probabilistic Protocol The idea of using a probabilistic protocol for improving password-based security has been recently expressed [2]. According to this protocol the designer of a password scheme has the ability to introduce uncertainty into the correcmess of a password (after it has been tried) by sometimes denyin permission even when the password entere B is correct. This uncertainty aims at avoid- ing errors of type II, namely the error of granting access to a non-authorized user (whereas error type I is to deny access to a legitimate user). For example, if a Prover validates his identity using the correct password, then the Skeptic may grant permission with a (static) probability of, say, 0.95. This means that in five out of a hundred attempts to login, the user will be asked to re-enter the pass- word as if it was wrong. In this case, if the Prover is authorized it is likely that he will repeat the same password. On the other hand, if the password has been used by a penetrator, then it is more likely that he will try a different one, thus making false positive authentication more difficult to establish. Nevertheless, a penetrator can improve his chances of compromising the system by repeatedly entering the same password, although this procedure increases the time required to try all possible pass- words. To remedy this, a penalty scheme may be incorporated into the protocol (see Procedure zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA ). This scheme makes use of a penalty factor which may be equal to the number of times that the correct password must be entered in order for the user to gain access to the system. This factor could also depend on the past history of tried passwords, Computers and Security, Vol. 7 7, No. 8 P iif that history bein on the couple o H formally expressed by a metric d the correct password (so) and the entered password (s). Such a metric could be d(s,s,) = 1~ s,l, if s and s,, were numbers, or the Hamming distance if they were alphanumeric strings. Procedure 1 implements this protocol; therein, s denotes the correct password, s,, the entered pass- word, zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIH  the time units that the system remains at zero state between two consecutive login attempts, zyxwvutsrqponmlkjihg 1 the penalty factor, and P (I) denotes a penalty function, which must be decreasing in zyxwvutsrqponmlkjihgfedcbaZ , with values ranging in [0, 11. Finally, k serves for increasing the penalty when the Prover attempts to login with the correct password whereas the pass- word that he entered in the previous attempt was incorrect. For example, k could be equal to d(s,s,) (see Procedure zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONM ). A simulation of this protocol is presented in Fig. 1. In both figures the user attempts to enter the system for four consecutive times using a wrong password. Then he enters the correct password repeatedly, until permission to access is granted. The protocol simulated in Fig. l(a) uses a static penalty function, where n is the sequential number of the user’s attempt to enter the system and Pr, = min{P,, 1) is the probability to succeed doing so. P, is an auxiliary function which is defined in Table 1 (the intervals are defined heuristically). From Fig. 1 (a) it is evident that, when the user starts entering the correct password (fifth attempt), then the probability to actually login the system increases quite slowly, tending to create an error of type I (denial of access to a legitimate user). On the other hand, the protocol simulated in Fig. I (b) uses a dynamic penalty function. In this case n is the sequential number of the user’s attempt to enter the system, Pr, = min{ P,, I} is the probability to succeed doing so, z is the total number of the entered incorrect passwords and a the total number of entered correct passwords. Parameter I equals 1, 735  D. Gritzalis et al.lZero Knowledge Probabilistic Login Protocol zyxwvutsrqponmlkjih Procedure 1: dynamicprobabilisticprotocol zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJI Algorithm: “Dynamic probabilistic protocol” Define s0 Define T Define P (I) Define k Input s Depending on d(s,r,) Do Case zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA : zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA ncertainty Procedure If d(s,s,) = 0 AND (this is the first attempt) OR d(s,s,) = 0 (for the previous attempt) then Permission: = “Yes” with probability P (I) Case 2: Protection Procedure If d(s,s,) = 0 AND (d(s,s,) 0 for the previous attempt) then Permission: = “Yes” with probability P (1+ k) Case 3: Wrong Password Procedure If d(s,s,) z o then Permission: = “No” Wait at zero for T time units Endcase Output Permission if the total number of incorrect passwords is 0, else it equals z. Finally, parameter k equals 1 if the total number of correct passwords is 0, else it equals 1/2a. The function is defined in Table 2 (the inter- vals are defined heuristically). In this case (Fig. 1 (b)), the Skeptic’s response to the Prover is significantly different. After four con- secutive attempts to login with incorrect pass- words, the user entered the correct one. The first response of the Skeptic was to assume that the Prover entered another randomly chosen password. Therefore the probability of the Prover to enter was not really increased. But since the Prover con- tinued using the correct password, the Skeptic increased his probability of logging in, according to the dynamic penalty function. We conclude that the dynamic penalty function is more effective than the static one, although both of them rely heavily on the specific technological and operational environment where they are applied. 736  Computers and Security, Vol. II, No. 8 zyxwvutsrqponmlkj SYSTEtl zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA SER her id 7 :chrir : User Pasruord 7 test Non Authorized User I Attempt No 8 ;: 1.88 0.90 0 c 8.88 ; ; 8.78 8.68 ES I s 0.58 L . 8.48 I a.30 ;k 8.28 8.18 G e.ea vi NUllBER of ATTEtlPTS I: 812345678 “NUHBER f ATTEHPTS . ^ I._. . .r. L Fig. 1. a) Simulation using a static penalty funcnon. b) Simulanon usmg a dynamic penalty tuncnon. zyxwvutsrqponmlkjihgfedcbaZYXW Nevertheless, although this protocol seems to be with the expected Skeptic. Moreover, another effective, it fails to propose methodologies for disadvantage is that it requires the password to be Skeptic authentication. In other words, it fails to transmitted from the Prover to the Skeptic. It is provide an answer to the question of how the true that, regardless of how effective the password Prover knows whether he is in fact communicating mechanism is, how good the choice of passwords is, 737
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks