Protocols for Checking Compromised Credentials [article]

Lucy Li, Bijeeta Pal, Junade Ali, Nick Sullivan, Rahul Chatterjee, Thomas Ristenpart
2019 arXiv   pre-print
We refer to such services as compromised credential checking (C3) services.  ...  To prevent credential stuffing attacks, industry best practice now proactively checks if user credentials are present in known data breaches.  ...  ACKNOWLEDGMENTS We would like to thank the authors of [45] for sharing their work with us prior to publication. This work was supported in part by NSF grants CNS-1564102, CNS-1514163, and CNS-1704527.  ... 
arXiv:1905.13737v3 fatcat:gi2kw7snqnfzjm2hey7yugs52u

Securing Password Authentication for Web-based Applications [article]

Teik Guan Tan and Pawel Szalachowski and Jianying Zhou
2020 arXiv   pre-print
We identify four properties that encapsulate the requirements to stop web-based password phishing, and propose a secure protocol to be used with a new credential field that complies with the four properties  ...  This vulnerability can be exploited for phishing attacks as the web authentication process is not end-to-end secured from each input password field to the web server.  ...  A comparison is made for the password verification use-case for the following three protocols: -Proposed credential protocol in Section 5.  ... 
arXiv:2011.06257v1 fatcat:l4xha34lunahrkuouigp4tbq34

OpenID Security Analysis and Evaluation

San-Tsai Sun, Konstantin Beznosov
2010 Zenodo  
OpenID is a promising user-centric Web single sign-on protocol.  ...  To the end, I will demonstrate the attack vectors employed in the evaluation process and discuss our proposed countermeasure for the current OpenID-enabled websites and future OpenID specification.  ...  threat assumptions • RP, IdP, user machine, and browser are not compromised • RP, IdP are not malicious • user credentials on IdPs are secured • cookies in the browser are secured (integrity and  ... 
doi:10.5281/zenodo.3264502 fatcat:eetpkw3otfeqjabiadf7crf4ny

A modular eballot system - V0.6 [article]

Andrea Pasquinucci
2006 arXiv   pre-print
We consider a reasonably simple voting system which can be implemented for web-based ballots.  ...  Due to weak-eligibility and vote-selling, this system cannot be used for political or similar ballots.  ...  Lanzi for discussions, and H. Bechmann-Pasquinucci for inspiring remarks.  ... 
arXiv:cs/0611066v2 fatcat:qfl2hpqjwbf7hlgamlkofe4dtm

Towards User-Friendly Credential Transfer on Open Credential Platforms [chapter]

Kari Kostiainen, N. Asokan, Alexandra Afanasyeva
2011 Lecture Notes in Computer Science  
In this paper we present a practical credential transfer protocol that can be implemented using devices available today.  ...  Our protocol makes credential transfer user-friendly with delegated, automatic re-provisioning, and can be integrated to a typical device initialization process.  ...  cannot credential fidelity for credentials that are provisioned after the OS compromise.  ... 
doi:10.1007/978-3-642-21554-4_23 fatcat:t2oqcuxrbff3nfe5rf464u75vu

An Improved Privacy-Preserving Navigation Protocol in VANETs

Wonjun Cho, Youngho Park, Chul Sur, Kyung Hyune Rhee
2013 Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications  
In particular, we focus on eliminating the system master secret distribution and update procedures for anonymous credential acquisition, and the need of an additional tamperproof device to use and store  ...  Recent advance of vehicular technology offers opportunities for developing new navigation systems to overcome the problems of popular global positioning system (GPS) based navigation systems.  ...  generation of time stamp and check valid time of credentials.  ... 
doi:10.22667/jowua.2013.12.31.080 dblp:journals/jowua/ChoPSR13 fatcat:6zpqxidc5feate3ycr6j3qfxhm

Risks of the Passport single signon protocol

David P Kormann, Aviel D Rubin
2000 Computer Networks  
We examine the Passport single signon protocol, and identify several risks and attacks.  ...  Passport is a protocol that enables users to sign onto many different merchants' web pages by authenticating themselves only once to a common server.  ...  Attacks In this section, we look at some specific attacks on the Passport protocol that can result in compromise of user credentials and wallet information.  ... 
doi:10.1016/s1389-1286(00)00048-7 fatcat:ajwfrtzt5zczzfp23hsusjlqxy

Single-Message Credential-Hiding Login [article]

Kevin Lewi, Payman Mohassel, Arnab Roy
2020 IACR Cryptology ePrint Archive  
We also construct a variant of credential-hiding login for fuzzy secrets (e.g. biometrics), proven secure based on the Learning With Errors (LWE) assumption.  ...  The typical login protocol for authenticating a user to a web service involves the client sending a password over a TLS-secured channel to the service, occasionally deployed with the password being prehashed  ...  of the equality checks done by passwords to Hamming distance checks for approximate equality.  ... 
dblp:journals/iacr/LewiMR20 fatcat:i67anvpzgzff3jvg5h3wuvhl3y

Secure Authentication Protocol Based on Machine-metrics and RC4-EA Hashing

Ashraf Aboshosha, Kamal A. ElDahshan, Eman K. Elsayed, Ahmed A. Elngar
2016 International Journal of Network Security  
Also, it offers strong protection against several attacks such as credential compromising attacks.  ...  Thus, machine-metrics based authentication for machine can be looked as an analog of biometric-based authentication for human.  ...  Moreover, this protocol helps to overcome many challenging attacks such as phishing attacks and credential compromising attacks.  ... 
dblp:journals/ijnsec/AboshoshaEEE16 fatcat:qkrpv6etffedpkizb4fbpmbptm

Might I Get Pwned: A Second Generation Compromised Credential Checking Service [article]

Bijeeta Pal, Mazharul Islam, Marina Sanusi, Nick Sullivan, Luke Valenta, Tara Whalen, Christopher Wood, Thomas Ristenpart, Rahul Chatterjee
2022 arXiv   pre-print
To defend against these attacks, recently deployed compromised credential checking (C3) services provide APIs that help users and companies check whether a username, password pair is exposed.  ...  These services however only check if the exact password is leaked, and therefore do not mitigate credential tweaking attacks - attempts to compromise a user account with variants of a user's leaked passwords  ...  Acknowledgements We thank the anonymous reviewers for their insightful comments and suggestions, as well as Adam Oest for his work as shepherd for the paper.  ... 
arXiv:2109.14490v2 fatcat:xgwtow5hyvdvbnsf6dnlbtrgsi

A Protocol for Anonymous and Accurate E-Polling [chapter]

Danilo Bruschi, Igor Nai Fovino, Andrea Lanzi
2005 Lecture Notes in Computer Science  
In this paper we propose a simple protocol for an accurate and anonymous e-polling system.  ...  Contrarily to e-voting protocols, they are characterized by less stringent security requirements in particular they can tolerate errors affecting a small percentage of votes, without the compromise of  ...  compromised.  ... 
doi:10.1007/978-3-540-32257-3_11 fatcat:vb62dktjqfhgndjtrpv3dauf6u

SET Cardholder Registration: The Secrecy Proofs [chapter]

Lawrence C. Paulson
2001 Lecture Notes in Computer Science  
This work was funded by the EPSRC grant GR/R01156/01 Verifying Electronic Commerce Protocols.  ...  Tramontano for their many months devoted to understanding the SET specifications. (By contrast, the secrecy proofs reported above took only days.)  ...  Model checking is excellent for debugging a protocol, finding attacks in seconds [6, 7] .  ... 
doi:10.1007/3-540-45744-5_2 fatcat:i4agcbz7v5ba3n2qgpigpkvxie

TRIP: Trustless Coercion-Resistant In-Person Voter Registration [article]

Louis-Henri Merino, Simone Colombo, Jeff Allen, Vero Estrada-Galiñanes, Bryan Ford
2022 arXiv   pre-print
We conduct a preliminary usability study among 41 participants at a university and found that 42.5% of participants rated TRIP a B or higher in usability, a promising result for a voter registration scheme  ...  TRIP optimizes the tallying process by limiting the number of credentials a voter can receive and capping the number of votes that a credential can cast per election.  ...  Student Program, the Swiss Government Excellence Scholarships for Foreign Scholars, the AXA Research Fund, and the US ONR grant N000141912361.  ... 
arXiv:2202.06692v1 fatcat:uxxotxp2v5fabef2oadf7g5ge4

Practical and Privacy-Preserving TEE Migration [chapter]

Ghada Arfaoui, Saïd Gharout, Jean-François Lalande, Jacques Traoré
2015 Lecture Notes in Computer Science  
The proposed protocol has been successfully validated by AVISPA, an automated security protocol validation tool.  ...  However, TEE profile migration implies security and privacy issues in particular for TEE profiles that require explicit agreement of the service provider.  ...  It should also check whether source or target TEE are compromised 6 for example using the remote attestation protocols of Baiardi et al. [6] .  ... 
doi:10.1007/978-3-319-24018-3_10 fatcat:r4cmbmel6nfg7d7rfawakmvysm

Implementation Aspects of Anonymous Credential Systems for Mobile Trusted Platforms [chapter]

Kurt Dietrich, Johannes Winter, Granit Luzhnica, Siegfried Podesser
2011 Lecture Notes in Computer Science  
We thank the anonymous reviewers for their helpful comments. This work has been supported in part by the European Commission through the FP7 programme under contract 257433 SEPIA.  ...  The Issuer The issuer is responsible for generating the group credentials and for issuing the credentials to client platforms.  ...  that the TPM keys are compromised).  ... 
doi:10.1007/978-3-642-24712-5_4 fatcat:qs6d4c5u7nhh5erfbmqfh2ag4m