Universal Key to Authentication Authority with Human-Computable OTP Generator
Sławomir Matelski
DOI: http://dx.doi.org/10.15439/2022F71
Citation: Proceedings of the 17th Conference on Computer Science and Intelligence Systems, M. Ganzha, L. Maciaszek, M. Paprzycki, D. Ślęzak (eds). ACSIS, Vol. 30, pages 663–671 (2022)
Abstract. The subject of this paper is an enhanced alternative to the Multi-Factor Authentication (MFA) methods. The improvement lies in the elimination of any supplementary gadgets/devices or theft-sensitive biometric data, by substituting them with direct human-computer authentication, optionally supplemented by cognitive biometrics. This approach remains secure also in untrusted systems or environments. It allows only one secret as a universal private key for all obtainable online accounts. However, the features of this new solution make it better suited for use by the Authentication Authority with the Single-Sign-On (SSO) method of identity and access management, rather than for individual services. This secret key is used by our innovative challenge-response protocol for human-generated One-Time Passwords (OTP) based on a hard lattice problem with noise introduced by our new method, which we call Learning with Options (LWO). This secret has the form of an outline like a kind of handwritten autograph, designed in invisible ink. The password generation process requires following such an invisible contour, similar to a manual autograph, and it can also be done offline on paper documents with an acceptable level of security and usability, meeting the requirements for post-quantum symmetric ciphers and commercial implementation also in the field of IoT.