ACE Seminar: Threshold Single Password Authentication

Speaker: Devris Isler

Date/Time: 31-Jul-2017, 12:30 UTC

Venue: Roberts 309



Passwords are the most widely used form of online user authentication. In a traditional setup, the user, who has a human-memorable low entropy password, wants to authenticate with a login server. Unfortunately, existing solutions in this setting are either nonportable or insecure against many attacks, including phishing, man-in- the-middle, honeypot, and offline dictionary attacks. Three previous studies (Acar et al. 2013, Bicakci et al. 2011, and Jarecki et al. 2016) provide solutions secure against offline dictionary attacks by additionally employing a storage provider (either a cloud storage or a mobile device for portability). These works provide solutions where offline dictionary attacks are impossible as long as the adversary does not corrupt both the login server and the storage provider. For the first time, improving these previous works, we provide a more secure generalized solution employing multiple storage providers, where our solution is proven secure against offline dictionary attacks as long as the adversary does not corrupt the login server and threshold-many storage providers. We define ideal and real world indistinguishability for threshold single password authentication (Threshold SPA) schemes, and formally prove security of our solution via ideal-real simulation. Our solution provides security against all the above-mentioned attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks, and requires no change on the server side. Thus, our solution can immediately be deployed via a browser extension (or a mobile application) and support from some storage providers. We further argue that our protocol is efficient and scalable, and provide performance evaluation.


Devris Isler (was supposed to be named Dervi? by his parents but thanks to the registrar, his name turned into Devri?), is currently an M.Sc. student at Koç University, ?stanbul and a member of Cryptography, Security, and Privacy Research Group where he is honored to work under the supervision of Assist. Prof. Alptekin Küpçü. His research topic is mainly password authentication (though always having fun in security and cryptography). During his bachelor study, he spent 3 months on summer research internship (2014), supervised by Assoc. Prof. Mohammad Mannan at Concordia University, Montreal, Canada, and was awarded by Mitacs Globalink Summer Research Internship Program, and he also worked on secure multi-party computation under the supervisions of Assoc. Prof. Serdar Pehlivano?lu, and Assist. Prof. Mehmet Ercan Nergiz.

Add to Calendar

This page was last modified on 27 Mar 2014.