pwdArmor: Protecting Conventional Password-Based Authentications


Detailed description

Saved in:
Bibliographic details
Main authors: Seamons, Kent E.; van der Horst, Timothy W.
Format: Conference proceeding
Language: eng
Subjects:
Online access: Order full text
container_end_page 452
container_start_page 443
creator Seamons, Kent E.; van der Horst, Timothy W.
description pwdArmor is a framework for fortifying conventional password-based authentications. Many password protocols are performed within an encrypted tunnel (e.g., TLS) to prevent the exposure of the password itself, or of material for an offline password guessing attack. Failure to establish, or to correctly verify, this tunnel completely invalidates its protections. The rampant success of phishing demonstrates the risk of relying solely on the user to ensure that a tunnel is established with the correct entity. pwdArmor wraps around existing password protocols. It thwarts passive attacks and improves detection, by both users and servers, of man-in-the-middle attacks. If a user is tricked into authenticating to an attacker, instead of the real server, the user's password is never disclosed. Although pwdArmor does not require an encrypted tunnel, it gains added protection from active attack if one is employed, even if the tunnel is established with an attacker and not the real server. These assurances significantly reduce the effectiveness of password phishing. Wrapping a protocol with pwdArmor requires no modification to the underlying protocol or to its existing database of password verifiers.
doi_str_mv 10.1109/ACSAC.2008.46
format Conference Proceeding
fullrecord (machine-readable IEEE record; unique fields summarized) ISBN: 0769534473 / 9780769534473; EISSN: 2576-9103; publisher: IEEE; published: 2008-12; 10 pages; IEEE Xplore record: https://ieeexplore.ieee.org/document/4721579
fulltext fulltext_linktorsrc
identifier ISSN: 1063-9527
ispartof 2008 Annual Computer Security Applications Conference (ACSAC), 2008, p.443-452
issn 1063-9527; 2576-9103
language eng
recordid cdi_ieee_primary_4721579
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Application software; Authentication; Computer security; Cryptography; Internet; Protection; Protocols; Public key; Web server; Wrapping
title pwdArmor: Protecting Conventional Password-Based Authentications
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-20T12%3A56%3A33IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=pwdArmor:%20Protecting%20Conventional%20Password-Based%20Authentications&rft.btitle=2008%20Annual%20Computer%20Security%20Applications%20Conference%20(ACSAC)&rft.au=Seamons,%20Kent%20E.&rft.date=2008-12&rft.spage=443&rft.epage=452&rft.pages=443-452&rft.issn=1063-9527&rft.eissn=2576-9103&rft.isbn=0769534473&rft.isbn_list=9780769534473&rft_id=info:doi/10.1109/ACSAC.2008.46&rft_dat=%3Cieee_6IE%3E4721579%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=4721579&rfr_iscdi=true