A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

Interdisciplinary Research Group in Socio-technical Cybersecurity

Ziya Alper Genç, Gabriele Lenzini, Peter Y. A. Ryan, Itzel Vazquez Sandoval
Abstract:
Password-based authentication is a widespread method to access systems, thus password files are a valuable resource and often the target of attacks. To detect when a password file has been stolen, Juels and Rivest introduced the Honeywords System in 2013. The core idea is to store the password with a list of decoy words that are "indistinguishable" from the password, called honeywords. An adversary that obtains the password file and, by dictionary attack, retrieves the honeywords can only guess the password when attempting to log in: but any incorrect guess will set off an alarm, warning that the file has been compromised. In a recent conference paper, we studied the security of the Honeywords System in a scenario where the intruder also manages to corrupt the server's code (with certain limiting assumptions); we proposed an authentication protocol and proved it secure despite the corruption. In this extended journal version, we detail the analysis and extend it, under the same attacker model, to the other two protocols of the original Honeywords System, the setup and change of password. We formally verify the security of both of them; further, we discuss that our design suggests a completely new approach that diverges from the original idea of the Honeywords System but indicates an alternative way to authenticate users which is robust to server code corruption.
Publication date:
July, 2019
Published in:
Communications in Computer and Information Science
Reference:
Genç, Z. A., Lenzini, G., Ryan, P. Y., & Sandoval, I. V. (2018, January). A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack. In International Conference on Information Systems Security and Privacy (pp. 125-151). Springer, Cham.