Award Abstract # 1547435
CICI: Secure Data Architecture: Improving the Security and Usability of Two-Factor Authentication for Cyberinfrastructure

NSF Org: OAC
Office of Advanced Cyberinfrastructure (OAC)
Recipient: UNIVERSITY OF CALIFORNIA IRVINE
Initial Amendment Date: September 4, 2015
Latest Amendment Date: September 4, 2015
Award Number: 1547435
Award Instrument: Standard Grant
Program Manager: Rob Beverly
OAC
 Office of Advanced Cyberinfrastructure (OAC)
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: January 1, 2016
End Date: December 31, 2018 (Estimated)
Total Intended Award Amount: $249,603.00
Total Awarded Amount to Date: $249,603.00
Funds Obligated to Date: FY 2015 = $249,603.00
History of Investigator:
  • Stanislaw Jarecki (Principal Investigator)
    stanislawjarecki@gmail.com
Recipient Sponsored Research Office: University of California-Irvine
160 ALDRICH HALL
IRVINE
CA  US  92697-0001
(949)824-7295
Sponsor Congressional District: 47
Primary Place of Performance: The Regents of the University of California
444 Computer Science Bldg
Irvine
CA  US  92697-9016
Primary Place of Performance Congressional District: 47
Unique Entity Identifier (UEI): MJC5FCYQTPE6
Parent UEI: MJC5FCYQTPE6
NSF Program(s): Cybersecurity Innovation
Primary Program Source: 01001516DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434
Program Element Code(s): 802700
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Password authentication is a critical vulnerability in cyberinfrastructure because typical passwords are memorable and easily guessed, leaving them vulnerable to malicious actors. One well-recognized method for strengthening password security is Two-Factor Authentication (TFA), in which the password is complemented by an additional authentication factor such as a mobile phone or a dedicated token (e.g., a USB dongle). However, current TFA mechanisms do not offer sufficient security and usability. This project breaks new ground towards improving both of these aspects. It designs, implements and evaluates TFA schemes that not only protect against on-line guessing attacks, but also against off-line dictionary attacks in case of server or mobile device compromise. Moreover, the project aims to do so without degrading usability compared to password-only authentication. The creation of formal security models for TFA schemes allows for better understanding of TFA security in general. The resulting research prototypes will be of immense value in future research on building resilient and usable authentication services. The project integrates research into educational activities in the form of advanced curriculum development as well as high school and K-12 student mentoring in the area of Identity and Access Management.

The design of new TFA protocols offers security against on-line guessing and offline dictionary attacks. The project formally proves the security of these protocols in a strong security model for TFA protocols that is being introduced as an extension to well-established password-authenticated key exchange (PAKE) models. The goal is to design the TFA protocols in a modular way, allowing for the use of independent device and server components, and enabling the use of the developed schemes with existing password protocols and without the need to modify the server software. Moreover, the research involves developing and testing TFA systems which will instantiate the proposed protocols. The goal is a TFA system design that utilizes an automated and user-transparent data channel between the mobile device and the client, falling back to localized wireless radio communication only when such a channel is unavailable. Such a construction would provide high usability since the user experience of the login process would be almost equivalent to password-only authentication. Finally, the project involves conducting rigorous usability studies in the lab environment and field settings to evaluate the performance, usability, and adoption potential of the proposed approaches.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Bradley, Tatiana and Camenisch, Jan and Jarecki, Stanislaw and Lehmann, Anja and Neven, Gregory and Xu, Jiayu "Password-Authenticated Public-Key Encryption" Applied Cryptography and Network Security - 17th International Conference, ACNS 2019 , v.11464 , 2019 https://doi.org/10.1007/978-3-030-21568-2_22
Maliheh Shirvanian, Stanislaw Jarecki, Hugo Krawczyk, Nitesh Saxena "SPHINX: A Password Store that Perfectly Hides Passwords from Itself" 37th IEEE International Conference on Distributed Computing Systems, ICDCS , 2017 , p.1094 10.1109/ICDCS.2017.64
Stanislaw Jarecki, Aggelos Kiayias, Hugo Krawczyk, Jiayu Xu "Highly-Efficient and Composable Password-Protected Secret Sharing (Or: How to Protect Your Bitcoin Wallet Online)" EuroS&P , 2016 , p.144 978-1-5090-1751-5
Stanislaw Jarecki, Aggelos Kiayias, Hugo Krawczyk, Jiayu Xu "Highly-Efficient and Composable Password-Protected Secret Sharing (Or: How to Protect Your Bitcoin Wallet Online)" IEEE European Symposium on Security and Privacy, EuroS&P , 2016 , p.276 10.1109/EuroSP.2016.30
Stanislaw Jarecki, Aggelos Kiayias, Hugo Krawczyk, Jiayu Xu "TOPPSS: Cost-Minimal Password-Protected Secret Sharing Based on Threshold OPRF" Applied Cryptography and Network Security - 15th International Conference (ACNS) , 2017 , p.39 10.1007/978-3-319-61204-1_3
Stanislaw Jarecki and Hugo Krawczyk and Jason K. Resch "Threshold Partially-Oblivious PRFs with Applications to Key Management" IACR Cryptology ePrint Archive , v.2018 , 2018 , p.733
Stanislaw Jarecki, Hugo Krawczyk, Maliheh Shirvanian, Nitesh Saxena "Device-Enhanced Password Protocols with Optimal Online-Offline Protection" AsiaCCS , 2016 , p.177 978-1-4503-4233-9
Stanislaw Jarecki, Hugo Krawczyk, Maliheh Shirvanian, Nitesh Saxena "Device-Enhanced Password Protocols with Optimal Online-Offline Protection" Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (AsiaCCS) , 2017 , p.177 10.1145/2897845.2897880

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

In this project we developed cryptographic protocols which improve the security of authentication of users to servers and servers to users over the internet. Today users typically authenticate to servers by sending their passwords over a TLS connection, possibly attaching a short one-time PIN generated by a "second factor" authentication device.

The two possibly weakest aspects of this authentication method are that (1) if a user is tricked into communicating with a spoofed server, the user will send his/her password to the attacker, and (2) servers store databases of hashed passwords of all their users, and if a server is broken into by hackers, which happens routinely, the hackers can recover passwords of most users via a so-called Offline Dictionary Attack, i.e., by hashing password candidates and comparing them to the password hashes stored by the server. In this project we developed several novel practical cryptographic protocols which eliminate both of these weaknesses. Moreover, several protocols we developed can be integrated with current authentication infrastructure to enable easier adoption of our methods, and we are currently proposing to IETF to adopt some of these protocols as TLS extensions.

We believe that the three most transformative aspects of our work are: First, we developed practical password-authentication protocols in the client-server setting which improve upon the current authentication methods by protecting the user's password even if the user is tricked into authenticating to a spoofed server.  Second, we developed several efficient methods for effectively splitting, a.k.a. "secret-sharing", of hashed passwords stored by the server, so that server compromise will no longer enable Offline Dictionary Attacks against users' passwords. Third, we showed how to efficiently apply both of these security benefits to practical two-factor authentication protocols.


Last Modified: 04/10/2019
Modified by: Stanislaw M Jarecki
