
NSF Org: |
OAC Office of Advanced Cyberinfrastructure (OAC) |
Recipient: |
|
Initial Amendment Date: | September 4, 2015 |
Latest Amendment Date: | September 4, 2015 |
Award Number: | 1547435 |
Award Instrument: | Standard Grant |
Program Manager: |
Rob Beverly
OAC Office of Advanced Cyberinfrastructure (OAC) CSE Directorate for Computer and Information Science and Engineering |
Start Date: | January 1, 2016 |
End Date: | December 31, 2018 (Estimated) |
Total Intended Award Amount: | $249,603.00 |
Total Awarded Amount to Date: | $249,603.00 |
Funds Obligated to Date: |
|
History of Investigator: |
|
Recipient Sponsored Research Office: |
160 ALDRICH HALL IRVINE CA US 92697-0001 (949)824-7295 |
Sponsor Congressional District: |
|
Primary Place of Performance: |
444 Computer Science Bldg Irvine CA US 92697-9016 |
Primary Place of
Performance Congressional District: |
|
Unique Entity Identifier (UEI): |
|
Parent UEI: |
|
NSF Program(s): | Cybersecurity Innovation |
Primary Program Source: |
|
Program Reference Code(s): |
|
Program Element Code(s): |
|
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Password authentication is a critical vulnerability in cyberinfrastructure because typical passwords are memorable and easily guessed, leaving them vulnerable to malicious actors. One well-recognized method for strengthening the password security is Two-Factor Authentication (TFA), in which the password is complemented by an additional authentication factor such as a mobile phone or a dedicated token (e.g., a USB dongle). However, current TFA mechanisms do not offer sufficient security and usability. This project breaks new ground towards improving both of these aspects. It designs, implements and evaluates TFA schemes that not only protect against on-line guessing attacks, but also against off-line dictionary attacks in case of server or mobile device compromise. Moreover, the project aims to do so without degrading usability compared to password-only authentication. The creation of formal security models for TFA schemes allow for better understanding of TFA security in general. The resulting research prototypes will be of immense value in future research on building resilient and usable authentication services. The project integrates research into educational activities in the form of advanced curriculum development as well as high school and K-12 student mentoring in the area of Identity and Access Management.
The design of new TFA protocols offers security against on-line guessing and offline dictionary attacks. The project formally proves the security of these protocols in a strong security model for TFA protocols that is being introduced as an extension to well-established password-authenticated key exchange (PAKE) models. The goal is to design the TFA protocols in a modular way, allowing for the use of independent device and server components, and enabling the use of the developed schemes with existing password protocols and without the need to modify the server software. Moreover, the research involves developing and testing TFA systems which will instantiate the proposed protocols. The goal is a TFA systems design that utilizes automated and user-transparent data channel between the mobile device and the client, falling back to localized wireless radio communication only when such a channel is unavailable. Such construction would provide high usability since the user experience of the login process would be almost equivalent to password-only authentication. Finally, the project involves conducting rigorous usability studies in the lab environment and field settings to evaluate the performance, usability, and adoption potential of the proposed approaches.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
Note:
When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external
site maintained by the publisher. Some full text articles may not yet be available without a
charge during the embargo (administrative interval).
Some links on this page may take you to non-federal websites. Their policies may differ from
this site.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
In this project we developed cryptographic protocols which improve the security of authentication of users to servers and server to users over the internet. Today users typically authenticate to servers by sending their passwords over a TLS connection, possibly attaching a short one-time PIN generated by a "second factor" authentication device.
The two possibly weakest aspects of this authentication method is that (1) if a user is tricked into communicating with a spoofed server the user will send his/her password to the attacker, and (2) servers store databases of hashed passwords of all their users, and if a server is broken into by hackers, which happens routinly, the hackers can recover passwords of most users via so-called Offline Dictionary Attack, i.e. by hashing password candidates and comparing to the password hashes stored by the server. In this project we developed several novel practical cryptographic protocols which eliminate both of these weaknesses. Moreover, several protocols we developed can be integrated with current authentication infrastructure to enable easier adoption of our methods, and we are currently proposing to IETF to adopt some of these protocols as TLS extensions.
We believe that the three most transformative aspects of our work are: First, we developed practical password-authentication protocols in the client-server setting which improve upon the current authentication methods by protecting the user's password even if the user is tricked into authenticating to a spoofed server. Second, we developed several efficient methods for effectively splitting, a.k.a. "secret-sharing", of hashed passwords stored by the server, so that server compromise will no longer enable Offline Dictionary Attacks against users' passwords. Third, we showed how to efficiently apply both of these security benefits to practical two-factor authentication protocols.
Last Modified: 04/10/2019
Modified by: Stanislaw M Jarecki
Please report errors in award information by writing to: awardsearch@nsf.gov.