CICI: Secure Data Architecture: Improving the Security and Usability of Two-Factor Authentication for Cyberinfrastructure

CICI：安全数据架构：提高网络基础设施双因素身份验证的安全性和可用性

• 批准号: 1547350
• 负责人: Nitesh Saxena
• 金额: $ 24.97万
• 依托单位: University of Alabama at Birmingham
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-01-01 至 2021-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1547350&HistoricalAwards=false
• 关键词: CICI; Secure; Data; Architecture; Improving

Password authentication is a critical vulnerability in cyberinfrastructure because typical passwords are memorable and easily guessed, leaving them vulnerable to malicious actors. One well-recognized method for strengthening the password security is Two-Factor Authentication (TFA), in which the password is complemented by an additional authentication factor such as a mobile phone or a dedicated token (e.g., a USB dongle). However, current TFA mechanisms do not offer sufficient security and usability. This project breaks new ground towards improving both of these aspects. It designs, implements and evaluates TFA schemes that not only protect against on-line guessing attacks, but also against off-line dictionary attacks in case of server or mobile device compromise. Moreover, the project aims to do so without degrading usability compared to password-only authentication. The creation of formal security models for TFA schemes allow for better understanding of TFA security in general. The resulting research prototypes will be of immense value in future research on building resilient and usable authentication services. The project integrates research into educational activities in the form of advanced curriculum development as well as high school and K-12 student mentoring in the area of Identity and Access Management.The design of new TFA protocols offers security against on-line guessing and offline dictionary attacks. The project formally proves the security of these protocols in a strong security model for TFA protocols that is being introduced as an extension to well-established password-authenticated key exchange (PAKE) models. The goal is to design the TFA protocols in a modular way, allowing for the use of independent device and server components, and enabling the use of the developed schemes with existing password protocols and without the need to modify the server software. Moreover, the research involves developing and testing TFA systems which will instantiate the proposed protocols. The goal is a TFA systems design that utilizes automated and user-transparent data channel between the mobile device and the client, falling back to localized wireless radio communication only when such a channel is unavailable. Such construction would provide high usability since the user experience of the login process would be almost equivalent to password-only authentication. Finally, the project involves conducting rigorous usability studies in the lab environment and field settings to evaluate the performance, usability, and adoption potential of the proposed approaches.

密码认证是网络基础设施中的一个关键漏洞，因为典型的密码容易记忆且容易被猜测，使其容易受到恶意行为者的攻击。一种公认的加强密码安全性的方法是双因素身份验证（TFA），其中密码由额外的身份验证因素（例如移动的电话或专用令牌（例如，USB加密狗）。然而，目前的TFA机制不提供足够的安全性和可用性。该项目为改善这两个方面开辟了新的天地。设计、实现并评估了TFA方案，该方案不仅能抵抗在线猜测攻击，还能抵抗服务器或移动终端受到攻击时的离线字典攻击。此外，该项目的目标是这样做，而不降低可用性相比，密码只有身份验证。为TFA方案创建正式的安全模型，可以更好地理解TFA的安全性。由此产生的研究原型将是巨大的价值，在未来的研究建设弹性和可用的认证服务。该项目以高级课程开发以及高中和K-12学生在身份和访问管理领域的指导的形式将研究融入教育活动。新的TFA协议的设计提供了对在线猜测和离线字典攻击的安全性。该项目正式证明了这些协议的安全性，在一个强大的安全模型TFA协议，被引入作为一个扩展，完善的密码认证密钥交换（PAKE）模型。目标是以模块化的方式设计TFA协议，允许使用独立的设备和服务器组件，并使开发的方案能够与现有的密码协议一起使用，而无需修改服务器软件。此外，研究涉及开发和测试TFA系统，将实例化所提出的协议。 目标是一种TFA系统设计，其利用移动终端和客户端之间的自动化和用户透明的数据信道，仅当这样的信道不可用时才退回到局部无线电通信。这种构造将提供高可用性，因为登录过程的用户体验将几乎等同于仅密码认证。最后，该项目涉及在实验室环境和现场环境中进行严格的可用性研究，以评估所提出的方法的性能，可用性和采用潜力。