CICI: Secure Data Architecture: Improving the Security and Usability of Two-Factor Authentication for Cyberinfrastructure

CICI：安全数据架构：提高网络基础设施双因素身份验证的安全性和可用性

• 批准号: 1547435
• 负责人: Stanislaw Jarecki
• 金额: $ 24.96万
• 依托单位: University of California-Irvine
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-01-01 至 2018-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1547435&HistoricalAwards=false
• 关键词: CICI; Secure; Data; Architecture; Improving

Password authentication is a critical vulnerability in cyberinfrastructure because typical passwords are memorable and easily guessed, leaving them vulnerable to malicious actors. One well-recognized method for strengthening the password security is Two-Factor Authentication (TFA), in which the password is complemented by an additional authentication factor such as a mobile phone or a dedicated token (e.g., a USB dongle). However, current TFA mechanisms do not offer sufficient security and usability. This project breaks new ground towards improving both of these aspects. It designs, implements and evaluates TFA schemes that not only protect against on-line guessing attacks, but also against off-line dictionary attacks in case of server or mobile device compromise. Moreover, the project aims to do so without degrading usability compared to password-only authentication. The creation of formal security models for TFA schemes allow for better understanding of TFA security in general. The resulting research prototypes will be of immense value in future research on building resilient and usable authentication services. The project integrates research into educational activities in the form of advanced curriculum development as well as high school and K-12 student mentoring in the area of Identity and Access Management.The design of new TFA protocols offers security against on-line guessing and offline dictionary attacks. The project formally proves the security of these protocols in a strong security model for TFA protocols that is being introduced as an extension to well-established password-authenticated key exchange (PAKE) models. The goal is to design the TFA protocols in a modular way, allowing for the use of independent device and server components, and enabling the use of the developed schemes with existing password protocols and without the need to modify the server software. Moreover, the research involves developing and testing TFA systems which will instantiate the proposed protocols. The goal is a TFA systems design that utilizes automated and user-transparent data channel between the mobile device and the client, falling back to localized wireless radio communication only when such a channel is unavailable. Such construction would provide high usability since the user experience of the login process would be almost equivalent to password-only authentication. Finally, the project involves conducting rigorous usability studies in the lab environment and field settings to evaluate the performance, usability, and adoption potential of the proposed approaches.

密码认证是网络基础设施中的一个关键漏洞，因为典型的密码容易被记住，而且很容易被猜到，这使它们容易受到恶意行为者的攻击。一种公认的加强密码安全性的方法是双因素身份验证（TFA），其中密码由额外的身份验证因素补充，例如移动电话或专用令牌（例如USB加密狗）。然而，目前的TFA机制不能提供足够的安全性和可用性。这个项目为改善这两个方面开辟了新天地。它设计，实现和评估TFA方案，不仅可以防止在线猜测攻击，还可以防止离线字典攻击，以防服务器或移动设备受损。此外，与纯密码身份验证相比，该项目的目标是在不降低可用性的情况下这样做。为TFA方案创建正式的安全模型可以更好地理解TFA安全性。由此产生的研究原型将对未来构建弹性和可用的认证服务的研究具有巨大的价值。该项目以高级课程开发的形式将研究整合到教育活动中，并在身份和访问管理领域为高中和K-12学生提供指导。新的TFA协议的设计提供了针对在线猜测和离线字典攻击的安全性。该项目在TFA协议的强大安全模型中正式证明了这些协议的安全性，该模型是作为已建立的密码认证密钥交换（PAKE）模型的扩展引入的。目标是以模块化的方式设计TFA协议，允许使用独立的设备和服务器组件，并使开发的方案能够与现有的密码协议一起使用，而无需修改服务器软件。此外，研究还涉及开发和测试TFA系统，以实例化所提出的协议。目标是TFA系统设计利用移动设备和客户端之间的自动化和用户透明的数据通道，仅在该通道不可用时才退回到本地化的无线无线电通信。这种结构将提供高可用性，因为登录过程的用户体验几乎等同于纯密码身份验证。最后，该项目涉及在实验室环境和现场设置中进行严格的可用性研究，以评估所建议方法的性能、可用性和采用潜力。

项目成果

Password-Authenticated Public-Key Encryption

• DOI: 10.1007/978-3-030-21568-2_22
• 发表时间: 2019-06
• 期刊: IACR Cryptol. ePrint Arch.
• 作者: Tatiana Bradley;J. Camenisch;Stanislaw Jarecki;Anja Lehmann;G. Neven;Jiayu Xu