
Can “Something You Know” Be Saved?

  • Conference paper
Information Security (ISC 2008)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5222)

Abstract

“Something you know,” in the form of passwords, has been the cornerstone of authentication for some time; however, its inability to survive replay attacks threatens this state of affairs. While “something you know” may always be used in addition to “something you have,” we examine whether it can be salvaged as the sole factor for authentication. A recent surge of interest in challenge-response authentication schemes raises the question of whether a secret shared between the user and the server can allow secure access even in the presence of spyware.

Our conclusion is negative. Assuming only a limit on the amount that a user can remember and calculate, we find that any scheme likely to be usable is too easily brute-forced if the attacker observes several logins. This is true irrespective of the details of the scheme. The vital parameter is the number of bits of the secret involved in each bit of the response. When this number is too low the scheme is easily brute-forced, but making it high makes the scheme unworkable for the user. Our conclusion is that single-factor “something you know” schemes have a fundamental weakness unless the number of logins the attacker observes can be restricted.
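The parameter the abstract singles out can be watched in a small simulation. The following is an added example written for this page, not code or a construction from the paper (whose full text this page does not display). It assumes a toy scheme in which the user memorises a 40-bit secret and, for each response bit, answers with the majority of k secret bits that the server names in the challenge; the attacker is spyware on the client that has recorded 30 logins and then enumerates candidate secrets, pruning as soon as a fully assigned constraint is violated. The secret size, the response length, the login count, the majority function and all the function names are assumptions made here.

```python
"""Toy model of a single-factor "something you know" challenge-response
scheme and the brute-force attack an observer can mount on it.

Constructed example, not the paper's scheme. The secret is N_BITS bits the
user memorises. For every response bit the server names K secret positions
and the user answers with the majority of those K bits (K odd, so no ties).
Spyware on the client sees every (positions, answer) pair. The attacker
recovers the secret by depth-first enumeration of candidates, checking each
observed constraint as soon as all of its positions are assigned. The work
grows with K, the number of secret bits behind each response bit, which is
exactly the quantity the user must read and compute mentally.
"""
import random

N_BITS = 40       # length of the memorised secret (assumption)
RESP_BITS = 20    # response bits per login (assumption)


def majority(bits):
    """1 if more than half of the given bits are set."""
    return int(2 * sum(bits) > len(bits))


def make_secret(rng, n_bits=N_BITS):
    return [rng.randrange(2) for _ in range(n_bits)]


def make_challenge(rng, k, n_bits=N_BITS, resp_bits=RESP_BITS):
    """One login's challenge: for each response bit, K distinct secret
    positions, stored sorted so the last entry is the highest index."""
    assert k % 2 == 1, "K must be odd so majority is well defined"
    return [tuple(sorted(rng.sample(range(n_bits), k))) for _ in range(resp_bits)]


def respond(secret, challenge):
    """User side: majority of the named secret bits, one per response bit."""
    return [majority([secret[i] for i in pos]) for pos in challenge]


def brute_force(observed, n_bits=N_BITS):
    """Attacker side. `observed` is a list of (positions, response_bit) pairs
    captured over several logins. Positions are assigned in index order and a
    constraint is tested the moment its highest position is assigned, so
    constraints over few bits prune early and constraints over many bits
    prune late. Returns (all consistent secrets, number of nodes visited)."""
    by_last = [[] for _ in range(n_bits)]
    for pos, bit in observed:
        by_last[pos[-1]].append((pos, bit))
    cand = [0] * n_bits
    solutions = []
    nodes = 0

    def consistent(depth):
        return all(majority([cand[i] for i in pos]) == bit
                   for pos, bit in by_last[depth])

    def search(depth):
        nonlocal nodes
        if depth == n_bits:
            solutions.append(list(cand))
            return
        for value in (0, 1):
            cand[depth] = value
            nodes += 1
            if consistent(depth):
                search(depth + 1)

    search(0)
    return solutions, nodes


def attack(k, logins, seed=1):
    """Simulate `logins` observed logins of a scheme with K secret bits per
    response bit and run the attacker's search.
    Returns (true secret, consistent secrets found, nodes visited)."""
    rng = random.Random(seed)
    secret = make_secret(rng)
    observed = []
    for _ in range(logins):
        challenge = make_challenge(rng, k)
        observed.extend(zip(challenge, respond(secret, challenge)))
    solutions, nodes = brute_force(observed)
    return secret, solutions, nodes


if __name__ == "__main__":
    for k in (3, 5):
        secret, sols, nodes = attack(k, logins=30)
        print(f"k={k}: {len(sols)} consistent secret(s), "
              f"recovered={sols == [secret]}, nodes visited={nodes} "
              f"(naive enumeration: 2^{N_BITS} = {2 ** N_BITS})")
```

With k=3 and k=5 the attacker recovers the one secret consistent with the 30 observed logins after visiting a tiny fraction of the 2^40 candidates, and the node count rises with k: raising the number of secret bits behind each response bit is what makes the search expensive, and it is also what makes the user's mental arithmetic harder. Parity would be a worse choice than majority for the user's function, since it is linear in the secret and falls to Gaussian elimination whatever k is.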




Editor information

Tzong-Chen Wu, Chin-Laung Lei, Vincent Rijmen, Der-Tsai Lee


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Coskun, B., Herley, C. (2008). Can “Something You Know” Be Saved?. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_29


  • DOI: https://doi.org/10.1007/978-3-540-85886-7_29

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85884-3

  • Online ISBN: 978-3-540-85886-7

