LIU Dong, CHEN Jing, DU Ruiying, ZHANG Huanguo. Enhancing Security of the Reduced-Operation Two-Factor Authentication by Using Ambient WiFi[J]. Chinese Journal of Electronics, 2018, 27(3): 625-633. doi: 10.1049/cje.2018.03.004

Enhancing Security of the Reduced-Operation Two-Factor Authentication by Using Ambient WiFi

doi: 10.1049/cje.2018.03.004
Funds:  This work is supported by the National Natural Science Foundation of China (No.61572380, No.61772383, No.61702379, No.U1536204), and the Major State Basic Research Development Program of China (No.2014CB340600).
  • Corresponding author: CHEN Jing was born in 1981. He is a professor in the Computer School, Wuhan University. He has published more than 90 research papers in international journals and conferences, such as IEEE Transactions on Information Forensics & Security, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Mobile Computing, IEEE Transactions on Computers, INFOCOM, SECON, and TrustCom. His research interests include network security and cloud security. (Email: chenjing@whu.edu.cn)
  • Received Date: 2017-07-31
  • Rev Recd Date: 2017-12-01
  • Publish Date: 2018-05-10
  • Recently, several reduced-operation two-factor authentication (2FA) methods have been proposed to improve the usability of traditional 2FA. The existing works cannot protect the user's password from online guessing attacks and offline dictionary attacks, and they cannot resist the identity fraud attack caused by co-located attackers who have obtained the victim's password. To solve these problems, we provide a WiFi-based 2FA approach that enhances the security of reduced-operation 2FA without increasing the complexity of the operation for the user. We analyze our approach's security in terms of identity fraud attack resistance, salt guessing attack resistance, and password guessing attack resistance. We also implement a prototype system and test its performance in various scenarios, e.g., lab, library, and dormitory. The security analysis and experimental results show the effectiveness of our scheme for authentication.
