HPAKE: Honey Password-Authenticated Key Exchange for Fast and Safer Online Authentication | IEEE Journals & Magazine | IEEE Xplore


Abstract:

Password-only authentication is one of the most popular secure mechanisms for real-world online applications. But it is exposed to a practical threat, password leakage, caused by both external and internal attackers. An external attacker may compromise the password file stored on the authentication server, and an insider may deliberately steal the passwords or inadvertently leak them. So far, there are two main techniques to address leakage: augmented password-authenticated key exchange (aPAKE) against insiders, and the honeyword technique against external attackers. Neither resists both attacks. To fill this gap, we propose the notion of honey PAKE (HPAKE), which allows the authentication server to detect password leakage and achieves security beyond the traditional bound of aPAKE. Further, we build an HPAKE construction on top of the honeyword mechanism, honey encryption, and OPAQUE, a standardized aPAKE. We formally analyze the security of our design, proving insider resistance and password breach detection. We implement our design and deploy it in a real environment. The experimental results show that our protocol costs only 71.27 ms for one complete run, within which 20.67 ms is computation and 50.6 ms is communication. This means our design is secure and practical for real-world applications.
Page(s): 1596 - 1609
Date of Publication: 18 October 2022


I. Introduction

Password-only authentication (PoA), which has great advantages in usability and deployability, is one of the most popular online authentication methods [1]. It has been attracting attention from academia, and many research works have recently been proposed in this field [2], [3], [4]. But PoA is highly vulnerable to password leakage. Billions of personal and business passwords have been compromised by hackers [5], causing considerable privacy leakage and financial loss for users; for example, Yahoo exposed 3 billion accounts [6] and finally agreed to settle for 117.5 million US dollars [7]. In practice, password leakage may be caused by: 1) active external attacks (e.g., SQL injection), or 2) internal design flaws and software bugs (for instance, GitHub recorded passwords in plaintext [8]). Handling these attacks in the context of PoA is not trivial.
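As an added illustration (not code from the paper), the honeyword component that HPAKE builds on: the server stores salted hashes of k sweetwords per account in random order, and a separate honeychecker holds only the index of the real password, so a login attempt with a decoy indicates the password file has been stolen. The user name, decoy list and PBKDF2 hashing are constructed assumptions; the paper's actual construction additionally combines this with OPAQUE and honey encryption, which are not modelled here.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for the constructed example


def hash_sweetword(sweetword: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", sweetword.encode(), salt, ITERATIONS)


class HoneyChecker:
    """Separate hardened component: stores only user -> index of the real password."""
    def __init__(self):
        self._index = {}
        self.alarms = []  # users for whom a decoy (honeyword) was submitted

    def set_index(self, user: str, idx: int) -> None:
        self._index[user] = idx

    def check(self, user: str, idx: int) -> bool:
        if idx == self._index[user]:
            return True
        self.alarms.append(user)  # decoy matched: password file likely leaked
        return False


class AuthServer:
    """Holds salt + hashes of k sweetwords per user; cannot tell which one is real."""
    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self.db = {}

    def register(self, user: str, password: str, decoys: list) -> None:
        sweetwords = decoys + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real one's position
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, [hash_sweetword(s, salt) for s in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        salt, hashes = self.db[user]
        h = hash_sweetword(attempt, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, idx) else "honeyword-alarm"
        return "wrong-password"


def demo() -> tuple:
    # Constructed account: one real password plus three decoys (k = 4).
    checker = HoneyChecker()
    server = AuthServer(checker)
    server.register("alice", "Tr0ub4dor&3", ["Tr0ub4dor&7", "Tr0ub4dor&9", "Tr0ub4dor&1"])
    return (server.login("alice", "Tr0ub4dor&3"),   # real password
            server.login("alice", "Tr0ub4dor&9"),   # decoy: breach signal
            server.login("alice", "letmein"),       # ordinary failed login
            checker.alarms)
```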

