Informatica

After Morris and Thompson wrote the first paper on password security in 1979, strict password policies have been enforced to make sure users follow the rules on passwords. Many such policies require users to select and use a system-generated password. The objective of this paper is to analyse the effectiveness of strict password management policies with respect to how users remember system-generated passwords of different textual types – plaintext strings, passphrases, and hybrid graphical-textual PsychoPass passwords. In an experiment, participants were assigned a random string, passphrase, and PsychoPass passwords and had to memorize them. Surprisingly, no one has remembered either the random string or the passphrase, whereas only 10% of the participants remembered their PsychoPass password. The policies where administrators let systems assign passwords to users are not appropriate. Although PsychoPass passwords are easier to remember, the recall rate of any system-assigned password is below the acceptable level. The findings of this study explain that system-assigned strong passwords are inappropriate and put unacceptable memory burden on users.

This paper presents an entire chaos-based biometric remote user authentication scheme on tokens without using passwords. The proposed scheme is based on the chaotic hash function and chaotic pseudo-random number generator to provide secure mutual authentication over an insecure channel between the user and remote server. Compared with the related biometric authentication schemes, the proposed scheme does not require the user password to provide convenience to users. It also does not require time synchronization or delay-time limitations between the user and remote server to resolve time synchronization problems.

With rapid growth of mobile wireless networks, handheld devices are popularly used by people and many mobile applications have been rapidly developed. Considering the limited computing capability of smart cards or mobile devices, the security scheme design suitable for these mobile devices is a nontrivial challenge. A user authentication scheme is a mechanism to authenticate a remote user over an open network. In 2006, Das et al. proposed an identity (ID)-based remote user authentication scheme with smart cards using bilinear pairings. Unfortunately, their scheme is insecure against forgery attack. Recently, Giri and Srivastava proposed an improved scheme to overcome the forgery attack. The computational cost required by the Giri–Srivastava scheme is expensive, especially for smart cards with limited computing capability. In addition, the Giri–Srivastava scheme is unable to be used for a multi-server environment. This paper presents an efficient and secure ID-based remote user authentication scheme using bilinear pairings. Based on the computational Diffie–Hellman assumption, we show that the proposed scheme is secure against existential forgery on adaptively chosen-message and ID attack in the random oracle model. As compared with the recently proposed pairing-based authentication schemes, our scheme has better performance in term of the computational cost and it is suitable for a multi-server environment in distributed networks. Performance analysis and experimental data of related pairing operations on smartcards are given to demonstrate that our scheme is well suited for mobile devices with limited computing capability.

The invention of public-key cryptography makes many new network applications, such as electronic commerce (CE), possible. However, the widely used Internet is open and unprotected. Therefore, verifying the legitimacy of an individual's public key is very important. Most of the key authentication schemes require one or more trustworthy authorities to authenticate the key of a user. Consequently, the system security is mainly dependent on the honesty of these third parties. Unfortunately, a security solution in wide area networks (for example, the Internet) often cannot be applied to local area networks directly without any modification. Sometimes, a complete rebuild is necessary, especially for performance criteria consideration. In this paper, we propose two simple key authentication schemes that require no certification authorities for computer systems in local area networks, in which a host is responsible for user authentication and it uses a designated password authentication mechanism.

Yamaguchi, Okayama, and Miyahara proposed a simple but efficient authentication system, SPLICE/AS. In this article, we show that their method is vulnerable to the guessing attack. An attacker can obtain the password, private-key, and public-key of the user. To overcome the vulnerability of SPLICE/AS to the guessing attack, we propose an improvement of their system. In our scheme, we not only prevent the guessing attack to obtain secret messages but also enhance the security of the SPLICE/AS authentication system in WIDE.