ACSAC
2008
IEEE

pwdArmor: Protecting Conventional Password-Based Authentications

pwdArmor is a framework for fortifying conventional password-based authentications. Many password protocols are performed within an encrypted tunnel (e.g., TLS) to prevent exposure of the password itself, or of material usable for an offline password-guessing attack. Failure to establish, or to correctly verify, this tunnel completely invalidates its protections. The rampant success of phishing demonstrates the risk of relying solely on the user to ensure that a tunnel is established with the correct entity. pwdArmor wraps around existing password protocols. It thwarts passive attacks and improves detection, by both users and servers, of man-in-the-middle attacks. If a user is tricked into authenticating to an attacker instead of the real server, the user’s password is never disclosed. Although pwdArmor does not require an encrypted tunnel, it gains added protection against active attack if one is employed, even if the tunnel is established with an attacker rather than the real server. Thes...
Timothy W. van der Horst, Kent E. Seamons
Type: Conference
Year: 2008
Where: ACSAC
Authors: Timothy W. van der Horst, Kent E. Seamons