Cryptography and Expanded Password System
Prof. Hideki Imai, who pushed me to move ahead confidently in 2001 when he was the chair of Japan’s CRYPTREC, used to emphasize repeatedly how critical it is to get the credential data hashed, whether online or offline. It is from him that I learnt about Diffie-Hellman key exchange, elliptic curve cryptography, etc.
We jointly tried the methodology of using the high-entropy credential data generated by Expanded Password System (EPS) as the seed of an RSA key pair; the user's private key does not physically exist anywhere in the universe, but it can be re-generated on the fly from the images that the user picks for authentication at each login. It proved to work on the internet.
Thereafter, we took up the experiment of incorporating EPS into PAKE (password-authenticated key exchange). We were able to demonstrate that it worked with no friction in the lab environment.
These projects, sponsored by government agencies, were completed in 2003 – 2004. In retrospect, we seem to have started these forward-looking projects a bit too early.
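As an added illustration of the key-regeneration idea described above (this is not code from the author's projects; it is a stand-alone sketch written for this page), the Python below expands a sequence of picked images into the long credential string, stretches that string into a seed, and drives a deterministic prime search from the seed, so that the same picks always reproduce the same RSA key pair and no private key is ever stored. The identifier table (constructed to match the "X4s&eI0wdoex7RVb%9Ub3mJvk…" example later on the page), the HMAC counter stream, the PBKDF2 label "eps-rsa-seed-v1" and the toy 512-bit key size are all assumptions of this example; the signing step is unpadded textbook RSA, shown only to prove that the regenerated key works.

```python
import hashlib
import hmac
import math

# Constructed per-user identifier table: each picked image (labelled with a
# character here so that "CBA123" works as a pick sequence) maps to a random
# 8-character identifier of the kind the text describes.
ID_TABLE = {
    "C": "X4s&eI0w", "B": "doex7RVb", "A": "%9Ub3mJv",
    "1": "k7Lq!2Wz", "2": "pT0#rN5e", "3": "Qw8~aZ1c",
}

MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def expand_credential(picks, table=ID_TABLE):
    """Concatenate the identifiers of the picked images: the server-side credential."""
    return "".join(table[p] for p in picks)


def byte_stream(seed):
    """HMAC-SHA256 counter stream (a constructed DRBG, not a standardised one).

    Every byte depends only on the seed, so the prime search below is repeatable."""
    counter = 0
    while True:
        yield from hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def is_probable_prime(n):
    """Miller-Rabin with a fixed base list, so the verdict itself is deterministic."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(stream, bits):
    """Draw odd candidates of exactly `bits` bits from the stream until one is prime."""
    nbytes = bits // 8
    while True:
        cand = int.from_bytes(bytes(next(stream) for _ in range(nbytes)), "big")
        cand |= (1 << (bits - 1)) | 1      # force the top bit and make it odd
        if is_probable_prime(cand):
            return cand


def derive_rsa_keypair(picks, table=ID_TABLE, bits=512):
    """Re-create the user's RSA key pair from the picked images alone.

    Nothing is stored: the expanded credential is stretched into a seed and the
    seed drives the prime search. 512 bits is a toy size chosen to keep the demo fast."""
    credential = expand_credential(picks, table).encode()
    seed = hashlib.pbkdf2_hmac("sha256", credential, b"eps-rsa-seed-v1", 100_000)
    stream = byte_stream(seed)
    e = 65537
    while True:
        p = next_prime(stream, bits // 2)
        q = next_prime(stream, bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)                    # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def sign(private_key, message):
    """Unpadded textbook RSA over SHA-256(message); enough to show the key works."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(public_key, message, signature):
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


if __name__ == "__main__":
    pub, priv = derive_rsa_keypair(list("CBA123"))
    again, _ = derive_rsa_keypair(list("CBA123"))
    print("same picks -> same public key:", pub == again)
    s = sign(priv, b"login challenge")
    print("signature verifies:", verify(pub, b"login challenge", s))
```

Two design points carry over to any real deployment of this idea: the seed stretching (PBKDF2 here) is what makes a brute-force search over pick sequences expensive, and the identifier table is part of the secret, so a user who loses the table also loses the ability to regenerate the key.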
Cryptography helps EPS, and EPS helps Cryptography.
Seemingly Fatal Drawbacks of Pictorial Password – Shoulder Surfing & Low Entropy
We have been advocating Expanded Password System, which accepts images as well as texts, since 2001. We have since kept hearing our proposition blamed for two major ‘drawbacks’ of using images: shoulder surfing and low entropy. Many people are still misled into taking it for granted that this is the case.
The fact is that the threat of shoulder surfing can be mitigated easily by simple techniques on the developers' side (shrinking the images before they are tapped, assigning texts to images so that they can be typed quietly, and so on), while on the users' side the simplest countermeasure is just to look around before tapping the images. How can this be a fatal drawback?
The other seemingly serious problem, low entropy, can be eliminated on the developers' side without placing any extra burden on users.
With Expanded Password System, each image or character is represented by image identifier data, which can be of any length. Assume that your password is “CBA123” and that the image ‘C’ is identified as “X4s&eI0w”, and so on.
When you input CBA123, the authentication data that the server receives is not the easy-to-break “CBA123” but something like “X4s&eI0wdoex7RVb%9Ub3mJvk…………..”, which can be altered automatically, periodically or at each access where desired, without involving users at all.
Passwords of sufficient entropy, if properly hashed, can withstand fierce brute-force attacks. How can this be a fatal drawback?
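The following Python is an added example of the identifier expansion described in the preceding paragraphs; it is not the author's or any product's code. It models a verifier that keeps, per user, a private table mapping each image to a random identifier plus a salted, stretched hash of the concatenated identifiers, and it rotates the identifiers at each successful login, the one moment the picks are in hand, so the stored hash can be recomputed without the user noticing. The 36-image set labelled A–Z and 0–9, the 76-character identifier alphabet, the 8-character identifier length and the PBKDF2 parameters are constructed assumptions. The two entropy helpers go slightly beyond the text: they quantify the guessing space both for an attacker who holds only the hash and for one who also holds the identifier table.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Constructed assumptions: identifier alphabet and per-image identifier length.
ID_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
ID_LENGTH = 8
# Constructed image set: 36 images, labelled by a character so that the page's
# "CBA123" works as a pick sequence.
IMAGES = list(string.ascii_uppercase + string.digits)


def new_identifier():
    return "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH))


def expand(picks, table):
    """What actually leaves the client: the concatenated identifiers, never the labels."""
    return "".join(table[p] for p in picks)


def stretch(credential, salt):
    """Salted, iterated hash of the expanded credential (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)


class EpsServer:
    """Verifier storing, per user, a private identifier table and a salted hash."""

    def __init__(self, rotate_on_login=True):
        self.users = {}
        self.rotate_on_login = rotate_on_login

    def enroll(self, user, picks):
        table = {img: new_identifier() for img in IMAGES}
        salt = os.urandom(16)
        self.users[user] = {"table": table, "salt": salt,
                            "hash": stretch(expand(picks, table), salt)}

    def login(self, user, picks):
        rec = self.users[user]
        candidate = stretch(expand(picks, rec["table"]), rec["salt"])
        ok = hmac.compare_digest(rec["hash"], candidate)
        if ok and self.rotate_on_login:
            # The picks are available right now, so the identifiers can be
            # replaced and the hash recomputed with no action from the user.
            rec["table"] = {img: new_identifier() for img in IMAGES}
            rec["hash"] = stretch(expand(picks, rec["table"]), rec["salt"])
        return ok


def selection_entropy_bits(num_images, picks_len):
    """Guessing space if the attacker also holds the user's identifier table."""
    return picks_len * math.log2(num_images)


def expanded_entropy_bits(picks_len):
    """Guessing space of the wire string if the attacker holds only the hash."""
    return picks_len * ID_LENGTH * math.log2(len(ID_ALPHABET))


if __name__ == "__main__":
    server = EpsServer()
    server.enroll("alice", list("CBA123"))
    print(server.login("alice", list("CBA123")))   # True, and the table rotates
    print(server.login("alice", list("ABC123")))   # False: order matters
    print(round(selection_entropy_bits(36, 6), 1), round(expanded_entropy_bits(6), 1))
```

Two practical consequences follow from the model. Rotation is tied to a successful login because that is the only time the server legitimately sees the picks; a timer-driven rotation would force the server to keep the picks themselves, which defeats the purpose of hashing. And the entropy gain of the expanded string holds against an attacker who has only the hash; if the identifier table leaks as well, the guessing space collapses to the selection entropy, so the table deserves the same protection as a pepper or a key.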
Comments
Hitoshi Kokumai
3 years ago #4
Hitoshi Kokumai
3 years ago #3
Thanks Zacharias. I am sorry to be very late in coming back to you. I had missed your comment. I would like to believe that cybersecurity people will come to comprehend the meaning of our proposition when they have come out of the pitfall of wrongly perceived security effects of password-less authentication and password-killer biometrics. As for the subject of cryptographic keys, you might be interested in my recent article "Account Recovery by Expanded Password System": https://www.bebee.com/producer/@hitoshi-kokumai/account-recovery-with-expanded-password-system
Debesh Choudhury
3 years ago #2
Zacharias 🐝 Voulgaris
3 years ago #1