KOÇ UNIVERSITY
GRADUATE SCHOOL OF SCIENCES & ENGINEERING
COMPUTER SCIENCE AND ENGINEERING
MS THESIS DEFENSE BY DEVRİŞ İŞLER
Title: Distributed Single Password Protocols
Speaker: Devriş İşler
Time: July 12, 2018, 11:00 am
Place: ENG208
Koç University
Rumeli Feneri Yolu
Sariyer, İstanbul
Thesis Committee Members:
Assist. Prof. Alptekin Küpçü (Advisor, Koç University)
Assist. Prof. Aykut Çoşkun (Koç University)
Prof. Dr. Kemal Bıçakcı (TOBB University of Economics and Technology)
Abstract:
Passwords are the most widely used form of online user authentication. In a traditional setup, the user, who has a human-memorable low-entropy password, wants to authenticate with a login server. Unfortunately, existing solutions in this setting are either non-portable or insecure against many attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks. Distributed single password protocols are proposed to overcome the challenges of traditional password protocols that are vulnerable to the aforementioned attacks. Distributed single password protocols (DiSPP) provide provable security against these attacks by additionally employing a storage provider (either a cloud storage or a mobile device, for portability). While ensuring provable security, they allow a user to securely use one single low-entropy, human-memorable password for all her accounts and to remember only one single password (and a username). In this thesis, we introduce a framework for DiSPP that exploits alternative cryptographic schemes as a way to obtain secure distributed single password protocols with different trade-offs among server-side updates, requirements on the network channel (between user and login server), and performance. The existing solutions are considered to illustrate the proposed framework. We then introduce a secure DiSPP instantiation derived from our framework that enhances existing DiSPP solutions. We define ideal- and real-world indistinguishability for DiSPP, and formally prove the security of our proposed solution via ideal-real simulation. Finally, we implement two DiSPPs (one of them our proposed solution) and assess their usability against their counterparts (traditional password and two-factor authentication). We conclude that DiSPP systems overall constitute a usable alternative to existing solutions that do not provide offline dictionary attack protection.