Out-of-band authentication model with hashcash brute-force prevention

George Violaris, Ioanna Dionysiou

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution

Abstract

Successful out-of-band authentication in popular languages such as PHP has proven to be problematic and in many ways unsafe, as dynamically typed languages allow for more than one way of doing things, and the standards set out are usually not followed. It is true that out-of-band authentication using SMS messaging enhances the security of simple passwords specified by users; however, the handling of One-Time Passwords (OTPs) on the server side is often done with disregard for the ways an attacker can bypass the requirement for such a feature. It is therefore essential to find ways in which the OTP cannot be brute-forced or circumvented, by providing mechanisms such as automatic purging of OTPs from the database and enhancing the safety of server traffic handling, as well as of HTTP form submission requests and responses, with a library known as Hashcash. By using this method, a potential attacker would be met with a time-consuming challenge, which would make any sort of brute-force, denial-of-service or requirement-circumvention attack impractical for gaining access to a PHP login system. Furthermore, the use of Hashcash for credential retransmission and re-authentication for vital aspects of the user's workflow while authenticated makes such a system much harder to penetrate than simple out-of-band or other two-factor authentication schemes.
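The abstract describes two server-side controls: a Hashcash-style proof-of-work challenge that every OTP form submission must carry, and automatic purging of expired OTPs. The following is an added illustration written for this page, not code from the paper or from the Hashcash library; it is in Python rather than the paper's PHP so the mechanism can be read independently of any web framework. Every name in it (`OtpStore`, `new_challenge`, `mint_stamp`, `verify_stamp`, `submit_otp`) is hypothetical, and the server key, user name and timestamps are constructed sample values. The design point is the asymmetry: the client pays roughly 2^bits hash computations to mint a stamp, while the server spends one HMAC and one hash to verify it, and because each stamp is bound to a user, an expiry and a single-use nonce, one stamp buys exactly one OTP guess.

```python
"""Hashcash-style proof-of-work gate in front of single-use OTP verification."""
import hashlib
import hmac
import os
import secrets

DIFFICULTY_BITS = 16          # leading zero bits required; ~65k hashes on average
OTP_LIFETIME_S = 120          # OTP rows are purged after this many seconds
CHALLENGE_LIFETIME_S = 60     # a challenge is usable briefly and only once

SERVER_KEY = os.urandom(32)   # constructed here; a real server keeps this secret persistent


class OtpStore:
    """In-memory stand-in for the database table holding unverified OTPs."""

    def __init__(self):
        self._rows = {}   # user -> (otp, expires_at)

    def issue(self, user, now):
        otp = f"{secrets.randbelow(10**6):06d}"     # 6-digit code, as sent by SMS
        self._rows[user] = (otp, now + OTP_LIFETIME_S)
        return otp

    def purge_expired(self, now):
        """Automatic purging: drop every row whose lifetime has elapsed."""
        expired = [u for u, (_, exp) in self._rows.items() if exp <= now]
        for u in expired:
            del self._rows[u]
        return len(expired)

    def consume(self, user, candidate, now):
        """Single-use check: the row is removed whether or not the code matched."""
        self.purge_expired(now)
        row = self._rows.pop(user, None)
        if row is None:
            return False
        return hmac.compare_digest(row[0], candidate)


def new_challenge(user, now):
    """Server side: challenge = 'user:expiry:nonce:mac'; the MAC stops forgery."""
    nonce = secrets.token_hex(8)
    body = f"{user}:{int(now) + CHALLENGE_LIFETIME_S}:{nonce}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{mac}"


def leading_zero_bits(digest):
    """Count leading zero bits of a byte string (the hashcash difficulty measure)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint_stamp(challenge, bits=DIFFICULTY_BITS):
    """Client side: search for a counter; expected cost is 2**bits hashes."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify_stamp(challenge, counter, user, now, spent, bits=DIFFICULTY_BITS):
    """Server side: one MAC plus one hash; rejects forged, expired or reused stamps."""
    try:
        c_user, c_exp, nonce, mac = challenge.split(":")
    except ValueError:
        return False
    body = f"{c_user}:{c_exp}:{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected) or c_user != user:
        return False
    if int(c_exp) < now or challenge in spent:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    spent.add(challenge)    # each stamp pays for exactly one OTP guess
    return True


def submit_otp(store, spent, user, challenge, counter, candidate, now):
    """Form-submission handler: proof of work first, then the single-use OTP check."""
    if not verify_stamp(challenge, counter, user, now, spent):
        return "rejected: invalid proof of work"
    return "ok" if store.consume(user, candidate, now) else "rejected: bad or expired OTP"


if __name__ == "__main__":
    store, spent, now = OtpStore(), set(), 1_700_000_000   # constructed clock value
    code = store.issue("alice", now)
    challenge = new_challenge("alice", now)
    counter = mint_stamp(challenge)
    print(submit_otp(store, spent, "alice", challenge, counter, code, now))
```

Two things worth checking in a real deployment follow from this shape. First, the proof of work only raises the cost per guess; a six-digit OTP still has a million possibilities, so the purge interval and a per-user attempt counter bound the total guesses an attacker can make within one OTP lifetime. Second, the `spent` set must live in shared server state (the database or a cache), otherwise a multi-process PHP deployment would accept the same stamp once per worker.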

Original language: English
Title of host publication: Proceedings - 16th IEEE International Conference on High Performance Computing and Communications, HPCC 2014, 11th IEEE International Conference on Embedded Software and Systems, ICESS 2014 and 6th International Symposium on Cyberspace Safety and Security, CSS 2014
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 794-801
Number of pages: 8
ISBN (Electronic): 9781479961238
DOIs: 10.1109/HPCC.2014.133
Publication status: Published - 9 Mar 2014
Event: 16th IEEE International Conference on High Performance Computing and Communications, HPCC 2014, 11th IEEE International Conference on Embedded Software and Systems, ICESS 2014 and 6th International Symposium on Cyberspace Safety and Security, CSS 2014 - Paris, France
Duration: 20 Aug 2014 to 22 Aug 2014

Other

Other: 16th IEEE International Conference on High Performance Computing and Communications, HPCC 2014, 11th IEEE International Conference on Embedded Software and Systems, ICESS 2014 and 6th International Symposium on Cyberspace Safety and Security, CSS 2014
Country: France
City: Paris
Period: 20/08/14 to 22/08/14

Cite this

Violaris, G., & Dionysiou, I. (2014). Out-of-band authentication model with hashcash brute-force prevention. In Proceedings - 16th IEEE International Conference on High Performance Computing and Communications, HPCC 2014, 11th IEEE International Conference on Embedded Software and Systems, ICESS 2014 and 6th International Symposium on Cyberspace Safety and Security, CSS 2014 (pp. 794-801). [7056834] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/HPCC.2014.133