CICI: Secure Data Architecture: Improving the Security and Usability of Two-Factor Authentication for Cyberinfrastructure

CICI：安全数据架构：提高网络基础设施双因素身份验证的安全性和可用性

• 批准号: 1547350
• 负责人: Nitesh Saxena
• 金额: $ 24.97万
• 依托单位: University of Alabama at Birmingham
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-01-01 至 2021-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1547350&HistoricalAwards=false
• 关键词: CICI; Secure; Data; Architecture; Improving

Password authentication is a critical vulnerability in cyberinfrastructure because typical passwords are memorable and easily guessed, leaving them vulnerable to malicious actors. One well-recognized method for strengthening the password security is Two-Factor Authentication (TFA), in which the password is complemented by an additional authentication factor such as a mobile phone or a dedicated token (e.g., a USB dongle). However, current TFA mechanisms do not offer sufficient security and usability. This project breaks new ground towards improving both of these aspects. It designs, implements and evaluates TFA schemes that not only protect against on-line guessing attacks, but also against off-line dictionary attacks in case of server or mobile device compromise. Moreover, the project aims to do so without degrading usability compared to password-only authentication. The creation of formal security models for TFA schemes allow for better understanding of TFA security in general. The resulting research prototypes will be of immense value in future research on building resilient and usable authentication services. The project integrates research into educational activities in the form of advanced curriculum development as well as high school and K-12 student mentoring in the area of Identity and Access Management.The design of new TFA protocols offers security against on-line guessing and offline dictionary attacks. The project formally proves the security of these protocols in a strong security model for TFA protocols that is being introduced as an extension to well-established password-authenticated key exchange (PAKE) models. The goal is to design the TFA protocols in a modular way, allowing for the use of independent device and server components, and enabling the use of the developed schemes with existing password protocols and without the need to modify the server software. Moreover, the research involves developing and testing TFA systems which will instantiate the proposed protocols. The goal is a TFA systems design that utilizes automated and user-transparent data channel between the mobile device and the client, falling back to localized wireless radio communication only when such a channel is unavailable. Such construction would provide high usability since the user experience of the login process would be almost equivalent to password-only authentication. Finally, the project involves conducting rigorous usability studies in the lab environment and field settings to evaluate the performance, usability, and adoption potential of the proposed approaches.

密码身份验证是网络基础结构中的一个关键漏洞，因为典型的密码令人难忘，并且容易猜测，因此它们容易受到恶意演员的影响。增强密码安全性的一种良好认可的方法是两因素身份验证（TFA），其中密码以其他身份验证因子（例如手机或专用令牌）（例如USB Dongle）进行补充。但是，当前的TFA机制无法提供足够的安全性和可用性。该项目打破了改善这两个方面的新基础。它设计，实施和评估不仅可以防止在线猜测攻击的TFA方案，还可以在服务器或移动设备妥协的情况下进行离线词典攻击。此外，与仅密码身份验证相比，该项目旨在这样做而不会降低可用性。为TFA方案创建形式的安全模型，可以更好地了解TFA安全性。在建立弹性和可用身份验证服务的未来研究中，由此产生的研究原型将具有巨大的价值。该项目以高级课程开发以及高中和K-12学生指导的形式将研究整合到身份和访问管理领域。新的TFA协议的设计为在线猜测和离线词典攻击提供了安全性。该项目正式在TFA协议的强安全模型中正式证明了这些协议的安全性，该协议正在引入，该模型是针对良好的密码实体构造的密钥交换（PAKE）模型的扩展。目标是以模块化的方式设计TFA协议，允许使用独立的设备和服务器组件，并启用具有现有密码协议的开发方案的使用，而无需修改服务器软件。此外，该研究涉及开发和测试TFA系统，这些系统将实例化提议的协议。 目标是一种TFA系统设计，该设计利用移动设备和客户端之间的自动化和用户透明的数据通道，仅在无法使用该通道时落入局部无线无线电通信。由于登录过程的用户体验几乎等同于仅密码的身份验证，因此这种构造将提供高可用性。最后，该项目涉及在实验室环境和现场设置中进行严格的可用性研究，以评估拟议方法的性能，可用性和采用潜力。