New type of cryptography that can better resist "dictionary attacks"

August 5, 2014

Cryptographers in China have have developed a new type of cryptography that can better resist so-called offline "dictionary attacks", denial of service (DoS) hacks, and cracks involving eavesdroppers. Their approach, reported in the International Journal of Electronic Security and Digital Forensics, extends and improves a type of cryptography that uses an intractable mathematical problem as its basis.

Public-key uses the complexity of certain mathematical problems that would take even a supercomputer many years to solve, to lock up data that only a person with the private key can unlock. Early public-key systems used the problem of finding the prime factors of a very large integer. More recent protocols exploit the problem of finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point. This is the "elliptic curve discrete logarithm problem" and is an example of a that is essentially impossible to solve at the highest level without an array of supercomputers and tens of thousands of years at one's disposal. And, yet, it is very efficient in terms of computation to implement and encrypt data.

Unfortunately, encryption systems always have loopholes and can always succumb to bugs or attacks on the computer system on which they run. The most recent form of elliptical encryption widely used for internet logins and other applications can be breached by a so-called offline dictionary attack that simply tests every possible key, or , non-complex passwords thus succumbing the quickest. More the protocol can be attacked by an eavesdropper who monitors and replicates password entry by users or otherwise breaks the system, through a , attack allowing entry via the backdoor.

Pengshuai Qiao of North China University of Water Resources and Electric Power, in Zhengzhou, and Hang Tu of Wuhan University, Wuhan, China, explain that two fundamental requirements of secure communications over an insecure public network are password authentication and password updating. Previous researchers have extended password authentication and update schemes based on elliptic curve cryptography to the point where they are entirely robust against replay attack, man-in-the-middle attack, modification attack and other potential breaches. However, this system, developed by computer scientists Hafizul Islam of the Birla Institute of Technology and Science in Pilani and GP Biswas of the Indian School of Mines, Dhanbad, India, failed to defend against offline password guessing attack and stolen-verifier attack.

Qiao and Tu have now devised an algorithm for on elliptic curve cryptography that precludes such security breaches by using a four-phase approach: registration phase, password authentication phase, password change phase and session key distribution phase. These are the same steps used with the Islam-Biswas scheme but Qiao and Tu add two additional calculations on the user side for the final single-session password. This change means that offline dictionary attacks will never succeed because even if the hacker guesses the user's password they will not have the necessary algorithm to recalculate the actual session password used each time by the user. The same addition also thwarts stolen-verifier attacks, because even if a third-party has access to the verification protocol used by the system, they would still need to be able to do the one-time additional pair of calculations for the given session.

The team's initial testing of the new system bodes well for secure implementation on a wide range of platforms for everything from mobile banking to web logins.

Explore further: Distributed Credential Protection: Trying to beat the hackers and protect our passwords

More information: Qiao, P. and Tu, H. (2014) 'A security enhanced password authentication and update scheme based on elliptic curve cryptography', Int. J. Electronic Security and Digital Forensics, Vol. 6, No. 2, pp.130-139.

Related Stories

Geographical passwords worth their salt

February 14, 2014

It's much easier to remember a place you have visited than a long, complicated password, which is why computer scientist Ziyad Al-Salloum of ZSS-Research in Ras Al Khaimah, UAE, is developing a system he calls geographical ...

WPA2 wireless security cracked

March 20, 2014

There are various ways to protect a wireless network. Some are generally considered to be more secure than others. Some, such as WEP (Wired Equivalent Privacy), were broken several years ago and are not recommended as a way ...

Recommended for you

Tiny diatoms boast enormous strength

February 8, 2016

Diatoms are single-celled algae organisms, around 30 to 100 millionths of a meter in diameter, that are ubiquitous throughout the oceans. These creatures are encased within a hard shell shaped like a wide, flattened cylinder—like ...

Claims for solar cell efficiency put to test at NREL

February 8, 2016

The sheet of paper taped to the door of Keith Emery's office tells the story. On the paper is a simple fever chart showing the improvements made in increasing the efficiency of two dozen types of solar cells. Some of the ...

Search engines will know what you want ... sooner

February 8, 2016

If you enter "Oklahoma" in a search engine, you might get a travelogue, news about the oil industry, Oklahoma State football scores or an article on Rodgers and Hammerstein musicals. What appears at the top of the list might ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.