New type of cryptography that can better resist "dictionary attacks"

August 5, 2014

Cryptographers in China have have developed a new type of cryptography that can better resist so-called offline "dictionary attacks", denial of service (DoS) hacks, and cracks involving eavesdroppers. Their approach, reported in the International Journal of Electronic Security and Digital Forensics, extends and improves a type of cryptography that uses an intractable mathematical problem as its basis.

Public-key uses the complexity of certain mathematical problems that would take even a supercomputer many years to solve, to lock up data that only a person with the private key can unlock. Early public-key systems used the problem of finding the prime factors of a very large integer. More recent protocols exploit the problem of finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point. This is the "elliptic curve discrete logarithm problem" and is an example of a that is essentially impossible to solve at the highest level without an array of supercomputers and tens of thousands of years at one's disposal. And, yet, it is very efficient in terms of computation to implement and encrypt data.

Unfortunately, encryption systems always have loopholes and can always succumb to bugs or attacks on the computer system on which they run. The most recent form of elliptical encryption widely used for internet logins and other applications can be breached by a so-called offline dictionary attack that simply tests every possible key, or , non-complex passwords thus succumbing the quickest. More the protocol can be attacked by an eavesdropper who monitors and replicates password entry by users or otherwise breaks the system, through a , attack allowing entry via the backdoor.

Pengshuai Qiao of North China University of Water Resources and Electric Power, in Zhengzhou, and Hang Tu of Wuhan University, Wuhan, China, explain that two fundamental requirements of secure communications over an insecure public network are password authentication and password updating. Previous researchers have extended password authentication and update schemes based on elliptic curve cryptography to the point where they are entirely robust against replay attack, man-in-the-middle attack, modification attack and other potential breaches. However, this system, developed by computer scientists Hafizul Islam of the Birla Institute of Technology and Science in Pilani and GP Biswas of the Indian School of Mines, Dhanbad, India, failed to defend against offline password guessing attack and stolen-verifier attack.

Qiao and Tu have now devised an algorithm for on elliptic curve cryptography that precludes such security breaches by using a four-phase approach: registration phase, password authentication phase, password change phase and session key distribution phase. These are the same steps used with the Islam-Biswas scheme but Qiao and Tu add two additional calculations on the user side for the final single-session password. This change means that offline dictionary attacks will never succeed because even if the hacker guesses the user's password they will not have the necessary algorithm to recalculate the actual session password used each time by the user. The same addition also thwarts stolen-verifier attacks, because even if a third-party has access to the verification protocol used by the system, they would still need to be able to do the one-time additional pair of calculations for the given session.

The team's initial testing of the new system bodes well for secure implementation on a wide range of platforms for everything from mobile banking to web logins.

Explore further: Passwords no more? Researchers develop mechanisms that enable users to log in securely without passwords

More information: Qiao, P. and Tu, H. (2014) 'A security enhanced password authentication and update scheme based on elliptic curve cryptography', Int. J. Electronic Security and Digital Forensics, Vol. 6, No. 2, pp.130-139. … icle.php?artid=63109

Related Stories

WPA2 wireless security cracked

March 20, 2014

There are various ways to protect a wireless network. Some are generally considered to be more secure than others. Some, such as WEP (Wired Equivalent Privacy), were broken several years ago and are not recommended as a way ...

Geographical passwords worth their salt

February 14, 2014

It's much easier to remember a place you have visited than a long, complicated password, which is why computer scientist Ziyad Al-Salloum of ZSS-Research in Ras Al Khaimah, UAE, is developing a system he calls geographical ...

Recommended for you

A not-quite-random walk demystifies the algorithm

December 15, 2017

The algorithm is having a cultural moment. Originally a math and computer science term, algorithms are now used to account for everything from military drone strikes and financial market forecasts to Google search results.

US faces moment of truth on 'net neutrality'

December 14, 2017

The acrimonious battle over "net neutrality" in America comes to a head Thursday with a US agency set to vote to roll back rules enacted two years earlier aimed at preventing a "two-speed" internet.

FCC votes along party lines to end 'net neutrality' (Update)

December 14, 2017

The Federal Communications Commission repealed the Obama-era "net neutrality" rules Thursday, giving internet service providers like Verizon, Comcast and AT&T a free hand to slow or block websites and apps as they see fit ...

The wet road to fast and stable batteries

December 14, 2017

An international team of scientists—including several researchers from the U.S. Department of Energy's (DOE) Argonne National Laboratory—has discovered an anode battery material with superfast charging and stable operation ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.