Title: HPAKE: Honey Password-authenticated Key Exchange for Fast and Safer Online Authentication
Author: Li, Wenting (Peking University); Wang, Ping (National Engineering Research Center for Software Engineering); Liang, K. (TU Delft Cyber Security)
Date: 2023
Abstract: Password-only authentication is one of the most popular secure mechanisms for real-world online applications. But it easily suffers from a practical threat - password leakage, incurred by external and internal attackers. The external attacker may compromise the password file stored on the authentication server, and the insider may deliberately steal the passwords or inadvertently leak the passwords. So far, there are two main techniques to address the leakage: Augmented password-authentication key exchange (aPAKE) against insiders and honeyword technique for external attackers. But none of them can resist both attacks. To fill the gap, we propose the notion of honey PAKE (HPAKE) that allows the authentication server to detect the password leakage and achieve the security beyond the traditional bound of aPAKE. Further, we build an HPAKE construction on the top of the honeyword mechanism, honey encryption, and OPAQUE which is a standardized aPAKE. We formally analyze the security of our design, achieving the insider resistance and the password breach detection. We implement our design and deploy it in the real environment. The experimental results show that our protocol only costs 71.27 ms for one complete run, within 20.67 ms on computation and 50.6 ms on communication. This means our design is secure and practical for real-world applications.
Subject: Password; honeyword; leakage detection; password-authenticated key exchange
To reference this document use: http://resolver.tudelft.nl/uuid:1300c1d6-d3e6-4c4c-8c1a-41893b4bba8e
DOI: https://doi.org/10.1109/TIFS.2022.3214729
Embargo date: 2023-08-24
ISSN: 1556-6013
Source: IEEE Transactions on Information Forensics and Security, 18, 1596-1609
Bibliographical note: Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Part of collection: Institutional Repository
Document type: journal article
Rights: © 2023 Wenting Li, Ping Wang, K. Liang
Files: HPAKE_Honey_Password_Auth ... cation.pdf (PDF, 2.08 MB)