An increasingly common mechanism is to ask for several pieces of security information ratherthan one. A call center might ask not just for your mother’s maiden name, a password, and theamount of your last purchase, but also your dog’s nickname and your favourite color. Suchschemes need careful evaluation of their usability and effectiveness using the tools of appliedpsychology. Design such a password protocol and evaluate its usability and effectiveness. (Averbal text description is enough.) (500 words)
Passwords, Access Control, and Distributed Systems
Password Protocol and its Usability & Effectiveness
Passwords are critical in ensuring security of data stored in computers and network systems. A poor choice of passwords may lead to unauthorized access of data which may be highly sensitive, leading to financial losses (Anderson, 2010). Users of various systems are responsible for creating strong passwords which are not vulnerable to security threats posed by hackers and unauthorized users. The following is a design of a password protocol and an analysis of its usability and effectiveness.
The following password protocol can be used in cases where the password cannot be sent in plain text.
- The client should be able to generate hash from user passwords by use of a password-based key derivation function of 2 (pbkdf2), and capable of handling 68,000 rounds.
- The client should be capable of using the aforementioned hash to encrypt the private key as a passphrase using an advanced encryprion standard (AES) 128 in the OpenSSH format. The OpenSSH format enhances connectivity during remote login while using the SSH protocol. This eliminates critical security issues such as connection hijacking and eavesdropping.
- Lastly under registration, the client should be able to pass the encrypted private key, password-based key derivation function 2 (pbkdf2), username and the public key to the specified server.
- In the initial step, the client should request the private key (encrypted) when providing login name. In addition, the client should request the pbkdf2 salt also when providing the login name.
- In this step, the client should produce hash from password, and by making use of the pbkdf2 and 68000 rounds as well as the salt all derived from the server.
- The client uses the pbkdf hash in the decryption of the private key.
- The client at this point should ask for a particular challenge from the respective server.
- In this step the server should respond by sending a challenge that was requested in the previous part. The challenge should be encrypted by application of a user public key. This uses the cryptography.
- At this point the client should decrypt the sent challenge to plaintext which is the forwarded to the server.
- The server at this point generates token directed to the client for use.
This design of password protocol can be used in cases where there is need for user authentication without the need to send the actual password. In applying this protocol, the user would not be able to receive the password in plaintext for authentication purposes. The effectiveness of this protocol is that it cannot allow eavesdropping. Therefore, the system is immune to any dictionary attacks that may be instituted by an eavesdropper. Another effectiveness of this kind of protocol is that it can enable users to provide authentication details by themselves to the server. Lastly, it is possible to control the number of password guesses that a user can make (Anderson, 2010).
In conclusion, password protection is critical in the current environment where hackers are developing new tricks on a daily basis. The use of hashing has become a common method of enhancing password protection. The password protocol above utilizes the hashing technique to enhance security of passwords.
Anderson, R. (2010). Security Engineering: A Guide to Building Dependable Distributed Systems (2nd Edition). Hoboken, NJ: John Wiley & Sons.