Paper 1
Password Authentication Schemes: Current Status and Key Issues

Why?

By the title I thought this would be a good overview of password schemes, more like a tutorial or a good chapter out of a security book. Also, this paper was published in an international journal, which I thought might give it a broader view of the area.

Quick Assessment

The paper is not very good. I found its organization very poor, and the areas it emphasized and those it de-emphasized seem backwards. Yet there is some interesting material which could lead to a reasonable discussion.... They do not fulfill their statement:
In this paper, we shall present the result of our survey through all currently available password-authentication-related schemes and get them classified in terms of several crucial criteria.

Comments

  • Password authentication is one of the simplest and the most convenient authentication mechanisms to deal with secret data over insecure networks.

  • Two problems with the current system of ID/PW:
    1. The passwords are revealed to the administrator of the server, because the password table is stored in plaintext.
    2. An intruder who steals a user's ID and PW from the password table can impersonate that legitimate user.

    In two paragraphs they mention encrypted passwords and hashed passwords as ways to avoid these issues. They also mention Lamport's one-time password scheme, built on a one-way hash function, as a defense against replay attacks. Mention is then made of a number of protocols that handle problems with this approach.

  • The following paragraphs run through a whole bunch of references to RSA-based, ElGamal-based, and hash-based password schemes. It is unclear to me why this stream of references is presented here.

  • They then present two sections, Security Requirements and Definitions and An Ideal Password Authentication Scheme (refer to the paper). There is no discussion of whether these are complete, where they came from, etc.

  • Section 2 is a quick overview of RSA, ElGamal, and One-Way Hash Schemes

  • Section 3 is a stream of quick steps for each of the authentication schemes... it goes on forever....

  • Section 4 is a list of tables comparing each scheme against the earlier requirements and goals. There is never any discussion of how the tables in Section 4 were arrived at. It is interesting, but useless.

  • Figure 1 is very telling...
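As an added illustration of the second comment above (the plaintext password table and Lamport's one-time password scheme), here is a small worked model of Lamport's hash-chain scheme. This is my own example code, not code from the reviewed paper; the user name, the seed value and the chain length are made-up constants chosen for the demonstration, and SHA-256 stands in for the paper's generic one-way hash.

```python
"""Lamport one-time passwords over a one-way hash chain.

Added example, not from the reviewed paper. The user name "alice", the
seed and the chain length are constructed values for illustration only.
"""
import hashlib


def h(data: bytes) -> bytes:
    """The one-way function; SHA-256 stands in for a generic hash."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] as a list of n+1 values."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class Server:
    """Holds, per user, only the current verifier h^k(seed) and the counter k.

    The table never contains a reusable secret: someone who reads it learns
    h^k(seed), but the next value the server will accept is h^(k-1)(seed),
    which requires inverting h. This removes both problems the paper lists
    for a plaintext password table.
    """

    def __init__(self) -> None:
        self.table = {}  # user -> (k, verifier)

    def register(self, user: str, n: int, verifier: bytes) -> None:
        self.table[user] = (n, verifier)

    def login(self, user: str, otp: bytes) -> bool:
        if user not in self.table:
            return False
        k, verifier = self.table[user]
        if k == 0:
            return False  # chain exhausted; the user must re-register
        if h(otp) != verifier:
            return False  # wrong value, or a replay of an already-used one
        # Accept and advance: the value just used is now the verifier, so
        # presenting it again fails because h(otp) != otp.
        self.table[user] = (k - 1, otp)
        return True


class Client:
    """Computes the whole chain once and hands out passwords from the top down."""

    def __init__(self, user: str, seed: bytes, n: int) -> None:
        self.user = user
        self.chain = hash_chain(seed, n)
        self.next_index = n - 1  # h^(n-1)(seed) is the first password sent

    def registration_verifier(self) -> bytes:
        return self.chain[-1]  # h^n(seed), the only thing the server stores

    def next_otp(self) -> bytes:
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


def demo(n: int = 5) -> dict:
    """Run a registration, two logins, a replay, a table-theft attempt, and exhaustion."""
    seed = b"constructed-seed-for-demo"  # constructed; use a random secret in practice
    client = Client("alice", seed, n)
    server = Server()
    server.register("alice", n, client.registration_verifier())

    first = client.next_otp()
    results = {
        "first_login": server.login("alice", first),
        # An eavesdropper who captured the first password replays it.
        "replay_of_first": server.login("alice", first),
        "second_login": server.login("alice", client.next_otp()),
    }
    # An attacker who stole the server table submits the stored verifier itself.
    k, verifier = server.table["alice"]
    results["stolen_verifier_as_otp"] = server.login("alice", verifier)
    results["logins_remaining"] = k
    # The remaining k passwords are accepted, after which the chain is spent.
    results["remaining_all_accepted"] = all(
        server.login("alice", client.next_otp()) for _ in range(k)
    )
    results["exhausted"] = server.login("alice", seed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what the model does and does not show: a replayed password and a stolen verifier both fail, which is exactly the replay and stolen-table protection the paper credits to Lamport's scheme, but an attacker who can intercept a password on the wire before it reaches the server can still use it once, and the chain has to be re-registered when it runs out. Those are the kinds of shortcomings that the follow-on protocols the paper lists are meant to address.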

    Mike Erlinger

    Last Modified Thursday, 23-Mar-2006 08:39:11 PST