the enrolment procedure for the respective variant of the (t, n)-threshold verification scheme is applied (i.e. either the matrix M is generated using the method described in section 7.2.1 or the encrypted shares ci are created using the method described in section 7.2.2) and the result stored alongside the value s.
Authentication and Verification. For the authentication, the system generates a set of t challenges. Each challenge is represented by one grid (including the respective password element it contains). The t challenges are displayed to the user who clicks the image ˆe0i belonging to the password. Then, analogously to the enrolment, the indices j and k are concatenated to form the elements e0i = j.k and then hashed to derive the values e0i. The e0i are then used as input for the verification procedure of the respective (t, n)-threshold verification variant (i.e. to solve the linear system of equations M x0= y0for x0or use Lagrange interpolation to restore a00). As last step, it is verified that the value s0= KDF (x0) or s0= KDF (a00) (depending on the used variant) matches the previously stored s. If the two values match, the user has entered the correct authorised subset as response to the challenges and the authentication attempt is successful.
8.2 Use Case 2: Partial Passwords
This section presents the second use case for the (t, n)-threshold verification scheme: partial passwords. Par- tial passwords are a special form of authentication based on text passwords. When using partial passwords, the users are required to enter only a randomly chosen subset of the password’s characters instead of the complete password. In that, partial passwords are the result of a straight forward application of portfolio authentication to text passwords. Figure 8.2 depicts the procedure as seen by the user on a banking website. Sometimes this technique is also used in two-factor schemes [88]. This section outlines how to apply the (t, n)-threshold verification scheme to partial passwords.
In the following, first the enrolment and then the authentication and verification procedures are described, when applying (t, n)-threshold verification to partial passwords. Figure 8.3 depicts an example of the full procedure for the first variant of (t, n)-threshold verification.
Enrolment. First, the textual password P is split up into its characters and each character ˆeiis concatenated with its index i in the password to create the elements ei = ˆei.i. This step ensures, that in order to guess a share, not only the right character, but also its correct position in the password is required. Following the procedure of (t, n)-threshold verification, these elements are hashed to generate the derivatives ei. Thereafter, the shared secret x or a0 (depending on the used variant) is chosen and its derivative s = KDF (x) or
(1)
(3)
(2)
Figure 8.2: A typical login procedure using partial passwords: (1) the user specifies her/his user name (Id in this example), (2) the user clicks "Next" to proceed to the password entry, (3) randomly selected characters of the password have to be entered (in this example, the first, second, fifth, and twelfth character). Screenshots from https: //aliorbank.pl/hades/do/Login (accessed on 2017-01-24).
8 Use Cases of the (t,n)-threshold Verification Scheme
Recurring during every authentication attempt of the user
Verification
Enr
olment
Creation of (t,n)-threshold verification
information verification informationStored (t,n)-threshold (t,n)-threshold verification
(t,n)-threshold Verification
Steps
Authorisation
User password with 6 characters
Password elements after individual application of appropriate KDF
User chooses and enters password “Pass#1”
…
!!!"""!#!#!#"#"#"###11#1#!#!#!111 !!!
Authentication
4 user responses to challenges
Identification
Authentication scheme poses 4 challenges to user
User responses after individual application of appropriate KDF Termination ̅" #= %&'(). 1) ̅"#= %&'(1.6) !′#= %. 1 !′#= %. 2 !′#= #.5 !′#= 1.6 … ̅"′$= &'(("′$) ̅"′$= &'(("′$)
Figure 8.3: Overview the different phases of the authentication procedure when applying the (t, n)-threshold verification scheme to partial passwords.
s= KDF (a0) (depending on the used variant) stored for later verification. Using these values ei and either
x or a0 (depending on the used variant), the enrolment procedure for the respective variant of the (t, n)-
threshold verification scheme is applied (i.e. either the matrix M is generated using the method described in section 7.2.1 or the encrypted shares ci are created using the method described in section 7.2.2) and the result stored alongside the value s. Note that the storage verification information allows determining the length of the password through the number of rows in M or number of encrypted shares ci. However, as becomes apparent from figure 8.2 this does not reveal information about the password which is not visible on the login interface anyway and therefore does not impair the security properties of partial passwords.
Authentication and Verification. To authenticate a user, the system generates a challenge by randomly selecting t positions i ∈ {1, 2, . . . , n} in the password, where n= |P |. This challenge is displayed to the user who has to enter the respective characters ˆe0i of the password. Then, analogously to the enrolment, the pair of ˆe0i (supplied by the user) and the respective i (supplied by the server) are concatenated and hashed on the server to derive the values e0i. These values are then used as input for the verification procedure of the respective (t, n)-threshold verification variant (i.e. to solve the linear system of equations M x0 = y0 for x0 or use Lagrange interpolation to restore a00). In the last step, it is verified that the value s0= KDF (x0) or s0= KDF (a00) (depending on the used variant) matches the previously stored s. If the two hashes match, the user has entered the correct authorised subset and the authentication attempt is successful.