A User Authentication Scheme Not Requiring Secrecy in the Computer
Date: August 1974
Publication: Communications of the ACM, Volume 17 Issue 8
Page(s): 437 - 442
Publisher: ACM
Source 1: http://www.learningace.com/doc/4497486/c4f55386fc155587fea0ca4168a1139f/p437-evans
Source 2: http://dx.doi.org/10.1145/361082.361087 - Subscription or payment required

Abstract or Summary:
In many computer operating systems a user authenticates himself by entering a secret password known solely to himself and the system. The system compares this password with one recorded in a Password Table which is available to only the authentication program. The integrity of the system depends on keeping the table secret. In this paper a password scheme is presented which does not require secrecy in the computer. All aspects of the system, including all relevant code and data bases, may be known by anyone attempting to intrude. The scheme is based on using a function H which the would-be intruder is unable to invert. This function is applied to the user's password and the result compared to a table entry, a match being interpreted as authentication of the user. The intruder may know all about H and have access to the table, but he can penetrate the system only if he can invert H to determine an input that produces a given output. This paper discusses issues surrounding selection of a suitable H. Two different plausible arguments are given that penetration would be exceedingly difficult, and it is then argued that more rigorous results are unlikely. Finally, some human engineering problems relating to the scheme are discussed.