About OpenKnowledge@NAU | For NAU Authors

Methods to secure access control and encryption based on physical unclonable function

Assiri, Sareh (2022) Methods to secure access control and encryption based on physical unclonable function. Doctoral thesis, Northern Arizona University.

[thumbnail of Assiri_2022_methods_secure_access_control_encryption_based_on_physical.pdf] Text
Assiri_2022_methods_secure_access_control_encryption_based_on_physical.pdf - Published Version
Restricted to Repository staff only

Download (7MB) | Request a copy


Too many cyber-attacks succeed by hacking password databases and stealing users’credentials; hacking databases means the users’ information becomes compromised. Frequent cyberattacks happen because of a lack of password protection in databases or by the interception of passwords over networks. A particularly significant vulnerability to cyberattacks occurs when the same user’s credentials are exposed and sent multiple times in the same format over networks, which helps hackers intercept and infer the password. This dissertation presents and demonstrates tangible solutions to mitigate risks of hackers obtaining passwords, whether stored in databases or intercepted when sent over networks. Protecting users’ credentials stored in databases with encryption is known to mitigate theft, as long as the cryptographic keys are not exposed. One-way encryption based on hash functions has been suggested as a solution to secure password manager databases. However, when rainbow table mechanisms were launched, they made it so that hash functions were no longer able to secure password manager databases. Rainbow tables allow hackers to find matches between password hashes in the password manager database and the rainbow table; consequently, the password can be compromised. Accordingly, salting the password before feeding it to the hash function has been recommended. However, because the salt must be unique and stored somewhere in the system, it is also easy to obtain and use the salt with the rainbow table’s passwords to crack the password. On account of this, the issue of securing password manager databases still needs a deep investigation to find a rational solution to mitigate this problem. The solutionsoffered in this dissertation are based on utilizing physically unclonable functions (PUFs). PUF challenges replace the output of a hash function with salt in the database, and without having the same PUF, it will be hard to understand the database’s content. Stealing the PUF is hard because it is in the hardware. Usually, an image of a PUF’s challenges and corresponding responses are generated at enrollment time and stored on the server; the physical PUF will generate the same responses to each challenge every time authentication is needed on the client side. Innovatively, this dissertation shows that physical PUFs have also been utilized on the server-side. To obtain the message digest (MD) from the password hash, each of the several bits in the MD points to one address in the PUF, and the output of the PUF is stored in the database; therefore, it will encrypt the password as one-way encryption based on the PUF output. Storing the PUF output in the database makes the password unreadable, makes retrieval of the password difficult, and makes the rainbow table not work. Additionally, a homomorphic password method is proposed to mitigate the issue of repeating the same password multiple times during the day or at a specific time for users’ online accounts, which might make passwords vulnerable to exposure. Securing users’ credentials while sending them via networks will decrease the ability to easily intercept and steal them. This dissertation shows a newly invented method; the server authenticates clients without ever knowing their passwords. During enrollment, users subject their passwords to multiple hashing cycles, typically 1000 times, the resulting MDs are communicated to the server. Rather than storing these MDs, the server uses them to find addresses in the PUF, which generates data streams stored for future authentication. The authentication cycles use the following steps: i) The users hash their passwords multiple times, at levels lower than the one used during enrollment; ii) The server generates data streams from the physical elements at the address extracted from the MD and compares it to the data streams stored during enrollment, and iii) The server reiterates the previous step by incrementally hashing the resulting MD to find a match, or it rejects the password. During subsequent authentication cycles, the users again hash their passwords multiple times but at levels lower than the ones used during the previous cycles. Thereby, it becomes pointless for third parties to intercept previously hashed passwords; they are never used twice. Hacking a database containing the data streams extracted from the PUF during enrollment is also pointless without also having access to the devices. In this entire homomorphic protocol, the users are the only ones who know their passwords. Therefore, this research provides an analysis of the benefit of hash functions when used on both the client and the server sides to generate a one-time password each time the user wants to log on to the system. The benefit of that is to confuse the man in the middle, which means that the man in the middle will not be able to learn from the network flow because, each authentication time, new encryption of the hash of the password will be sent. Moreover, this dissertation shows a simulation prototype for how the password manager protocol can work depending on the SHA-3-512, SRAM, and ReRAM PUF. In addition, the work shows how to encrypt the database content of the password manager by using both ReRAM and SRAM PUF. Furthermore, this work provides a software solution for the noise in both ReRAM and SRAM PUF to reduce the rate of false rejections for the actual user and false acceptance for the non-existing user. This work also provides a solution to guarantee authentication still works if the PUF does not work or is compromised. Again, this research delivers techniques to generate one-time passwords and to authenticate passwords without storing passwords in the database. Another branch of this research is the process of using PUFs to encrypt messages without using cryptography keys. There is significant interest in encryption without using traditional cryptography keys because key generation, key distribution, and key storage in key cryptography are incredibly complex. Also, many issues with keys can help a hacker extract keys, such as attacks based on differential power analysis. Another reason for keyless encryption is protecting internet of thing (IoTs) devices. Because IoTs devices have limitations in power and memory, the long-secret keys and some strong cryptographic schemes are difficult to implement. However, ReRAM PUFs can be applied to keyless encryption protocol, and the ReRAM PUFs can replace traditional cryptography keys. This work covers keyless encryption protocol implementation and solutions to mitigate the ReRAM PUF’s erratic nature. Finally, this work covers the evaluation of a keyless encryption protocol against frequency analysis attacks.

Item Type: Thesis (Doctoral)
Publisher’s Statement: © Copyright is held by the author. Digital access to this material is made possible by the Cline Library, Northern Arizona University. Further transmission, reproduction or presentation of protected items is prohibited except with permission of the author.
Keywords: Hide password in database; One time password; One Way Encryption; Password Manager and PUF; Physical Unclonable Function; SRAM PUF and Hash Function; Cyber security
Subjects: Q Science > QA Mathematics
Q Science > QA Mathematics > QA76 Computer software
NAU Depositing Author Academic Status: Student
Department/Unit: Graduate College > Theses and Dissertations
College of Engineering, Informatics, and Applied Sciences > School of Informatics, Computing, and Cyber Systems
Date Deposited: 13 Jul 2022 17:06
Last Modified: 13 Jul 2022 17:06
URI: https://openknowledge.nau.edu/id/eprint/5842

Actions (login required)

IR Staff Record View IR Staff Record View


Downloads per month over past year