100% found this document useful (1 vote)

590 views15 pages

Authentication by Encrypted Negative Password PDF

This document proposes a new password authentication framework called Encrypted Negative Password (ENP) that aims to securely store passwords. The ENP framework first hashes the received plain password, then converts it to a negative password before encrypting it using a symmetric key algorithm like AES. This makes ENPs difficult to crack from offline attacks by resisting precomputation attacks through lookup tables or rainbow tables. ENP provides stronger password protection than hashed passwords alone under dictionary attacks since there are multiple corresponding ENPs for each plain password. The ENP framework can be integrated into existing authentication systems without additional elements like salts.

Uploaded by

NationalinstituteDsnr

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (1 vote)

590 views15 pages

Authentication by Encrypted Negative Password PDF

Uploaded by

NationalinstituteDsnr

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 15

This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2018.2844854, IEEE
Transactions on Information Forensics and Security
1

Authentication by Encrypted Negative Password

Wenjian Luo, Senior Member, IEEE, Yamin Hu, Hao Jiang, and Junteng Wang

Abstract—Secure password storage is a vital aspect in systems hand, when carrying out an online guessing attack, there
based on password authentication, which is still the most widely is usually a limit to the number of login attempts [13].
used authentication technique, despite its some security flaws. In However, passwords may be leaked from weak systems [14].
this paper, we propose a password authentication framework
that is designed for secure password storage and could be Vulnerabilities are constantly being discovered, and not all
easily integrated into existing authentication systems. In our systems could be timely patched to resist attacks, which gives
framework, first, the received plain password from a client is adversaries an opportunity to illegally access weak systems
hashed through a cryptographic hash function (e.g., SHA-256). [15]. In fact, some old systems are more vulnerable due to
Then, the hashed password is converted into a negative password. their lack of maintenance. Finally, since passwords are often
Finally, the negative password is encrypted into an Encrypted
Negative Password (abbreviated as ENP) using a symmetric-key reused, adversaries may log into high security systems through
algorithm (e.g., AES), and multi-iteration encryption could be cracked passwords from systems of low security.
employed to further improve security. The cryptographic hash After obtaining authentication data tables from weak sys-
function and symmetric encryption make it difficult to crack tems, adversaries can carry out offline attacks [16]. Passwords
passwords from ENPs. Moreover, there are lots of corresponding in the authentication data table are usually in the form of
ENPs for a given plain password, which makes precomputation
attacks (e.g., lookup table attack and rainbow table attack) hashed passwords [17]. However, because processor resources
infeasible. The algorithm complexity analyses and comparisons and storage resources are becoming more and more abundant,
show that the ENP could resist lookup table attack and provide hashed passwords cannot resist precomputation attacks, such
stronger password protection under dictionary attack. It is worth as rainbow table attack and lookup table attack [18].
mentioning that the ENP does not introduce extra elements (e.g., Note that there is a trend of generalization of adversaries,
salt); besides this, the ENP could still resist precomputation
attacks. Most importantly, the ENP is the first password pro- because anyone could obtain access to information on vul-
tection scheme that combines the cryptographic hash function, nerabilities from vulnerability databases, such as the Open
the negative password and the symmetric-key algorithm, without Source Vulnerability Database (OSVDB), National Vulnera-
the need for additional information except the plain password. bility Database (NVD), and the Common Vulnerabilities and
Index Terms—Authentication, dictionary attack, lookup table Exposures (CVE) [19], and then make use of these information
attack, negative database, secure password storage. to crack systems. Moreover, they could download and use
attack tools without the need for very professional security
I. I NTRODUCTION knowledge. Some powerful attack tools, such as hashcat [20],
RainbowCrack [21] and John the Ripper [22], provide a variety
WING to the development of the Internet, a vast number
O of online services have emerged, in which password
authentication is the most widely used authentication tech-
of functions, such as multiple hash algorithms, multiple attack
models, multiple operating systems, and multiple platforms,
which raises a higher demand for secure password storage.
nique, for it is available at a low cost and easy to deploy In these situations, attacks are usually carried out as follows.
[1], [2]. Hence, password security always attracts great in- First, adversaries precompute a lookup table, where the keys
terest from academia and industry [3]. Despite great research are the hash values of elements in a password list containing
achievements on password security, passwords are still cracked frequently-used passwords, and the records are the correspond-
since users’ careless behaviors [4]. For instance, many users ing plain passwords in the password list. Next, they obtain an
often select weak passwords [5], [6]; they tend to reuse authentication data table from low security systems. Then, they
same passwords in different systems [7]–[10]; they usually set search for the plain passwords in the lookup table by matching
their passwords using familiar vocabulary for its convenience hashed passwords in the authentication data table and the keys
to remember [11], [12]. In addition, system problems may in the lookup table. Finally, the adversaries log into higher
cause password compromises. It is very difficult to obtain security systems through cracked usernames and passwords,
passwords from high security systems. On the one hand, so that they could steal more sensitive information of users and
stealing authentication data tables (containing usernames and obtain some other benefits. A considerable number of attacks
passwords) in high security systems is difficult. On the other are carried out in this way, so that adversaries could obtain
This study is supported in part by the National Natural Science Foundation passwords at a low cost, which is advantageous to their goals.
of China (No. 61175045). (Corresponding author: Wenjian Luo) One of the main reasons for the success of the above lookup
Wenjian Luo, Yamin Hu, Hao Jiang, and Junteng Wang are with the table attack is that the corresponding hashed password is
School of Computer Science and Technology, the University of Science
and Technology of China, Hefei 230027, Anhui, China. They are also with determined for a given plain password. Therefore, the lookup
Anhui Province Key Laboratory of Software Engineering in Computing and table could be quickly constructed, and the size of the lookup
Communication, the University of Science and Technology of China, Hefei table could be sufficiently large, which results in a high success
230027, Anhui, China.
Email: [email protected], [email protected], rate of cracking hashed passwords.
[email protected], [email protected]. Typical password protection schemes include hashed pass-

1556-6013 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2018.2844854, IEEE
Transactions on Information Forensics and Security
2

word, salted password and key stretching. Among these itself without introducing extra elements (e.g., salt).
schemes, hashed password would be gradually eliminated for To summarize, the main contributions of this paper are as
its vulnerability for precomputation attacks. Although salted follows:
password could resist precomputation attacks, it introduces
(1) We propose a password protection scheme called ENP,
an extra element (i.e., salt) and could not resist dictionary
and we propose two implementations of the ENP: ENPI
attack. In addition, salt tends to be implemented by mistake
and ENPII, including their generation algorithms and
(such as salt reuse and short salt). Key stretching schemes,
verification algorithms. Furthermore, a password au-
such as bcrypt [23], scrypt [24] and Argon2 [25] (the winner
thentication framework based on the ENP is presented.
of Password Hashing Competition [26]), are used to defend
(2) We analyze and compare the attack complexity of
against dictionary attack. Although key stretching schemes
hashed password, salted password, key stretching and
provide stronger password protection than salted password
the ENP. The results show that the ENP could resist
under dictionary attack, they impose an extra burden on
lookup table attack without the need for extra elements
programmers for configuring more parameters. In addition,
and provide stronger password protection under dictio-
they also use salt to resist precomputation attacks. Besides
nary attack.
these schemes, some other password protection schemes were
proposed. In [17], a scheme based on MD5 was proposed. The remainder of this paper is organized as follows. In
It is a variant of salted password, where the salt is two Section II, we introduce related work, including the hashed
random strings. Although it could resist lookup table attack password, salted password, key stretching, and the NDB. In
and make dictionary attack difficult, it introduces many pa- Section III, we describe the proposed framework. In Section
rameters, which makes it complicated and inconvenient to use. IV, we give two implementations of the ENP. In Section V, we
In [27], dynamic salt generation and placement are used to analyze the attack complexity of the ENP. In Section VI, we
improve password security. Essentially, this scheme is also a compare hashed password, salted password and key stretching
variant of salted password, where the salt is a random string with the ENP and illustrate the advantages of the ENP. Our
that is dependent on the original password. Consequently, it conclusions and future work follow in Section VII.
could resist lookup table attack, however it could not defend
against dictionary attack and also introduces an extra element
II. R ELATED W ORK
(i.e., salt). In [28], improved dynamic Key-Hashed Message
Authentication Code function (abbreviated as d-HMAC) was A. Typical Password Protection Schemes
proposed for password storage. It is also a variant of salted
password, where the salt is the user’s public key, and it 1) Hashed Password: The simplest scheme to store pass-
introduces a secret key, which makes it inconvenient to use. words is to directly store plain passwords. However, this
In summary, although some new password protection schemes scheme presents a problem that once adversaries obtain the
were proposed, they are similar to typical password protection authentication data table, all passwords are immediately com-
schemes essentially. Therefore, in Section VI, without loss promised. To safely store passwords, a common scheme is to
of generality, we only compare the typical password schemes hash passwords using a cryptographic hash function [17], be-
with our scheme. cause it is infeasible to directly recover plain passwords from
In this paper, a password protection scheme called En- hashed passwords. The cryptographic hash function quickly
crypted Negative Password (abbreviated as ENP) is proposed, maps data of arbitrary size to a fixed-size sequence of bits. In
which is based on the Negative Database (abbreviated as the authentication system using the hashed password scheme,
NDB) [29]–[32], cryptographic hash function and symmetric only hashed passwords are stored. However, hashed passwords
encryption, and a password authentication framework based on cannot resist lookup table attack [17]. Furthermore, rainbow
the ENP is presented. The NDB is a new security technique table attack is more practical for its space-time tradeoff [18].
that is inspired by biological immune systems [29] and has Processor resources and storage resources are becoming richer,
a wide range of applications [33]–[36]. Symmetric encryp- which makes the precomputed tables used in the above two
tion is usually deemed inappropriate for password protection. attacks sufficiently large, so that adversaries could obtain a
Because the secret key is usually shared by all encrypted higher success rate of cracking hashed passwords.
passwords and stored together with the authentication data 2) Salted Password: To resist precomputation attacks, the
table, once the authentication data table is stolen, the shared most common scheme is salted password [17]. In this scheme,
key may be stolen at the same time [37]. Thus, these passwords the concatenation of a plain password and a random data
are immediately compromised. However, in the ENP, the (called salt) is hashed through a cryptographic hash function.
secret key is the hash value of the password of each user, The salt is usually generated at random, which ensures that the
so it is almost always different and does not need to be hash values of the same plain passwords are almost always
specially generated and stored. Consequently, the ENP enables different. The greater the size of the salt is, the higher the
symmetric encryption to be used for password protection. password security is. However, under dictionary attack, salted
As an implementation of key stretching [38], multi-iteration passwords are still weak. Note that compared with salted
encryption is introduced to further improve the strength of password, the ENP proposed in this paper guarantees the
ENPs. Compared with the salted password scheme and key diversity of passwords without the need for extra elements
stretching, the ENP guarantees the diversity of passwords by (e.g., salt).

3) Key Stretching: To resist dictionary attack, key stretching TABLE I

[38], which converts weak passwords to enhanced passwords, A N EXAMPLE OF THE COMPLETE SINGLE NDB.
was proposed. Key stretching could increase the time cost
DB U-DB NDB
required to every password attempt, so that the power of
defending against dictionary attack is increased. In the ENP 0000 0001 “0*01”
proposed in this paper, like key stretching, multi-iteration 0010 “001*”
encryption is used to further improve password security under 0011 “01*0”
dictionary attack, and compared with key stretching, the ENP 0100 “01*1”
does not introduce extra elements (e.g., salt). 0101 “100*”
0110 “110*”
0111 “1*10”
B. Negative Database 1000 “1*11”
In the NDB, the compression of the complement of a 1001
positive database (denoted as DB) is stored. As described in 1010
[30], U = {0, 1}n denotes the universal set of n-bit sequences; 1011
x ∈ U denotes an n-bit sequence; DB = {x1 , x2 , · · · , xm } 1100
denotes a positive database that contains m entries; then N DB 1101
stores the compression (implemented using the wildcard ‘*’) 1110
of (U − DB). 1111
Some concepts of NDB are given below. Every entry in an
NDB contains three symbols: ‘0’, ‘1’, and ‘*’. The symbol ‘0’
only match the bit 0, and the symbol ‘1’ only match the bit 1; by a variant of the prefix algorithm, which is the first part
The symbol ‘*’ can match either the bit 0 or 1. Every entry in of the hybrid algorithm in [42]. Note that, in order to clearly
an NDB consists of two kinds of positions: specified positions represent various sequences, we use “the sequence of symbols”
and unspecified positions. Positions where the symbols are ‘0’ to clearly represent the concatenation of symbols (i.e., ‘0’,
or ‘1’ are called specified positions, while positions where the ‘1’, or ‘*’), “the sequence of bits” to clearly represent the
symbols are ‘*’ are called unspecified positions. Accordingly, concatenation of bits (i.e., 0 or 1), which may be converted to
both ‘0’ and ‘1’ are specified symbols, and the ‘*’ is the hex form for short, and “the sequence of characters” to clearly
unspecified symbol. A sequence of bits is covered by one entry represent the concatenation of characters (for passwords, these
in an NDB; that is to say, the bits of the sequence are matched characters usually include uppercase letters, lowercase letters,
by the symbols of the entry at the specified positions. If a numerals and special characters). In addition, the sequence
sequence of bits is covered by one entry in an NDB, we say of symbols or characters is enclosed within a pair of double
that the sequence is covered by the NDB. If an NDB covers quotation marks, while the sequence of bits is not enclosed
every entry in the (U-DB), we say that the NDB is complete; by any punctuation; similarly, the single symbol or character
otherwise, it is incomplete. The NDB converted from a DB is enclosed within a pair of single quotation marks, while the
with only one entry is called the single NDB; otherwise, it is single bit is not enclosed by any punctuation.
called the multiple NDB. As a form of negative representations of information, NDB
There are two types of NDB generation algorithms, one for [29]–[32] has been used in various fields, such as authenti-
single NDBs and one for multiple NDBs. In the first type, cation [33], [34], [45], biometric recognition [35], [46], and
clause distribution control algorithm [39], 1-hidden algorithm information hiding [36]. The fields related to our work are
[40], 2-hidden algorithm [40], q-hidden algorithm [41], hybrid introduced as follows. In [33] and [34], NDB was used to
algorithm [42], p-hidden algorithm [43], and K-hidden algo- protect the original authentication data table as an additional
rithm [44] were proposed successively. In the second type, protection layer. In [35] and [46], NDB was used to protect
the prefix algorithm [30], Randomize NDB (abbreviated as biometric data while supporting effective recognition. In [45],
RNDB) [30], multiple-solution algorithm [36] were proposed a one-time password authentication scheme based on NDB
successively; certainly, these algorithms could also be used to was proposed. In all of the above authentication methods,
generate single NDBs. passwords are protected by the difficulty of reversing NDB.
Among NDBs generated by these generation algorithms, However, such reversal difficulty needs to be further improved.
under certain conditions, some are hard-to-reverse, and others On the contrary, in the ENP proposed in this paper, the original
are easy-to-reverse. In our work, we employ two easy-to- plain passwords could be converted from ENPs; passwords
reverse complete single NDB generation algorithms (i.e., the are protected by cryptographic hash function and symmetric
prefix algorithm with permutation, see Algorithm A.1 in the encryption; authentication is based on the comparison between
Appendix, and the variant of the prefix algorithm, see Algo- the hash value of the plain password from a client and the
rithm A.2 in the Appendix) to generate negative passwords. hashed password corresponding to some ENP on the server.
An example is given to illustrate the complete single NDB in
Table I. As represented in Table I, the database (i.e., DB) only III. T HE P ROPOSED F RAMEWORK
contains one entry, and every entry in (U-DB) is covered by the The proposed framework includes two phases: the regis-
NDB (i.e., the NDB is complete). Here, the NDB is generated tration phase and authentication phase. When adopting our

TABLE II
S OME MATCHES OF CRYPTOGRAPHIC HASH FUNCTIONS AND 9"$*
SYMMETRIC - KEY ALGORITHMS .

'8!32&'!""()*%
Cryptographic hash functions Symmetric-key algorithms #bits

MD5* AES/IDEA/CAST-256/RC6 128 /01#$2134!13)2&5!1!&6!78$ !"#

SHA-1* CAST-256 160

;<=&+%!1!. #!"#$%&'!""()*%&+,$-.
SHA-224/SHA3-224 CAST-256 224
5$4*-'1
SHA-256/SHA3-256 AES/CAST-256/RC6 256

SHA-384/SHA3-384 RC5 384 2$>!13?$&'!""()%&!2%&#!"#$%&'!""()%

SHA-512/SHA3-512 RC5 512 3"&")8013)2:

* Although MD5 and SHA-1 could not resist collision attack [47], they
could still be used in our framework, since they still resist preimage attack !44$'1&)*&*$@$41&*$A0$"1
[48]. Despite this, we recommend the use of SHA-2 (including SHA-224,
SHA-256, SHA-384 and SHA-512) and SHA-3 (including SHA3-224,
SHA3-256, SHA3-384 and SHA3-512). 9"$*

Fig. 2. The data flow diagram of the verification procedure of the ENP.

5"$*
A. Registration Phase
'4!/.&'!""()*% The registration phase is divided into six steps.
(1) On the client side, a user enters his/her username and
!"# password. Then, the username and plain password are
transmitted to the server through a secure channel;
#!"#$%&'!""()*% (2) If the received username exists in the authentication
data table, “The username already exists!” is returned,
&6$.$*!-$&7$8!-/9$&:!""()*% which means that the server has rejected the registra-
tion request, and the registration phase is terminated;
.$8!-/9$&'!""()*%&;%!-!<&!.%&#!"#$%&'!""()*%&;=$>< otherwise, go to Step (3);
(3) The received password is hashed using the selected
?.0*>'- cryptographic hash function;
(4) The hashed password is converted into a negative
?7:
password using an NDB generation algorithm (i.e.,
Algorithm A.1 or Algorithm A.2 in the Appendix);
+,-#$.-/0!-/).&1!-!&2!34$
(5) The negative password is encrypted to an ENP using
the selected symmetric-key algorithm, where the key
Fig. 1. The data flow diagram of the generation procedure of the ENP. is the hash value of the plain password. Here, as an
additional option, multi-iteration encryption could be
used to further enhance passwords;
(6) The username and the resulting ENP are stored in the
framework to protect passwords in an authentication data table, authentication data table and “Registration success” is
the system designer must first select a cryptographic hash returned, which means that the server has accepted the
function and a symmetric-key algorithm, where the condition registration request.
that must be satisfied is that the size of the hash value of the
selected cryptographic hash function is equal to the key size of
B. Authentication Phase
the selected symmetric-key algorithm. For convenience, some
matches of cryptographic hash functions and symmetric-key The authentication phase is divided into five steps.
algorithms are given in Table II. In addition, cryptographic (1) On the client side, a user enters his/her username and
hash functions and symmetric-key algorithms that are not password. Then, the username and plain password are
listed here could also be used in the ENP, which adequately transmitted to the server through a secure channel;
indicates the flexibility of our framework. The proposed frame- (2) If the received username does not exist in the au-
work is based on the ENP; hence, for better understanding, the thentication data table, then “Incorrect username or
data flow diagram of the generation procedure of the ENP is password!” is returned, which means that the server
shown in Fig. 1, and the data flow diagram of the verification has rejected the authentication request, and the authen-
procedure of the ENP is shown in Fig. 2. tication phase is terminated; otherwise, go to Step (3);

(3) Search the authentication data table for the ENP corre- done by the NDB generation algorithm itself, and not
sponding to the received username; dependent on extra elements.
(4) The ENP is decrypted (one or more times according to (2) The value space of negative passwords for a hashed
the encryption setting in the registration phase) using password is big enough for resisting precomputation
the selected symmetric-key algorithm, where the key is attacks (the analyses are presented in Section V).
the hash value of the plain password; thus, the negative (3) The NDB generation algorithms are simple and effi-
password is obtained; cient. As shown in the pseudo-code of the NDB gen-
(5) If the hash value of the received password is not the eration algorithms (i.e., Algorithm A.1 and Algorithm
solution of the negative password (verified by Algo- A.2, in the Appendix), these algorithms are easy to im-
rithm 1 or Algorithm 2), then “Incorrect username or plement and analyze; thus, it helps achieve confidence
password!” is returned, which means that the server on the use of the ENP; based on random permutation
has rejected the authentication request, and the authen- and inverse permutation, randomness is introduced to
tication phase is terminated; otherwise, “Authentication implement reversible one-to-many mapping, which is
success” is returned, which means that the server has straightforward and efficient.
accepted the authentication request. Before encryption, every entry in a negative password is
encoded as the concatenation of two-bit pairs. The two-bit
C. Encrypted Negative Password pairs have four forms: 00, 01, 10, and 11, where 00 denotes
the symbol ‘0’, 01 denotes the symbol ‘1’, and both 10 and
ENPs could be obtained through the following steps (see 11 denote the symbol ‘*’. For example, the sequence of bits
Fig. 1). The received plain password (i.e., a sequence of 00101101 denotes the entry “0**1”. Note that the symbol
characters) from a client is first hashed using a cryptographic ‘*’ is denoted by either 10 or 11 randomly instead of just
hash function. Next, the hashed password is converted into a 10 or 11, which ensures that any sequence of bits can be a
negative password using an NDB generation algorithm (i.e., legal negative password. As a result, under dictionary attack,
Algorithm A.1 or Algorithm A.2 in the Appendix). Then, adversaries cannot exclude any password in the password list
the negative password is encrypted using a symmetric-key based on the form of the negative password (i.e., not including
algorithm. Thus, the ENP is obtained. The solution of the 10 or 11).
negative password is the hash value of the received plain Moreover, multi-iteration encryption could be introduced to
password. further improve ENPs strength, which is an implementation
In the above processing, each component (i.e., the cryp- of the key stretching technique. The greater the number of
tographic hash function, the symmetric-key algorithm, and encryptions is, the more secure the ENPs are; however, the
the NDB generation algorithm) is indispensable. The cryp- authentication speed decreases. The system designer must
tographic hash function converts plain passwords to hashed balance the speed of authentication against password security,
passwords; the fixed length property of resulting hashed pass- and then selects a proper number of encryptions.
words offers convenience for the subsequent encryption, since
the length requirement for the secret key in the symmetric-
IV. T WO I MPLEMENTATIONS OF
key algorithm; and other properties (such as avalanche effect
E NCRYPTED N EGATIVE PASSWORD
and collision resistance) are also crucial factors of employing
the cryptographic hash function. The reasons for employing In this section, we propose two implementations of the
the symmetric-key algorithm are given below. The conversion ENP, including their generation algorithms and verification
from a hashed password to a negative password is not irre- algorithms. The first implementation is based on the prefix
versible; therefore, if no encryption, when an adversary obtains algorithm [30], and we call it ENPI; the second one is based
a negative password, the adversary immediately obtains the on a variant of the prefix algorithm [42], and we call it ENPII.
corresponding hashed password, which makes the strength of
the ENP equivalent to that of the hashed password essentially. A. ENPI
However, when adopting encryption, the adversary does not In ENPI, we employ the prefix algorithm [30] with permuta-
know the key (i.e., the hashed password converted from the tion (i.e., Algorithm A.1 in the Appendix) to generate negative
original plain password), so the adversary could not decrypt passwords (i.e., NDBs). Negative passwords generated by the
the ENP to get the negative password. prefix algorithm are deterministic and complete [30]. The
The NDB generation algorithm is selected for converting conversation from a hashed password (i.e., a sequence of bits)
a hashed password to the corresponding negative password; to an negative password using the prefix algorithm is one-to-
there are several reasons listed below. one; therefore, the random permutation operation is employed
(1) The NDB generation algorithm is a one-to-many map- to make the conversation from a hashed password to a negative
ping; simultaneously, it is reversible; additionally, while password one-to-many by randomly reordering the bits of the
keeping the one-to-many relationship, it does not intro- sequence. The permutation is usually written as a tuple. For
duce extra elements (such as salt). Specifically, given a instance, “abc” is permuted to “cab” by the permutation (3, 1,
hashed password, there are lots of corresponding nega- 2), since ‘c’ in “cab” is the 3rd element in “abc”, ‘a’ is the
tive passwords; a negative password has one and only 1st element, and ‘b’ is the 2nd element. A negative password
one corresponding hashed password; this conversion is in ENPI contains exactly m entries, where m is the size of

the hashed password; thus, the permutation is represented by Algorithm 1 ENPI Verification Algorithm
a tuple with m elements. Input: a hashed password hashP ;
An example is shown in Table III to illustrate the diversity of a negative password np
ENPI, where two examples (represented in hex form) of ENPI Output: true or false
converted from the plain password “password” are listed. 1: m ← LENGTH (hashP )
1) Generation Algorithm: In ENPI, Algorithm A.1 is em- 2: for i ← 1 to m with stepsize of 1 do
ployed to convert a hashed password to a negative password, 3: if NUMBERO F SP(npi ) 6= i then
where the input s is the hash value of the received plain pass- 4: return false
word, and the output ndb is the resulting negative password. 5: end if
The generation procedure of ENPI is shown by an example in 6: end for
Table IV, where the plain password “password” is converted 7: for i ← 1 to m with stepsize of 1 do
into an ENP through the processes of SHA-256, permutation, 8: if NUMBERO F SP(npi ) 6= 1 then
the prefix algorithm, inverse permutation, encoding, and AES 9: return false
encryption (the concatenation of sequences of the encoded 10: end if
negative password is encrypted through CBC mode); here, the 11: k ← INDEX O F SP(npi )
permutation is (201, 237, 97, 67, 172, 140, 9, 190, 36, 187, 12: x[k] ← ¬TO B IT(npi [k])
135, 178, 216, 222, 167, 230, 169, 49, 66, 214, 175, 98, 113, 13: for j ← i + 1 to m with stepsize of 1 do
34, 93, 11, 43, 111, 23, 40, 250, 63, 130, 215, 94, 90, 176, 14: if npj [k] 6= TO S YMBOL(x[k]) then
37, 38, 83, 27, 7, 141, 99, 10, 177, 107, 131, 217, 101, 120, 15: return false
254, 32, 242, 115, 174, 233, 58, 157, 15, 194, 46, 184, 253, 16: end if
200, 168, 236, 148, 104, 2, 17, 124, 20, 202, 80, 6, 70, 192, 17: npj [k] ←‘*’
208, 118, 180, 226, 211, 203, 225, 209, 29, 65, 136, 228, 51, 18: end for
8, 235, 96, 227, 60, 181, 26, 72, 129, 126, 77, 188, 127, 198, 19: end for
210, 159, 1, 74, 3, 185, 103, 170, 114, 47, 244, 64, 78, 18, 20: if x = hashP then
25, 162, 155, 109, 76, 116, 164, 12, 108, 232, 246, 87, 21, 21: return true
154, 161, 240, 42, 59, 134, 35, 142, 95, 143, 173, 71, 179, 22: else
88, 229, 147, 41, 238, 61, 158, 146, 138, 196, 212, 204, 197, 23: return false
241, 182, 85, 30, 55, 186, 234, 91, 52, 13, 73, 28, 199, 218, 24: end if
206, 163, 205, 56, 213, 39, 221, 82, 4, 224, 156, 193, 256,
248, 62, 219, 165, 48, 151, 54, 149, 231, 239, 132, 195, 102,
125, 75, 92, 57, 128, 105, 44, 69, 220, 19, 14, 112, 86, 255, index of the only specified position in x; TO B IT(sym) at Line
33, 166, 79, 53, 31, 24, 84, 100, 223, 117, 122, 5, 160, 153, 12 converts the symbol sym to the corresponding bit (i.e., ‘0’
45, 191, 183, 121, 245, 207, 145, 133, 189, 123, 247, 50, 251, to 0 and ‘1’ to 1; before conversion, the symbol sym has
144, 139, 68, 110, 81, 252, 137, 249, 171, 152, 106, 243, 119, ensured to be ‘0’ or ‘1’); conversely, TO S YMBOL(b) at Line
22, 150, 16, 89). 14 converts the bit b to the corresponding symbol (i.e., 0 to
2) Verification Algorithm: After a user submits his/her ‘0’ and 1 to ‘1’). Satisfying the conditions at Lines 3, 8, and
username and plain password, the server first finds the corre- 14 illustrates that np is not an output of Algorithm A.1, i.e.,
sponding ENP in the authentication data table according to the np is a illegal negative password in ENPI, and the algorithm
username. Next, the plain password is hashed and the ENP is is terminated in advance. If the negative password is legal,
decrypted. Then, the hashed password is verified to determine when judging the legitimacy, the negative password is solved,
whether it is the solution of the negative password decrypted and then we determine whether the solution and the hashed
from the ENP. password are equal.
The responsibility of the ENP verification algorithm is The verification procedure of ENPI is shown by an example
to verify whether a hashed password is the solution of a in Table V, where an ENP (converted from the plain password
negative password. Before verifying the correctness, the ENP “password”) is converted into a sequence of bits (i.e., x)
verification algorithm needs to verify whether the inputted through the processes of AES decryption (the key is the
negative password is legal. From Algorithm A.1, it can be hash value of “password”), decoding, and solving the negative
inferred that a legal negative password in ENPI satisfies three password; the numbers 1, 2, · · · , 256 correspond to i at Line
conditions: (1) the ith entry has i specified positions, (2) for 7 in Algorithm 1, and the np and x following the i are the
each entry, there is only one specified symbol that does not current states of the negative password and the solution of the
match the corresponding bit of the original hashed password, negative password after the ith pass in the loop at Lines 7–19
and these specified symbols are at different positions, and (3) in Algorithm 1; and the final x is equal to the hash value of
the specified positions of any entry (except the first entry) the plain password “password”.
cover that of its preceding one.
The pseudo-code of the ENPI verification algorithm is
shown in Algorithm 1, where npi is the ith entry in np; B. ENPII
NUMBERO F SP(x) at Lines 3 and 8 counts the number of By comparison with ENPI, more randomization is intro-
specified positions in x; INDEX O F SP(x) at Line 11 finds the duced into ENPII, which is based on a variant of the prefix

TABLE III
T HE DIVERSITY OF ENPI.

Example 1 Example 2
286B51A725585A8673C12C0546527C12DBD56FDB4AC40D5D17D205577CB9D7EE 01178ABF97F3229B21BEB04D30816E6C060AF05E1F6BD563BC88B603050AA4B0
1 1
A37A3D4529B5F1C21E5342C70023DB86AC086F3DDE42577500DBEE0E4AF8DE76 C0B30E044A904A3C3A56FEE4FA4342FA22A5FABE17DDC2208B46180FCAD48D60
E79E9A9B2D57F48A76F641B5769840719B54F659234B4B05A4755CA9F143B310 5F0E5902FAB912AF6CFC2328AFE96B27E04BC26887A58B774F64BFDF4B569866
2 2
05F44FF189AAFEC194768236C421D314AD53064FE9A2B8F72711DEC58571F9A2 40C35BC9FD4651F9FCDBA5BCF8F57D1E5EB3CE336CC890E9B97C63AE14F1CE2F
1A8E9764D3D953D7BBF630132507C4FF48F0DB1D082C180575AFDC69268A02E1 0AC96B68AB8423B9D9C6115CFC12A81546C8F647A6D9C289946914B2221BCE5A
3 3
3DFC1CFAEF3CC637B4C0D1979EA848443C15637A9A618AD536EA36A4ED105CDB D726CC4E076AFC98CCC20293EDC38E8E25B6F7104A1BB556C52B10911CEB7110
··· ······ ··· ······
9785D274D99C13FA98511956835F7D33DEA711B6BB49DA3FD6C1AFAD2D517286 29731731DAF4FDC07DC104C3A386D1D81429D910F889EB197A9F6C90BFFFFD22
254 254
90A89E41FB18CC31740E11D5F5246AA8FC7F6F51919F421E6342051F2745A31A 9D79BE43BD02ABF616065C03D8C92015F866A98BD868662746D6815F389C48BD
9C4F7281500214BCF0A908EF3085BD85785C9C21DA2AEC31A42B527DF798F965 7451B1E4FD091B3F736CDB2697BCF6088E222A3094AD0DA1A85AEE952268B81D
255 255
85BAC8816281A3F9C5511BC683E6AF87B4639B64D01135F38BB50AB8BAC23E4A B1FF40D5B5F1D65F9C96A232392336EF857F2AF122FCF7A189B7B3A69EB03C78
31A5A3A25AB81B74F7C61E7CB0A71CE04CCF864350878843EF13A60B003674C4 4255789DA4736ACF9BAD51DB06A60DAACB6810BB4C6F526F5369253ED74D60A5
256 256
59364AB5FE2AC5302DABE22FF74AE9C7DF2DCB279A9B5C68CDE8F500A630EC2C B04E7CE836E29ED1A2A596DE91FF52484122E878FB5C4443F24E9B3E6CF47A0F

TABLE IV
T HE GENERATION PROCEDURE OF ENPI.

Plain password “password”

01011110100010000100100010011000110110100010100000000100011100010101000111010000111001010110111110001101110001100010100100100111
Hashed password 01110011011000000011110100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000

Hashed password 00100011101010111011100110110010111111010100010101100110011000110011110000010010101001101100010110101011010010100000101110010000

after π 10010010100010101111010101001101000101011111010011011000000110011001110000110010001010000000110110110000000110001111101111000100

“1*******************************************************************************************************************************
1
********************************************************************************************************************************”
“01******************************************************************************************************************************
2
********************************************************************************************************************************”
“000*****************************************************************************************************************************
3
Negative password ********************************************************************************************************************************”
··· ······
before π 0 “00100011101010111011100110110010111111010100010101100110011000110011110000010010101001101100010110101011010010100000101110010000
254
100100101000101011110101010011010001010111110100110110000001100110011100001100100010100000001101101100000001100011111011110000**”
“00100011101010111011100110110010111111010100010101100110011000110011110000010010101001101100010110101011010010100000101110010000
255
1001001010001010111101010100110100010101111101001101100000011001100111000011001000101000000011011011000000011000111110111100011*”
“00100011101010111011100110110010111111010100010101100110011000110011110000010010101001101100010110101011010010100000101110010000
256
10010010100010101111010101001101000101011111010011011000000110011001110000110010001010000000110110110000000110001111101111000101”
“********************************************************************************************************************************
1
************************************************************************1*******************************************************”
“********************************************************************************************************************************
2
************************************************************************0***********************************1*******************”
“************************************************************************************************0*******************************
3
Negative password ************************************************************************0***********************************0*******************”
··· ······
after π 0 “010111101000100*010010001001100011011010001010000000010001110001010100011101000011100101*110111110001101110001100010100100100111
254
01110011011000000011100100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000”
“0101111010001001010010001001100011011010001010000000010001110001010100011101000011100101*110111110001101110001100010100100100111
255
01110011011000000011110100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000”
“01011110100010000100100010011000110110100010100000000100011100010101000111010000111001011110111110001101110001100010100100100111
256
01110011011000000011110100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000”
1 EEFBFBBBEABAAFBABAEEEFBEFBBBFEBAEFAEEFFABEEEAABFAFBFEEBAFAFEFEBEBEBAFBBFFEBBFFBBAEABFBFEABEAAEABBEFE6FEABAFEAABEAFAAEBBBBFBAEAFE
2 BAABBFEFAEBEBEBBEBBFFEFBFBAFFEAFEFAFBFBBEAABBEEEFFBFAFFBAAEFAEABBEABEABFEEEEEBEFEBBEBAFAAAAABAABBBBE3AAAEEEABAAFAEBBBF6AEBBFAAFB
Negative password 3 EBAFAAFEABEFABFFAFBABABAAEAEFEBEFAFABBEEFABAEFEA2FABBEEBBABAABBFAFABBEBFEEEFFEEFAAFBFFABEBEBAABBBFBB3FAFAAEBEBEFABFABB3BBFEABAAE
··· ······
after encoding 254 11544043104041405144044000101501110151005411D45540515014044104151505140005410051144444454551511404440101545515040151011110045140
255 11544041104041405144044000101501110151005411945540515014044104151505140005510051144444454551511404440101545515040151011110045140
256 11544040104041405144044000101501110151005411545540515014044104151505140005510051144444454551511404440101545515040151011110045140
1 286B51A725585A8673C12C0546527C12DBD56FDB4AC40D5D17D205577CB9D7EEA37A3D4529B5F1C21E5342C70023DB86AC086F3DDE42577500DBEE0E4AF8DE76
2 E79E9A9B2D57F48A76F641B5769840719B54F659234B4B05A4755CA9F143B31005F44FF189AAFEC194768236C421D314AD53064FE9A2B8F72711DEC58571F9A2
3 1A8E9764D3D953D7BBF630132507C4FF48F0DB1D082C180575AFDC69268A02E13DFC1CFAEF3CC637B4C0D1979EA848443C15637A9A618AD536EA36A4ED105CDB
ENP ··· ······
254 9785D274D99C13FA98511956835F7D33DEA711B6BB49DA3FD6C1AFAD2D51728690A89E41FB18CC31740E11D5F5246AA8FC7F6F51919F421E6342051F2745A31A
255 9C4F7281500214BCF0A908EF3085BD85785C9C21DA2AEC31A42B527DF798F96585BAC8816281A3F9C5511BC683E6AF87B4639B64D01135F38BB50AB8BAC23E4A
256 31A5A3A25AB81B74F7C61E7CB0A71CE04CCF864350878843EF13A60B003674C459364AB5FE2AC5302DABE22FF74AE9C7DF2DCB279A9B5C68CDE8F500A630EC2C

algorithm [30] (i.e., Algorithm A.2 in the Appendix), which word, where the input s is the hash value of the received
has been proven to be complete [42] and is easy to solve. A plain password, and the output ndb is the resulting negative
negative password in ENPII contains exactly m + 4 entries, password.
where m is the size of the hashed password, and every entry 2) Verification Algorithm: In this subsection, we propose
has exactly three specified positions. Besides the permutation, a method for verifying whether a hashed password is the
more randomization is introduced during the conversion from solution of a negative password in ENPII.
an entry to an entry that only contains three specified positions. Firstly, the ENPII verification algorithm verifies whether
1) Generation Algorithm: In ENPII, Algorithm A.2 is the inputted negative password is legal. From Algorithm A.2,
employed to convert a hashed password to a negative pass- it can be inferred that a legal negative password in ENPII

TABLE V
T HE VERIFICATION PROCEDURE OF ENPI.

1 286B51A725585A8673C12C0546527C12DBD56FDB4AC40D5D17D205577CB9D7EEA37A3D4529B5F1C21E5342C70023DB86AC086F3DDE42577500DBEE0E4AF8DE76
2 E79E9A9B2D57F48A76F641B5769840719B54F659234B4B05A4755CA9F143B31005F44FF189AAFEC194768236C421D314AD53064FE9A2B8F72711DEC58571F9A2
3 1A8E9764D3D953D7BBF630132507C4FF48F0DB1D082C180575AFDC69268A02E13DFC1CFAEF3CC637B4C0D1979EA848443C15637A9A618AD536EA36A4ED105CDB
ENP ··· ······
254 9785D274D99C13FA98511956835F7D33DEA711B6BB49DA3FD6C1AFAD2D51728690A89E41FB18CC31740E11D5F5246AA8FC7F6F51919F421E6342051F2745A31A
255 9C4F7281500214BCF0A908EF3085BD85785C9C21DA2AEC31A42B527DF798F96585BAC8816281A3F9C5511BC683E6AF87B4639B64D01135F38BB50AB8BAC23E4A
256 31A5A3A25AB81B74F7C61E7CB0A71CE04CCF864350878843EF13A60B003674C459364AB5FE2AC5302DABE22FF74AE9C7DF2DCB279A9B5C68CDE8F500A630EC2C
1 EEFBFBBBEABAAFBABAEEEFBEFBBBFEBAEFAEEFFABEEEAABFAFBFEEBAFAFEFEBEBEBAFBBFFEBBFFBBAEABFBFEABEAAEABBEFE6FEABAFEAABEAFAAEBBBBFBAEAFE
2 BAABBFEFAEBEBEBBEBBFFEFBFBAFFEAFEFAFBFBBEAABBEEEFFBFAFFBAAEFAEABBEABEABFEEEEEBEFEBBEBAFAAAAABAABBBBE3AAAEEEABAAFAEBBBF6AEBBFAAFB
Negative password 3 EBAFAAFEABEFABFFAFBABABAAEAEFEBEFAFABBEEFABAEFEA2FABBEEBBABAABBFAFABBEBFEEEFFEEFAAFBFFABEBEBAABBBFBB3FAFAAEBEBEFABFABB3BBFEABAAE
··· ······
after decryption 254 11544043104041405144044000101501110151005411D45540515014044104151505140005410051144444454551511404440101545515040151011110045140
255 11544041104041405144044000101501110151005411945540515014044104151505140005510051144444454551511404440101545515040151011110045140
256 11544040104041405144044000101501110151005411545540515014044104151505140005510051144444454551511404440101545515040151011110045140
“********************************************************************************************************************************
1
************************************************************************1*******************************************************”
“********************************************************************************************************************************
2
************************************************************************0***********************************1*******************”
“************************************************************************************************0*******************************
3
Negative password ************************************************************************0***********************************0*******************”
··· ······
after decoding “010111101000100*010010001001100011011010001010000000010001110001010100011101000011100101*110111110001101110001100010100100100111
254
01110011011000000011100100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000”
“0101111010001001010010001001100011011010001010000000010001110001010100011101000011100101*110111110001101110001100010100100100111
255
01110011011000000011110100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000”
“01011110100010000100100010011000110110100010100000000100011100010101000111010000111001011110111110001101110001100010100100100111
256
01110011011000000011110100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000”
“********************************************************************************************************************************
1
************************************************************************1*******************************************************”
“********************************************************************************************************************************
2
************************************************************************************************************1*******************”
np ··· ······
i=1 “0101111010001001010010001001100011011010001010000000010001110001010100011101000011100101*110111110001101110001100010100100100111
255
011100110110000000111101000011010110101010101011101111011101011000101010*0010001111011110111001000011101000101010100001011011000”
“01011110100010000100100010011000110110100010100000000100011100010101000111010000111001011110111110001101110001100010100100100111
256
011100110110000000111101000011010110101010101011101111011101011000101010*0010001111011110111001000011101000101010100001011011000”
________________________________________________________________________________________________________________________________
x ________________________________________________________________________0_______________________________________________________
“********************************************************************************************************************************
1
************************************************************************1*******************************************************”
“********************************************************************************************************************************
2
************************************************************************************************************1*******************”
np ··· ······
i=2 “0101111010001001010010001001100011011010001010000000010001110001010100011101000011100101*110111110001101110001100010100100100111
255
011100110110000000111101000011010110101010101011101111011101011000101010*00100011110111101110010000111010001*1010100001011011000”
“01011110100010000100100010011000110110100010100000000100011100010101000111010000111001011110111110001101110001100010100100100111
256
011100110110000000111101000011010110101010101011101111011101011000101010*00100011110111101110010000111010001*1010100001011011000”
________________________________________________________________________________________________________________________________
x ________________________________________________________________________0___________________________________0___________________

··· ······
“********************************************************************************************************************************
1
************************************************************************1*******************************************************”
“********************************************************************************************************************************
2
************************************************************************************************************1*******************”
np ··· ······
i = 255 “***************1****************************************************************************************************************
255
********************************************************************************************************************************”
“****************************************************************************************1***************************************
256
********************************************************************************************************************************”
0101111010001000010010001001100011011010001010000000010001110001010100011101000011100101_110111110001101110001100010100100100111
x 01110011011000000011110100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000
“********************************************************************************************************************************
1
************************************************************************1*******************************************************”
“********************************************************************************************************************************
2
************************************************************************************************************1*******************”
np ··· ······
i = 256 “***************1****************************************************************************************************************
255
********************************************************************************************************************************”
“****************************************************************************************1***************************************
256
********************************************************************************************************************************”
01011110100010000100100010011000110110100010100000000100011100010101000111010000111001010110111110001101110001100010100100100111
x 01110011011000000011110100001101011010101010101110111101110101100010101000010001111011110111001000011101000101010100001011011000

satisfies four conditions: (1) every entry has three specified and these specified symbols are at different positions, and (4)
positions, (2) the last six entries can be merged into two after merging, any specified position (except the one where the
entries, (3) after merging, the last entry has one specified symbol does not match the corresponding bit of the original
position; the penultimate entry has two specified positions; for hashed password) of any entry (except the last one) must also
each entry, there is only one specified symbol that does not be a specified position of its latter any entry.
match the corresponding bit of the original hashed password, The pseudo-code of the ENPII verification algorithm is

shown in Algorithm 2, where NUMBERO F DS(x, y) at Lines Algorithm 2 ENPII Verification Algorithm
7 and 14 counts the number of different symbols between x Input: a hashed password hashP ;
and y (Note that ‘*’ and ‘0’ or ‘1’ are different); MERGE(x, y) a negative password np
at Lines 10, 11, 12, and 17 constructs one entry that has the Output: true or false
symbol ‘*’ at the position where x (or y) has the symbol 1: m ← LENGTH (hashP )
‘0’, and y (or x) has the symbol ‘1’, and the same symbols 2: for i ← 1 to m + 4 with stepsize of 1 do
at other positions with x and y (Before merging, we have 3: if NUMBERO F SP(npi ) 6= 3 then
ensured that x and y have different specified symbols at only 4: return false
one specified position and the same symbols at the other 5: end if
positions). Satisfying the conditions at Lines 3, 7, 14, 20, and 6: end for
26 illustrates that np is not an output of Algorithm A.2, i.e., the 7: if NUMBERO F DS(npm−1 , npm ) 6= 1 or
np is a illegal negative password in ENPII, and the algorithm is NUMBERO F DS(npm+1 , npm+2 ) 6= 1 or
terminated in advance. If the negative password is legal, when NUMBERO F DS(npm+3 , npm+4 ) 6= 1
judging the legitimacy, the negative password is solved, and then
then the solution and hashed password are tested for equality. 8: return false
9: else

C. The performances of ENP 10: npm−1 ← MERGE(npm−1 , npm )

11: npm+1 ← MERGE(npm+1 , npm+2 )
From the pseudo-code of Algorithm A.1, Algorithm 1, 12: npm+3 ← MERGE(npm+3 , npm+4 )
Algorithm A.2 and Algorithm 2, we could know that the 13: end if
time complexity of the generations of both ENPI and ENPII 14: if NUMBERO F DS(npm+1 , npm+3 ) 6= 1 then
is O(m2 ), and the time complexity of the verifications of 15: return false
both ENPI and ENPII is also O(m2 ), where m is the length 16: else
of the hashed password in the ENP. Since the length of the 17: npm ← MERGE(npm+1 , npm+3 )
hashed passwords in the ENP is smaller, the generation and 18: end if
verification of the ENP are efficient. 19: for i ← m to 1 with stepsize of −1 do
20: if NUMBERO F SP(npi ) 6= 1 then
V. A NALYSES 21: return false
22: end if
A. Notation
23: k ← INDEX O F SP(npi )
For convenience, we first introduce notation that will be 24: x[k] ← ¬TO B IT(npi [k])
used in this section and Section VI. 25: for j ← i − 1 to 1 with stepsize of −1 do
• Nd : the number of elements in a password list; 26: if npj [k] 6= TO S YMBOL(x[k]) or ‘*’ then
• Np : the number of passwords to be cracked; 27: return false
• Th : the time spent on executing a cryptographic hash 28: end if
function; 29: npj [k] ← ‘*’
• Tks : the time spent on executing a key stretching algo- 30: end for
rithm; 31: end for
• Te : the time spent on executing the encryption of a 32: if x = hashP then
symmetric-key algorithm; 33: return true
• Td : the time spent on executing the decryption of a 34: else
symmetric-key algorithm; 35: return false
• Tm hash : the time spent on determining whether two 36: end if
hash values match;
• Tm ks : the time spent on determining whether two pass-
words enhanced by a key stretching algorithm match;
• Tm N P : the time spent on determining whether a hashed lookup table attack, rainbow table attack, or advanced dic-
password matches a negative password, i.e., whether the tionary attack (widely used in hashcat [20]). According to
hashed password is the solution of the negative password; whether the precomputation technique is used, these attacks
• l: the size of the salt (usually is sufficiently large); could be divided into two categories: the first includes lookup
• m: the size of the hash value (usually is 128, 160, 256, table attack and rainbow table attack, and the second includes
or 512 bits). brute force attack, dictionary attack, reverse lookup table
attack, and advanced dictionary attack. In the first category,
owing to the precomputation technique, both lookup table
B. Attack Models attack and rainbow table attack are effective methods to
After obtaining an authentication data table, in order to quickly crack lots of passwords, and the latter could attempt
crack the passwords in the table, adversaries may adopt brute more possible passwords for its space-time tradeoff. In the
force attack, dictionary attack, lookup table attack, reverse second category, all four attacks simply attempt every possible

password in the password list, and the difference of these a plain password is equal to the number of permutations, which
four attacks is the construction of the password list. The is calculated by
password list in brute force attack consists of all combinations
of characters in a given character set; the password list NEN P I = m!. (1)
in dictionary attack and reverse lookup table attack usually
Besides the random permutation, the randomization during
consists of frequently-used passwords; advanced dictionary
encoding ‘*’ further improves the diversity of ENPs. However,
attack exploits users’ habits of constructing passwords, so that
for the simplification of analyses, this randomization is not
it could construct more complicated and effective password
counted. The same simplification is performed for ENPII.
candidates. In addition, the reverse lookup table attack could
In the case of ENPII, the conversion from a hashed pass-
simultaneously find passwords of several users for reusability
word to a negative password in ENPII is considered to include
of passwords. Without loss of generality, we select lookup
two steps below.
table attack (from the first category) and dictionary attack
(from the second category) to analyze the effectiveness of (1) The hashed password is converted into a negative
our scheme. The detailed descriptions of these two attacks password in ENPI;
are given below. (2) The resulting negative password is converted into a
1) Lookup Table Attack: When carrying out lookup ta- negative password in ENPII.
ble attack, an adversary first prepares a password list, that Both Step (1) and Step (2) cause diversity of ENPs. There-
usually consists of frequently-used passwords, concatenations fore, the number of ENPs converted from a plain password is
of words in a vocabulary list, etc. Then, a lookup table is calculated by
constructed, where the keys are encrypted passwords converted
from elements in the password list by an encryption algorithm, m−1 m−2 m−2
NEN P II = ∗ ∗
and the records are the corresponding plain passwords (i.e., 1 1 1
the elements in the password list). After these preparations m−1 (2)
m−2 Y i
are complete, the adversary steals an authentication data table ∗ ∗ ∗ m!,
in some way (assuming that the encryption algorithm used in 1 i=2
2
this authentication data table is the same as that used in the
where the first part (i.e., m−1
m−2 m−2 m−2
1 ∗ 1 ∗ 1 ∗ 1 ∗
prepared lookup table). Finally, for every encrypted password m−1
Q i
in the authentication data table, the adversary searches for the 2 ) is the number of the negative passwords in ENPII
original plain password by matching the encrypted password i=2
converted from a negative password in ENPI, and the second
and the keys in the lookup table. Note that the adversary could part (i.e., m!) is the number of negative passwords in ENPI
shorten the search time by adopting binary search algorithm converted from a hashed password. Each part of Equation
or the data structure of hash table. (2) is caused by the randomness in the code of Algorithm
2) Dictionary Attack: When carrying out dictionary attack,
on below. The m−1 ∗ m−2

A.2, which we expand 1 1 in
an adversary first steals an authentication data table. Next, m−1
m−2 m−2
1 ∗ 1 ∗ 1 is caused by the randomness in the
the adversary prepares the same password list with lookup
code at Line 20; the last m−2
m−1 m−2 m−2
1 in 1 ∗ 1 ∗ 1
table attack. Finally, for every encrypted password in the
is caused by the randomness in the code at Line 24; the
authentication data table, the adversary converts each element
subsequent m−2 1 is caused by the randomness in the code
in the password list to ciphertext (assuming that the adversary
at Line 15; the 2i is caused by the randomness in the code
knows the encryption algorithm used in the authentication
at Line 7.
data table) and determines whether the ciphertext matches
To
simplify Equation (2), we substitute Equation (3) and
the encrypted password. If a match is found, the adversary m
immediately obtains the original plain password (i.e., the 1 = m into Equation (2). Thus, we obtain Equation (4).

current element in the password list).

m−1
Y
i (m − 1)!(m − 2)!
C. Attack Complexity Analyses = (3)
i=2
2 2m−2
In this subsection, we first explain that the ENP is able to
resist lookup table attack. Then we analyze the attack com- NEN P II = {(m − 1) ∗ (m − 2) ∗ (m − 2)}
plexity of the ENP under dictionary attack, which meanwhile
(m − 1)!(m − 2)!
serves as the basis for the next section. ∗ (m − 2) ∗ ∗ m!
1) Lookup Table Attack: If an adversary intends to crack 2m−2
(m − 2)3 (m − 1)!(m − 1)!m! (4)
ENPs using lookup table attack, because there are lots of =
2 m−2
corresponding ENPs for a given plain password, the adversary
must first compute all possible ENPs for every element in the [(m − 2)m!]3
= (m−2) 2
password list. Thus, we first calculate the number of possible 2 m
ENPs converted from a plain password in the cases of both In conclusion, under lookup table attack, the size of the
ENPI and ENPII. lookup table (i.e., space complexity) is (Nd ∗ m!) when
3
In the case of ENPI, the random permutation causes the adopting ENPI to protect passwords or (Nd ∗ [(m−2)m!]
2(m−2) m2
)
diversity of ENPs. Hence, the number of ENPs converted from when adopting ENPII. Note that the size of the lookup table

increases quickly with the size of the hashed password. The 2) Salted Password: In order to resist lookup table attack,
size of the hash password is usually 128, 160, 256, or 512, so salt is introduced to improve the security of hashed passwords
that the size of the lookup table is too big to be precomputed [17]. Salted passwords can be calculated by
for the limits of storage resources. Therefore, the ENP is able
hashPsalt = HASH (pplain ||salt), (6)
to resist lookup table attack.
2) Dictionary Attack: If adversaries intend to crack ENPs where “||” is a concatenation operator, and hashPsalt is the
using dictionary attack, for each ENP in the authentication salted password. Note that the salt can also be on the left of
data table, they verify every password in the password list. pplain .
They first hash the password in the password list to a hashed In the case of salted passwords, the parameter of the
password. Next, they decrypt the ENP, where the key is the cryptographic hash function is the concatenation of a plain
hashed password. Then, they determine whether the hashed password and a salt. The size of the salt is usually sufficiently
password is the solution of the negative password using large, and the salt usually is generated at random; hence,
Algorithm 1 or Algorithm 2; the success indicates that the the salted passwords of the same plain passwords are almost
adversaries crack this ENP. From the above procedure, we always different. When the size of salt is l, the value space
could conclude that the time complexity of cracking passwords of the salt is 2l ; hence, if an adversary intends to crack
is O(Nd ∗ Np ∗ (Th + Td + Tm N P )); when multi-iteration passwords using lookup table attack, the size of the lookup
encryption is employed, the time complexity is O(Nd ∗ Np ∗ table is Nd ∗2l . Note that the size of the lookup table increases
(Th +n∗Td +Tm N P )), where n is the number of decryptions. exponentially with the size of the salt. When the size of the
salt is sufficiently large, the size of the lookup table is too
VI. D ISCUSSION big to precompute the lookup table for the limits of storage
In order to further highlight the advantages of our scheme, resources. Therefore, salted passwords are able to resist lookup
in this section, we analyze and compare the attack complexity table attack. Also, since the lookup table cannot be prepared
of our scheme with that of typical password storage schemes in advance, the adversary cannot reduce the time complexity
(i.e., hashed password, salted password and key stretching) by adopting binary search algorithm or hash table.
under lookup table attack and dictionary attack. However, after an adversary gathers salted passwords and
their corresponding salts, the adversary may adopt dictionary
A. Attack Complexity Analyses attack to crack passwords. For a given salted password and
1) Hashed Password: Hashed password [17] is a widely its salt, the adversary must hash every concatenation of each
used scheme to protect passwords in an authentication data element in the password list and the salt, and then determine
table. Hashed passwords can be calculated by whether the result matches the original salted password. Since
the number of concatenations is Nd for a given salted pass-
hashP = HASH (pplain ), (5)
word, the time complexity of cracking all passwords using
where HASH is a cryptographic hash function, such as SHA- dictionary attack is O(Nd ∗ Np ∗ (Th + Tm hash )).
256, pplain is a plain password, and hashP is the hash value 3) Key Stretching: Key stretching is the technique that
of pplain . makes passwords more secure by increasing the time used
In the hashed password scheme, the passwords in the au- to test every password in the password list. The relevant
thentication data table are the hash values of plain passwords. algorithms include bcrypt [23], scrypt [24] and Argon2 [25],
Hashed passwords could be easily cracked by precomputation etc. Generally, the function that enhances passwords using the
attacks, and the reasons are as follows. For a given plain key stretching algorithm could be expressed as
password, the corresponding hashed password is determined,
ksPsalt = KS(“cost f actor”, pplain , salt), (7)
so that adversaries could precompute the hash values of
all elements in the password list; these hashed passwords where KS is a key stretching algorithm; the “cost factor”
constitute the keys of the lookup table, and the records are denotes parameters used to control the usage of computing
the corresponding elements in the password list. Therefore, resources (including processor and memory) in each run of the
the time complexity of precomputing the lookup table is key stretching algorithm; ksPsalt is the password enhanced by
O(Nd ∗ Th ), and the size of the lookup table is Nd . The the key stretching algorithm.
lookup table could be reused. After constructing the lookup As with the salted password scheme, salt is also used in the
table, when a linear search algorithm is adopted to search key stretching scheme to increase the diversity of passwords.
hashed passwords in the lookup table, the time complexity Besides adding some randomness through salt, one of the
of cracking passwords is O(Nd ∗ Np ∗ Tm hash ). In addition, most significant features of the key stretching scheme is the
smart adversaries could sort the hashed passwords in the controllability for the usage of computing resources in every
lookup table, then adopt binary search algorithm to shorten run. Hence, the generation of the lookup table under the key
the search time; in this case, the time complexity of cracking stretching scheme could be more difficult than that under
passwords is O(log(Nd )∗Np ∗Tm hash ). Furthermore, through the salted password scheme. Consequently, the key stretching
the data structure of hash table, the time complexity of scheme could better resist lookup table attack.
cracking passwords could be decreased to O(1∗Np ∗Tm hash ). In addition, the controllability for the usage of computing
Therefore, hashed passwords are vulnerable under lookup table resources is also important for resisting dictionary attack.
attack. Under the key stretching scheme, the time complexity of

TABLE VI
T HE COMPARISONS OF ATTACK COMPLEXITY.

Lookup table attack Dictionary attack

Schemes
Time complexity* Space complexity Time complexity Space complexity

Hashed password O(Nd ∗ Np ∗ Tm hash ) O(Nd ) O(Nd ∗ Np ∗ (Th + Tm hash )) O(1)

Salted password O(Nd ∗ 2l ∗ Np ∗ Tm hash ) O(Nd ∗ 2l ) O(Nd ∗ Np ∗ (Th + Tm hash )) O(l)

Key stretching O(Nd ∗ 2l ∗ Np ∗ Tm ks ) O(Nd ∗ 2l ) O(Nd ∗ Np ∗ (Tks + Tm ks )) O(l)

ENPI O(Nd ∗ m! ∗ Np ∗ Tm NP ) O(Nd ∗ m!) O(Nd ∗ Np ∗ (Th + [n∗]Td + Tm N P )) O(m2 )

3 3
[(m−2)m!] [(m−2)m!]
ENPII O(Nd ∗ ∗ Np ∗ Tm NP ) O(Nd ∗ ) O(Nd ∗ Np ∗ (Th + [n∗]Td + Tm N P )) O(m2 )
2(m−2) m2 2(m−2) m2

* The time complexity under lookup table attack is based on linear search algorithm, and considers that the lookup table has been generated.

cracking passwords using dictionary attack is O(Nd ∗ Np ∗ ENP does that through multi-iteration encryption (i.e., in-
(Tks + Tm ks )); the value of Tks is controllable and could be creasing the n in the time complexity of cracking ENPs
large; and the larger Tks (i.e., the higher resource cost) in every using dictionary attack; thus, at the time of cracking ENPs,
password attempt makes it more difficult to crack passwords adversaries need to execute the decryption the equal number of
using dictionary attack. times with the encryption; the greater the number of encryption
times is, the more difficult it is to crack ENPs using dictio-
nary attack), while key stretching does that through raising
B. Comparisons
higher resource demands (i.e., increasing the Tks ), including
In order to clearly compare the attack complexity of hashed processor resources and memory resources. In addition, the
password, salted password, key stretching and the ENP, the latest key stretching algorithms, such as Argon2 [25], employ
time complexity and space complexity under lookup table the memory-hard function [49] to defend against hardware
attack and dictionary attack are listed in Table VI. approaches based on FPGAs, GPUs, or ASICs. Since the
1) Under Lookup Table Attack: Table VI shows that, under flexibility of our scheme, the key stretching algorithm could
lookup table attack, the space requirement of hashed password replace the cryptographic hash function in our scheme as
could be easily satisfied, and the time complexity is also a component to make the ENP feasible to resist hardware
low, so it is the most vulnerable password protection scheme approaches. Moreover, by comparison with the key stretching
among these schemes. However, it is difficult to meet the space scheme, the ENP takes advantage of symmetric encryption
requirements of salted password, key stretching, and the ENP; to protect passwords, which further improves the strength
consequently, they could resist lookup table attack. In addition, of passwords; and the ENP does not introduce salt to resist
the space complexity of the ENP (both ENPI and ENPII) is precomputation attacks, which is the unique advantage of our
larger than that of salted password and key stretching when scheme.
l = m, which makes the ENP better protected against lookup
table attack than salted password and key stretching. It is
worth mentioning that the ENP could guarantee the diversity of C. Advantages
encrypted passwords by itself; that is to say, our scheme could 1) No Dependence on Salt: Adding salts is a widely used
resist lookup table attack without introducing extra elements method to resist precomputation attacks, however, it tends to
(e.g., salt). be implemented by mistake (such as salt reuse and short salt),
2) Under Dictionary Attack: By comparison with lookup which poses a potential security exposure and puts higher
table attack, nothing (such as the lookup table) needs to be requirement on programmers. In addition, programmers need
precomputed and stored under dictionary attack; the only thing to pay attention to the storage and usage of salts. Conversely,
that adversaries need to do is to attempt every password in the ENP only needs to select a pair of cryptographic hash
the password list for cracking passwords. Hence, our focus function and symmetric-key algorithm without the need for
for attack complexity analyses under dictionary attack is on extra elements (such as salt), which indicates that our scheme
the time complexity. From Table VI, we could see that the is programmer-friendly.
time complexity of the ENP is obviously higher than that of 2) Resistance to Lookup Table Attack: Given a plain pass-
hashed password and salted password (since Th + [n∗]Td + word, there are lots of corresponding ENPs, i.e., the ENPs
Tm N P is larger than Th + Tm hash ); consequently, the ENP converted from the same password are almost always different,
has higher security than hashed password and salted password which makes it effectively resist lookup table attack. Further-
under dictionary attack. more, for the same passwords of a user in different systems,
The thing that we could do to defend against dictionary because the corresponding ENPs are almost always different,
attack is to increase the time used to test every possible even if an adversary obtains two ENPs in different authentica-
password, and then make dictionary attack ineffective. The tion data tables from different systems, the adversary cannot

determine whether the original plain passwords corresponding Algorithm A.1 Prefix Algorithm with Permutation
to the two ENPs are the same. Input: a sequence of bits s
3) Resistance to Dictionary Attack: In the ENP, multi- Output: an NDB ndb
iteration encryption is used to defend against dictionary attack 1: ndb ← an empty list
by making every password attempt consume more time. Even 2: permutedBits ← π(s)
though hardware approaches are used, the passwords generated 3: m ← LENGTH (permutedBits)
by our scheme are still strong, since our scheme could not 4: for i ← 1 to m with stepsize of 1 do
only increase the number of encryptions, but also replace the 5: x ← CREATE S EQUENCE O F S YMBOLS(m)
cryptographic hash function with a key stretching algorithm. 6: for j ← 1 to i − 1 with stepsize of 1 do
7: x[j] ← TO S YMBOL(permutedBits[j])
VII. C ONCLUSIONS AND F UTURE W ORK 8: end for
In this paper, we proposed a password protection scheme 9: x[i] ← TO S YMBOL(¬(permutedBits[i]))
called ENP, and presented a password authentication frame- 10: for j ← i + 1 to m with stepsize of 1 do
work based on the ENP. In our framework, the entries in the 11: x[j] ← ‘*’
authentication data table are ENPs. In the end, we analyzed 12: end for
13: APPEND (ndb, π 0 (x))
and compared the attack complexity of hashed password,
14: end for
salted password, key stretching and the ENP. The results show
15: return ndb
that the ENP could resist lookup table attack and provide
stronger password protection under dictionary attack. It is
worth mentioning that the ENP does not need extra elements Algorithm A.2 Variant of the Prefix Algorithm
(e.g., salt) while resisting lookup table attack. Input: a sequence of bits s
In the future, other NDB generation algorithms will be Output: an NDB ndb
studied and introduced to the ENP to further improve password 1: ndb ← an empty list
security. Furthermore, other techniques, such as multi–factor 2: permutedBits ← π(s)
authentication and challenge–response authentication, will be 3: m ← LENGTH (permutedBits)
introduced into our password authentication framework. 4: for i ← m to 3 with stepsize of −1 do
5: x ← CREATE S EQUENCE O F S YMBOLS(m)
A PPENDIX 6: x[i] ← TO S YMBOL(¬(permutedBits[i]))
In this part, we provide the details of the prefix algorithm 7: j ← RAND(1, i − 1); k ← RAND(1, i − 1) (k 6= j)
[30] with permutation (used in ENPI) and a variant of the 8: x[j] ← TO S YMBOL(permutedBits[j])
prefix algorithm (used in ENPII) that is the first part of the 9: x[k] ← TO S YMBOL(permutedBits[k])
hybrid algorithm [42]. The purpose of writing this appendix 10: APPEND (ndb, π 0 (x))
is to present a self-contained paper for better understanding. 11: end for
The pseudo-code of the prefix algorithm with permutation 12: x ← CREATE S EQUENCE O F S YMBOLS (m)
is shown in Algorithm A.1, and the pseudo-code of the variant 13: x[1] ← TO S YMBOL (permutedBits[1])
of the prefix algorithm is shown in Algorithm A.2. For both 14: x[2] ← TO S YMBOL (¬(permutedBits[2]))
Algorithm A.1 and Algorithm A.2, the input s is a sequence 15: j = RAND (3, m)
of bits, and the output ndb is the resulting negative database 16: x[j] ← ‘0’; APPEND (ndb, π 0 (x))
(NDB) that contains many sequences of symbols (i.e., ‘0’, 17: x[j] ← ‘1’; APPEND (ndb, π 0 (x))
‘1’, or ‘*’). In the ENP proposed in this paper, the hash value 18: x ← CREATE S EQUENCE O F S YMBOLS (m)
(represented as a sequence of bits; as the input of Algorithm 19: x[1] ← TO S YMBOL (¬(permutedBits[1]))
A.1 or Algorithm A.2) of the plain password received from 20: j ← RAND (2, m); k ← RAND (2, m) (k 6= j)
a client is converted to a negative password (as the output 21: x[j] ← ‘0’; x[k] ← ‘0’; APPEND (ndb, π 0 (x))
of Algorithm A.1 or Algorithm A.2) by Algorithm A.1 or 22: x[j] ← ‘0’; x[k] ← ‘1’; APPEND (ndb, π 0 (x))
Algorithm A.2. 23: x[k] = ‘*’
In Algorithm A.1, π(s) at Line 2 denotes a random per- 24: k ← RAND (2, m) (k 6= j)
mutation for the input s, and π 0 (s) at Line 13 is its inverse 25: x[j] ← ‘1’; x[k] ← ‘0’; APPEND (ndb, π 0 (x))
permutation; permutedBits at Line 2 denotes the sequence of 26: x[j] ← ‘1’; x[k] ← ‘1’; APPEND (ndb, π 0 (x))
bits permuted from the input s; LENGTH(x) at Line 3 counts 27: return ndb
the number of bits in x; CREATE S EQUENCE O F S YMBOLS(m)
at Line 5 returns a sequence of symbols of length m that only
consists of the symbol ‘*’; TO S YMBOL(b) at Lines 7 and 9 In Algorithm A.2, more randomization is introduced at
converts the bit b to the corresponding symbol (i.e., 0 to ‘0’ Lines 7, 15, 20, and 24; RAND(x, y) at Lines 7, 15, 20, and
and 1 to ‘1’); A PPEND(ndb, x) at Line 13 appends x to the end 24 returns a random integer value which is uniformly drawn
of the ndb list. Note that, at the beginning of the algorithm, s from the interval [x, y]. The code at Lines 4–11 generates the
is randomly permuted (i.e., π(s)); accordingly, the entries to 1st to (m − 2)th entries, the code at Lines 12–17 generates
append to ndb must be permuted in reverse (i.e., π 0 (s)). the (m − 1)th to mth entries, and the code at Lines 18–26

generates the (m + 1)th to (m + 4)th entries. [25] A. Biryukov, D. Dinu, and D. Khovratovich, “Argon2: New generation
of memory-hard functions for password hashing and other applications,”
in Proceedings of 2016 IEEE European Symposium on Security and
R EFERENCES Privacy, Mar. 2016, pp. 292–302.
[26] “Password Hashing Competition,” https://password-hashing.net/.
[1] J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, “Passwords [27] S. Boonkrong and C. Somboonpattanakit, “Dynamic salt generation and
and the evolution of imperfect authentication,” Communications of the placement for secure password storing,” IAENG International Journal
ACM, vol. 58, no. 7, pp. 78–87, Jun. 2015. of Computer Science, vol. 43, no. 1, pp. 27–36, 2016.
[2] M. A. S. Gokhale and V. S. Waghmare, “The shoulder surfing resis- [28] M. Najjar, “Using improved d-HMAC for password storage,” Computer
tant graphical password authentication technique,” Procedia Computer and Information Science, vol. 10, no. 3, pp. 1–9, Jul. 2017.
Science, vol. 79, pp. 490–498, 2016. [29] F. Esponda, E. S. Ackley, S. Forrest, and P. Helman, “Online negative
[3] J. Ma, W. Yang, M. Luo, and N. Li, “A study of probabilistic password databases,” in Proceedings of Artificial Immune Systems. Springer
models,” in Proceedings of 2014 IEEE Symposium on Security and Berlin Heidelberg, 2004, pp. 175–188.
Privacy, May 2014, pp. 689–704. [30] F. Esponda, S. Forrest, and P. Helman, “Enhancing privacy through
[4] A. Adams and M. A. Sasse, “Users are not the enemy,” Communications negative representations of data,” Department of Computer Science,
of the ACM, vol. 42, no. 12, pp. 40–46, Dec. 1999. University of New Mexico, Tech. Rep., 2004.
[5] E. H. Spafford, “Opus: Preventing weak password choices,” Computers [31] F. Esponda, “Negative representations of information,” Ph.D. disserta-
& Security, vol. 11, no. 3, pp. 273–278, 1992. tion, University of New Mexico, Albuquerque, NM, USA, 2005.
[6] Y. Li, H. Wang, and K. Sun, “Personal information in passwords and [32] F. Esponda, S. Forrest, and P. Helman, “Negative representations of
its security implications,” IEEE Transactions on Information Forensics information,” International Journal of Information Security, vol. 8, no. 5,
and Security, vol. 12, no. 10, pp. 2320–2333, Oct. 2017. pp. 331–345, Oct. 2009.
[7] D. Florencio and C. Herley, “A large-scale study of web password [33] D. Dasgupta and R. Azeem, “An investigation of negative authentica-
habits,” in Proceedings of the 16th International Conference on World tion systems,” in Proceedings of the 3rd International Conference on
Wide Web. ACM, 2007, pp. 657–666. Information Warfare and Security, Apr. 2008, pp. 117–126.
[8] R. Shay, S. Komanduri, A. L. Durity, P. S. Huh, M. L. Mazurek, S. M. [34] D. Dasgupta and S. Saha, “A biologically inspired password authentica-
Segreti, B. Ur, L. Bauer, N. Christin, and L. F. Cranor, “Designing tion system,” in Proceedings of the 5th Annual Workshop on Cyber
password policies for strength and usability,” ACM Transactions on Security and Information Intelligence Research: Cyber Security and
Information and System Security, vol. 18, no. 4, pp. 13:1–13:34, May Information Intelligence Challenges and Strategies. ACM, 2009, pp.
2016. 41:1–41:4.
[9] D. Wang, D. He, H. Cheng, and P. Wang, “fuzzyPSM: A new password [35] D. Zhao, W. Luo, R. Liu, and L. Yue, “Negative iris recognition,” IEEE
strength meter using fuzzy probabilistic context-free grammars,” in Transactions on Dependable and Secure Computing, vol. 15, no. 1, pp.
Proceedings of 2016 46th Annual IEEE/IFIP International Conference 112–125, Jan. 2018.
on Dependable Systems and Networks, Jun. 2016, pp. 595–606. [36] R. Liu, W. Luo, and L. Yue, “Hiding multiple solutions in a hard 3-SAT
[10] H. M. Sun, Y. H. Chen, and Y. H. Lin, “oPass: A user authentication formula,” Data & Knowledge Engineering, vol. 100, pp. 1–18, 2015.
protocol resistant to password stealing and password reuse attacks,” [37] S. Boonkrong, “Security of passwords,” Information Technology Jour-
IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, nal, vol. 8, no. 2, pp. 112–117, Jul.–Dec. 2012.
pp. 651–663, Apr. 2012. [38] J. Kelsey, B. Schneier, C. Hall, and D. Wagner, “Secure applications of
[11] M. Zviran and W. J. Haga, “Password security: An empirical study,” low-entropy keys,” in Proceedings of Information Security. Springer
Journal of Management Information Systems, vol. 15, no. 4, pp. 161– Berlin Heidelberg, 1998, pp. 121–134.
185, 1999. [39] W. Barthel, A. K. Hartmann, M. Leone, F. Ricci-Tersenghi, M. Weigt,
[12] P. Andriotis, T. Tryfonas, and G. Oikonomou, “Complexity metrics and and R. Zecchina, “Hiding solutions in random satisfiability problems:
user strength perceptions of the pattern-lock graphical authentication A statistical mechanics approach,” Physical review letters, vol. 88, p.
method,” in Proceedings of Human Aspects of Information Security, 188701, Apr. 2002.
Privacy, and Trust. Springer International Publishing, 2014, pp. 115– [40] D. Achlioptas, H. Jia, and C. Moore, “Hiding satisfying assignments:
126. Two are better than one,” Journal of Artificial Intelligence Research,
[13] D. P. Jablon, “Strong password-only authenticated key exchange,” SIG- vol. 24, no. 1, pp. 623–639, Nov. 2005.
COMM Computer Communication Review, vol. 26, no. 5, pp. 5–26, Oct. [41] F. Esponda, E. S. Ackley, P. Helman, H. Jia, and S. Forrest, “Protecting
1996. data privacy through hard-to-reverse negative databases,” International
[14] J. Jose, T. T. Tomy, V. Karunakaran, A. K. V, A. Varkey, and N. C. Journal of Information Security, vol. 6, no. 6, pp. 403–415, Oct. 2007.
A., “Securing passwords from dictionary attack with character-tree,” in [42] R. Liu, W. Luo, and X. Wang, “A hybrid of the prefix algorithm and
Proceedings of 2016 International Conference on Wireless Communica- the q-hidden algorithm for generating single negative databases,” in
tions, Signal Processing and Networking, Mar. 2016, pp. 2301–2307. Proceedings of 2011 IEEE Symposium on Computational Intelligence
[15] A. Arora, A. Nandkumar, and R. Telang, “Does information security in Cyber Security, Apr. 2011, pp. 31–38.
attack frequency increase with vulnerability disclosure? an empirical [43] R. Liu, W. Luo, and L. Yue, “The p-hidden algorithm: hiding single
analysis,” Information Systems Frontiers, vol. 8, no. 5, pp. 350–362, databases more deeply,” Immune Computation, vol. 2, no. 1, pp. 43–55,
Dec. 2006. Mar. 2014.
[16] R. Song, “Advanced smart card based password authentication protocol,” [44] D. Zhao, W. Luo, R. Liu, and L. Yue, “A fine-grained algorithm for
Computer Standards & Interfaces, vol. 32, no. 5, pp. 321–325, 2010. generating hard-toreverse negative databases,” in Proceedings of 2015
[17] M. C. Ah Kioon, Z. S. Wang, and S. Deb Das, “Security analysis of International Workshop on Artificial Immune Systems, Jul. 2015, pp.
MD5 algorithm in password storage,” in Proceedings of Instruments, 1–8.
Measurement, Electronics and Information Engineering. Trans Tech [45] D. Zhao and W. Luo, “One-time password authentication scheme
Publications, Oct. 2013, pp. 2706–2711. based on the negative database,” Engineering Applications of Artificial
[18] P. Oechslin, “Making a faster cryptanalytic time-memory trade-off,” in Intelligence, vol. 62, pp. 396–404, 2017.
Proceedings of Advances in Cryptology - CRYPTO 2003. Springer [46] J. Bringer and H. Chabanne, “Negative databases for biometric data,”
Berlin Heidelberg, 2003, pp. 617–630. in Proceedings of the 12th ACM Workshop on Multimedia and Security.
[19] S. Noel, M. Elder, S. Jajodia, P. Kalapa, S. O’Hare, and K. Prole, ACM, 2010, pp. 55–62.
“Advances in topological vulnerability analysis,” in Proceedings of [47] J. Liang and X. Lai, “Improved collision attack on hash function MD5,”
2009 Cybersecurity Applications Technology Conference for Homeland Journal of Computer Science and Technology, vol. 22, no. 1, pp. 79–87,
Security, Mar. 2009, pp. 124–129. Jan. 2007.
[20] “Hashcat,” https://hashcat.net/hashcat/. [48] Y. Sasaki and K. Aoki, “Finding preimages in full MD5 faster than
[21] “RainbowCrack,” http://project-rainbowcrack.com/. exhaustive search,” in Proceedings of Advances in Cryptology - EURO-
[22] “John the Ripper,” http://www.openwall.com/john/. CRYPT 2009. Springer Berlin Heidelberg, 2009, pp. 134–152.
[23] N. Provos and D. Mazières, “A future-adaptive password scheme,” in [49] D. Boneh, H. Corrigan-Gibbs, and S. Schechter, “Balloon hashing: A
Proceedings of the Annual Conference on USENIX Annual Technical memory-hard function providing provable protection against sequential
Conference. USENIX Association, 1999, pp. 32–32. attacks,” in Proceedings of Advances in Cryptology – ASIACRYPT 2016.
[24] “RFC 7914: The scrypt Password-Based Key Derivation Function,” Springer Berlin Heidelberg, 2016, pp. 220–248.
https://tools.ietf.org/html/rfc7914.

Wenjian Luo received his BS and PhD degrees from Hao Jiang received his BS degree from the Depart-
the Department of Computer Science and Technol- ment of Computer Science and Technology, North
ogy, University of Science and Technology of China, China Electric Power University, Baoding, China in
Hefei, China in 1998 and 2003, respectively. He 2014. He is currently working toward a PhD degree
is currently an associate professor of the School at the School of Computer Science and Technology,
of Computer Science and Technology, University University of Science and Technology of China,
of Science and Technology of China. His current Hefei, China. His current research interests include
research interests include machine learning and data information security, data privacy, and computational
mining, information security and data privacy, com- intelligence.
putational intelligence and applications.

Yamin Hu received his BE degree from the Col- Junteng Wang received his BE degree from the
lege of Information Engineering, Northwest A&F School of Information Science and Technology, Uni-
University, Yangling, China in 2016. He is currently versity of Science and Technology of China, Hefei,
working toward a master’s degree at the School of China in 2017. He is currently working toward a
Computer Science and Technology, University of master’s degree at the School of Computer Science
Science and Technology of China, Hefei, China. and Technology, University of Science and Technol-
His current research interests include information ogy of China. His current research interests include
security and data privacy. information security and data privacy.

DCF Valuation Procter Gamble 1 - 1712693877056
No ratings yet
DCF Valuation Procter Gamble 1 - 1712693877056
8 pages
DR Lal Path Labs Financial Model - Ayushi Jain
No ratings yet
DR Lal Path Labs Financial Model - Ayushi Jain
45 pages
Introduction To The Threat Landscape 2.0 Lesson Scripts
No ratings yet
Introduction To The Threat Landscape 2.0 Lesson Scripts
39 pages
India Consumer Electricals - Sector Report - 29-04-2022 - Systematix
No ratings yet
India Consumer Electricals - Sector Report - 29-04-2022 - Systematix
185 pages
Financial Modeling of TCS Lock
No ratings yet
Financial Modeling of TCS Lock
62 pages
Modeling of Arduino-Based Prepaid Energy Meter Using GSM Technology
0% (1)
Modeling of Arduino-Based Prepaid Energy Meter Using GSM Technology
3 pages
Password
No ratings yet
Password
157 pages
Hack Fb Online) 2 Minutes Using Our Site: ► (Get-Now) ◄【Hack Facebook Account 】【
No ratings yet
Hack Fb Online) 2 Minutes Using Our Site: ► (Get-Now) ◄【Hack Facebook Account 】【
3 pages
1 s2.0 S2772801322000185 Main 2
No ratings yet
1 s2.0 S2772801322000185 Main 2
17 pages
Pentacool Soft Drink Manufcatruing Project Report
No ratings yet
Pentacool Soft Drink Manufcatruing Project Report
36 pages
A Comparative Financial Analysis of Soft Drink Industry
100% (1)
A Comparative Financial Analysis of Soft Drink Industry
41 pages
Design of Pilot Plant For The Production of Essential Oil From Eucalyptus Leaves
No ratings yet
Design of Pilot Plant For The Production of Essential Oil From Eucalyptus Leaves
5 pages
Hero MotoCorp LTD
No ratings yet
Hero MotoCorp LTD
10 pages
Materials With Zero Stock
100% (1)
Materials With Zero Stock
58 pages
ValueInvesting - Io - Financials & Models Template
No ratings yet
ValueInvesting - Io - Financials & Models Template
66 pages
Financial - CocaCola
No ratings yet
Financial - CocaCola
45 pages
Parent, Inc Actual Financial Statements For 2012 and Olsen
No ratings yet
Parent, Inc Actual Financial Statements For 2012 and Olsen
23 pages
Marketing Management: An Interim Report On
No ratings yet
Marketing Management: An Interim Report On
23 pages
Understanding The Glycerol Market
No ratings yet
Understanding The Glycerol Market
22 pages
Sports and Energy Drinks in India
No ratings yet
Sports and Energy Drinks in India
3 pages
Screener ROIC
No ratings yet
Screener ROIC
21 pages
Equity Valuation Case Study
No ratings yet
Equity Valuation Case Study
112 pages
HDFC Securities Initiating Coverage On Swiggy With 5% DOWNSIDE Relegated
No ratings yet
HDFC Securities Initiating Coverage On Swiggy With 5% DOWNSIDE Relegated
39 pages
Creative Analysis of Financial Report
No ratings yet
Creative Analysis of Financial Report
31 pages
(Manuscript) Development of Essential Oil Extraction Machine That Utilize Direct Steam Distillation
No ratings yet
(Manuscript) Development of Essential Oil Extraction Machine That Utilize Direct Steam Distillation
107 pages
Soonicorn Report - v7
No ratings yet
Soonicorn Report - v7
56 pages
ITC Limited Valuation
No ratings yet
ITC Limited Valuation
73 pages
Tata Motors
No ratings yet
Tata Motors
19 pages
Stalwart of Bio-Economy Revolution!
No ratings yet
Stalwart of Bio-Economy Revolution!
22 pages
Mindtree: Reference Model
100% (1)
Mindtree: Reference Model
54 pages
Case Study - Financial Statements & Future Prospects
No ratings yet
Case Study - Financial Statements & Future Prospects
8 pages
Ratio Modeling & Pymamid of Ratios - Complete
No ratings yet
Ratio Modeling & Pymamid of Ratios - Complete
28 pages
Final Thesis - Pro Forma and Valuation - SIDO - IJ - 3Q24
No ratings yet
Final Thesis - Pro Forma and Valuation - SIDO - IJ - 3Q24
125 pages
Exercises LBO
No ratings yet
Exercises LBO
2 pages
Tata Motors Valuation
No ratings yet
Tata Motors Valuation
38 pages
Seminar On Equity Research Dion Presentation ANMI
No ratings yet
Seminar On Equity Research Dion Presentation ANMI
23 pages
Case 1 SwanDavis
0% (1)
Case 1 SwanDavis
4 pages
Common Loan Application Form Under Pradhan Mantri MUDRA Yojana
No ratings yet
Common Loan Application Form Under Pradhan Mantri MUDRA Yojana
4 pages
Valuation
0% (1)
Valuation
7 pages
La Opala IC
No ratings yet
La Opala IC
45 pages
AC Penetration Accross Countries
No ratings yet
AC Penetration Accross Countries
21 pages
Financial Modeling Dabur Template-DCF
No ratings yet
Financial Modeling Dabur Template-DCF
87 pages
Multicolor Free Professional PestelPEST Analysis Graph
No ratings yet
Multicolor Free Professional PestelPEST Analysis Graph
1 page
Stern School of Business Chemtura
No ratings yet
Stern School of Business Chemtura
32 pages
Mini Case Chapter 3 Final Version
No ratings yet
Mini Case Chapter 3 Final Version
14 pages
Sugar Project Question
100% (1)
Sugar Project Question
22 pages
SEMrush Holdings, Inc - The Traffic Think Tank Acquisition Could Be A Game Changer (02 - 23) - 25-Feb-2023
No ratings yet
SEMrush Holdings, Inc - The Traffic Think Tank Acquisition Could Be A Game Changer (02 - 23) - 25-Feb-2023
21 pages
Indian Energy Drink (XXX)
No ratings yet
Indian Energy Drink (XXX)
24 pages
Financial Modeling & Equity Valuation - Finatics
No ratings yet
Financial Modeling & Equity Valuation - Finatics
3 pages
Business Analysis & Valuation Fcfe: Free Cash Flow
No ratings yet
Business Analysis & Valuation Fcfe: Free Cash Flow
63 pages
MV FM Amar Raja Model Class
No ratings yet
MV FM Amar Raja Model Class
14 pages
Welcome To Your Portfolio Dashboard!: Instruct Ions
No ratings yet
Welcome To Your Portfolio Dashboard!: Instruct Ions
227 pages
Merger and Acquisition Analysis P&G
100% (1)
Merger and Acquisition Analysis P&G
1 page
Is BSE-SENSEX Over/undervalued As of Sep 30, 2009?: To Download Word Document
No ratings yet
Is BSE-SENSEX Over/undervalued As of Sep 30, 2009?: To Download Word Document
8 pages
LBO
No ratings yet
LBO
5 pages
33 Industry Research Report
No ratings yet
33 Industry Research Report
97 pages
Reliance Industries DCF
No ratings yet
Reliance Industries DCF
35 pages
Home Capital Group Initiating Coverage (HCG-T)
No ratings yet
Home Capital Group Initiating Coverage (HCG-T)
68 pages
IEA CCUS Projects Database 2024
No ratings yet
IEA CCUS Projects Database 2024
102 pages
Financial Model For Value Retailing
No ratings yet
Financial Model For Value Retailing
1,643 pages
R34 Private Company Valuation Q Bank PDF
No ratings yet
R34 Private Company Valuation Q Bank PDF
5 pages
2022 V13i7150
No ratings yet
2022 V13i7150
7 pages
Authentication by Encrypted Negative Password
No ratings yet
Authentication by Encrypted Negative Password
3 pages
Kali Linux, Ethical Hacking And Pen Testing For Beginners
From Everand
Kali Linux, Ethical Hacking And Pen Testing For Beginners
BHARAT NISHAD
No ratings yet
A Study On Depository System With Reference To Axis Bank Limited
No ratings yet
A Study On Depository System With Reference To Axis Bank Limited
1 page
Assessing The Effectiveness of Riparian Restoration Projects Using Landsat and Preception Data From The Cloud Computing Application
No ratings yet
Assessing The Effectiveness of Riparian Restoration Projects Using Landsat and Preception Data From The Cloud Computing Application
5 pages
A Data Mining Based Model For Detection of Fraudulent Behaviour in Water Consumption
No ratings yet
A Data Mining Based Model For Detection of Fraudulent Behaviour in Water Consumption
7 pages
IJTRD163
No ratings yet
IJTRD163
5 pages
BCA Project List
No ratings yet
BCA Project List
1 page
Pat Anja
No ratings yet
Pat Anja
1 page
Intelligent Letter Box Using Arduino and GSM1554330059
No ratings yet
Intelligent Letter Box Using Arduino and GSM1554330059
2 pages
Heart Beat Monitoring and Intimate by GSM at Abnormal Condition1522869000
No ratings yet
Heart Beat Monitoring and Intimate by GSM at Abnormal Condition1522869000
2 pages
Social Distancing Monitoring Robot For Queue
No ratings yet
Social Distancing Monitoring Robot For Queue
2 pages
Future of Depository With Introduction of Payment Bank: A Game Changer To Capital Market
No ratings yet
Future of Depository With Introduction of Payment Bank: A Game Changer To Capital Market
1 page
Voice Controlled Robotic Vehicle1534238864
No ratings yet
Voice Controlled Robotic Vehicle1534238864
2 pages
Final DMT Report PDF
No ratings yet
Final DMT Report PDF
27 pages
Sensor Guided Robotics Using Ir Sensors and by Programming Micro Controller1550049190
No ratings yet
Sensor Guided Robotics Using Ir Sensors and by Programming Micro Controller1550049190
1 page
Opinion Minning On Feedback Management System
No ratings yet
Opinion Minning On Feedback Management System
10 pages
ECE517 Project Fall2019 PDF
No ratings yet
ECE517 Project Fall2019 PDF
1 page
A Synopsis On: Consumer's Perception Towards Packaged Cold-Pressed Juices and Brand " PVT LTD
No ratings yet
A Synopsis On: Consumer's Perception Towards Packaged Cold-Pressed Juices and Brand " PVT LTD
3 pages
Harmonic Mitigation Using 36-Pulse AC-DC Converter For Direct Torque Controlled Induction Motor Drives
No ratings yet
Harmonic Mitigation Using 36-Pulse AC-DC Converter For Direct Torque Controlled Induction Motor Drives
10 pages
Fabrication of Motorized Barrel Lifter
100% (1)
Fabrication of Motorized Barrel Lifter
1 page
A Study On Budgetary Control at HDFC1567681191 PDF
No ratings yet
A Study On Budgetary Control at HDFC1567681191 PDF
28 pages
Constructionprojectmanagemen PDF
No ratings yet
Constructionprojectmanagemen PDF
1 page
Budgets and Budgetary Control of NFC (Nuclear Fuel Complex) 1583247683
No ratings yet
Budgets and Budgetary Control of NFC (Nuclear Fuel Complex) 1583247683
52 pages
Audit Objectives Relating To Subversive Threats
No ratings yet
Audit Objectives Relating To Subversive Threats
2 pages
Security & Compliance Quick Reference Guide
No ratings yet
Security & Compliance Quick Reference Guide
27 pages
NIST Lightweight Cryptography Standardization Process
No ratings yet
NIST Lightweight Cryptography Standardization Process
18 pages
Road Map For Cyber Securiity
No ratings yet
Road Map For Cyber Securiity
5 pages
Aadhar Compliance Checklist
100% (1)
Aadhar Compliance Checklist
8 pages
Social Media Privacy
No ratings yet
Social Media Privacy
12 pages
Indo-US Cyber Security Seminar - Internet Threats
No ratings yet
Indo-US Cyber Security Seminar - Internet Threats
22 pages
KeeLoq25C3 3
No ratings yet
KeeLoq25C3 3
18 pages
CyberSecurity (Infosys) - 1
No ratings yet
CyberSecurity (Infosys) - 1
1 page
The Role of Cybersecurity and Blockchain
No ratings yet
The Role of Cybersecurity and Blockchain
15 pages
9.3.1. A Secure Conversation Using Public-Key Cryptography
No ratings yet
9.3.1. A Secure Conversation Using Public-Key Cryptography
4 pages
CEH Module 00 - Welcome To Certified Ethical Hacker Class!
No ratings yet
CEH Module 00 - Welcome To Certified Ethical Hacker Class!
28 pages
Final Exam No2 2021
No ratings yet
Final Exam No2 2021
2 pages
Cyber Security Threats 2017: Cloudnexus and First Resource Insurance Group February 2017
No ratings yet
Cyber Security Threats 2017: Cloudnexus and First Resource Insurance Group February 2017
23 pages
Pnpki Vinset 2.0
No ratings yet
Pnpki Vinset 2.0
34 pages
CS315 MidTerm (1-72) Topics Yasir Ejaz-Compressed
No ratings yet
CS315 MidTerm (1-72) Topics Yasir Ejaz-Compressed
1,454 pages
Chapter 8b: Acknowledgement
No ratings yet
Chapter 8b: Acknowledgement
29 pages
FinalExam Cryptography
No ratings yet
FinalExam Cryptography
1 page
Hydra
No ratings yet
Hydra
3 pages
Data Security Standard: Payment Card Industry (PCI)
No ratings yet
Data Security Standard: Payment Card Industry (PCI)
9 pages
CCNASv2 InstructorPPT CH1
No ratings yet
CCNASv2 InstructorPPT CH1
67 pages
Lecture # 5: by Mr. Fasee Ullah CUSIT, Peshawar
No ratings yet
Lecture # 5: by Mr. Fasee Ullah CUSIT, Peshawar
13 pages
CSA CCMv4.0 Final 031521
No ratings yet
CSA CCMv4.0 Final 031521
222 pages
Poojitha
No ratings yet
Poojitha
7 pages
Report 2020 Crowd Strike Services Cyber Front Lines
No ratings yet
Report 2020 Crowd Strike Services Cyber Front Lines
38 pages
CSCU Flyer
No ratings yet
CSCU Flyer
1 page
Unit 4 - Digital Signature and Authentication Protocols
No ratings yet
Unit 4 - Digital Signature and Authentication Protocols
43 pages

Authentication by Encrypted Negative Password PDF

Uploaded by

Authentication by Encrypted Negative Password PDF

Uploaded by

This article has been accepted for publication in a future issue of this journal, but has not been

Authentication by Encrypted Negative Password

3) Key Stretching: To resist dictionary attack, key stretching TABLE I

MD5* AES/IDEA/CAST-256/RC6 128 /01#$2134!13)2&5!1!&6!78$ !"#

SHA-1* CAST-256 160

SHA-384/SHA3-384 RC5 384 2$>!13?$&'!""()*%&!2%&#!"#$%&'!""()*%

SHA-512/SHA3-512 RC5 512 3"&")8013)2:

Plain password “password”

Hashed password 00100011101010111011100110110010111111010100010101100110011000110011110000010010101001101100010110101011010010100000101110010000

C. The performances of ENP 10: npm−1 ← MERGE(npm−1 , npm )

current element in the password list).

Lookup table attack Dictionary attack

Hashed password O(Nd ∗ Np ∗ Tm hash ) O(Nd ) O(Nd ∗ Np ∗ (Th + Tm hash )) O(1)

Salted password O(Nd ∗ 2l ∗ Np ∗ Tm hash ) O(Nd ∗ 2l ) O(Nd ∗ Np ∗ (Th + Tm hash )) O(l)

Key stretching O(Nd ∗ 2l ∗ Np ∗ Tm ks ) O(Nd ∗ 2l ) O(Nd ∗ Np ∗ (Tks + Tm ks )) O(l)

ENPI O(Nd ∗ m! ∗ Np ∗ Tm NP ) O(Nd ∗ m!) O(Nd ∗ Np ∗ (Th + [n∗]Td + Tm N P )) O(m2 )

You might also like

SHA-384/SHA3-384 RC5 384 2$>!13?$&'!""()%&!2%&#!"#$%&'!""()%