JHUISI Capstones at a Glance

February 9, 2017

Conducting research is the signature of the Master of Science in Security Informatics (MSSI) program experience at Johns Hopkins University Information Security Institute (JHUISI). Students present their research as capstone projects. Students pursue independent research on a question or problem of their choice, engage with the scholarly debates in the relevant disciplines, and – with the guidance of a faculty mentor – produce a substantial paper that reflects a deep understanding of the topic. In this article, we review snapshots of students’ latest research in secure identity management and password authentication from Fall 2016.

JHUISI’s Seth Nielson and Johns Hopkins University Applied Physics Lab’s Maria Vachino co-mentored Asmaa Aljohani, Yue Zhu, and Gyan Namdhari, three MSSI students on research about securing identities in transactions; the capstone research paper is called Identity-Enabled Transactions Based on the EMVCo Payment Tokenization Specification. “Relying on her [Maria Vachino] insights and guidance on these problems, the students developed a prototype mechanism for proving identity attributes using a mechanism similar to Apple Pay or Android Pay. A person could use this technology to prove, for example, that they’re old enough to purchase alcohol without having to reveal any of the other details about themselves unlike showing ID which typically reveals sensitive details such as a home address or even medical limitations,” said Nielson.

The framework aims at facilitating consistent, secure and globally interoperable digital payments when using a mobile handset, tablet, personal computer or other smart devices. To ensure secure identity transactions, the students designed and implemented an identity-enabled transaction system based on the EMVCo payment tokenization technologies. In particular, the proposed system uses the tokenization concept that is adopted by major mobile payment technologies to assure both the security and privacy of identity-enabled transactions. To learn more about the capstone project, Identity-Enabled Transactions Based on the EMVCo Payment Tokenization Specification, click here.

“Combining Zero-Knowledge Proofs and sequentially memory hard functions is a simple idea, but it adds provable hardness against offline dictionary attacks to the password authentication game,” said MSSI student Gijs Van Laer. The latest research of Gijs and his two teammates, Rono Dasgupta and Aditya Patil, titled Harden Zero Knowledge Password Proofs Against Offline Dictionary Attacks, proposes a novel authentication protocol that is proven hard against offline dictionary attacks.

Traditional authentication systems offer ease of use, but the security they provide often proves to be inadequate. Attackers use various means to gain access to company servers and steal entire databases of password hashes. These hashes are then subjected to offline dictionary attacks, resulting in the disclosure of millions of passwords. Such password breaches have become commonplace and have caused several major companies significant losses. Password reuse is a common practice among users, so a breach disclosing a single password on one service can also cost a user access to their other accounts. In a concrete instantiation of the protocol, the students use Schnorr’s protocol, made non-interactive with the Fiat-Shamir heuristic, as the Zero Knowledge Password Proof, and scrypt as the sequentially memory hard hash function. Their project was mentored by Professor Matthew Green. To learn more about the capstone project, Zero Knowledge Password Proofs Against Offline Dictionary Attacks, click here.
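The construction described above, worked through as an added example (this is illustrative code written for this article, not the students’ own implementation): the password is mapped to a Schnorr secret exponent through scrypt, the server stores only the public value, and login is a Fiat-Shamir Schnorr proof bound to a server nonce. The toy group, scrypt parameters, and hash-to-challenge encoding are assumptions chosen so the example runs instantly; a real deployment would use a standard large group.

```python
import hashlib
import secrets

# Constructed toy group: P is a safe prime (P = 2*Q + 1), so G = 4 generates
# the subgroup of prime order Q. Real deployments use a standard large group
# (e.g. a 2048-bit MODP group or an elliptic curve); the logic is identical.
P, Q, G = 2039, 1019, 4
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # memory-hard cost, ~16 MiB per evaluation

def derive_secret(password: bytes, salt: bytes) -> int:
    """Map a password to a non-zero exponent x in [1, Q-1] via scrypt.
    An attacker holding the server database must pay this cost per guess."""
    raw = hashlib.scrypt(password, salt=salt, dklen=32, **SCRYPT_PARAMS)
    return 1 + int.from_bytes(raw, "big") % (Q - 1)

def register(password: bytes) -> dict:
    """Client-side enrolment: the server stores only (salt, y = g^x mod p).
    Neither the password nor x ever leaves the client."""
    salt = secrets.token_bytes(16)
    x = derive_secret(password, salt)
    return {"salt": salt, "y": pow(G, x, P)}

def challenge(y: int, t: int, nonce: bytes) -> int:
    """Fiat-Shamir: the challenge is a hash of the transcript, so no round trip
    is needed. The server-chosen nonce binds the proof to this login attempt."""
    h = hashlib.sha256()
    for part in (P, G, y, t):
        h.update(part.to_bytes(4, "big"))  # 4-byte encoding suffices for the toy group
    h.update(nonce)
    return int.from_bytes(h.digest(), "big") % Q

def prove(password: bytes, salt: bytes, y: int, nonce: bytes) -> tuple:
    """Client: Schnorr proof of knowledge of x with y = g^x, revealing nothing about x."""
    x = derive_secret(password, salt)
    k = secrets.randbelow(Q - 1) + 1  # fresh per proof; reusing k leaks x
    t = pow(G, k, P)
    c = challenge(y, t, nonce)
    s = (k + c * x) % Q
    return t, s

def verify(y: int, nonce: bytes, proof: tuple) -> bool:
    """Server: accept iff g^s == t * y^c (mod p). Needs only the stored y."""
    t, s = proof
    if not (1 < t < P and 0 <= s < Q):
        return False
    c = challenge(y, t, nonce)
    return pow(G, s, P) == (t * pow(y, c, P)) % P

if __name__ == "__main__":
    record = register(b"correct horse")  # what the server keeps
    nonce = secrets.token_bytes(16)      # sent by the server for this login
    print(verify(record["y"], nonce, prove(b"correct horse", record["salt"], record["y"], nonce)))
```

Against a stolen database the attacker sees only (salt, y) and must run scrypt and an exponentiation for every candidate password, which is the hardness the capstone formalises; the nonce prevents a captured (t, s) from being replayed.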

To check out other Capstone Research projects, click here.

JHU Information Security Institute