Simple arithmetic for faster, more secure websites

Classic user identification requires the remote user sending a username and a password to the system to which they want to be authenticated. The system looks up the username in its locally stored database and if the password submitted matches the stored password, then access is granted. This method for identification works under the assumption that there exist no malicious users and that their local terminals cannot be infected by viruses.

Increasingly, however, these assumptions are too naïve. Not all users can be assumed to have good intentions. Technology continuously facilitates the capture of transactions in wireless channels. Usernames and passwords can therefore be easily obtained by malicious third parties (other users or viruses) and be used for illegal accesses to systems.

Now, Nikolaos Bardis of the University of Military Education, in Vari, Greece and colleagues there and at the Polytechnic Institute of Kiev, in Ukraine, have developed an innovative approach to logins, which implements the advanced concept of zero knowledge identification. The system is based on a set of relatively simple mathematical functions, known as one-way Boolean operators, to verify a login rather than the standard encryption-decryption calculations used today. The team explains that preliminary testing shows that their approach to a login algorithm could be hundreds or thousands of times faster than conventional logins. Importantly, the system will reduce the overall computing requirements on the provider side of the system as well as making logins much more secure.

"The efficiency of information security algorithms is defined based on two factors: the level of security and the amount of computational resources required for the implementation of the security functions," Bardis and colleagues explain in the latest issue of the International Journal of Multimedia Intelligence and Security.

Underpinning any information security algorithm is an analytically insoluble mathematical problem that can be defined as a function applied to "x" to give "y"; Y = F(X). The function is made to be so complex that reversing it is impossible, like trying to unmix different coloured paints in a pot. Asymmetric cryptographic algorithms (public key encryption algorithms) use this approach and are common in web browser logins and access systems for many different types of database. This type of login requires a lot of computational power and is inherently slow. The team points out that a Boolean function can be just as sophisticated but requires a fraction of the computational power and so could be much, much faster.

Zero order user authentication schemes supply the user with a special function that produces an extremely large number of different results for all its possible inputs. A set of inputs that produce a common result is selected. These inputs are the user's passwords. A new user registers by submitting to the system their function and the common result. The user authenticates for a normal session using each password only once. The user provides the password at the beginning of each session. The system calculates the value produced when this password is used as input to the function. If this is equal to the common result, then authentication is successful and access is granted. Someone that is trying to gain access without the necessary knowledge (an illicit user) will practically have to try all possible password combinations, before reaching the correct one.

Normally, the functions used involve raising large numbers to large powers and dividing large numbers to find their remainder. These are operations make processors of ordinary computer systems run very slow and impose a significant burden even on larger information systems with large numbers of users. The proposed scheme uses systems of non-linear Boolean equations to construct the unique function. Boolean equations process binary data, using simple binary operations between bits. Such an operation is the eXclusive OR operation (XOR). Calculations are hence much simpler for the simple reason that it is much easier to calculate a logic expression than to raise a 100 digit number to a 10 digit power and then divide the result by another large number. The series of exchanges for registration and authentication is the same as before. However the inputs and the common results are binary vectors.

"Zero knowledge user identification solves the security issues by using passwords that change for every session and are not known to the system beforehand. The system can only check their validity," team member Nikolaos Doukas explains. "The proposed scheme has potential use in any system where malicious users have incentives to gain illegal access and perform actions they are not entitled to. The number of such systems increases rapidly as information gains value," he concludes.