On the Fly Access Request Authentication: Two-Layer Password-Based Access Control Systems for Securing Information

Muhammed Jassem Al-Muhammed, Ahmad Daraiseh


In the digital era, most of our highly sensitive documents are stored in computers. These documents are in a great threat unless protected using appropriate measures. Despite their several imperfections, passwords are becoming the de-facto mechanism for securing documents stored in local directories or on the websites. In this scheme users protect their documents using passwords. In order for such scheme to work, the passwords must be stored in the file system either in plain or hashed form so that they can be used as references when information is requested. This paper proposes innovative password-based protection system. Although the proposed system uses passwords for document protection, it proposes a completely different way of using and managing these passwords. Our system protects a stored document in terms of both the document itself and the password. Both the document’s content and the password are used along with random noises to generate security code that serves as a reference when the document is requested. The security code is neither reversible nor reproducible without a full knowledge of the password and the content of the document. The users of our system keep their passwords and provide them only when they first store the document and when they later request document retrieval. The passwords are never stored neither in their plain nor hashed forms. Experiments with our prototype implementation showed that our protection scheme is effective and passed important security tests.


password-based security; information security; document protection; access control; security code; passcodes.

Full Text:



D. Silver, S. Jana, and D. Boneh, E. Chen and C. Jackson, Password Managers: Attacks and Defenses, In Proceedings of the 23rd USENIX Security Symposium (San Diego, CA) August 20–22, 2014.

S-N Hsu and Y-C Hou, A Document Protection Scheme using Innocuous Messages as Camouflage, WSEAS TRANSACTIONS on Information Science and Applications, No. 4, Vol. 6, pp. 694703, April 2009

C.H. Lin and T.C. Lee, A Confused Document Encrypting Scheme and Its Implementation, Computers & Security Journal, Vol.17, No.6, pp.543-551, 1998

A. Greenberg. Password Manager LastPass Got Breached Hard, June 2015. https://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-breached-hard.

J. Alex Halderman , Brent Waters , Edward W. Felten, A convenient method for securely managing passwords, Proceedings of the 14th international conference on World Wide Web, May, 2005, Chiba, Japan doi:10.1145/1060745.1060815

J. Bonneau. Guessing Human-Chosen Secrets. PhD dissertation, University of Cambridge, 2012

D. Llewellyn-Jone and G. Ryme, Cracking PwdHash: A Brute-force Attack on Client-side Password Hashing, Proceeding of 11th International Conference on Passwords (Passwords16 Bochum), December, 2016

B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell, Stronger Password Authentication Using Browser Extensions. In 14th USENIX Security Symposium, 2005. http://crypto.stanford.edu/PwdHash/

D. Silver, S. Jana, D. Boneh, E. Chen, C. Jackson, Password Managers: Attacks and Defenses, pp. 449464. USENIX Association, 2014. https://www.usenix.org/ node/184476

E. Stobert, R. Biddle, Expert Password Management, pp. 3–20. Springer International Publishing, Cham, 2016. http://dx.doi.org/10.1007/ 978-3-319-29938-9_1

B. Ur, F. Alfieri, M Aung, L. Bauer, N. Christin, J. Colnago, L. Faith Cranor, H. Dixon, P. E. Naeini, H. Habib, N. Johnson, W. Melicher, Design and Evaluation of a Data-Driven Password Meter, Proceedings of the 2017 SIGCHI Conference on Human Factors in Computing Systems (CHI '17), May 2017.

K-P. Yee and K. Sitake. Passpet: Convenient Password Management and Phishing Protection. In Proceedings of the second symposium on Usable privacy and security (SOUPS'06). ACM, New York, NY, pp. 3243, 2006. DOI=http://dx.doi.org/10.1145/1143120.1143126

J. Daemen and V. Rijmen. Advanced Encryption Standard (AES), 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf/, November 2001.

W. Stallings, Cryptography and Network Security: Principles and Practice, 7th edition, Pearson publishers, 2016.

M. J. Al-Muhammed, Zitar, R.A., ï«â€“Lookback Random-Based Text Encryption Technique, Journal of King Saud University-Computer and Information Sciences, 2017. doi: https://doi.org/10.1016/j.jksuci.2017.10.002

S. Gueron, S. Johnson, and J. Walker, SHA-512/256, In: Latifi, S. (ed.) Information Technology: New Generations–ITNG 2011. pp. 354–358. IEEE Computer Society, 2011.

Computer Security Resource Center https://csrc.nist.gov/csrc/media/publications/fips/180/2/archive/2002-08-01/documents/fips180-2.pdf

Different versions of SHA-x, https://csrc.nist.gov.

C. Dobraunig, M. Eichlseder, and F. Mendel. Analysis of SHA-512/224 and SHA-512/256. In International Conference on the Theory and Application of Cryptology and Information Security, pp. 612–630, Springer, 2014.

R. Rivest, The MD5 Message Digest Algorithm, IETF RFC 1321, 1992

V. Lyubashevsky, D. Micciancio, C, Peikert, and A. Rosen, SWIFFT: A Modest Proposal for FFT Hashing, 2008

Pierre LEcuyer. Random Number Generation. In James E. Gentle Wolf-gang Karl Hrdle Yuichi Mori, editor, Handbook of Computational Statistics, Springer Handbooks, chapter 3, pages 3571. Springer Berlin Heidel-berg, 2012.

G. Marsaglia, Xorshift RNGs, Journal of Statistical Software, 2003

https://passwordsgenerator.net/, accessed March, 17-31, 2018

J. Nechvatal A. Rukhin, J. Soto and et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Special publication 800-22, National Institute of Standards and Technology (NIST), 2010

M. Sýs and Z. Rïha. Faster Randomness Testing with the NIST Statistical Test Suite. In Schaumont P. (eds) Chakraborty R.S., Matyas V., editor, Security, Privacy, and Applied Cryptography Engineering, volume 8804 of Lecture Notes in Computer Science, pages 272284. Springer, Cham, 2014.

Minitab 17 Statistical Software. Website, 2016. www.minitab.com.

R. Hranický, P. Matoušek, O. Ryšavý, and V. Veselý. Experimental Evaluation of Password Recovery in Encrypted Documents. In: Proceedings of ICISSP 2016. Roma: SciTePress - Science and Technology Publications, pp. 299306, 2016.

M. Golla, B. Beuscher, and M. Dürmut, On the Security of Cracking-Resistant Password Vaults. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 12301241. 2016. DOI: https://doi.org/10.1145/2976749.2978416

H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh. Kamouflage: Loss-resistant Password Management. In European Conference on Research in Computer Security, pp. 286–302. Springer, 2010.

A. Juels and T. Ristenpart. Honey Encryption: Security Beyond the Brute-Force Bound. In Advances in CryptologyEUROCRYPT, pp. 293–310. Springer, 2014.

R. Chatterjee, J. Bonneau, A. Juels, and T. Ristenpart. Cracking-Resistant Password Vaults using Natural Language Encoders. In IEEE Security and Privacy, pp. 481–498, 2015. Available at (April 2018) https://eprint.iacr.org/2015/788, as of August 16, 2016.

M. Dürmuth, F. Angelstorf, C. Castelluccia, D. Perito, and A. Chaabane. OMEN: Faster Password Guessing Using an Ordered Markov Enumerator. In International Symposium on Engineering Secure Software and Systems, pp. 119–132. Springer, 2015.

DOI: http://dx.doi.org/10.18517/ijaseit.8.6.6329


  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development