TY - GEN
T1 - A Novel Approach for Protecting Legacy Authentication Databases in Consideration of GDPR
AU - Blue, Juanita
AU - Furey, Eoghan
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/11/9
Y1 - 2018/11/9
N2 - The upcoming implementation of the European Union General Data Protection Regulation (GDPR) will require many organisations throughout the EU to comply with new requirements that are intended to better protect personal data. Large increases in responsibility, penalties and fines will place great pressure on organisations to ensure they are compliant and adequately protect user data that is associated with online accounts. Non-compliant legacy databases are those that store authentication credentials in plaintext or by using obsolete one-way encryption techniques that fail to adhere to best practice guidelines. Companies who remain reliant on these vulnerable systems will be forced to reconsider and improve their architecture, or risk the exposure of personal data and the debilitating penalties that will also be incurred. Authentication databases are frequently a target of attack as they potentially provide an avenue to commit further, more lucrative crimes. Lacking or substandard implementations have cultivated an environment where authentication databases and the data stored therein are insecure. This was demonstrated in the 2016 exposure of a breach experienced by Yahoo where approximately one billion user credentials were stolen. The global technology company was found to be using obsolete security mechanisms to protect user passwords. This paper offers a novel solution for improving the protection of currently non-compliant legacy authentication databases stored on Apache servers. The method applies best practice mechanisms in the form of salt, one-way encryption (hashing) and iterations to both pre-existing and newly created passwords held within the databases. The proposed solution can be implemented server-side, with little alteration to the existing infrastructure and unbeknownst to the user. It possesses the potential to improve system security, preserve privacy, and aid implementation of GDPR requirements.
AB - The upcoming implementation of the European Union General Data Protection Regulation (GDPR) will require many organisations throughout the EU to comply with new requirements that are intended to better protect personal data. Large increases in responsibility, penalties and fines will place great pressure on organisations to ensure they are compliant and adequately protect user data that is associated with online accounts. Non-compliant legacy databases are those that store authentication credentials in plaintext or by using obsolete one-way encryption techniques that fail to adhere to best practice guidelines. Companies who remain reliant on these vulnerable systems will be forced to reconsider and improve their architecture, or risk the exposure of personal data and the debilitating penalties that will also be incurred. Authentication databases are frequently a target of attack as they potentially provide an avenue to commit further, more lucrative crimes. Lacking or substandard implementations have cultivated an environment where authentication databases and the data stored therein are insecure. This was demonstrated in the 2016 exposure of a breach experienced by Yahoo where approximately one billion user credentials were stolen. The global technology company was found to be using obsolete security mechanisms to protect user passwords. This paper offers a novel solution for improving the protection of currently non-compliant legacy authentication databases stored on Apache servers. The method applies best practice mechanisms in the form of salt, one-way encryption (hashing) and iterations to both pre-existing and newly created passwords held within the databases. The proposed solution can be implemented server-side, with little alteration to the existing infrastructure and unbeknownst to the user. It possesses the potential to improve system security, preserve privacy, and aid implementation of GDPR requirements.
KW - authentication
KW - encryption
KW - passwords
KW - salt
KW - user-credentials
UR - http://www.scopus.com/inward/record.url?scp=85058475093&partnerID=8YFLogxK
U2 - 10.1109/ISNCC.2018.8531022
DO - 10.1109/ISNCC.2018.8531022
M3 - Conference contribution
AN - SCOPUS:85058475093
T3 - 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
BT - 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
Y2 - 19 June 2018 through 21 June 2018
ER -