Honey encryption (HE) is a novel password-based encryption scheme that is secure against brute-force attacks even if users’ passwords have low min-entropy. However, in HE, decryption with an incorrect key produces fake messages that appear valid. Hence, a password typographical error may confuse even the legitimate user. This has been one of the most challenging problems in HE. To tackle this challenge, we propose three types of protocols that enable legitimate users to detect password typographical errors in HE. We conducted a theoretical analysis and performed an IRB-approved user study with 150 participants to compare the performance of each scheme. We also analyzed the security of the proposed schemes against online and offline brute-force attacks. The results of the user study and the theoretical analysis show that the proposed schemes effectively solve the typographical error problem of HE, detecting typographical errors with 99% accuracy.
Password-based encryption (PBE) (Abadi and Warinschi, 2005; Kaliski) is one of the most widely used ways of securing data: the encryption key is derived from a user-supplied password. However, most users choose passwords that are easy to remember (Taneski, Hericko and Brumen, 2014; Wiedenbeck et al., 2005). Such passwords have low entropy, which leaves PBE vulnerable to online and offline guessing attacks (Gennaro and Lindell, 2003; Kelsey et al., 1997). Recently, Juels and Ristenpart proposed a novel encryption scheme called honey encryption (HE) (Juels and Ristenpart, 2014). Although the user’s chosen password still serves as the encryption key as in PBE, HE provides security beyond the brute-force bound by employing a distribution-transforming encoder (DTE): decryption under an incorrect password yields a plausible decoy message drawn from the message distribution, so even an attacker with unbounded computation cannot tell a correct guess from a wrong one. A DTE can be designed for a specific application (e.g., credit card numbers and genomic data protection (Huang et al., 2015; Juels and Ristenpart, 2014)).
However, HE has an important limitation with respect to password typographical errors, and this is its most challenging open problem. Because decryption under an incorrect key produces a valid-looking but incorrect message, a legitimate user who mistypes the password receives a fake message with no indication that anything went wrong, and may be misled by it. This is not a corner case: in many systems, users commonly make mistakes when typing their passwords. According to a recent study (Chatterjee et al., 2016), 42% of workers in the experiment made at least one typographical error per 100,000 submissions. Therefore, the password typographical error problem should be addressed in order to improve both the security strength and the usability of HE.
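The following Python snippet is an added illustration of the mechanism just described; it is not code from this paper or from any HE implementation. It builds an inverse-sampling DTE over a constructed three-message prior (the messages and their probabilities are made up), derives a one-time pad from the password with PBKDF2, and shows that decryption under a typo ("hunter3" for "hunter2") returns a message that is just as plausible as the real one, with no error raised, and that over many wrong passwords the decoys follow the prior.

```python
"""Toy honey encryption: a DTE plus a password-derived pad.

Added illustration, not the paper's code. encode() maps a message to a
uniformly random seed inside an interval whose width is proportional to
the message's prior probability; decode() maps any seed back to the
message owning that interval. Because the seed is XORed with a pad derived
from the password, decryption under ANY password yields a uniformly random
seed, which decodes to a decoy distributed exactly like the prior.
"""
import hashlib
import os
import secrets
from collections import Counter

SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS
KDF_ITERS = 1_000  # kept low for the demo; use a memory-hard KDF at a far higher cost in practice

# Constructed prior over a tiny message space; the probabilities are made up.
PRIOR = {"transfer $100": 0.5, "transfer $500": 0.3, "transfer $9000": 0.2}


class DTE:
    """Inverse-sampling distribution-transforming encoder over a finite message space."""

    def __init__(self, prior):
        self.intervals = {}
        lo = 0
        items = list(prior.items())
        for i, (msg, p) in enumerate(items):
            # last interval absorbs rounding so the intervals tile the whole seed space
            hi = SEED_SPACE if i == len(items) - 1 else lo + int(p * SEED_SPACE)
            self.intervals[msg] = (lo, hi)
            lo = hi

    def encode(self, msg):
        lo, hi = self.intervals[msg]
        return lo + secrets.randbelow(hi - lo)  # uniform seed inside the message's interval

    def decode(self, seed):
        for msg, (lo, hi) in self.intervals.items():
            if lo <= seed < hi:
                return msg
        raise ValueError("seed outside seed space")


def _pad(password, salt):
    """SEED_BITS of password-derived pad (PBKDF2-HMAC-SHA256)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS, SEED_BITS // 8)
    return int.from_bytes(raw, "big")


def he_encrypt(dte, password, msg):
    salt = os.urandom(16)
    return salt, dte.encode(msg) ^ _pad(password, salt)


def he_decrypt(dte, password, ciphertext):
    """Never fails: a wrong or mistyped password simply decodes to a decoy."""
    salt, body = ciphertext
    return dte.decode(body ^ _pad(password, salt))


def decoy_distribution(dte, ciphertext, n):
    """Decrypt under n random wrong passwords; return the relative frequency of each decoy."""
    counts = Counter(he_decrypt(dte, f"wrong-{secrets.token_hex(4)}", ciphertext) for _ in range(n))
    return {msg: c / n for msg, c in counts.items()}


if __name__ == "__main__":
    dte = DTE(PRIOR)
    ct = he_encrypt(dte, "hunter2", "transfer $9000")
    print("correct password :", he_decrypt(dte, "hunter2", ct))
    print("typo 'hunter3'   :", he_decrypt(dte, "hunter3", ct))  # plausible decoy, no error
    print("decoy frequencies:", decoy_distribution(dte, ct, 1000))
```

Running the module prints the real message, the decoy obtained with the mistyped password, and the decoy frequencies. Nothing in the output distinguishes the legitimate user's typo from an attacker's wrong guess, which is exactly why HE needs a separate typo detection mechanism, and why any such mechanism must not hand the same distinguishing signal to the attacker.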
Although some previous work acknowledged the importance of the password typographical error problem in HE (Huang et al., 2015; Juels and Ristenpart, 2014; Juels and Rivest, 2013), it only made general suggestions about how the problem might be solved, without providing a concrete scheme construction with a formal security proof or a performance analysis.
In this paper, we propose three typographical error detection schemes for HE, each with its own threat model: (1) a one-factor scheme, (2) a two-factor scheme, and (3) a hash-based scheme. The one-factor scheme is designed for a conventional client-server model. It is the simplest and most efficient of the three, but it suffers from a comparatively higher false positive rate than the other two.
To improve on the one-factor scheme, the two-factor scheme extends the system with an additional database manager. It achieves higher typographical error detection accuracy by using additional side information in the form of a personal identification number (PIN). However, this burdens users with memorizing the side information in addition to the password.
The hash-based scheme removes the side-information requirement of the two-factor scheme by using online message verification in the same system environment as the two-factor scheme. The online verification protocol guarantees message recovery (MR) security while relying on no side information beyond the password itself. The contributions of this paper are summarized as follows:
We propose three practical typographical error detection schemes, together with their threat models, to tackle the typographical error problem in HE. The proposed schemes let a user detect a broader range of password typographical errors than the generic typo-correction schemes discussed previously (Chatterjee et al., 2016), and they provide high resilience against typographical errors.
We analyze the performance and message recovery (MR) security of each scheme in a formal game-based model that considers both online and offline brute-force attacks.
We compare the empirical performance of the schemes through a user study, approved by our Institutional Review Board (IRB), with 150 participants. The results show that our schemes detect typographical errors with high accuracy, which demonstrates that they are highly usable.
To the best of our knowledge, this is the first paper to propose detailed schemes that resolve the typographical error problem in HE with formal security proofs and analyses.
The remainder of this paper is organized as follows. Section 2 presents the background of our research. Section 3 describes the system and security goals. In Section 4, we propose three typographical error-resilient solutions for HE. Then, we analyze the false positive rate, false negative rate, and typographical error detection accuracy of the proposed solutions in Section 5. In Section 6, we discuss the limitations of our current work and summarize our findings. Finally, Section 7 offers our conclusions.
In this section, we briefly introduce research that is directly relevant to the honey encryption scheme and its typographical error problem.
System description and security goals
In this section, we describe the overall system architecture, and formally define notations we use in this work. In addition, we explain the details of the threat models we consider and the security goals we aim to achieve for each approach.
In this section, we propose three typographical error-resilient solutions for HE, each for a different system environment: a one-factor scheme, a two-factor scheme, and a hash-based scheme. For each scheme, we describe the system model, the threat model, and the protocol construction. Finally, we discuss the pros and cons of each scheme.
Theoretical typographical error detection accuracy
The typographical error detection accuracy is defined in terms of the following true positive and true negative rates:
True positive. The probability that the scheme reports a typographical error when the user entered an invalid password.
True negative. The probability that the scheme reports a valid password when the user entered the original password.
Typographical error detection accuracy. The sum of the true positive and true negative rates.
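The rates defined above can be measured directly. The following added Python example is not code from the paper, and the detector it evaluates is not one of the three schemes proposed here: it is a deliberately naive strawman, a k-bit tag derived from the password and compared on every decryption, with constructed inputs and constants (the password, the salt, the typo generator and the 4097-entry dictionary are all made up). It estimates the true positive rate over single-edit typos of the password, the true negative rate for the original password, and the accuracy as defined above (the sum of the two). It also counts how many dictionary guesses the same tag lets an offline attacker discard: each tag bit halves the survivors, which is the price any check of this kind charges against HE's brute-force-bound guarantee, since whatever test the legitimate user can run, the attacker can run too.

```python
"""Empirical TP/TN/accuracy of a strawman k-bit typo check, and its offline cost.

Added example, not the paper's construction. The tag is deterministic, so the
original password is always accepted (TN = 1); a typo slips through only when
its tag collides with the stored one (probability about 2**-k). The same
collision test prunes an attacker's dictionary by the same factor.
"""
import hashlib
import string

CORRECT = "correct horse battery"      # constructed password
SALT = b"constructed-fixed-salt"       # constructed; per-user random salt in practice


def tag_of(password, k):
    """Low k bits of SHA-256(salt || password). A real scheme would use a slow KDF;
    the rate estimates below do not depend on the hash's speed."""
    digest = hashlib.sha256(SALT + password.encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1)


def typo_variants(pw):
    """Constructed single-edit typos: deletions, lowercase substitutions, adjacent transpositions."""
    out = set()
    for i in range(len(pw)):
        out.add(pw[:i] + pw[i + 1:])
        for c in string.ascii_lowercase:
            out.add(pw[:i] + c + pw[i + 1:])
    for i in range(len(pw) - 1):
        out.add(pw[:i] + pw[i + 1] + pw[i] + pw[i + 2:])
    out.discard(pw)
    return sorted(out)


def detection_rates(correct, k):
    """Return (true positive, true negative, accuracy = TP + TN) for a k-bit tag."""
    stored = tag_of(correct, k)
    typos = typo_variants(correct)
    rejected = sum(1 for t in typos if tag_of(t, k) != stored)
    tp = rejected / len(typos)                          # P(flag typo | invalid password)
    tn = 1.0 if tag_of(correct, k) == stored else 0.0   # P(accept | original password)
    return tp, tn, tp + tn


def surviving_guesses(correct, dictionary, k):
    """Dictionary entries an offline attacker cannot rule out using the stored tag."""
    stored = tag_of(correct, k)
    return [g for g in dictionary if tag_of(g, k) == stored]


# Constructed attacker dictionary: 4096 junk guesses plus the real password.
DICTIONARY = [f"password{i}" for i in range(4096)] + [CORRECT]


if __name__ == "__main__":
    for k in (0, 4, 8, 12):
        tp, tn, acc = detection_rates(CORRECT, k)
        left = len(surviving_guesses(CORRECT, DICTIONARY, k))
        print(f"k={k:2d}  TP={tp:.3f}  TN={tn:.1f}  accuracy={acc:.3f}  "
              f"dictionary survivors={left}/{len(DICTIONARY)}")
```

With k = 0 there is no check at all: every typo is accepted (TP = 0) but every dictionary entry also survives, which is the brute-force bound HE is designed to preserve. Raising k pushes TP towards 1 while dividing the attacker's candidate set by about 2^k. The paper's schemes exist precisely to get the first effect without the second.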
By calculating the typographical error
Summary, discussion, and limitations
The typographical error problem is one of the major challenges and open problems of the HE scheme. It is a clearly defined problem but is also difficult to solve. We discuss the reasons for the difficulty of solving the typographical error problem in the HE scheme. We make the following two assumptions:
The only difference between a legitimate user and an adversary is that only the legitimate user knows the original password.
The HE scheme assumes a powerful adversary who is allowed to take an
HE is a novel encryption scheme that provides security beyond the brute-force bound. However, it suffers from a typographical error problem: a mistyped password may confuse a legitimate user, because decryption produces a fake yet valid-appearing message even under an incorrect key. For this reason, typographical error handling is a more critical and challenging problem for HE than for other password-based schemes. In this paper, we proposed three different schemes: a one-factor
This work was supported by a National Research Foundation of Korea (NRF) grant funded by the Korean government (MSIP) (No. 2016R1A2A2A05005402 and 2017R1C1B5076474). This work was also supported by an Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korean government (MSIP) (No. 2017-0-00380, Development of next generation user authentication), and the ICT Consilience Creative program (IITP-2017-R0346-16-1007).
Hoyul Choi is currently pursuing the M.S. degree in Department of Computer Science and Engineering, College of Informatics, Korea University, Republic of Korea.
- M. Keith et al. The usability of passphrases for authentication: an empirical field study. Int J Hum-Comput Stud.
- M. Miao et al. Secure multi-server-aided data deduplication in cloud computing. Pervasive Mob Comput.
- S. Wiedenbeck et al. PassPoints: design and longitudinal evaluation of a graphical password system. Int J Hum-Comput Stud.
- M. Abadi et al. Password-based encryption analyzed. Automata, Languages and Programming.
- G.V. Bard. Spelling-error tolerant, order-independent pass-phrases via the Damerau–Levenshtein string-edit distance metric. Proceedings of the Fifth Australasian Symposium on ACSW Frontiers, Volume 68.
- M. Bellare et al. Multi-instance security and its application to password-based cryptography. Advances in Cryptology – CRYPTO 2012.
- J. Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP).
- M. Buhrmester et al. Amazon’s Mechanical Turk: a new source of inexpensive, yet high-quality, data? Perspectives on Psychological Science.
- R. Chatterjee et al. Password typos and how to correct them securely. Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP).
- R. Chatterjee et al. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security.
- Password typos resilience in honey encryption. Proceedings of the International Conference on Information Networking (ICOIN).
- A large-scale study of web password habits. Proceedings of the International Conference on World Wide Web.
- Error-tolerant password recovery. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security.
- A framework for password-based authenticated key exchange. Advances in Cryptology – EUROCRYPT 2003.
- GenoGuard: protecting genomic data against brute-force attacks. Proceedings of the IEEE Symposium on Security and Privacy (SP), 2015.
- SURPASS: system-initiated user-replaceable passwords. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.
Jongmin Jeong is currently pursuing the M.S. degree in Department of Computer Science and Engineering, College of Informatics, Korea University, Republic of Korea.
Simon S. Woo is an Assistant Professor at the State University of New York, Korea (SUNY Korea).
Kyungtae Kang is an Associate professor in Department of Computer Science and Engineering, Hanyang University, Republic of Korea.
Junbeom Hur is an Associate professor in Department of Computer Science and Engineering, College of Informatics, Korea University, Republic of Korea.
This is an extension of our previously published paper in Choi et al. (2017).
Both authors contributed equally to this work.
© 2018 Elsevier Ltd. All rights reserved.