Weak Password

The Experts below are selected from a list of 216 Experts worldwide ranked by ideXlab platform

Ning Xu - One of the best experts on this subject based on the ideXlab platform.

  • Captcha as Graphical Passwords: A New Security Primitive Based on Hard AI Problems
    IEEE Transactions on Information Forensics and Security, 2014
    Co-Authors: Maowei Yang, Ning Xu
    Abstract:

    Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging as an exciting new paradigm, but has been under-explored. In this paper, we present a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as graphical Passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as PassPoints, that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.

Joseph Bonneau - One of the best experts on this subject based on the ideXlab platform.

  • The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords
    2012 IEEE Symposium on Security and Privacy, 2012
    Co-Authors: Joseph Bonneau
    Abstract:

    We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker's desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords, and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific list.

  • The Password Game: Negative Externalities from Weak Password Practices
    Decision and Game Theory for Security, 2010
    Co-Authors: Soren Preibusch, Joseph Bonneau
    Abstract:

    The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites. The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.

Maowei Yang - One of the best experts on this subject based on the ideXlab platform.

  • Captcha as Graphical Passwords: A New Security Primitive Based on Hard AI Problems
    IEEE Transactions on Information Forensics and Security, 2014
    Co-Authors: Maowei Yang, Ning Xu
    Abstract:

    Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging as an exciting new paradigm, but has been under-explored. In this paper, we present a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as graphical Passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as PassPoints, that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.

Weijun Hong - One of the best experts on this subject based on the ideXlab platform.

  • A Weak Password Cracker of UHF RFID Tags
    2015 IEEE 12th Intl Conf on Ubiquitous Intelligence and Computing and 2015 IEEE 12th Intl Conf on Autonomic and Trusted Computing and 2015 IEEE 15th I, 2015
    Co-Authors: Zhentao Zhao, Shufang Li, Yang Kang, Jiankai Li, Shengguang Li, Weijun Hong
    Abstract:

    Under the ISO/IEC 18000-6C protocol of UHF RFID, an electronic tag's information security is based on password protection, but its natural defect is that it is unable to reject brute-force tests, which can be exhaustive. By protocol analysis, this article theoretically proves that tags' weak passwords can be cracked. Combined with a concrete Tag-Interrogator module, a method for improving the cracking efficiency is given, using a special concise password library. Furthermore, this paper implements the password cracker and carries out an exploration of distributed detection. By this method most electronic tags' passwords can be cracked within one week. The ultimate goal of this paper is to remind the UHF RFID industry that projects should enhance the security level of tags' passwords in practice.

Emin Anarım - One of the best experts on this subject based on the ideXlab platform.

  • Simetrik Anahtar Kripto ile Bir Parola-tabanlı Anahtar Oluşturma Protokolü (A Password-based Key Establishment Protocol with Symmetric Key Cryptography)
    2020
    Co-Authors: Emin Anarım
    Abstract:

    In 2005, Laih, Ding and Huang proposed a password-based key establishment protocol such that a user and a server can authenticate each other and generate a strong session key from their shared weak password within a symmetric cipher over an insecure channel. They claim that the proposed protocol is secure against offline dictionary attacks, which are major threats for most weak-password-based protocols, and some other well-known attacks. However, Tang and Mitchell show that the protocol suffers from an offline dictionary attack requiring a machine-based search of size 2^23, which takes only about 2.3 hours. So designing such a protocol that provides practical security against offline attacks is still an open problem. In this study, we introduce two password-based authenticated key establishment protocols that provide practical security against offline dictionary attacks by only using symmetric cryptography.

  • A Password-Based Key Establishment Protocol with Symmetric Key Cryptography
    2008 IEEE International Conference on Wireless and Mobile Computing Networking and Communications, 2008
    Co-Authors: Imran Erguler, Emin Anarım
    Abstract:

    In 2005, Laih, Ding and Huang proposed a password-based key establishment protocol such that a user and a server can authenticate each other and generate a strong session key from their shared weak password within a symmetric cipher over an insecure channel. In this protocol, a special function which is a combination of a picture function and a distortion function, e.g. CAPTCHA, is used to authenticate the user and protect the password from the dictionary attacks that are major threats for most weak-password-based protocols. They claim that the proposed protocol is secure against some well-known attacks. However, Tang and Mitchell show that the protocol suffers from an offline dictionary attack requiring a machine-based search of size 2^23, which takes only about 2.3 hours. So designing such a protocol that provides practical security against offline attacks is still an open problem. In this study, we introduce two password-based authenticated key establishment protocols that provide practical security against offline dictionary attacks by only using symmetric key cryptography.

  • A Password-based key establishment protocol with symmetric key cryptography
    2008 IEEE 16th Signal Processing Communication and Applications Conference, 2008
    Co-Authors: Imran Erguler, Emin Anarım
    Abstract:

    In 2005, Laih, Ding and Huang proposed a password-based key establishment protocol such that a user and a server can authenticate each other and generate a strong session key from their shared weak password within a symmetric cipher over an insecure channel. They claim that the proposed protocol is secure against offline dictionary attacks, which are major threats for most weak-password-based protocols, and some other well-known attacks. However, Tang and Mitchell show that the protocol suffers from an offline dictionary attack requiring a machine-based search of size 2^23, which takes only about 2.3 hours. So designing such a protocol that provides practical security against offline attacks is still an open problem. In this study, we introduce two password-based authenticated key establishment protocols that provide practical security against offline dictionary attacks by only using symmetric cryptography.
