Human-Computable Passwords Jeremiah Blocki Manuel Blum Anupam Datta Santosh Vempala.

Presentation transcript:


Password Management (slide figure: a user's passwords p1, p2, p3, p4, p5). Two competing goals: Security and Usability.

Password Security Game (slide figure: the user's passwords p1, p2, p3, p4, p5; an attacker targeting PayPaul.com with q queries and a budget of $1,000,000 guesses; a leaked hash BCRYPT(p4)).

Security Results (slide table; the attack columns are annotated Phishing Attack and Offline Attack):

Scheme                     | k=1 | t=1 | k=2 | Verdict
Reuse                      | No  | No  | No  | Usable + Insecure
Strong Random Independent  | Yes | Yes | Yes | Unusable + Secure
Shared Cues                | Yes | Yes | No  | Usable + Secure

Previous Work: Naturally Rehearsing Passwords
– Presentation on Thursday
– Password Management Scheme: Shared Cues
Key Question: Can we get better security if we ask the user to perform simple computations to generate his passwords?

Human Computation is Restricted
– Simple operations (addition, lookup)
– Operations performed in memory (limited space)
Improve Security?
– Simple Computations vs. Pure Recall

Candidate Scheme
– Memorize a Random Mapping (a one-time step!)
– Password computed as a response to public challenges
– Required operations: addition modulo 10, memory lookups

Random Mapping (slide table): each image I is paired with its secret digit σ(I); the pictured examples map to 9, 3, …, 6.

Single-Digit Challenge (slides show two, then three, images I1, I2, I3).
Response to two images: σ(I1) + σ(I2) = 2 mod 10
Response to three images: σ(I1) + σ(I2) + σ(I3) = … = 6 mod 10

Passwords (login form, Username: jblocki): each public challenge is answered with one digit, e.g. σ(I1) + σ(I2) + σ(I3) = … = 6 mod 10, and the slides show the password field filling one digit at a time (*, **).
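The candidate scheme as a worked example: a memorized random mapping σ, public per-account challenges, and one response digit per challenge computed by lookups and addition mod 10. This is an added reconstruction from the slides, not the authors' code; the image names, the σ values and the PayPaul.com challenges are constructed, and the authors' full scheme may use a different response function.

```python
"""Simplified human-computable password scheme, written to match the slides
(secret random mapping, public challenges, addition mod 10 and lookups).
Assumption: the authors' full scheme may use a different response function."""
import hashlib
import hmac
import os
import random

DIGITS = 10          # each challenge response is one decimal digit
CHALLENGE_WIDTH = 3  # images per single-digit challenge, as on the slide

# Constructed secret mapping sigma (image names are placeholders, not the slide's pictures).
SIGMA = {"cat": 9, "house": 3, "ship": 0, "apple": 7, "clock": 4, "tree": 6}
# Constructed public challenges for one account; these may be stored in the clear.
PAYPAUL_CHALLENGES = [("cat", "apple", "ship"), ("house", "clock", "tree"),
                      ("cat", "house", "tree"), ("ship", "apple", "clock")]

def generate_secret_mapping(images, rng=None):
    """One-time step: give every image a uniformly random digit the user memorizes."""
    rng = rng or random.SystemRandom()
    return {img: rng.randrange(DIGITS) for img in images}

def make_public_challenges(images, n_digits, rng=None):
    """Per-account challenges: n_digits tuples of CHALLENGE_WIDTH distinct images."""
    rng = rng or random.SystemRandom()
    return [tuple(rng.sample(sorted(images), CHALLENGE_WIDTH)) for _ in range(n_digits)]

def single_digit_response(sigma, challenge):
    """The human step: look up sigma for each pictured image, add, reduce mod 10."""
    return sum(sigma[img] for img in challenge) % DIGITS

def derive_password(sigma, challenges):
    """Password = one response digit per challenge, in challenge order."""
    return "".join(str(single_digit_response(sigma, c)) for c in challenges)

def enroll(sigma, challenges):
    """Server side keeps the public challenges and a salted slow hash, never sigma."""
    salt = os.urandom(16)
    pw = derive_password(sigma, challenges).encode()
    return {"challenges": challenges, "salt": salt,
            "digest": hashlib.pbkdf2_hmac("sha256", pw, salt, 200_000)}

def verify(record, typed_password):
    """Constant-time comparison of the hash of what the user typed."""
    digest = hashlib.pbkdf2_hmac("sha256", typed_password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["digest"])

if __name__ == "__main__":
    record = enroll(SIGMA, PAYPAUL_CHALLENGES)
    print(derive_password(SIGMA, PAYPAUL_CHALLENGES), verify(record, "6381"))
```

With the constructed σ, the four PayPaul.com challenges give the password 6381; a second account with its own challenges yields a different password from the same memorized σ.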

Usability
– Memorization is a one-time cost
– Mapping f is rehearsed naturally
– Can add new images over time
Time
– 75 seconds for a 10-digit password
– 7.5 seconds per digit (average)

Usability (Time)
– It takes me 7.5 seconds per digit (average)
– 2.5 minutes for a 20-digit password
– <30 seconds for a 4-digit password

Open Challenge