112,695 research outputs found
Distributed Storage for Data Security
We study the secrecy of a distributed storage system for passwords. The
encoder, Alice, observes a length-n password and describes it using two hints,
which she then stores in different locations. The legitimate receiver, Bob,
observes both hints. The eavesdropper, Eve, sees only one of the hints; Alice
cannot control which. We characterize the largest normalized (by n) exponent
that we can guarantee for the number of guesses it takes Eve to guess the
password subject to the constraint that either the number of guesses it takes
Bob to guess the password or the size of the list that Bob must form to
guarantee that it contain the password approach 1 as n tends to infinity.Comment: 5 pages, submitted to ITW 201
An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards
With the recent proliferation of distributed systems and networking, remote
authentication has become a crucial task in many networking applications.
Various schemes have been proposed so far for the two-party remote
authentication; however, some of them have been proved to be insecure. In this
paper, we propose an efficient timestamp-based password authentication scheme
using smart cards. We show various types of forgery attacks against a
previously proposed timestamp-based password authentication scheme and improve
that scheme to ensure robust security for the remote authentication process,
keeping all the advantages that were present in that scheme. Our scheme
successfully defends the attacks that could be launched against other related
previous schemes. We present a detailed cryptanalysis of previously proposed
Shen et. al scheme and an analysis of the improved scheme to show its
improvements and efficiency.Comment: 6 page
Password capabilities revisited
With reference to a distributed system consisting of nodes connected by a local area network,
we present a new formulation of the password capability paradigm that takes advantage of
techniques of symmetric-key cryptography to represent password capabilities in memory.We assign
a cryptographic key to each application; the password capabilities held by a process of a given
application are encrypted by using the key of this application. Passwords are associated with object
types;two or more objects of the same type, which are allocated to the same node, share the same set of passwords. Our password capability paradigm preserves all the advantages concerning simplicity in
access right representation and administration (distribution,verification,review and revocation) that
characterize the classical paradigm, while keeping the memory requirements for password storage
low and solving the problems connected with password capability stealing and forging
On Efficiency of Distributed Password Recovery
One of the major challenges in digital forensics today is data encryption. Due to the leaked information about unlawful sniffing, many users decided to protect their data by encryption. In case of criminal activities, forensic experts are challenged how to decipher suspect\u27s data that are subject to investigation. A common method how to overcome password-based protection is a brute force password recovery using GPU-accelerated hardware. This approach seems to be expensive. This paper presents an alternative approach using task distribution based on BOINC platform. The cost, time and energy efficiency of this approach is discussed and compared to the GPU-based solution
Centralized vs Decentralized Targeted Brute-Force Attacks: Guessing with Side-Information
According to recent empirical studies, a majority of users have the same, or
very similar, passwords across multiple password-secured online services. This
practice can have disastrous consequences, as one password being compromised
puts all the other accounts at much higher risk. Generally, an adversary may
use any side-information he/she possesses about the user, be it demographic
information, password reuse on a previously compromised account, or any other
relevant information to devise a better brute-force strategy (so called
targeted attack). In this work, we consider a distributed brute-force attack
scenario in which adversaries, each observing some side information,
attempt breaching a password secured system. We compare two strategies: an
uncoordinated attack in which the adversaries query the system based on their
own side-information until they find the correct password, and a fully
coordinated attack in which the adversaries pool their side-information and
query the system together. For passwords of length , generated
independently and identically from a distribution , we establish an
asymptotic closed-form expression for the uncoordinated and coordinated
strategies when the side-information are generated
independently from passing through a memoryless channel ,
as the length of the password goes to infinity. We illustrate our results
for binary symmetric channels and binary erasure channels, two families of
side-information channels which model password reuse. We demonstrate that two
coordinated agents perform asymptotically better than any finite number of
uncoordinated agents for these channels, meaning that sharing side-information
is very valuable in distributed attacks
MPI Enhancements in John the Ripper
John the Ripper (JtR) is an open source software package commonly used by system administrators to enforce password policy. JtR is designed to attack (i.e., crack) passwords encrypted in a wide variety of commonly used formats. While parallel implementations of JtR exist, there are several limitations to them. This research reports on two distinct algorithms that enhance this password cracking tool using the Message Passing Interface. The first algorithm is a novel approach that uses numerous processors to crack one password by using an innovative approach to workload distribution. In this algorithm the candidate password is distributed to all participating processors and the word list is divided based on probability so that each processor has the same likelihood of cracking the password while eliminating overlapping operations. The second algorithm developed in this research involves dividing the passwords within a password file equally amongst available processors while ensuring load-balanced and fault tolerant behavior. This paper describes John the Ripper, the design of these two algorithms and preliminary results. Given the same amount of time, the original JtR can crack 29 passwords, whereas our algorithms 1 and 2 can crack an additional 35 and 45 passwords respectively
A Protected Single Sign-On Technique Using 2D Password in Distributed Computer Networks
Single Sign-On (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Recently, a new SSO scheme providing well-organized security argument failed to meet credential privacy and soundness of authentication. The main goal of this project is to provide security using Single Sign-On scheme meeting at least three basic security requirements, i.e., unforgetability, credential privacy, and soundness. User identification is an important access control mechanism for client–server networking architectures. The concept of Single Sign-On can allow legal users to use the unitary token to access different service providers in distributed computer networks. To overcome few drawbacks like not preserving user anonymity when possible attacks occur and extensive overhead costs of time-synchronized mechanisms, we propose a secure Single Sign-On mechanism that is efficient, secure, and suitable for mobile devices in distributed computer networks. In a real-life application, the mobile user can use the mobile device, e.g., a cell phone, with the unitary token to access multiservice, such as downloading music; receive/reply electronic mails etc. Our scheme is based on one-way hash functions and random nonce to solve the weaknesses described above and to decrease the overhead of the system. The proposed scheme is more secure with two types of password scheme namely, Text password and Graphical Password referred as 2D password in distributed computer networks that yields a more efficient system that consumes lower energy. The proposed system has less communication overhead. It eliminates the need for time synchronization and there is no need of holding multiple passwords for different services
Why Botnets Work: Distributed Brute-Force Attacks Need No Synchronization
In September 2017, McAffee Labs quarterly report estimated that brute force
attacks represent 20\% of total network attacks, making them the most prevalent
type of attack ex-aequo with browser based vulnerabilities. These attacks have
sometimes catastrophic consequences, and understanding their fundamental limits
may play an important role in the risk assessment of password-secured systems,
and in the design of better security protocols. While some solutions exist to
prevent online brute-force attacks that arise from one single IP address,
attacks performed by botnets are more challenging. In this paper, we analyze
these distributed attacks by using a simplified model. Our aim is to understand
the impact of distribution and asynchronization on the overall computational
effort necessary to breach a system. Our result is based on Guesswork, a
measure of the number of queries (guesses) required of an adversary before a
correct sequence, such as a password, is found in an optimal attack. Guesswork
is a direct surrogate for time and computational effort of guessing a sequence
from a set of sequences with associated likelihoods. We model the lack of
synchronization by a worst-case optimization in which the queries made by
multiple adversarial agents are received in the worst possible order for the
adversary, resulting in a min-max formulation. We show that, even without
synchronization, and for sequences of growing length, the asymptotic optimal
performance is achievable by using randomized guesses drawn from an appropriate
distribution. Therefore, randomization is key for distributed asynchronous
attacks. In other words, asynchronous guessers can asymptotically perform
brute-force attacks as efficiently as synchronized guessers.Comment: Accepted to IEEE Transactions on Information Forensics and Securit
- …