125 research outputs found

    Cracking-Resistant Password Vaults using Natural Language Encoders

    Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password that the user memorizes. A password vault can greatly reduce the burden on a user of remembering passwords, but introduces a single point of failure. An attacker that obtains a user’s encrypted vault can mount offline brute-force attacks and, if successful, compromise all of the passwords in the vault. In this paper, we investigate the construction of encrypted vaults that resist such offline cracking attacks and force attackers instead to mount online attacks. Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults—the only one of which we are aware—actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called NoCrack

    On the Fly Access Request Authentication: Two-Layer Password-Based Access Control Systems for Securing Information

    In the digital era, most of our highly sensitive documents are stored in computers. These documents are under great threat unless protected using appropriate measures. Despite their several imperfections, passwords are becoming the de facto mechanism for securing documents stored in local directories or on websites. In this scheme, users protect their documents using passwords. In order for such a scheme to work, the passwords must be stored in the file system either in plain or hashed form so that they can be used as references when information is requested. This paper proposes an innovative password-based protection system. Although the proposed system uses passwords for document protection, it proposes a completely different way of using and managing these passwords. Our system protects a stored document in terms of both the document itself and the password. Both the document’s content and the password are used along with random noise to generate a security code that serves as a reference when the document is requested. The security code is neither reversible nor reproducible without full knowledge of the password and the content of the document. The users of our system keep their passwords and provide them only when they first store the document and when they later request document retrieval. The passwords are never stored, in either their plain or hashed forms. Experiments with our prototype implementation showed that our protection scheme is effective and passed important security tests

    On the Gold Standard for Security of Universal Steganography

    While symmetric-key steganography is quite well understood both in the information-theoretic and in the computational setting, many fundamental questions about its public-key counterpart resist persistent attempts to solve them. The computational model for public-key steganography was proposed by von Ahn and Hopper in EUROCRYPT 2004. At TCC 2005, Backes and Cachin gave the first universal public-key stegosystem - i.e. one that works on all channels - achieving security against replayable chosen-covertext attacks (SS-RCCA) and asked whether security against non-replayable chosen-covertext attacks (SS-CCA) is achievable. Later, Hopper (ICALP 2005) provided such a stegosystem for every efficiently sampleable channel, but did not achieve universality. He posed the question whether universality and SS-CCA-security can be achieved simultaneously. No progress on this question has been achieved for more than a decade. In our work we solve Hopper's problem in a somehow complete manner: As our main positive result we design an SS-CCA-secure stegosystem that works for every memoryless channel. On the other hand, we prove that this result is the best possible in the context of universal steganography. We provide a family of 0-memoryless channels - where the already sent documents have only marginal influence on the current distribution - and prove that no SS-CCA-secure steganography for this family exists in the standard non-look-ahead model. Comment: EUROCRYPT 2018, llncs styl

    Explore the Security of the Fingerprint Fuzzy Vault Scheme Which Based on N-Neighbor Matching

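    With the spread of fingerprint recognition on smartphones, fingerprint encryption technology and its security issues have drawn much attention. The fingerprint fuzzy vault algorithm can organically combine the fuzziness of biometric features with the exactness of keys; because of this advantage, many scholars have studied the fingerprint fuzzy vault algorithm in depth in recent years. A large number of fingerprint fuzzy vault schemes have been proposed, and Wang's n-neighbor fingerprint fuzzy vault scheme is one of them. In the locking phase, the scheme uses the n-neighbor structure of the fingerprint to create the fingerprint fuzzy vault; in the unlocking phase, it performs identity verification by comparing n-neighbor structures. The scheme performs well in both efficiency and accuracy, but Wang did not study its security in depth. Today, with technology developing rapidly, people pay more and more attention to security, because the development of technology has also brought advances in hacking techniques. In recent years many people have suffered attacks such as password guessing and phishing fraud, leading to bank accounts, pass... With the popularity of fingerprint recognition on intelligent phones, fingerprint encryption technology and its security have received much concern. The fingerprint fuzzy vault scheme integrates the obscure attribute of the biometric data into the exact attribute of the secret. Because of this advantage, a lot of scholars work on the fingerprint fuzzy vault. A number of fingerprint fuzzy vault s... Degree: Master of Engineering. Department and major: School of Information Science and Technology, Computer Science and Technology. Student ID: 2302013115316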

    A secure vault setup for a crypto wallet

    In today's digital world, every user needs to store sensitive data, including personal information, cryptographic keys and/or passwords. For user convenience, this data is usually backed up on a cloud hosting so that users can have access to it from all their devices. However, this behaviour puts the user's privacy at risk, since sensitive data is somehow "shared" with their cloud hosting provider. In this master thesis we present a secure cloud backup for arbitrary data that does not leak any information to the cloud provider. Before uploading any data to the cloud server, the data is locally encrypted by the user using a key securely derived from a password. For user convenience the same password is used to derive a key to authenticate with the cloud server, although the server is by no means able to compute the decryption key from it, and thus has no access to the stored data. We have developed the cloud server, a client library in JavaScript, and an example use case using a React app