4,571 research outputs found
Naturally Rehearsing Passwords
We introduce quantitative usability and security models to guide the design
of password management schemes --- systematic strategies to help users create
and remember multiple passwords. In the same way that security proofs in
cryptography are based on complexity-theoretic assumptions (e.g., hardness of
factoring and discrete logarithm), we quantify usability by introducing
usability assumptions. In particular, password management relies on assumptions
about human memory, e.g., that a user who follows a particular rehearsal
schedule will successfully maintain the corresponding memory. These assumptions
are informed by research in cognitive science and validated through empirical
studies. Given rehearsal requirements and a user's visitation schedule for each
account, we use the total number of extra rehearsals that the user would have
to do to remember all of his passwords as a measure of the usability of the
password scheme. Our usability model leads us to a key observation: password
reuse benefits users not only by reducing the number of passwords that the user
has to memorize, but more importantly by increasing the natural rehearsal rate
for each password. We also present a security model which accounts for the
complexity of password management with multiple accounts and associated
threats, including online, offline, and plaintext password leak attacks.
Observing that current password management schemes are either insecure or
unusable, we present Shared Cues--- a new scheme in which the underlying secret
is strategically shared across accounts to ensure that most rehearsal
requirements are satisfied naturally while simultaneously providing strong
security. The construction uses the Chinese Remainder Theorem to achieve these
competing goals
Introducing a Machine Learning Password Metric Based on EFKM Clustering Algorithm
we introduce a password strength metric using Enhanced Fuzzy K-Means clustering algorithm (EFKM henceforth). The EFKM is trained on the OWASP list of 10002 weak passwords. After that, the optimized centroids are maximized to develop a password strength metric. The resulting meter was validated by contrasting with three entropy-based metrics using two datasets: the training dataset (OWASP) and a dataset that we collected from github website that contains 5189451 leaked passwords. Our metric is able to recognize all the passwords from the OWASP as weak passwords only. Regarding the leaked passwords, the metric recognizes almost the entire set as weak passwords. We found that the results of the EFKM-based metric and the entropy-based meters are consistent. Hence the EFKM metric demonstrates its validity as an efficient password strength checker
Privacy protocols
Security protocols enable secure communication over insecure channels.
Privacy protocols enable private interactions over secure channels. Security
protocols set up secure channels using cryptographic primitives. Privacy
protocols set up private channels using secure channels. But just like some
security protocols can be broken without breaking the underlying cryptography,
some privacy protocols can be broken without breaking the underlying security.
Such privacy attacks have been used to leverage e-commerce against targeted
advertising from the outset; but their depth and scope became apparent only
with the overwhelming advent of influence campaigns in politics. The blurred
boundaries between privacy protocols and privacy attacks present a new
challenge for protocol analysis. Covert channels turn out to be concealed not
only below overt channels, but also above: subversions, and the level-below
attacks are supplemented by sublimations and the level-above attacks.Comment: 38 pages, 6 figure
Selling a Single Item with Negative Externalities
We consider the problem of regulating products with negative externalities to
a third party that is neither the buyer nor the seller, but where both the
buyer and seller can take steps to mitigate the externality. The motivating
example to have in mind is the sale of Internet-of-Things (IoT) devices, many
of which have historically been compromised for DDoS attacks that disrupted
Internet-wide services such as Twitter. Neither the buyer (i.e., consumers) nor
seller (i.e., IoT manufacturers) was known to suffer from the attack, but both
have the power to expend effort to secure their devices. We consider a
regulator who regulates payments (via fines if the device is compromised, or
market prices directly), or the product directly via mandatory security
requirements.
Both regulations come at a cost---implementing security requirements
increases production costs, and the existence of fines decreases consumers'
values---thereby reducing the seller's profits. The focus of this paper is to
understand the \emph{efficiency} of various regulatory policies. That is,
policy A is more efficient than policy B if A more successfully minimizes
negatives externalities, while both A and B reduce seller's profits equally.
We develop a simple model to capture the impact of regulatory policies on a
buyer's behavior. {In this model, we show that for \textit{homogeneous}
markets---where the buyer's ability to follow security practices is always high
or always low---the optimal (externality-minimizing for a given profit
constraint) regulatory policy need regulate \emph{only} payments \emph{or}
production.} In arbitrary markets, by contrast, we show that while the optimal
policy may require regulating both aspects, there is always an approximately
optimal policy which regulates just one
- …