자료유형  

 학위논문

Control Number  

0017162750

International Standard Book Number  

9798342106252

Dewey Decimal Classification Number  

519.77

Main Entry-Personal Name  

Liu, Peiyuan.

Publication, Distribution, etc. (Imprint  

[S.l.] : Purdue University., 2024

Publication, Distribution, etc. (Imprint  

Ann Arbor : ProQuest Dissertations & Theses, 2024

Physical Description  

255 p.

General Note  

Source: Dissertations Abstracts International, Volume: 86-05, Section: B.

General Note  

Advisor: Blocki, Jeremiah.

Dissertation Note  

Thesis (Ph.D.)--Purdue University, 2024.

Summary, Etc.  

요약Brute force guessing attacks continue to pose a significant threat to user passwords. To protect user passwords against brute force attacks, many organizations impose restrictions aimed at forcing users to select stronger passwords. Organizations may also adopt stronger hashing functions in an effort to deter offline brute force guessing attacks. However, these defenses induce trade-offs between security, usability, and the resources an organization is willing to investigate to protect passwords. In order to make informed password policy decisions, it is crucial to understand the distribution over user passwords and how policy updates will impact this password distribution and/or the strategy of a brute force attacker.This first part of this thesis focuses on developing rigorous statistical tools to analyze user password distributions and the behavior of brute force password attackers. In particular, we first develop several rigorous statistical techniques to upper and lower bound the guessing curve of an optimal attacker who knows the user password distribution and can order guesses accordingly. We apply these techniques to analyze eight password datasets and two PIN datasets. Our empirical analysis demonstrates that our statistical techniques can be used to evaluate password composition policies, compare the strength of different password distributions, quantify the impact of applying PIN blocklists, and help tune hash cost parameters. A real world attacker may not have perfect knowledge of the password distribution. Prior work introduced an efficient Monte Carlo technique to estimate the guessing number of a password under a particular password cracking model, i.e., the number of guesses an attacker would check before this particular password. This tool can also be used to generate password guessing curves, but there is no absolute guarantee that the guessing number and the resulting guessing curves are accurate. Thus, we propose a tool called Confident Monte Carlo that uses rigorous statistical techniques to upper and lower bound the guessing number of a particular password as well as the attacker's entire guessing curve. Our empirical analysis also demonstrate that this tool can be used to help inform password policy decisions, e.g., identifying and warning users with weaker passwords, or tuning hash cost parameters.The second part of this thesis focuses on developing stronger password hashing algorithms to protect user passwords against offline brute force attacks. In particular, we establish that the memory hard function Scrypt, which has been widely deployed as password hash function, is maximally bandwidth hard. We also present new techniques to construct and analyze depth robust graph with improved concrete parameters. Depth robust graph play an essential rule in the design and analysis of memory hard functions.

Subject Added Entry-Topical Term  

Integer programming.

Subject Added Entry-Topical Term  

Confidence.

Subject Added Entry-Topical Term  

Graphs.

Subject Added Entry-Topical Term  

Passwords.

Subject Added Entry-Topical Term  

Cybersecurity.

Subject Added Entry-Topical Term  

Computer science.

Added Entry-Corporate Name  

Purdue University.

Host Item Entry  

Dissertations Abstracts International. 86-05B.

Electronic Location and Access  

로그인을 한후 보실 수 있는 자료입니다.

Control Number  

joongbu:658650