hotsec08 presentation july 29 2008
play

HotSec08 Presentation July 29, 2008 Digital Objects as Passwords - PowerPoint PPT Presentation

Feb 08, 2024 •119 likes •285 views

ObPwd: Digital Objects as Passwords HotSec08 Presentation July 29, 2008 Digital Objects as Passwords Mohammad Mannan and P.C. van Oorschot mmannan@scs.carleton.ca Carleton University, Canada Mohammad Mannan July 29, 2008 1/15 ObPwd:

  1. ObPwd: Digital Objects as Passwords HotSec08 Presentation – July 29, 2008 Digital Objects as Passwords Mohammad Mannan and P.C. van Oorschot mmannan@scs.carleton.ca Carleton University, Canada Mohammad Mannan July 29, 2008 1/15

  2. ObPwd: Digital Objects as Passwords The fun of password generation Mohammad Mannan July 29, 2008 2/15

  3. ObPwd: Digital Objects as Passwords Use random generators? Mohammad Mannan July 29, 2008 3/15

  4. ObPwd: Digital Objects as Passwords What we focus on 1. Usable strong password � password generation � password recall 2. Infrequently-used password � Personal Verification Questions (PVQs) � tax filing password “easy to remember = easy to guess” Mohammad Mannan July 29, 2008 4/15

  5. ObPwd: Digital Objects as Passwords Your object is your password: ObPwd User selected content (image, text, binary) Apply hash function SHA-1 (base64 output) Hashed value XLVe1DSkCHeEWA2qhK6QSnvOJXA PwdHash encoding Hash2Text Password e1DSkCHeRXLV (b) An example of ObPwd (a) Generic steps in ObPwd Mohammad Mannan July 29, 2008 5/15

  6. ObPwd: Digital Objects as Passwords Password objects 1. Object features � personal or personally meaningful � stable (long-lived) content 2. Object sources � private objects: inaccessibility � web objects: vast richness Mohammad Mannan July 29, 2008 6/15

  7. ObPwd: Digital Objects as Passwords Password objects (cont.) 1. Private objects � local disk, mobile media (USB stick) � images, documents, text passages, executables, emails 2. Web/public objects � Internet Archive, Project Gutenberg, Google Books, ACM/IEEE digital archive � images, text passages, files Mohammad Mannan July 29, 2008 7/15

  8. ObPwd: Digital Objects as Passwords ObPwd variants 1. Append a salt with the selected object � pwd = Hash2Text( Hash(object, salt) ) � harder to generate password from compromised objects 2. Append a URL � pwd = Hash2Text( Hash(object, URL) ) � may prevent password phishing (cf. PwdHash) Better protection but ... usability, portability? Mohammad Mannan July 29, 2008 8/15

  9. ObPwd: Digital Objects as Passwords Prototype implementations 1. Firefox add-on (cross platform, web objects) 2. Windows XP application (local objects) 3. Linux/Mac command-line program (local objects) Mohammad Mannan July 29, 2008 9/15

  10. ObPwd: Digital Objects as Passwords Prototype implementations Password generated from the selected image ObPwd extension menu in Firefox ObPwd Win32 application Mohammad Mannan July 29, 2008 10/15

  11. ObPwd: Digital Objects as Passwords Implementation choices 1. PwdHash encoding as Hash2Text � 12 characters, alphanumeric � omit special character option 2. Min. object size = 30 bytes, truncate at: 100 , 000 bytes Mohammad Mannan July 29, 2008 11/15

  12. ObPwd: Digital Objects as Passwords Limitations 1. Shoulder surfing 2. Obvious public objects � Facebook profile photo 3. Password objects visible to network attacker � mostly affects web login (use Tor?) 4. Interference: passwords from different objects 5. Rootkits � Mohammad Mannan July 29, 2008 12/15

  13. ObPwd: Digital Objects as Passwords Related ideas 1. TrueCrypt allows files as an encryption key � resulting key isn’t exposed to users 2. Photos as PVQs (Ariel Rabkin, SOUPS 2008) � upload a selected photo to an authenticating site � answer “who is the person in the photo?” Mohammad Mannan July 29, 2008 13/15

  14. ObPwd: Digital Objects as Passwords Some benefits 1. Reduced memory load: remember only a hint 2. Generating global password dictionary seems difficult � dictionaries for regular and passphrase/mnemonic pass- word exist 3. Written backup: not feasible for graphical passwords � middle ground between text and image based schemes � rich selection space: human seeded attacks are harder 4. Password sharing through hints � better than email password sharing? Mohammad Mannan July 29, 2008 14/15

  15. ObPwd: Digital Objects as Passwords Open issues 1. Is ObPwd a usable technique to generate strong password? � user testing required 2. Can we expose more options to users without confusing them? � password length, special chars, look-alike chars (1, l, 0, O) 3. How to deal with site-specific password requirements? Try from: http://www.ccsl.carleton.ca/ ∼ mmannan/obpwd Mohammad Mannan July 29, 2008 15/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analyst Presentation CSR Sugar - July 2008 Insert pictures AGENDA Thursday 31 July 2008

Analyst Presentation CSR Sugar - July 2008 Insert pictures AGENDA Thursday 31 July 2008

Analyst Presentation CSR Sugar - July 2008 Insert pictures AGENDA Thursday 31 July 2008 Welcome & Introduction Jerry Maycock, Managing Director, CSR Sugar Overview Ian Glasson, CEO CSR Sugar Cogeneration Shayne Rutherford,

152 views • 14 slides
Windows 2008 R2 SQL 2008 R2 Jan 2016 Jan 2015 July 2014 SQL 2008 July 2019 July

Windows 2008 R2 SQL 2008 R2 Jan 2016 Jan 2015 July 2014 SQL 2008 July 2019 July

Windows 2008 R2 SQL 2008 R2 Jan 2016 Jan 2015 July 2014 SQL 2008 July 2019 July 2014 SQL 2005 7/12/2016 April 2016 2 months 3 months 4 months 5 months 6 months 0 1 month 7 months 8 months Feature BizTalk 2016

321 views • 17 slides
Conference Call H1 2008 Revenue July 17, 2008 Solid performance in H1 2008 - Revenue: 3,765m

Conference Call H1 2008 Revenue July 17, 2008 Solid performance in H1 2008 - Revenue: 3,765m

Conference Call H1 2008 Revenue July 17, 2008 Solid performance in H1 2008 - Revenue: 3,765m Strong performance in Services and Hotels: +210m +5.2% Like-for-like +5.2% Q1 2008: +4.8% L/L Q2 2008: +5.6%L/L Expansion

782 views • 35 slides
4th International Conference on Environmental Science and Technology 2008 July 27-31, 2008

4th International Conference on Environmental Science and Technology 2008 July 27-31, 2008

4th International Conference on Environmental Science and Technology 2008 July 27-31, 2008 Greenspoint Wyndham Hotel Houston, USA (It should be noted that it is not the final version. The schedule is subject to change without notification)

185 views • 15 slides
HERMANUSDOORNS SHAREBLOCK LIMITED AGM July 2008 AGM 2008 1 PDF created with pdfFactory Pro

HERMANUSDOORNS SHAREBLOCK LIMITED AGM July 2008 AGM 2008 1 PDF created with pdfFactory Pro

HERMANUSDOORNS SHAREBLOCK LIMITED AGM July 2008 AGM 2008 1 PDF created with pdfFactory Pro trial version www.pdffactory.com AGENDA l Welcome l Special welcome to all new shareholders l Attendance Register l Notice Convening the Meeting and

630 views • 60 slides
Discussion with 802.1 Regarding 802.3at/802.3az use of LLDP July 2008 Denver Plenary Wael

Discussion with 802.1 Regarding 802.3at/802.3az use of LLDP July 2008 Denver Plenary Wael

Discussion with 802.1 Regarding 802.3at/802.3az use of LLDP July 2008 Denver Plenary Wael William Diab Broadcom IEEE 802.3 Joint Discussion with 802.1 July 2008 Plenary Version 1.0 Page 1 Agenda Code-point Locations 1

180 views • 15 slides
Second Quarter Results to June 30, 2008 Shire Limited July 31, 2008 THE SAFE HARBOR

Second Quarter Results to June 30, 2008 Shire Limited July 31, 2008 THE SAFE HARBOR

Second Quarter Results to June 30, 2008 Shire Limited July 31, 2008 THE SAFE HARBOR STATEMENT UNDER THE PRIVATE SECURITIES LITIGATION REFORM ACT OF 1995 Statements included herein that are not historical facts are forward-looking

785 views • 51 slides
Signal Processing and Data Analysis 2005-2008 21 st July 2008 Members 2008 4 PhD, 3 PosDoc (2 -

Signal Processing and Data Analysis 2005-2008 21 st July 2008 Members 2008 4 PhD, 3 PosDoc (2 -

Signal Processing and Data Analysis 2005-2008 21 st July 2008 Members 2008 4 PhD, 3 PosDoc (2 - Cincia 2007) , 2 PhD Stud 2005 (PhD , FCUP ) , PI Ana Paula Rocha Argentina Leite (PhD stud , FCUP and UTAD ) (PhD stud FCT ,

397 views • 12 slides
IP EuroNF Wrzburg July 21-22 2008 1 Network (R)Evolution Future Internet Interconnecting

IP EuroNF Wrzburg July 21-22 2008 1 Network (R)Evolution Future Internet Interconnecting

The Way 4WARD to a Creation of a Future Internet Henrik Abramowicz Ericsson Research EuroNF Wrzburg July 21-22 2008 Challenging the IP fortress - will this be successful ? IP EuroNF Wrzburg July 21-22 2008 1 Network (R)Evolution

223 views • 9 slides
PRESENTATION EXPERIENCE NSCA 2008 N ATIONAL C ONFERENCE , Las Vegas NV, July, 2008. T OPIC : P

PRESENTATION EXPERIENCE NSCA 2008 N ATIONAL C ONFERENCE , Las Vegas NV, July, 2008. T OPIC : P

PRESENTATION EXPERIENCE NSCA 2008 N ATIONAL C ONFERENCE , Las Vegas NV, July, 2008. T OPIC : P ERSONAL A THLETIC T RAINING S YSTEMS TM M OVEMENT T ESTING AND M OVEMENT S OLUTIONS (2 sessions) C ONTACT : V IRGINIA M EIER P HONE : 800-815-6826

309 views • 5 slides
Joel Tay The Financial Crisis of 2008 A brief analysis 19 th July 2013 The Financial Crisis

Joel Tay The Financial Crisis of 2008 A brief analysis 19 th July 2013 The Financial Crisis

9/11/2013 Agenda for 19 th July 2013 1 Questions 2 A Brief Overview 3 2004-2008 Timeline 4 Key Factors 5 Financial Regulations Post 2008 6 Effective or not? 7 Conclusion Joel Tay The Financial Crisis of 2008 A brief analysis 19

335 views • 4 slides
Economic Regulation & Market Liberalization ACCC 2008 Regulatory Conference July 24-25,

Economic Regulation & Market Liberalization ACCC 2008 Regulatory Conference July 24-25,

Economic Regulation & Market Liberalization ACCC 2008 Regulatory Conference July 24-25, 2008 Gold Coast, Queensland Australia Paul R. Kleindorfer University of Pennsylvania & INSEAD Kleindorfer@wharton.upenn.edu ACCC: PRK-July 08

468 views • 26 slides
UN ECOSOC Coordination Segment 7-9 July 2008 New York Wednesday 9 th July Round table discussion

UN ECOSOC Coordination Segment 7-9 July 2008 New York Wednesday 9 th July Round table discussion

DRAFT H.E. Mr ZDZISLAW RAPACKI UN ECOSOC Coordination Segment 7-9 July 2008 New York Wednesday 9 th July Round table discussion on the theme: Coherence: Strengthening the normative and operational link in the work of the UN on rural

187 views • 4 slides
Second Quarter Results 2008 Zurich July 24, 2008 Cautionary statement Cautionary statement

Second Quarter Results 2008 Zurich July 24, 2008 Cautionary statement Cautionary statement

Second Quarter Results 2008 Zurich July 24, 2008 Cautionary statement Cautionary statement regarding forward-looking and non-GAAP information This presentation contains forward-looking statements within the meaning of the Private Securities

599 views • 36 slides
NTFP Centre of Excellence 13 July 2015 Objectives NCE was established in 2008 (started

NTFP Centre of Excellence 13 July 2015 Objectives NCE was established in 2008 (started

Presentation on NTFP Centre of Excellence 13 July 2015 Objectives NCE was established in 2008 (started functioning on 15 April 2008) under Tripura JICA Project to address the issue of NTFPs and value addition in a comprehensive manner,

547 views • 41 slides
2008 Half Year Results July 2008 Agenda Henry - Highlights David - UK car insurance

2008 Half Year Results July 2008 Agenda Henry - Highlights David - UK car insurance

2008 Half Year Results July 2008 Agenda Henry - Highlights David - UK car insurance results, the UK market & Confused Kevin - International, reinsurance, dividends Henry - Long-term strategy 2 Highlights Profits in the

678 views • 54 slides
The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots GreHacks Gabriel Ryan (solstice) net user author /domain Gabriel Ryan Researcher @ Gotham Digital Science Worlds best Red

1.89k views • 125 slides
Amos 8:1-3 Gods Passion for Justice A vision Amos sees of Gods judgement upon Israel A

Amos 8:1-3 Gods Passion for Justice A vision Amos sees of Gods judgement upon Israel A

2019-11-19 The Roar of the Lion Amos 8:1-3 Gods Passion for Justice A vision Amos sees of Gods judgement upon Israel A Famine The 4 th of 4 visions starting in For Hearing Amos 7 Gods Word A play on words ending with

257 views • 4 slides
Prelude What's Going On by Al Cleveland, Renaldo Benson, and Marvin Gaye Call to Worship from

Prelude What's Going On by Al Cleveland, Renaldo Benson, and Marvin Gaye Call to Worship from

Welcome! We Prelude What's Going On by Al Cleveland, Renaldo Benson, and Marvin Gaye Call to Worship from Write Some New Agenda by Joseph H. Gilmore Leader: The wind blows across every border. The sun warms every upturned face, The

1.29k views • 61 slides
WELCOME SAINTS! SABBATH GREETINGS! John 4:25-26 The woman saith unto him, I know that Messias

WELCOME SAINTS! SABBATH GREETINGS! John 4:25-26 The woman saith unto him, I know that Messias

WELCOME SAINTS! SABBATH GREETINGS! John 4:25-26 The woman saith unto him, I know that Messias cometh, which is called Christ: when he is come, he will tell us all things. Jesus saith unto her, I that speak unto thee am he . John 8:23-24 And he

667 views • 41 slides
DEFY: A Deniable, Encrypted File System for Log Structured Storage WRITTEN BY: PRESENTED BY:

DEFY: A Deniable, Encrypted File System for Log Structured Storage WRITTEN BY: PRESENTED BY:

DEFY: A Deniable, Encrypted File System for Log Structured Storage WRITTEN BY: PRESENTED BY: TIMOTHY PETERS NICHOLAS BURTON MARK GONDREE ZACHARY PETERSON What is encryption? Why hide encryption? Previous Work on the Matter u Anderson and

550 views • 39 slides
Unicorn: Two-Factor Attestation for Data Security M. Mannan

Unicorn: Two-Factor Attestation for Data Security M. Mannan

ACM CCS - Oct. 18, 2011 Unicorn: Two-Factor Attestation for Data Security M. Mannan Concordia University, Canada B. Kim, A. Ganjali & D. Lie University of Toronto, Canada 1 Unicorn target systems q

809 views • 21 slides
A Survey on Private Set Intersection Presented by Hongrui Cui RickFreeman@sjtu.edu.cn October

A Survey on Private Set Intersection Presented by Hongrui Cui RickFreeman@sjtu.edu.cn October

A Survey on Private Set Intersection Presented by Hongrui Cui RickFreeman@sjtu.edu.cn October 17, 2019 Cui Hongrui (SJTU) PSI October 17, 2019 1 / 27 Overview Introduction 1 PSI Literature Notations The Core of PSI Semi-Honest PSI 2

668 views • 36 slides
Electroweak Symmetry Breaking with Holomorphic Supersymmetric NambuJona-Lasinio Model

Electroweak Symmetry Breaking with Holomorphic Supersymmetric NambuJona-Lasinio Model

Electroweak Symmetry Breaking with Holomorphic Supersymmetric NambuJona-Lasinio Model Talk at PHENO 2010 OTTO C. W. KONG Natl Central U, Taiwan 1 NambuJona-Lasinio Model :- Otto Kong (NCU) 09ntnu-1 dynamical symmetry

530 views • 21 slides

More recommend