the simple english guide to human generated secrets
play

The Simple English guide to human-generated secrets Computers try to - PowerPoint PPT Presentation

Jul 09, 2023 •178 likes •557 views

H UMAN - GENERATED SECRET DATA Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security and Human Behaviour Cambridge, UK June 29, 2010 Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 1 / 15 The Simple English

  1. H UMAN - GENERATED SECRET DATA Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security and Human Behaviour Cambridge, UK June 29, 2010 Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 1 / 15

  2. The Simple English guide to human-generated secrets Computers try to tell humans apart by asking for secret memories. 1 They can ask for other things, but those are very expensive. Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 2 / 15

  3. Two-factor authentication remains far too expensive Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 2 / 15

  4. The Simple English guide to human-generated secrets Computers try to tell humans apart by asking for secret data. They 1 can ask for other things, but these are very expensive. Many computer scientists use something called “entropy” to 2 measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea. Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 3 / 15

  5. Measuring Security Against Guessing Which is “harder” to guess: Surname of randomly chosen Internet user Randomly chosen 4-digit PIN Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 4 / 15

  6. Measuring Security Against Guessing Which is “harder” to guess: Surname of randomly chosen Internet user H 1 (surname) = 16.2 bits Randomly chosen 4-digit PIN H 1 (PIN) = 13.3 bits Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 4 / 15

  7. Shannon Entropy N � H 1 ( X ) = − p i lg p i i = 1 H 1 (surname) = 16.2 bits H 1 (PIN) = 13.3 bits Meaning: Expected number of queries “Is X ∈ S ?” for arbitrary subsets S ⊆ X needed to guess X . (Source-Coding Theorem) Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 5 / 15

  8. Guessing Entropy N � � R � G ( X ) = E # guesses ( X ← X ) = p i · i i = 1 G (surname) ≈ 137000 guesses G (PIN) ≈ 5000 guesses Meaning: Expected number of queries “Is X = x i ?” for i = 1 , 2 , . . . , N (optimal sequential guessing) Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 6 / 15

  9. Alternate attack models not captured What if we only want a 50% chance of breaking a given account? PIN: ≈ 5000 guesses Surname: ≈ 8000 guesses Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 7 / 15

  10. Alternate attack models not captured What if we only want a 10% chance of breaking a given account? PIN: ≈ 1000 guesses Surname: ≈ 89 guesses Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 7 / 15

  11. Need specific metrics for attackers who may give up Marginal Guesswork Give up after reaching probability α of success:  �  j �   � � µ α ( X ) = min  j ∈ [ 1 , N ] p i ≥ α � �  i = 1 � � � µ α ( X ) Can convert to bitstrength : ˜ µ α ( X ) = lg α Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 8 / 15

  12. Example U 16 X 65 H 1 4 4 ˜ G 4 5.1 µ 1 ˜ 4 1 2 ˜ 4 5.46 µ 3 4 Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 9 / 15

  13. The complete picture 8 X 65 U 16 7 6 µ α marginal guesswork ˜ 5 4 3 2 1 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 10 / 15

  14. The complete picture 25 PIN Surname 20 µ α marginal guesswork ˜ 15 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 10 / 15

  15. Some theorems to wake you up in the morning Theorem (adapted from Pliam) Given any m > 0 , β > 0 and 0 < α < 1 , there exists a distribution X µ α ( X ) < H 1 ( X ) − m and ˜ such that ˜ λ β ( X ) < H 1 ( X ) − m. Theorem (adapted from Boztas ¸) Given any m > 0 , β > 0 and 0 < α < 1 , there exists a distribution X µ α ( X ) < ˜ λ β ( X ) < ˜ G ( X ) − m and ˜ such that ˜ G ( X ) − m. Theorem (from [BJM] FC 2010 paper) Given any m > 0 , α 1 > 0 , and α 2 > 0 with 0 < α 1 < α 2 < 1 , there exists a distribution X such that ˜ µ α 1 ( X ) < ˜ µ α 1 ( X ) − m. Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 11 / 15

  16. The Simple English guide to human-generated secrets Computers try to tell humans apart by asking for secret data. They 1 can ask for other things, but these are very expensive. Many computer scientists use something called “entropy” to 2 measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea. Things that good people can remember aren’t unpredictable 3 enough to prevent bad people from guessing them. Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 12 / 15

  17. Comparing human-memorable secrets Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 13 / 15

  18. Comparing human-memorable secrets 40 35 30 Password [Klein] µ α marginal guesswork ˜ 25 Password [Spafford] Password [Schneier] 20 Mnemonic [Kuo] Pass-Go 15 PassPoints Passfaces 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 13 / 15

  19. Comparing human-memorable secrets 40 35 30 Password [Klein] Password [Spafford] µ α marginal guesswork ˜ 25 Password [Schneier] Mnemonic [Kuo] 20 Pass-Go PassPoints 15 Passfaces Surname Forename 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 13 / 15

  20. The Simple English guide to human-generated secrets Computers try to tell humans apart by asking for secret data. They 1 can ask for other things, but these are very expensive. Many computer scientists use something called “entropy” to 2 measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea. Things that good people can remember aren’t unpredictable 3 enough to prevent bad people from guessing them. People at a gaming website called RockYou got pwned. 4 Researchers now have many passwords to study. Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 14 / 15

  21. RockYou loses a list of 32 M passwords Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 15 / 15

  22. RockYou loses a list of 32 M passwords 290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess 21725 1234567 20901 rockyou 20553 12345678 16648 abc123 16227 nicole 15308 daniel 15163 babygirl 14726 monkey 14331 lovely Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 15 / 15

  23. RockYou loses a list of 32 M passwords 49952 iloveyou 13134 iloveu 5589 iloveme 3998 iloveyou2 3700 iloveyou1 2042 iloveu2 2007 ilovehim 1510 ilovejesus 1441 ilovegod 1358 iloveyou! 1096 iloveu1 1061 iloveme1 922 ilovemyself 908 iloveboys 894 ilovechris Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 15 / 15

  24. RockYou loses a list of 32 M passwords 830 lovesucks 680 lifesucks 166 schoolsucks 101 thissucks 71 luvsucks 58 sucks 43 mylifesucks 33 aolsucks 30 emosucks 23 bebosucks 19 l0vesucks 18 skoolsucks 16 love sucks 16 worksucks 15 lov3sucks Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 15 / 15

  25. RockYou loses a list of 32 M passwords 28 joeishot 11 joeismine 10 joeisfit 9 joeissexy 8 joeiscool 6 joeisgay 6 joeishot1 4 joeis#1 3 joeis1 3 joeisa 3 joeisastud 3 joeiscool1 3 joeissexy1 3 joeissohot 3 joeisthebest Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 15 / 15

  26. RockYou loses a list of 32 M passwords 1023 fresita 1023 mookie 1022 leelee 1021 tequieromucho 1020 giovanni 1020 harry 1018 celticfc 1018 ranger 1017 austin1 1017 newcastle 1017 preston 1017 snuggles 1017 tagged 1016 erica 1016 sniper Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 15 / 15

  27. RockYou loses a list of 32 M passwords 40 35 Password [Klein] 30 Password [Spafford] µ α Password [Schneier] marginal guesswork ˜ 25 Mnemonic [Kuo] Pass-Go 20 PassPoints Passfaces 15 Surname Forename 10 Password [RockYou] 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 15 / 15

  28. The Simple English guide to human-generated secrets Computers try to tell humans apart by asking for secret data. They 1 can ask for other things, but these are very expensive. Many computer scientists use something called “entropy” to 2 measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea. Things that good people can remember aren’t unpredictable 3 enough to prevent bad people from guessing them. People at a gaming website called RockYou got pwned. 4 Researchers now have many passwords to study. Computer scientists have never studied how people pick banking 5 PINs, but people are very bad at picking 4-digit numbers for other things, and so they might be bad at picking banking PINs too. Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 16 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

the English 120 Project Search Guide so that you can refer to it when you actually begin searching

the English 120 Project Search Guide so that you can refer to it when you actually begin searching

The following presentation will guide you toward resources for your English 120 research project. There is also a search guide available that goes with this session. You should print out the English 120 Project Search Guide so that you can refer

563 views • 11 slides
Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an

Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an

XUECRQXNRXVS Book Presentation Secrets Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an remarkable book which i have ever go through. It can be writter in simple terms and not difficult to

343 views • 3 slides
Secrets of Effective Communication Or . . . How You Can Change the World in 10 Simple Steps

Secrets of Effective Communication Or . . . How You Can Change the World in 10 Simple Steps

Secrets of Effective Communication Or . . . How You Can Change the World in 10 Simple Steps Prepared and presented by Nigel Sizer Ph.D. Director, Global Forests Initiative World Resources Institute 1 10 Steps to Impact INSTITUTION PROJECT

515 views • 33 slides
Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook

Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook

Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook we all have secrets and these secrets matter to us thats what makes them secrets software should keep our secrets some secrets are awful

1k views • 75 slides
Statistical Identification of English Loanwords in Korean Using Automatically Generated Training

Statistical Identification of English Loanwords in Korean Using Automatically Generated Training

Statistical Identification of English Loanwords in Korean Using Automatically Generated Training Data Kirk Baker Chris Brew Ohio State University LREC 2008 May 28-30, 2008 Guessing Etymology Identifying the etymological source of an

964 views • 29 slides
Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren

Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren

Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren CROSSING Conference,TU Darmstadt, Germany September 2019 Joint work with Anatoly Shusterman, Lachlan Kang, Yosef Meltser, Yarden Haskal, Prateek Mittal

288 views • 27 slides
On (2,3)-generated groups Maxim Vsemirnov Steklov Institute of Mathematics at St. Petersburg

On (2,3)-generated groups Maxim Vsemirnov Steklov Institute of Mathematics at St. Petersburg

Definitions and motivations (2,3)-generated finite (simple) groups (2,3)-generated classical groups over Z On (2,3)-generated groups Maxim Vsemirnov Steklov Institute of Mathematics at St. Petersburg Group Theory Conference in honor of V. D.

515 views • 25 slides
Pourquoi ce guide ? Une action publique plus simple, plus juste et plus efficace : tel est le cap

Pourquoi ce guide ? Une action publique plus simple, plus juste et plus efficace : tel est le cap

Consulter pour mieux rglementer Guide pratique pour la consultation des entreprises et des organisations professionnelles Pourquoi ce guide ? Une action publique plus simple, plus juste et plus efficace : tel est le cap que le Gouvernement

774 views • 43 slides
T he Poets Guide September 2016 What is Big Data? 1. Oxford English Dictionary : data of a

T he Poets Guide September 2016 What is Big Data? 1. Oxford English Dictionary : data of a

Users Guide to Big Data T he Poets Guide September 2016 What is Big Data? 1. Oxford English Dictionary : data of a very large size, typically to the extent that its manipulation and management present significant logistical challenges 2.

497 views • 25 slides
Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to

Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to

NAHPXXJI6KNA Book ^ Presentation Secrets Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to describe. It typically does not price an excessive amount of. It is extremely difficult to leave it before

260 views • 3 slides
Food Presentation Secrets: Styling Techniques Of Professionals Read Free Books and Download

Food Presentation Secrets: Styling Techniques Of Professionals Read Free Books and Download

Food Presentation Secrets: Styling Techniques Of Professionals Read Free Books and Download eBooks A practical guide to adding that professional flourish to any dish. Food Presentation Secrets provides professional cooking school instruction,

203 views • 5 slides
Strong Randomness Properties of (Hyper-)Graphs Generated by Simple Hash Functions Martin Aum

Strong Randomness Properties of (Hyper-)Graphs Generated by Simple Hash Functions Martin Aum

Strong Randomness Properties of (Hyper-)Graphs Generated by Simple Hash Functions Martin Aum uller Technische Universit at Ilmenau, Germany AofA15 Strobl, June 8, 2015 Joint work with Martin Dietzfelbinger and Philipp Woelfel. M.

691 views • 56 slides
P1 English Language CHIJ Our Lady of the Nativity Simple in Virtue, Steadfast in Duty Outcomes

P1 English Language CHIJ Our Lady of the Nativity Simple in Virtue, Steadfast in Duty Outcomes

P1 English Language CHIJ Our Lady of the Nativity Simple in Virtue, Steadfast in Duty Outcomes of English Proficiency All pupils to be able to use English to express themselves. All pupils to attain foundational skills, particularly in

200 views • 18 slides
EDI 101 for SAGE USERS A SIMPLE GUIDE TO EDI FOR Sage USERS Jon Bellemore Sales &amp; Marketing

EDI 101 for SAGE USERS A SIMPLE GUIDE TO EDI FOR Sage USERS Jon Bellemore Sales &amp; Marketing

EDI 101 for SAGE USERS A SIMPLE GUIDE TO EDI FOR Sage USERS Jon Bellemore Sales &amp; Marketing Strategist B2bgateway EDI services What is EDI? It sounds simple EDI (Electronic Data Interchange) is defined as the structured transmission of

465 views • 21 slides
A simple guide for organisations in the Voluntary and Community Sector 28/11/2016 It can take

A simple guide for organisations in the Voluntary and Community Sector 28/11/2016 It can take

A simple guide for organisations in the Voluntary and Community Sector 28/11/2016 It can take several weeks, or even a few months to open a group bank account. Be careful to fill the application form fully, and send all the information that is

335 views • 12 slides
EDI 101 FOR NETSUITE A SIMPLE GUIDE TO EDI FOR NetSuite USERS Jon Bellemore Sales &amp;

EDI 101 FOR NETSUITE A SIMPLE GUIDE TO EDI FOR NetSuite USERS Jon Bellemore Sales &amp;

EDI 101 FOR NETSUITE A SIMPLE GUIDE TO EDI FOR NetSuite USERS Jon Bellemore Sales &amp; Marketing Strategist B2bgateway EDI services SHORT HISTORY OF EDI In the beginning ANSI X-12 1970s-90s, (pre-internet): modem and a phone

407 views • 18 slides
Conjugate prior summary Distribution Likelihood p ( x | ) Prior p ( ) Distribution (1

Conjugate prior summary Distribution Likelihood p ( x | ) Prior p ( ) Distribution (1

Conjugate prior summary Distribution Likelihood p ( x | ) Prior p ( ) Distribution (1 ) (1 x ) x (1 ) ( a 1) ( b 1) Bernoulli Beta (1 ) ( N x ) x (1 ) ( a 1) ( b

979 views • 64 slides
2. Information Theory -Channel Capacity Ying Cui Department of Electronic Engineering Shanghai

2. Information Theory -Channel Capacity Ying Cui Department of Electronic Engineering Shanghai

1896 1920 1987 2006 Computing and Communications 2. Information Theory -Channel Capacity Ying Cui Department of Electronic Engineering Shanghai Jiao Tong University, China 2018, Autumn 1 Outline Communication system Examples of

756 views • 36 slides
Lecture 2 Lossless Source Coding I-Hsiang Wang Department of Electrical Engineering National

Lecture 2 Lossless Source Coding I-Hsiang Wang Department of Electrical Engineering National

Lecture 2 Lossless Source Coding I-Hsiang Wang Department of Electrical Engineering National Taiwan University ihwang@ntu.edu.tw October 2, 2016 1 / 50 I-Hsiang Wang IT Lecture 2 The engineering problem motivating the study of this

1.05k views • 50 slides
Foundations of Computing II Lecture 16: Information Theory and Data Compression Stefano Tessaro

Foundations of Computing II Lecture 16: Information Theory and Data Compression Stefano Tessaro

CSE 312 Foundations of Computing II Lecture 16: Information Theory and Data Compression Stefano Tessaro tessaro@cs.washington.edu 1 Announcements Office hours: I am available 1-3pm. Please make sure to read the instructions for the

617 views • 20 slides
PriSec Research Group Datavetenskap, Karlstads universitet Christer Andersson , Reine Lundin On

PriSec Research Group Datavetenskap, Karlstads universitet Christer Andersson , Reine Lundin On

PriSec Research Group Datavetenskap, Karlstads universitet Christer Andersson , Reine Lundin On the Fundamentals of Anonymity Metrics Christer Andersson IFIP Summerscool 2007, 6 10 th Aug, 2007 Introducing Paper Context Anonymous

574 views • 24 slides
Katalin Marton Abbas El Gamal Stanford University Withits 2010 A. El Gamal (Stanford

Katalin Marton Abbas El Gamal Stanford University Withits 2010 A. El Gamal (Stanford

Katalin Marton Abbas El Gamal Stanford University Withits 2010 A. El Gamal (Stanford University) Katalin Marton Withits 2010 1 / 9 Brief Bio Born in 1941, Budapest Hungary PhD from E otv os Lor and University in 1965 Department

546 views • 26 slides
Integer-Forcing for Channels, Sources and ADCs Or Ordentlich Tel Aviv University Or Ordentlich

Integer-Forcing for Channels, Sources and ADCs Or Ordentlich Tel Aviv University Or Ordentlich

Integer-Forcing for Channels, Sources and ADCs Or Ordentlich Tel Aviv University Or Ordentlich Integer-Forcing for Channels, Sources and ADCs Motivating Example y = x 1 + 2 x 2 + z Or Ordentlich Integer-Forcing for Channels, Sources and

1.47k views • 113 slides
Quantum decoupling via efficient classical operations and the entanglement cost of one-shot

Quantum decoupling via efficient classical operations and the entanglement cost of one-shot

Review of some classical tasks Quantum tasks Efficient decoupling and entanglement optimization Quantum decoupling via efficient classical operations and the entanglement cost of one-shot quantum protocols Anurag Anshu (joint work with

707 views • 67 slides

More recommend