What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions - PowerPoint PPT Presentation

  1. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. Joseph Bonneau, Mike Just, Greg Matthews (jcb82@cl.cam.ac.uk, Computer Laboratory). Financial Cryptography and Data Security 2010, Tenerife, Spain, January 26, 2010. Joseph Bonneau (University of Cambridge) What's in a Name? January 26, 2010 1 / 44

  2. Research Question. How "secure" are personal knowledge questions against guessing?

  3. Authenticating Humans. [Figure: taxonomy of human authentication methods] Hardware: physical keys, crypto hardware. Biometrics: fingerprints, iris, appearance, DNA; behaviour: typing, gait, voice, handwriting. Documentation. Delegation: Kerberos, PKI, post, SMS, OpenID, social vouching. Memory: explicit (PINs, text passwords, graphical passwords) and implicit ("cognitive" schemes, personal knowledge questions).

  4. Personal Knowledge Questions. Pros: cost, memorability? Cons: privacy, security.

  5. Authentication on the Web. 1. Text passwords; 2. Delegation; 3. Personal knowledge questions. Trends: OpenID may make delegation the preferred method; large webmail providers are becoming the root of trust.

  6. In the News. Paris Hilton, T-Mobile Sidekick, 2005-02-20. Sarah Palin, Yahoo! email, 2008-09-16. Twitter corporate, Google Docs, 2009-07-16.

  9. Protocol Model. Client to Server: "I am $i$". Server: increment $t_i$; select $q \xleftarrow{R} Q_i$. Server to Client: "Please answer $q$". Client to Server: "The answer is $x$". Server: verify $x$.
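The exchange on slide 9, as an added example that is not the deck's own code: a server that keeps the per-identity counter $t_i$, picks a question uniformly at random from that identity's question set and verifies the answer. The lockout threshold `MAX_ATTEMPTS`, the answer normalisation and the hashed storage are this example's assumptions; the slide only says that $t_i$ is incremented.

```python
"""Slide 9's challenge/response protocol, as an added example (not the
deck's own code).  The server keeps a per-identity attempt counter t_i,
selects a question q uniformly at random from that identity's question
set Q_i, and verifies the submitted answer x.  MAX_ATTEMPTS and the
answer normalisation are this example's assumptions; the slide only
says t_i is incremented."""
import hmac
import secrets
from hashlib import sha256

MAX_ATTEMPTS = 5  # assumed lockout threshold on t_i (not on the slide)

# Constructed sample data: identity -> {question: answer}
SAMPLE_QUESTIONS = {
    "alice": {
        "What is your mother's maiden name?": "Smith",
        "What was the name of your first pet?": "Rex",
    },
}


def _digest(answer):
    """Store and compare a normalised hash of the answer, never the
    plaintext (assumed practice, not specified by the slide)."""
    return sha256(answer.strip().lower().encode("utf-8")).hexdigest()


class Server:
    def __init__(self, questions):
        self.q = {i: {q: _digest(a) for q, a in qa.items()}
                  for i, qa in questions.items()}
        self.t = {i: 0 for i in questions}   # t_i: attempts since last success
        self.pending = {}                    # identity -> question just asked

    def challenge(self, i):
        """Client says 'I am i'.  Increment t_i, select q <-R Q_i and
        return 'Please answer q'; return None once t_i exceeds the limit."""
        if i not in self.q:
            return None
        self.t[i] += 1
        if self.t[i] > MAX_ATTEMPTS:
            return None
        q = secrets.choice(sorted(self.q[i]))  # uniform choice from Q_i
        self.pending[i] = q
        return q

    def verify(self, i, x):
        """Client says 'The answer is x'.  Verify x against the pending
        question in constant time; a success resets t_i."""
        q = self.pending.pop(i, None)
        if q is None:
            return False
        ok = hmac.compare_digest(self.q[i][q], _digest(x))
        if ok:
            self.t[i] = 0
        return ok


def run_exchange(server, i, answer):
    """One full client/server round; returns (question, accepted)."""
    q = server.challenge(i)
    if q is None:
        return None, False
    return q, server.verify(i, answer)


if __name__ == "__main__":
    s = Server(SAMPLE_QUESTIONS)
    # Accepted only when the randomly selected question was the maiden-name one.
    print(run_exchange(s, "alice", "smith"))
```

The counter is what turns the deck's later metrics into a concrete bound: with a cap of `MAX_ATTEMPTS` per identity, a trawling attacker's per-account success is the marginal success rate after that many guesses, not the full guessing entropy.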

  10. Targeted Attacker. Attacks a specific $i$; the real-world identity of $i$ is known; per-target research is possible.

  11. Targeted Attacker. Web search: used in the Hilton and Palin compromises. Public records: Griffith et al. found 30% of individuals' mother's maiden names via marriage and birth records. Social engineering: dumpster diving, burglary. Acquaintance attacks: Schechter et al. found ~25% of questions guessed by friends and family.

  12. Trawling Attacker. Attacks all $i \in I$ from a large set $I$; real-world identities are unknown; relies on population-wide statistics.

  13. Trawling Attacker. Blind attack: does not understand $i$ or $q$ (CAPTCHA-ised protocols or user-written questions such as "What do I want to do?"). Statistical attack: understands $q$ but not $i$; guesses the most likely answers; thought to have been used in the Twitter compromise.

  14. Measuring Security Against Guessing. Which is "harder" to guess: the surname of a randomly chosen Internet user, or a randomly chosen 4-digit PIN?

  15. Mathematics of Guessing. Answer $X$ is drawn from a finite, known distribution $\mathcal{X}$ with $|\mathcal{X}| = N$; $P(X = x_i) = p_i$ for each possible answer $x_i$; $\mathcal{X}$ is monotonically decreasing: $p_1 \ge p_2 \ge \cdots \ge p_N$. Goal: guess $X$ using as few queries "is $X = x_i$?" as possible.

  16. Shannon Entropy. $H_1(\mathcal{X}) = -\sum_{i=1}^{N} p_i \lg p_i$. $H_1(\text{surname}) = 16.2$ bits; $H_1(\text{PIN}) = 13.3$ bits. Meaning: the expected number of queries "Is $X \in S$?" for arbitrary subsets $S \subseteq \mathcal{X}$ needed to guess $X$ (Source-Coding Theorem).

  18. Guessing Entropy. $G(\mathcal{X}) = \mathbb{E}\big[\#\text{guesses}(X \xleftarrow{R} \mathcal{X})\big] = \sum_{i=1}^{N} p_i \cdot i$. $G(\text{surname}) \approx 137000$ guesses; $G(\text{PIN}) \approx 5000$ guesses. Meaning: the expected number of queries "Is $X = x_i$?" for $i = 1, 2, \ldots, N$ (optimal sequential guessing).

  19. The Trouble with Guessing. $U_{16}$: $N = 16$, $p_1 = p_2 = \cdots = p_{16} = \frac{1}{16}$. $H_1(U_{16}) = 4$ bits; $G(U_{16}) = 8.5$ guesses.

  20. The Trouble with Guessing. $X_{65}$: $N = 65$, $p_1 = \frac{1}{2}$, $p_2 = \cdots = p_{65} = \frac{1}{128}$. $H_1(X_{65}) = 4$ bits; $G(X_{65}) = 17.25$ guesses.

  21. The Trouble with Guessing. $H_1(X_{65}) = H_1(U_{16})$ but $G(X_{65}) > G(U_{16})$. The adversary can guess $X \xleftarrow{R} X_{65}$ in 1 try half the time!

  22. Marginal Guessing. Suppose Eve wants to guess any $k$ out of $m$ 4-digit PINs.

      PIN #1   PIN #2   PIN #3   ...   PIN #m
      0000     0000     0000     ...   0000
      0001     0001     0001     ...   0001
      0002     0002     0002     ...   0002
      ...      ...      ...      ...   ...
      9998     9998     9998     ...   9998
      9999     9999     9999     ...   9999

  Any order of guessing is equivalent.

  26. Marginal Guessing. Suppose Mallory wants to guess any $k$ out of $m$ surnames.

      Name #1     Name #2     Name #3     ...   Name #m
      Smith       Smith       Smith       ...   Smith
      Jones       Jones       Jones       ...   Jones
      Johnson     Johnson     Johnson     ...   Johnson
      ...         ...         ...         ...   ...
      Ytterock    Ytterock    Ytterock    ...   Ytterock
      Zdrzynski   Zdrzynski   Zdrzynski   ...   Zdrzynski

  Obvious optimal strategy: guess the most common names first across all accounts.

  29. Measuring Security Against Guessing. Given 100 accounts: PIN: 50% chance of success after 5000 guesses. Surname: 50% chance of success after 168 guesses.

  30. Marginal Guessing. Neither $H_1$ nor $G$ models an adversary who can give up. Marginal guesswork (give up after reaching probability $\alpha$ of success): $\mu_\alpha(\mathcal{X}) = \min\left\{ j \in [1, N] \,\middle|\, \sum_{i=1}^{j} p_i \ge \alpha \right\}$. Marginal success rate (give up after $\beta$ guesses): $\lambda_\beta(\mathcal{X}) = \sum_{i=1}^{\beta} p_i$.
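The four measures defined on slides 15 to 30, as an added worked example that is not the deck's own code: $H_1$, $G$, $\mu_\alpha$ and $\lambda_\beta$ computed over any answer distribution, evaluated on the deck's $U_{16}$ and $X_{65}$ and on a uniform 4-digit PIN. The function names are this example's own, and the "expected accounts compromised" helper is an added generalisation of the many-account tables on slides 22 to 29 (per-account success $\lambda_\beta$ times the number of accounts, assuming independent accounts).

```python
"""Guessing-resistance metrics from slides 15-30, as an added example
(not the deck's own code).  Implements Shannon entropy H_1, guessing
entropy G, marginal guesswork mu_alpha and marginal success rate
lambda_beta for an answer distribution given as a list of probabilities,
and evaluates them on the deck's U_16 and X_65 and on a uniform 4-digit
PIN.  Function names are this example's own; exact fractions are used so
G comes out as the slide's 8.5 and 17.25 without rounding."""
from fractions import Fraction
from math import log2


def sort_desc(probs):
    """Return the distribution in non-increasing order p_1 >= ... >= p_N
    (the deck's convention), after checking it sums to 1."""
    total = sum(probs)
    if abs(total - 1) > 1e-9:
        raise ValueError(f"probabilities sum to {total}, not 1")
    return sorted(probs, reverse=True)


def shannon_entropy(probs):
    """H_1(X) = -sum_i p_i lg p_i, in bits."""
    return -sum(p * log2(p) for p in sort_desc(probs) if p > 0)


def guessing_entropy(probs):
    """G(X) = sum_i p_i * i: expected number of 'is X = x_i?' queries when
    guessing in decreasing order of probability."""
    return sum(p * i for i, p in enumerate(sort_desc(probs), start=1))


def marginal_guesswork(probs, alpha):
    """mu_alpha(X) = min{ j : sum_{i<=j} p_i >= alpha }: guesses an attacker
    needs before its chance of success reaches alpha."""
    cumulative = 0
    for j, p in enumerate(sort_desc(probs), start=1):
        cumulative += p
        if cumulative >= alpha - 1e-12:   # tolerance only matters for float input
            return j
    raise ValueError("alpha must be at most 1")


def marginal_success_rate(probs, beta):
    """lambda_beta(X) = sum_{i<=beta} p_i: success probability of an attacker
    who gives up after beta guesses per account."""
    return sum(sort_desc(probs)[:beta])


def expected_compromised(probs, beta, m):
    """Trawling over m independent accounts with beta guesses each: expected
    number of accounts broken is m * lambda_beta(X) (added generalisation
    of slides 22-29, assuming independent accounts)."""
    return m * marginal_success_rate(probs, beta)


# The deck's two distributions and a uniform 4-digit PIN (constructed here).
U16 = [Fraction(1, 16)] * 16
X65 = [Fraction(1, 2)] + [Fraction(1, 128)] * 64
PIN = [Fraction(1, 10000)] * 10000


def summary(probs, alpha=0.5, beta=1):
    """Collect the four metrics for one distribution."""
    return {
        "H1_bits": shannon_entropy(probs),
        "G": guessing_entropy(probs),
        f"mu_{alpha}": marginal_guesswork(probs, alpha),
        f"lambda_{beta}": marginal_success_rate(probs, beta),
    }


if __name__ == "__main__":
    for name, dist in (("U16", U16), ("X65", X65), ("PIN", PIN)):
        print(name, {k: float(v) for k, v in summary(dist).items()})
    # 100 PIN-protected accounts, 5000 guesses each: half are expected to fall.
    print("expected compromised:", float(expected_compromised(PIN, 5000, 100)))
```

Running it reproduces the deck's point: $U_{16}$ and $X_{65}$ share $H_1 = 4$ bits and $X_{65}$ has the larger $G$, yet $\mu_{0.5}(X_{65}) = 1$ against $\mu_{0.5}(U_{16}) = 8$, so the marginal metrics are the ones that describe an attacker who stops after a few tries per account.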
