找到密码黑客了!

Proceedings of the 2013 ACM workshop on Artificial intelligence and security Pub Date : 2013-10-03 DOI:10.1145/2517312.2517319

Jeremiah Blocki, M. Blum, Anupam Datta

{"title":"找到密码黑客了!","authors":"Jeremiah Blocki, M. Blum, Anupam Datta","doi":"10.1145/2517312.2517319","DOIUrl":null,"url":null,"abstract":"We introduce GOTCHAs (Generating panOptic Turing Tests to Tell Computers and Humans Apart) as a way of preventing automated offline dictionary attacks against user selected passwords. A GOTCHA is a randomized puzzle generation protocol, which involves interaction between a computer and a human. Informally, a GOTCHA should satisfy two key properties: (1) The puzzles are easy for the human to solve. (2) The puzzles are hard for a computer to solve even if it has the random bits used by the computer to generate the final puzzle --- unlike a CAPTCHA [44]. Our main theorem demonstrates that GOTCHAs can be used to mitigate the threat of offline dictionary attacks against passwords by ensuring that a password cracker must receive constant feedback from a human being while mounting an attack. Finally, we provide a candidate construction of GOTCHAs based on Inkblot images. Our construction relies on the usability assumption that users can recognize the phrases that they originally used to describe each Inkblot image --- a much weaker usability assumption than previous password systems based on Inkblots which required users to recall their phrase exactly. We conduct a user study to evaluate the usability of our GOTCHA construction. We also generate a GOTCHA challenge where we encourage artificial intelligence and security researchers to try to crack several passwords protected with our scheme.","PeriodicalId":422398,"journal":{"name":"Proceedings of the 2013 ACM workshop on Artificial intelligence and security","volume":"20 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":"{\"title\":\"GOTCHA password hackers!\",\"authors\":\"Jeremiah Blocki, M. Blum, Anupam Datta\",\"doi\":\"10.1145/2517312.2517319\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"We introduce GOTCHAs (Generating panOptic Turing Tests to Tell Computers and Humans Apart) as a way of preventing automated offline dictionary attacks against user selected passwords. A GOTCHA is a randomized puzzle generation protocol, which involves interaction between a computer and a human. Informally, a GOTCHA should satisfy two key properties: (1) The puzzles are easy for the human to solve. (2) The puzzles are hard for a computer to solve even if it has the random bits used by the computer to generate the final puzzle --- unlike a CAPTCHA [44]. Our main theorem demonstrates that GOTCHAs can be used to mitigate the threat of offline dictionary attacks against passwords by ensuring that a password cracker must receive constant feedback from a human being while mounting an attack. Finally, we provide a candidate construction of GOTCHAs based on Inkblot images. Our construction relies on the usability assumption that users can recognize the phrases that they originally used to describe each Inkblot image --- a much weaker usability assumption than previous password systems based on Inkblots which required users to recall their phrase exactly. We conduct a user study to evaluate the usability of our GOTCHA construction. We also generate a GOTCHA challenge where we encourage artificial intelligence and security researchers to try to crack several passwords protected with our scheme.\",\"PeriodicalId\":422398,\"journal\":{\"name\":\"Proceedings of the 2013 ACM workshop on Artificial intelligence and security\",\"volume\":\"20 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-10-03\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"17\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2013 ACM workshop on Artificial intelligence and security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2517312.2517319\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2013 ACM workshop on Artificial intelligence and security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2517312.2517319","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 17

摘要

我们引入了GOTCHAs(生成全光图灵测试来区分计算机和人类)作为一种防止针对用户选择密码的自动离线字典攻击的方法。GOTCHA是一种随机的谜题生成协议，涉及计算机和人类之间的交互。非正式地说，GOTCHA应该满足两个关键属性:(1)谜题对人类来说很容易解决。(2)这些谜题对计算机来说很难解决，即使它有计算机用来生成最终谜题的随机比特——不像CAPTCHA[44]。我们的主要定理证明，通过确保密码破解者在发动攻击时必须从人类那里得到持续的反馈，GOTCHAs可以用来减轻对密码的离线字典攻击的威胁。最后，我们提出了一种基于墨迹图像的GOTCHAs候选结构。我们的构建依赖于可用性假设，即用户可以识别他们最初用于描述每个Inkblots图像的短语——这是一个比以前基于Inkblots的密码系统弱得多的可用性假设，后者要求用户准确地回忆他们的短语。我们进行用户研究来评估GOTCHA结构的可用性。我们还生成了一个GOTCHA挑战，我们鼓励人工智能和安全研究人员尝试破解我们方案保护的几个密码。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

GOTCHA password hackers!

We introduce GOTCHAs (Generating panOptic Turing Tests to Tell Computers and Humans Apart) as a way of preventing automated offline dictionary attacks against user selected passwords. A GOTCHA is a randomized puzzle generation protocol, which involves interaction between a computer and a human. Informally, a GOTCHA should satisfy two key properties: (1) The puzzles are easy for the human to solve. (2) The puzzles are hard for a computer to solve even if it has the random bits used by the computer to generate the final puzzle --- unlike a CAPTCHA [44]. Our main theorem demonstrates that GOTCHAs can be used to mitigate the threat of offline dictionary attacks against passwords by ensuring that a password cracker must receive constant feedback from a human being while mounting an attack. Finally, we provide a candidate construction of GOTCHAs based on Inkblot images. Our construction relies on the usability assumption that users can recognize the phrases that they originally used to describe each Inkblot image --- a much weaker usability assumption than previous password systems based on Inkblots which required users to recall their phrase exactly. We conduct a user study to evaluate the usability of our GOTCHA construction. We also generate a GOTCHA challenge where we encourage artificial intelligence and security researchers to try to crack several passwords protected with our scheme.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 2013 ACM workshop on Artificial intelligence and security

自引率

0.00%

发文量