CAREER: Cryptographic Tools for Usable Human Authentication

职业：用于可用人类身份验证的加密工具

• 批准号: 2047272
• 负责人: Jeremiah Blocki
• 金额: $ 59.19万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-05-15 至 2026-04-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2047272&HistoricalAwards=false
• 关键词: CAREER; Cryptographic; Tools; Usable; Human

Password authentication is a common source of frustration for users and a constant source of security vulnerabilities. Users struggle with the burdensome task of creating and remembering passwords for multiple different accounts and frequently cope by selecting weak (low-entropy) passwords and reusing the same password across multiple accounts. Over the past decade data breaches at many prominent organizations have exposed billions of these low-entropy passwords to the dangerous threat of offline brute-force attacks. Despite their shortcomings passwords continue to be the most widely adopted form of authentication. The goal of the project is to develop cryptographic tools to improve the security and usability of human authentication, especially password authentication. The project investigates new combinatorial techniques to design and analyze memory hard functions, a cryptographic primitive which can be used to protect low-entropy secrets such as passwords and biometrics against brute-force attacks. The project develops stronger memory hard functions and analyzes the concrete security of prior memory hard functions such as SCRYPT, Argon2 and DRSample. The project adapts tools from statistics and game theory to better understand the distribution over user chosen passwords and predict how password attackers will behave. The investigators study how password defenses can be tuned based on this distribution to optimally protect user accounts against attackers. Finally, the project develops mechanisms to help users (gradually) memorize stronger passwords and to help users securely manage multiple passwords without requiring users to memorize independent passwords for every account.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

密码身份验证是用户感到沮丧的常见原因，也是安全漏洞的持续来源。用户需要为多个不同的帐户创建和记住密码，这是一项繁重的任务，并且经常通过选择弱（低熵）密码并在多个帐户中重复使用相同的密码来科普。在过去的十年中，许多知名组织的数据泄露事件使数十亿个低熵密码暴露在离线暴力攻击的危险威胁之下。尽管存在缺点，密码仍然是最广泛采用的身份验证形式。该项目的目标是开发密码工具，以提高人类身份验证，特别是密码身份验证的安全性和可用性。该项目研究了新的组合技术来设计和分析内存硬函数，这是一种密码学原语，可用于保护低熵秘密，如密码和生物特征免受暴力攻击。该项目开发了更强的内存硬函数，并对已有的SCRYPT、Argon2和DRSample等内存硬函数的具体安全性进行了分析。该项目采用了统计学和博弈论的工具，以更好地了解用户选择的密码的分布情况，并预测密码攻击者的行为。研究人员研究如何根据此分布调整密码防御，以最佳地保护用户帐户免受攻击者的攻击。最后，该项目开发了一种机制，帮助用户（逐渐）记住更强的密码，并帮助用户安全地管理多个密码，而无需用户记住每个帐户的独立密码。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

The Parallel Reversible Pebbling Game: Analyzing the Post-quantum Security of iMHFs

并行可逆卵石游戏：分析 iMHF 的后量子安全性

• 发表时间: 2022
• 期刊: Theory of Cryptography Conference (TCC 2022
• 作者: Blocki, Jeremiah;Holman, Blake;Lee, Seunghoon
• 通讯作者: Lee, Seunghoon

Towards a Rigorous Statistical Analysis of Empirical Password Datasets

• DOI: 10.1109/sp46215.2023.10179431
• 发表时间: 2021-05
• 期刊: 2023 IEEE Symposium on Security and Privacy (SP)
• 作者: Jeremiah Blocki;Peiyuan Liu

Cost-Asymmetric Memory Hard Password Hashing

成本不对称内存硬密码哈希

• 发表时间: 2022
• 期刊: Security and Cryptography for Networks. SCN 2022
• 作者: Bai, Wenjie;Blocki, J;Ameri, Mohammad Hassan
• 通讯作者: Ameri, Mohammad Hassan

DALock: Password Distribution-Aware Throttling

• DOI: 10.56553/popets-2022-0084
• 发表时间: 2022-07
• 期刊: Proc. Priv. Enhancing Technol.
• 作者: Jeremiah Blocki;Wuwei Zhang

Leibniz International Proceedings in Informatics (LIPIcs):38th Computational Complexity Conference (CCC 2023)

莱布尼茨国际信息学会议录 (LIPIcs)：第 38 届计算复杂性会议 (CCC 2023)

• DOI: 10.4230/lipics.ccc.2023.14
• 发表时间: 2023
• 期刊: 38th Computational Complexity Conference (CCC 2023
• 作者: Block, Alexander R.;Blocki, Jeremiah;Cheng, Kuan;Grigorescu, Elena;Li, Xin;Zheng, Yu;Zhu, Minshen
• 通讯作者: Zhu, Minshen