
Enabling secure passwords via Deep Learning: Towards a new generation of attacks and defenses / Pasquini, Dario. - (2021 Jul 08).

Enabling secure passwords via Deep Learning: Towards a new generation of attacks and defenses

PASQUINI, DARIO
08/07/2021

Abstract

In the present thesis, we aim at alleviating the inherent limitations affecting current solutions in password security. First and foremost, this process requires devising adversary models that accurately describe real-world guessing attacks. Then, it necessitates the implementation of techniques that are capable of guiding users to choose secure and usable passwords at composition time. Unfortunately, despite more than three decades of active research dedicated to defining and improving these methodologies, existing approaches still present two major drawbacks: (1) current adversary models rely on simplistic adversarial behaviors that only imperfectly describe the guessing strategies adopted by real-world attackers; (2) existing proactive techniques such as password strength meters are, by construction, unable to fully support users during the password composition process. Here, we show how Deep Learning techniques allow us to define novel approaches that were either unfeasible or impractical before and that move towards addressing those issues: (1) We introduce dynamic adversary models in password guessing. Similarly to real-world adversaries, dynamic models automatically adjust their guessing strategy to the currently attacked set of passwords by exploiting information collected during the running attack. (2) We introduce new guessing techniques that make dictionary attacks consistently more resilient to inadequate configurations. This novel framework allows dictionary attacks to self-heal and move towards optimal attack performance, requiring no supervision. (3) We introduce Interpretable Probabilistic Password Strength Meters. This novel class of meters exhibits a natural and general feedback mechanism capable of describing to users the latent relation between password strength and password structure.
Unlike existing heuristic constructions, this method is free from any human bias, and, more importantly, its feedback has a clear probabilistic interpretation. Ultimately, these general techniques allow us to increase the rigor and reliability of password security analysis and of the proactive methodologies that build on top of it.
8 Jul 2021

Files attached to this item

File: Tesi_dottorato_Pasquini.pdf
Access: open access
Type: Doctoral thesis
License: All rights reserved
Size: 6.22 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1561476