Search Results (26)

Password guessing is a crucial research direction in password security, considering vulnerabilities like password reuse and data breaches. While research has extensively explored intra-site password guessing, the complexities of cross-site attacks, where attackers use leaked data from one site to target another, remain less understood. This study investigates the impact of dataset feature similarity on cross-site password guessing performance, revealing that dataset differences significantly influence guessing success more than model variations. By analyzing eight password datasets and four guessing methods, we identified eight key features affecting guessing success, including general data features like length distribution and specific semantic features like PCFG grammar. Our research reveals that syntactic and statistical patterns in passwords, particularly PCFG features, are most effective for cross-site password guessing due to their strong generalization across datasets. The Spearman correlation coefficient of 0.754 between PCFG feature similarity and guessing success rate indicates a significant positive correlation, unlike the minimal impact of length distribution features (0.284). These findings highlight the importance of focusing on robust semantic features like PCFG for improving password guessing techniques and security strategies. Additionally, the study underscores the importance of dataset selection for attackers and suggests that defenders can enhance security by mitigating feature similarity with commonly leaked data. Full article

This work is devoted to the development of a biometric authentication system and the generation of a cryptographic key or a long password of 1024 bits based on a voice password, which ensures the protection of a biometric template from compromise. A new hybrid neural network model based on two types of trigonometric correlation neurons was proposed. The model is capable of recording correlation links between features and is resistant to data extraction attacks. The experiments were conducted on our own AIC-spkr-130 dataset and the publicly available RedDots, including recordings of user voices in different psycho-emotional states (sleepy state, alcohol intoxication). The results show that the proposed neural fuzzy extractor model provides an equal error probability level of EER = 2.1%. Full article

User-generated passwords often pose a security risk in authentication systems. However, providing a comparative substitute poses a challenge, given the common tradeoff between security and user experience. This paper integrates cryptographic methods (both asymmetric and symmetric), steganography, and a combination of physiological and behavioural biometrics to construct a prototype for a passwordless authentication system. We demonstrate the feasibility of scalable passwordless authentication while maintaining a balance between usability and security. We employ threat modeling techniques to pinpoint the security prerequisites for the system, along with choosing appropriate cryptographic protocols. In addition, a comparative analysis is conducted, examining the security impacts of the proposed system in contrast to that of traditional password-based systems. The results from the prototype indicate that authentication is possible within a timeframe similar to passwords (within 2 s), without imposing additional hardware costs on users to enhance security or compromising usability. Given the scalable nature of the system design and the elimination of shared secrets, the financial and efficiency burdens associated with password resets are alleviated. Furthermore, the risk of breaches is mitigated as there is no longer a need to store passwords and/or their hashes. Differing from prior research, our study presents a pragmatic design and prototype that deserves consideration as a viable alternative for both password-based and passwordless authentication systems. Full article

To support more complex and robust online services, enterprise-class applications prefer to interconnect multiple servers as the pedestal to enhance the system’s interoperability. However, the multiserver architecture always struggles to reconcile the trade-off between convenience and security, leaving users exposed to a variety of network attack threats. Existing security authentication schemes based on the Chebyshev Chaotic Map for multiserver architectures cannot provide three-factor (including password, biometric feature, and smart card) security. Therefore, we propose a novel Physical-Unclonable-Function-based Lightweight Three-Factor Authentication (PUF-LTA) scheme, which can achieve three-factor security. The PUF-LTA scheme mainly includes two components: (1) PUF-assisted registration and (2) lightweight mutual authentication with one-time interaction. During the PUF-assisted registration process, to defend against side-channel attacks on smart cards, the login credentials of users are XORed with the unique identifier generated by the PUF so that the adversary cannot obtain these secret login credentials. During the lightweight mutual authentication process, we combine the Chebyshev polynomial map and symmetric encryption/decryption to negotiate the session key between users and servers, which only needs one interaction. The security performance of PUF-LTA is theoretically proved by leveraging the random oracle model. In contrast with relevant multiserver authentication schemes, PUF-LTA is more efficient and suitable for resource-constrained multiserver environments because it can ensure secure three-factor authentication and support flexible biometrics and password updates with less computation cost. Full article

The leakage signals, including electromagnetic, energy, time, and temperature, generated during the operation of password devices contain highly correlated key information, which leads to security vulnerabilities. In traditional encryption algorithms, the length of the key greatly affects the upper limit of its security against cracking. Regarding side-channel attacks on long-key algorithms, traditional template attack methods characterize the energy traces using multivariate Gaussian distribution during the template construction phase. The exhaustive key-guessing process is expected to consume a significant amount of time and computational resources. Therefore, to analyze the effectiveness of obtaining key values from the side information of password devices, we propose an innovative attack method based on a divide-and-conquer logical structure, targeting semi-bytes. We construct a collection of key classification submodules with symmetric correlations. By integrating a differential network model for byte-block sets and an end-to-end direct attack method, we form a holistic symmetric decision framework and propose a key classification structure based on deep transfer learning. This structure consists of three main parts: side information data acquisition, analysis of key-value effectiveness, and determination of attack positions. It employs multiple parallel symmetric subnetworks, effectively improving attack efficiency and reducing the key enumeration range. Experimental results show that the optimal attack accuracy of the network model can reach 91%, with an average attack accuracy of 78%. It overcomes overfitting issues under small sample dataset conditions. Full article

In recent years, ICSs have become increasingly commonplace in virtually every industry. The abbreviation “ICSs” refers to industrial control systems. These are specially designed computers used for monitoring, managing, and controlling procedures and tasks across a wide range of industries and vital infrastructure sectors. Production, power, disinfection of water, transport, and other sectors all greatly benefit from ICS use. The authors of this paper aim to detect ICS cyber hazards in industry. This article is the result of the writers’ extensive research on ICS programs and the impact of cyberattacks on them as well. The study narrowed its attention to just three ICS applications because there are simply too many to count: power plants, water reservoirs, and gas pipelines. The present paper focuses on the development and evaluation of neural networks for use in cyberattacks. An early form of neural network, the residual system, came first in the field. When a breach is detected in the ICS, the neural network sorts it into one of several categories. The produced datasets must not compromise users’ privacy or cause harm to the relevant industry if they fall into the wrong hands. An encoding device, decoder, pseudo-encoder, and critical model neural networks work together to generate random data. Finally, a set of trials is conducted in which a residual neural network is utilized to classify cyberattacks based on both the created and original datasets. Results from a series of studies indicate that using the created dataset is an effective technique to train high-quality neural networks for use in cybersecurity on a large amount of data without sacrificing the accuracy of the models. The Kullback-Leibler and Jensen-Shannon divergences also serve as the theoretical foundation and technique, respectively. In particular, the paper recommends operational and maintenance cybersecurity standards for ICS. This entails such things as secure password practices, patch management, and anti-malware defense. Physical safeguards for ICS is another topic that is covered. Full article

With the increasing prevalence of cyber attacks and data breaches, the importance of strong passwords cannot be overstated. Password generating software has been widely used to generate complex passwords that are difficult to crack, but it has its limitations. One of the main problems with this kind of software is that it often generates passwords that are difficult to remember, leading to users write them down or reuse them across multiple accounts. In recent years, prompt models such as ChatGPT have emerged as a promising solution for generating strong and memorable passwords. By leveraging machine learning algorithms, these models can generate unique and complex passwords tailored to individual users’ preferences, making them easier to remember and more secure. However, the use of prompt models to generate passwords also raises concerns about exposing vulnerable passwords. Hackers can potentially use these models to predict passwords by analyzing a user’s online activity and personal data. Additionally, the constant need to change passwords to stay secure poses a challenge for both password generating software and prompt models. As technology continues to evolve, finding a balance between password security and user convenience remains a complex issue. While prompt models such as ChatGPT can offer a promising solution, it is essential to consider the potential risks and challenges associated with their use, including the constant need for password changes and the potential vulnerability of the generated passwords. Full article

Trustworthy AI applications such as biometric authentication must be implemented in a secure manner so that a malefactor is not able to take advantage of the knowledge and use it to make decisions. The goal of the present work is to increase the reliability of biometric-based key generation, which is used for remote authentication with the protection of biometric templates. Ear canal echograms were used as biometric images. Multilayer convolutional neural networks that belong to the autoencoder type were used to extract features from the echograms. A new class of neurons (correlation neurons) that analyzes correlations between features instead of feature values is proposed. A neuro-extractor model was developed to associate a feature vector with a cryptographic key or user password. An open data set of ear canal echograms to test the performance of the proposed model was used. The following indicators were achieved: EER = 0.0238 (FRR = 0.093, FAR < 0.001), with a key length of 8192 bits. The proposed model is superior to known analogues in terms of key length and probability of erroneous decisions. The ear canal parameters are hidden from direct observation and photography. This fact creates additional difficulties for the synthesis of adversarial examples. Full article

At present, static text passwords are still the most widely-used identity authentication method. Password-generation technology can generate large-scale password sets and then detect the defects in password-protection mechanisms, which is of great significance for evaluating password-guessing algorithms. However, the existing password-generation technology cannot ignore low-quality passwords in the generated password set, which will lead to low-efficiency password guessing. In this paper, a password-generation model based on an ordered Markov enumerator and critic discriminant network (OMECDN) is proposed, where passwords are generated via an ordered Markov enumerator (OMEN) and a discriminant network according to the probability of the combination of passwords. OMECDN optimizes the performance of password generation with a discriminative network based on the good statistical properties of OMEN. Moreover, the final password set is formed by the selected passwords with a higher score than the preset threshold, which guarantees the superiority of the hit rate of almost all ranges of combinations of passwords over the initial password set. Finally, the experiments show that OMECDN achieves a qualitative improvement in hit rate metrics. In particular, regarding the generation of ${10}^7$ passwords on the RockYou dataset, the matching entries of the password set generated by the OMECDN model are 25.18% and 243.58% higher than those generated by the OMEN model and the PassGAN model, respectively. Full article

Computer security depends mainly on passwords to protect human users from attackers. Therefore, manual and alphanumerical passwords are the most frequent type of computer authentication. However, creating these passwords has significant drawbacks. For example, users often tend to choose passwords based on personal information so that they can be memorable and therefore weak and guessable. In contrast, it is often difficult to remember if the password is difficult to guess. We propose an intelligent security model for password generation and estimation to address these problems using the ensemble learning approach and hand gesture features. This paper proposes two intelligent stages: the first is the password generation stage based on the ensemble learning approach and the proposed S-Box. The second is the password strength estimation stage, also based on the ensemble learning approach. Four well-known classifiers are used: Multi-Layer Perceptron (MLP), Support Vector Machine (SVM), Random Forest Tree (RFT), and AdaBoost applied on two datasets: MNIST images dataset and password strength dataset. The experimental results showed that the hand gesture and password strength classification processes accurately performed at 99% in AUC, Accuracy, F1-measures, Precision, and Recall. As a result, the extracted features of hand gestures will directly impact the complexity of generated passwords, which are very strong, hard to guess, and memorable. Full article

The Diophantine equation is a strong research domain in number theory with extensive cryptography applications. The goal of this paper is to describe certain geometric properties of positive integral solutions of the quadratic Diophantine equation $x_1^2+x_2^2=y_1^2+y_2^2(x_1,x_2,y_1,y_2>0)$, as well as their use in communication protocols. Given one pair $(x_1,y_1)$, finding another pair $(x_2,y_2)$ satisfying $x_1^2+x_2^2=y_1^2+y_2^2$ is a challenge. A novel secure authentication mechanism based on the positive integral solutions of the quadratic Diophantine which can be employed in the generation of one-time passwords or e-tokens for cryptography applications is presented. Further, the constructive cost models are applied to predict the initial effort and cost of the proposed authentication schemes. Full article

The frequent incidents of password leakage have increased people’s attention and research on password security. Password guessing is an essential part of password cracking and password security research. The progression of deep learning technology provides a promising way to improve the efficiency of password guessing. However, the mainstream models proposed for password guessing, such as RNN (or other variants, such as LSTM, GRU), GAN and VAE still face some problems, such as the low efficiency and high repetition rate of the generated passwords. In this paper, we propose a password-guessing model based on the temporal convolutional neural network (PassTCN). To further improve the performance of the generated passwords, we propose a novel password probability label-learning method, which reconstructs labels based on the password probability distribution of the training set and deduplicates the training set when training. Experiments on the RockYou dataset showed that, when generating ${10}^8$ passwords, the coverage rate of PassTCN with password probability label learning (PassTCN-PPLL) reached 12.6%, which is 87.2%, 72.6% and 42.9% higher than PassGAN (a password-guessing model based on GAN), VAEPass (a password-guessing model based on VAE) and FLA (a password-guessing model based on LSTM), respectively. The repetition rate of our model is 25.9%, which is 45.1%, 31.7% and 17.4% lower than that of PassGAN, VAEPass and FLA, respectively. The results confirm that our approach not only improves the coverage rate but also reduces the repetition rate. Full article

With the development of the Internet, information security has attracted more attention. Identity authentication based on password authentication is the first line of defense; however, the password-generation model is widely used in offline password attacks and password strength evaluation. In real attack scenarios, high-probability passwords are easy to enumerate; extremely low-probability passwords usually lack semantic structure and, so, are tough to crack by applying statistical laws in machine learning models, but these passwords with lower probability have a large search space and certain semantic information. Improving the low-probability password hit rate in this interval is of great significance for improving the efficiency of offline attacks. However, obtaining a low-probability password is difficult under the current password-generation model. To solve this problem, we propose a low-probability generator–probabilistic context-free grammar (LPG–PCFG) based on PCFG. LPG–PCFG directionally increases the probability of low-probability passwords in the models’ distribution, which is designed to obtain a degeneration distribution that is friendly for generating low-probability passwords. By using the control variable method to fine-tune the degeneration of LPG–PCFG, we obtained the optimal combination of degeneration parameters. Compared with the non-degeneration PCFG model, LPG–PCFG generates a larger number of hits. When generating ${10}^7$ and ${10}^8$ times, the number of hits to low-probability passwords increases by $50.4\%$ and $42.0\%$, respectively. Full article

The new fifth-generation (5G) cellular networks dramatically improve the speed of message transmissions. Most existing authentication schemes that secure 5G communication rely heavily on the vehicle’s tamper-proof device (TPD) and roadside units (RSUs) to store the system’s master key. However, it only takes a single compromised TPD to render the whole system insecure. We propose a password-guessing attack-aware authentication scheme based on the Chinese Remainder Theorem (CRT) to secure inter-vehicle communication on 5G-enabled vehicular networks to address this issue. The trusted authorities (TAs) in the proposed scheme generate and broadcast new group keys to the vehicles assisted by CRT. Moreover, since the system’s master key does not need to be preloaded, the proposed scheme only requires realistic TPDs. The proposed scheme overcomes password-guessing attacks and guarantees top-level security for entire 5G-enabled vehicular networks. The security analysis indicates that the proposed scheme is secure against adaptive chosen-message attacks under the random oracle model and meets the security requirements of a 5G-enabled vehicular network. Since cryptographic operations based on elliptic curve cryptography are employed, the performance evaluation shows that the proposed scheme outperforms the eight existing schemes in terms of computation and communication costs. Full article

Over the last two decades (2000–2020), the Internet has rapidly evolved, resulting in symmetrical and asymmetrical Internet consumption patterns and billions of users worldwide. With the immense rise of the Internet, attacks and malicious behaviors pose a huge threat to our computing environment. Brute-force attack is among the most prominent and commonly used attacks, achieved out using password-attack tools, a wordlist dictionary, and a usernames list—obtained through a so-called an enumeration attack. In this paper, we investigate username enumeration attack detection on SSH protocol by using machine-learning classifiers. We apply four asymmetrical classifiers on our generated dataset collected from a closed-environment network to build machine-learning-based models for attack detection. The use of several machine-learners offers a wider investigation spectrum of the classifiers’ ability in attack detection. Additionally, we investigate how beneficial it is to include or exclude network ports information as features-set in the process of learning. We evaluated and compared the performances of machine-learning models for both cases. The models used are k-nearest neighbor (K-NN), naïve Bayes (NB), random forest (RF) and decision tree (DT) with and without ports information. Our results show that machine-learning approaches to detect SSH username enumeration attacks were quite successful, with KNN having an accuracy of 99.93%, NB 95.70%, RF 99.92%, and DT 99.88%. Furthermore, the results improve when using ports information. Full article