| EPSRC Reference: |
EP/V034065/1 |
| Title: |
Untargeted Attacks in (Password-Based) Cryptography |
| Principal Investigator: |
Farshim, Dr P |
| Other Investigators: |
|
| Researcher Co-Investigators: |
|
| Project Partners: |
|
| Department: |
Computer Science |
| Organisation: |
Durham, University of |
| Scheme: |
New Investigator Award |
| Starts: |
01 February 2022 |
Ends: |
02 January 2025 |
Value (£): |
265,225
|
| EPSRC Research Topic Classifications: |
| Fundamentals of Computing |
|
|
| EPSRC Industrial Sector Classifications: |
|
| Related Grants: |
|
| Panel History: |
| Panel Date | Panel Name | Outcome |
|
23 Mar 2021
|
EPSRC ICT Prioritisation Panel March 2021
|
Announced
|
|
|
Summary on Grant Application Form |
admin/123456; user/qwerty; root/vizxv; farshim/*********.
Passwords permeate our lives: the security and privacy of many (perhaps all) of our on-line banking, commerce, and communication deeply rely on passwords. Yet they are one of the weakest links in securing systems. Storing username-passwords in plaintext, although convenient, seriously undermines security as evidenced by frequent leaks. Hashing passwords, i.e., applying a transformation that hides them, can reduce risks while still allowing for authentication. However, "123456" may well be a password chosen by someone, and then compromised.
This proposal will address a current gap in our understanding of password-based cryptography in multi-instance environments where everyone is a target. We will investigate fundamental cryptographic techniques that are used to mitigate some of the risks associated in such environments. The novelty of our approach is that besides considering system-wide risks, we will consider preprocessing attacks which can speed up password-cracking by orders of magnitude. Our goal will be to show that the cryptanalytic effort needed to compromise users scales up well with the number of users targeted, and according to how "unguessable" system-wide passwords are.
Formulating and studying measures of unguessability will be our starting point. These metrics will be developed with the view of usage in cryptographic contexts. For example, we will ask to what extent hashing of passwords preserves their unguessability. Crucially, we will incorporate appropriate modelling of preprocessing, so that amortised adversarial resources, such as the use of "rainbow tables," are accounted for.
Alongside salting, which is a common practice to "decouple" security of users, we will consider deeper countermeasures. These include iteration, which slows down the rate of hashing, and modern memory-hard designs, which exploit uniformity of memory-access speeds across different platforms to thwart hardware-assisted attacks. In addition to unguessability, stronger notions of security that guarantee secure composition in a variety of contexts will be studied. Special attention will be paid to derive security bounds that are compatible with (real-world) parameters set according to best-known attacks. Alongside, we will also develop a solid understanding of the foundational cryptographic theory, as multi-instance security enjoys close links with amplification of hardness.
The use of passwords is widespread in the security and ITC industries and their weakness is well recognised, especially in multi-user scenarios (such as IoT environments). This project will promote the creation of cryptographic standards for password hashing that are rigorously supported by security proofs. The final outcome will be an increased confidence in the resilience of our cyberspace.
|
|
Key Findings |
|
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
|
Potential use in non-academic contexts |
|
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
|
Impacts |
|
| Description |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk |
| Summary |
|
| Date Materialised |
|
|
|
|
Sectors submitted by the Researcher |
|
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
| Project URL: |
|
| Further Information: |
|
| Organisation Website: |
|