Academic Talk by Dr. Jin Han (韩进) of Twitter, Inc. (USA), Afternoon of May 14

Published: 2015-05-11

Speaker: Dr. Jin Han, Twitter, Inc. (USA)

Title: On Limitations of Designing Leakage-Resilient Password Systems: Attacks, Principles and Usability

Time: May 14, 2015 (Thursday), 15:00

Venue: Lecture Hall 603, Chenggong Building, Cangshan Campus

Hosts: School of Mathematics and Computer Science; Fujian Provincial Key Laboratory of Network Security and Cryptology

Audience: Interested faculty and students

Abstract: The design of leakage-resilient password systems (LRPSes) in the absence of trusted devices remains a challenging problem today despite two decades of intensive research in the security community. In this paper, we investigate the inherent tradeoff between security and usability in designing LRPS. First, we demonstrate that most of the existing LRPS systems are subject to two types of generic attacks - brute force and statistical attacks, whose power has been underestimated in the literature. Second, in order to defend against these two generic attacks, we introduce five design principles that are necessary to achieve leakage resilience in the absence of trusted devices. We also show that these attacks cannot be effectively mitigated without significantly sacrificing the usability of LRPS systems. Third, to better understand the tradeoff between security and usability of LRPS, we propose for the first time a quantitative analysis framework on usability costs of password systems. By decomposing the authentication process of existing LRPS systems into atomic cognitive operations in psychology, we show that a secure LRPS in practical settings always imposes a considerable amount of cognitive workload on its users, which indicates the inherent limitations of such systems and in turn implies that an LRPS has to incorporate certain trusted devices in order to be both secure and usable.

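Speaker bio: Dr. Jin Han is currently an application security software engineer at Twitter, Inc. (USA), where he is mainly responsible for development and research in network security and mobile application security. Dr. Han received dual bachelor's degrees from Fudan University and University College Dublin, Ireland (2006), a master's degree in computer science from Fudan University (2009), and a Ph.D. from Singapore Management University (2012). Before joining Twitter, Dr. Han worked at the Institute for Infocomm Research of the Agency for Science, Technology and Research, Singapore. Dr. Han has extensive research experience in computer security and has published more than 10 academic papers in international journals and conferences including NDSS, ACSAC, AsiaCCS, and SecureComm. One of these papers won the Best Paper Award at NDSS, a top security conference, in 2012. Dr. Han's research results in mobile security are particularly notable. He discovered multiple high-severity vulnerabilities on the iOS mobile platform, which were later disclosed by Apple and fixed in iOS 7.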