Time: Thursday, November 15, 2018, 10:00-11:00
Venue: Room 338, Computer Science Building, Xianlin Campus
Speaker: Kun Sun
Title: On Enhancing Security of Password-based Authentication
Abstract:
Passwords have remained the dominant authentication scheme for more than 30 years, and they cannot be entirely replaced in the foreseeable future. However, password authentication has long been plagued by many security and usability drawbacks, mainly due to the limits of human memory. We present two research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays an important role when a user creates a password. Motivated by this, we study how users build their passwords from their personal information, using a leaked password dataset. We then develop a novel password cracker, named personal-PCFG, that leverages personal information for password cracking. Second, we investigate an overlooked aspect of the password lifecycle: the password recovery procedure. We study the possibility of mounting an email-based account recovery attack. We examine the account authentication and recovery protocols of 239 traffic-heavy websites and confirm that most of them use email for account recovery. We further scrutinize the security policies of major email service providers and show that a significant portion of them make no or only marginal effort to protect user email accounts. Finally, we propose a lightweight email security enhancement called Secure Email Account Recovery (SEAR), which defends against account recovery attacks by adding an extra layer of protection to account recovery emails.
Speaker bio:
Dr. Kun Sun is an associate professor in the Department of Information Sciences and Technology at George Mason University. He is also the director of the Sun Security Laboratory and the Chief Scientist of the Center for Secure Information Systems. He joined George Mason University after serving as an Assistant Professor in the Department of Computer Science at the College of William and Mary. He has more than 15 years of working experience in both industry and academia. He received his PhD from the Department of Computer Science at North Carolina State University. His research focuses on systems and network security. The main thrusts of his research include trusted computing, moving target defense, cyber deception, software security, security of the Internet of Things (IoT), cloud security, mobile security, and password management. He has published over 70 technical papers in security conferences and journals, including IEEE S&P, ACM CCS, NDSS, IEEE DSN, ESORICS, ACSAC, IEEE TDSC, and IEEE TIFS, and two of these papers won a Best Paper Award.