基于主题PCFG的口令猜测模型研究

doi:10.3969/j.issn.1671-1122.2019.08.001

摘要/Abstract

摘要：

口令是一种重要的身份认证方式,用户为了能够方便记住口令,常把一些与人相关的要素信息加入口令中。传统基于概率上下文无关文法（PCFG）算法进行的口令安全评估,并没有关注用户兴趣爱好、文化背景等与人相关的主题因素。文章基于传统PCFG算法,重点针对口令字母字段进行分析研究,通过对所收集的数据库字母字段的对比,提取用户口令与主题的关系,进而提出基于主题PCFG的口令猜测模型——T-PCFG模型。文章围绕收集的7个数据库中的3300万口令数据集进行实验,结果显示,主题为兴趣爱好时口令的猜测成功率比普通口令的猜测成功率高2.37~8.2个百分点。

关键词: 概率上下文无关文法, 口令, 主题, 口令猜测, 口令安全

Abstract:

Password is an important method of identity authentication. In order to be able to remember passwords conveniently, users often add some related information about people to passwords. Traditional password security assessment based on probabilistic context free grammar(PCFG) does not pay attention to user-related subject factors such as user hobbies and cultural backgrounds. Based on the traditional PCFG algorithm, this paper focuses on the analysis of the password letter field. By comparing the collected database letter fields, the relationship between the user password and the subject is extracted, and then the password guessing model based on the theme PCFG is proposed T-PCFG model. The article carried out experiments on the 33 million passwords collected from the seven databases. The results show that when the subject is a hobby, the success rate of password guessing is 2.37~8.2 percentage points higher than the normal one.

Key words: PCFG, password, theme, password guess, password security

中图分类号:

TP309

毕红军, 谭儒, 赵建军, 李昱甫. 基于主题PCFG的口令猜测模型研究[J]. 信息网络安全, 2019, 19(8): 1-7.

Hongjun BI, Ru TAN, Jianjun ZHAO, Yufu LI. Research on Password Guessing Model Based on Theme PCFG[J]. Netinfo Security, 2019, 19(8): 1-7.

图/表 8

表1

表2

表3

图1

表4

图2

表5

图3

参考文献 21

[1]	WANG Ding, WANG Nan, WANG Ping, et al. Preserving Privacy for Free: Efficient and Provably Secure Two-factor Authentication Scheme with User Anonymity[EB/OL]. , 2018-12-11.
[2]	BIDDLE R, CHIASSON S, VAN OORSCHOT P C. Graphical Passwords: Learning from the First Twelve Years[J]. ACM Computing Surveys, 2012, 44(4): 1-41.
[3]	KEITH M, SHAO B, STEINBART P J.The Usability of Passphrases for Authentication: An Empirical Field Study[J]. International Journal of Human-computer Studies, 2007, 65(1): 17-28.
[4]	BONNEAU J.The Science of Guessing: Analyzing an Anonymized Corpusof 70 Million Passwords[C]//IEEE. 2012 IEEE Symposium on Security and Privacy, May 20-23, 2012, San Francisco, CA, USA. New Jersey: 2012: 538-552.
[5]	UR B, KELLY P G, KOMANDURI S, et al.How Does Your PasswordMeasure Up? The Effect of Strength Meters on Password Creation[C]//ACM. 21st USENIX Conference on Security symposium, August 8-10, 2012, Bellevue, CA, USA. New York: ACM, 2012: 65-80.
[6]	MELICHER W, UR B, SEGRETI S M, et al.Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks[J]. Journal of Networks, 2013, 8(6): 1278-1284.
[7]	VAITHYASUBRAMANIAN S, CHRISTY A.A Scheme to Create Secured Random Password Using Markov Chain[J]. Artificial Intelligence and Evolutionary Algorithms in Engineering Systems, 2014, 2(11): 809-814.
[8]	VERASR, COLLINS C, THORPE J. On the Semantic Patterns of Passwords and Their Security Impact[EB/OL]. , 2018-12-12.
[9]	NEDERHOF M J, SATTA G.Computing Partition Functions of PCFGs[J]. Research on Language & Computation, 2009, 7(2-4): 233-233.
[10]	MA J, YANG Weining, LUO Min, et al.A Study of Probabilistic Password Models[C]//IEEE. 2014 IEEE Symposium on Security and Privacy, May 18-21, 2014, San Jose, CA, USA. New Jersey: IEEE, 2014: 689-704.
[11]	WAGN Ding, CHENG H, GU Q, et al. Understanding Passwords of Chinese Users: Characteristics, Security, and Implications[EB/OL]. , 2018-12-22.
[12]	SHAY R, BAUER L, CHRISTIN N, et al.A Spoonful of Sugar?: The Impact of Guidance and Feedback on Password-creation Behavior[C]//ACM. 33rd Annual ACM Conference on Human Factors in Computing Systems, April 18-23, 2015, Seoul, Republic of Korea. New York: ACM, 2015: 2903-2912.
[13]	WEIR M, AGGARWAL S, MEDEIROS B D, et al.Password Cracking Using Probabilistic Context-free Grammars[C]//IEEE. 30th IEEE Symposium on Security and Privacy, May 17-20, 2009, Berkeley, CA, USA. New Jersey: IEEE, 2009: 391-405.
[14]	NARAYANAN A, SHMATIKOV V.Fast Dictionary Attacks on Passwords Using Time-space Tradeoff[C]//ACM. 12th ACM Conference on Computer and Communications Security, November 7-11, 2005, Alexandria, VA, USA. New York: ACM, 2005: 364-372.
[15]	FLORENCIO D, HERLEY C. A Large-scale Study of Web Password Habits[C]//ACM. 16th International Conference on World Wide Web, May 8-12, 2007, Banff, Alberta, Canada. New York: 657-666.
[16]	WANG Ding, CHENG Haibo, WANG Ping. Understanding Passwords of Chinese Users: A Data-driven Approach[EB/OL]. ,2019-1-10.
[17]	FURNELL S.An Assessment of Website Password Practices[J]. Comput Secur, 2007, 26(7): 445-451.
[18]	LIU Gongshen, QIU Weidong, MENG Kui, et al.Password Vulnerability Assessment and Recovery Based on Real Data Mining[J]. Chinese Journal of Computers, 2016, 39(3): 454-467.
	刘功申,邱卫东,孟魁,等.基于真实数据挖掘的口令脆弱性评估及恢复[J].计算机学报,2016,39(3):454-467.
[19]	LI Zhigong, HAN Weili, XU Wenyuan. A Large-scale Empirical Analysis on Chinese Web Passwords[C]//ACM. 23rd USENIX conference on Security Symposium, August 20-22, 2014, San Diego, CA. New York: ACM: 559-574.
[20]	DAILEY D V, MARKUS DÜRMUTH, PAAR C. Statistics on Password Re-use and Adaptive Strength for Financial Accounts[C]//Springer. 2014 International Conference on Security and Cryptography for Networks, September 3-5, 2014, Amalfi, Italy. Heidelberg: Springer, 2014: 218-235.
[21]	YOU Lin, LIANG Jiahao.Research on Secure Identity Authentication Based on Homomorphic Encryption and Biometrics[J]. Netinfo Security, 2018, 18(4): 7-14.
	游林,梁家豪.基于同态加密与生物特征的安全身份认证研究[J].信息网络安全,2018,18(4):7-14.

数据库	类别	数据量	数据类别	简介
游戏库2	兴趣库（游戏）	23855063	明文	游戏论坛,主要内容有魔兽世界等
游戏库1	兴趣库（游戏）	436346	明文	官方网站,主要内容有守望先锋等
动漫库2	兴趣库（动漫）	1507023	MD5	动漫网站,主要内容有恶魔岛等
动漫库1	兴趣库（动漫）	152788	明文	动漫网站,主要内容有动漫视频等
普通库1	普通库	129303	明文	网络订票网站
普通库2	普通库	700023	明文	网盘系统
普通库3	普通库	6871375	明文	婚恋网站

排名	动漫库1	游戏库1	普通库1	游戏库2	普通库2	普通库3
1	123456	woaini1314	123456	123456	123456	123456
2	111111	a123456789	a123456	123456789	111111	123456789
3	000000	caonima	5201314	111111	123456789	111111
4	123123	asd8814520	123456a	123123	000000	000000
5	123456789	123456789a	111111	000000	123123	5201314
6	lucifer	abcd1234	woaini	5201314	5201314	123123
7	5201314	qq123456	123123	12345678	123	1314520
8	1234567	qqq7758521	000000	12345	123321	123321
9	123321	1q2w3e4r	qq123456	123321	12345678	1234567
10	asdasd	Woaini521	1qaz2wsx	1314520	7758521	12345678
占比	5.80%	0.61%	1.79%	8.80%	7.87%	6.59%

字段	解释	数据库
dearbook	CSDN自由品牌“第二书店”默认账号	游戏库1
dedewang	CSDN博主	游戏库1
ARPG	Action Role Playing Game,游戏术语,动作角色扮演类游戏,角色的动作（特别是攻击动作）与操作（如点击鼠标）相关	游戏库2
SCV	Space Construction Vehicle,空间建筑工程车,俗称农民、工人或工程兵,是星际争霸系列游戏中兵种的名称	游戏库2
acfun	A站,一个关于动漫的视频网站	动漫库1
qrst	游戏论坛	游戏库2
Heman	Alborz Haidarian,欧洲最好的War3选手之一	游戏库1
moe	动画片《辛普森一家》中的人物,荷马的朋友,经营一个小酒吧	动漫库1
onep	一个关于海贼王动漫中的词	动漫库1
xiaoy	魔兽争霸WAR3游戏解说	游戏库2

	提取L_T 字段	D、S字段频率表和结构频率表	测试集
a	游戏库1 （游戏类）	游戏库2（训练集,游戏类）	普通库1（测试集,普通类）,普通库2（测试集,普通类）,普通库3（测试集,普通类）,游戏库2（测试集,游戏类）
b		普通库1（训练集,普通类）
c		普通库2（训练集,普通类）
d		普通库3（训练集,普通类）
e	动漫库1 （动漫类）	普通库1（训练集,普通类）	普通库1（测试集,普通类）,普通库2（测试集,普通类）,普通库3（测试集,普通类）,动漫库2（动漫类）
f		普通库2（训练集,普通类）
g		普通库3（训练集,普通类）

实验		字典口令/个	猜测集/万个
WEIR^[13]等人		68611	300
实验一	a	72890
	b
	c
	d
实验二	e	78003
	f
	g