Abstract
Using honeywords in identity authentication systems is an effective way to detect in time whether a password database has been stolen. To address the problem that honeywords generated by existing methods differ greatly from the real passwords and can easily be identified by an attacker, a honeyword generation method based on lightweight password attack models (Generating Honeywords Using Lightweight Password Attack Models, GHLA) is proposed. The method combines two lightweight attack models, a rule-based attack model and an attack model based on probabilistic context-free grammars (PCFG), to generate honeywords. Theoretical analysis shows that it has good flatness and the ability to resist DoS attacks, and it is further tested on the password data leaked from RenRen. Compared with other methods, when honeywords are generated with the proposed method, the probability that the attacker identifies the real password in a single attempt decreases by about 7.83%, and the number of accounts successfully attacked before the system alarm is triggered is reduced by up to 48.54%. The experimental results show that the proposed method offers higher security.
Generating honeywords for each account in an identity authentication system is an effective way to detect in time whether a password database has been compromised. However, the honeywords generated by existing methods have a large gap with the real passwords, so that the honeywords can be easily identified by the attacker. To address this problem, we propose a method for generating honeywords using lightweight password attack models (GHLA). The proposed method combines the rule-based attack model and the model based on probabilistic context-free grammars (PCFG) to generate honeywords. We have proved the flatness and the ability to resist DoS attacks of the proposed method through theoretical analysis. Furthermore, we test our method on passwords leaked from RenRen.com. Compared to other methods, when honeywords are generated using the proposed method, the probability that the real password is successfully recognized by the attacker in one attempt is reduced by about 7.83%, and the number of accounts that are successfully attacked before the system alarm is triggered drops by up to 48.54%. The results show that the proposed method has higher security.
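The abstract describes the two ingredients of a honeyword scheme: a generator that draws decoys from password attack models (a rule-based mangler and a PCFG model), and the detection side, where a login with a decoy raises an alarm. The following Python is an added illustration of that pipeline, not the GHLA code from the paper: a structure-preserving PCFG trained on a small constructed corpus (not the RenRen data), a handful of mangling rules, and a honeychecker that flags decoy logins. The corpus, the rule set, the class names, and the choice of 9 decoys per account are assumptions made for the example.

```python
import random
import re
from collections import Counter, defaultdict

# Constructed stand-in for a leaked password list (NOT the RenRen data used in the paper).
TRAINING_PASSWORDS = [
    "password123", "qwerty2010", "zhang1989!", "liuwei88", "iloveyou1",
    "renren520", "sunshine!!", "hello2011", "wangfang666", "abc123456",
]

def structure(pw):
    """PCFG base structure: list of (class, token); class L = letters, D = digits, S = symbols."""
    segs = []
    for m in re.finditer(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        tok = m.group()
        segs.append(("L" if tok.isalpha() else "D" if tok.isdigit() else "S", tok))
    return segs

class PCFG:
    """Minimal PCFG attack model: terminal frequencies per (class, length) learned from a corpus."""
    def __init__(self, corpus):
        self.terminals = defaultdict(Counter)
        for pw in corpus:
            for cls, tok in structure(pw):
                self.terminals[(cls, len(tok))][tok] += 1

    def sample_like(self, real, rng):
        """Keep the real password's structure; refill every segment from the learned terminals."""
        parts = []
        for cls, tok in structure(real):
            pool = self.terminals.get((cls, len(tok)))
            if pool:
                toks, weights = zip(*pool.items())
                parts.append(rng.choices(toks, weights)[0])
            else:  # segment shape never seen in training: random token of the same class/length
                alphabet = {"L": "abcdefghijklmnopqrstuvwxyz", "D": "0123456789", "S": "!@#$%"}[cls]
                parts.append("".join(rng.choice(alphabet) for _ in range(len(tok))))
        return "".join(parts)

# Rule-based attack model: a few mangling rules of the kind cracking tools apply to a base word.
LEET = str.maketrans("aeios", "43105")
RULES = [
    lambda p: p.capitalize(),
    lambda p: p.upper(),
    lambda p: p.translate(LEET),
    lambda p: p + "1",
    lambda p: p[::-1],
    lambda p: p[:-1] + (str((int(p[-1]) + 1) % 10) if p[-1].isdigit() else "!"),
]

def generate_honeywords(real, k, pcfg, rng):
    """Alternate the two models until k distinct decoys exist, none equal to the real password."""
    honey, seen, attempts = [], {real}, 0
    while len(honey) < k and attempts < 40 * k:
        attempts += 1
        cand = pcfg.sample_like(real, rng) if attempts % 2 else rng.choice(RULES)(real)
        if cand not in seen:
            seen.add(cand)
            honey.append(cand)
    return honey

class Honeychecker:
    """Hardened auxiliary server: stores only the index of the real sweetword, never a password."""
    def __init__(self):
        self.index = {}
    def set_index(self, user, i):
        self.index[user] = i
    def is_real(self, user, i):
        return self.index.get(user) == i

class AuthServer:
    """Main server: keeps each user's shuffled sweetword list (plaintext here; hashed in practice)."""
    def __init__(self, pcfg, checker, k=9, seed=0):
        self.pcfg, self.checker, self.k = pcfg, checker, k
        self.rng, self.sweetwords, self.alarms = random.Random(seed), {}, []
    def register(self, user, real):
        sweet = generate_honeywords(real, self.k, self.pcfg, self.rng) + [real]
        self.rng.shuffle(sweet)
        self.sweetwords[user] = sweet
        self.checker.set_index(user, sweet.index(real))
    def login(self, user, pw):
        sweet = self.sweetwords.get(user, [])
        if pw not in sweet:
            return "fail"
        if self.checker.is_real(user, sweet.index(pw)):
            return "ok"
        self.alarms.append(user)  # decoy submitted: the password database was probably stolen
        return "honeyword"

def demo(seed=7):
    """Run the whole pipeline deterministically and return the observable results."""
    server = AuthServer(PCFG(TRAINING_PASSWORDS), Honeychecker(), k=9, seed=seed)
    server.register("alice", "renren520")
    decoy = next(s for s in server.sweetwords["alice"] if s != "renren520")
    return {
        "honeywords": [s for s in server.sweetwords["alice"] if s != "renren520"],
        "real_login": server.login("alice", "renren520"),
        "decoy_login": server.login("alice", decoy),
        "wrong_login": server.login("alice", "not-a-sweetword"),
        "alarms": list(server.alarms),
    }
```

Calling `demo()` registers one account, then shows the three login outcomes: the real password passes, a decoy passes the main server's check but is caught by the honeychecker and recorded as an alarm, and a string outside the sweetword set simply fails. The flatness the abstract refers to is the property that an attacker holding the sweetword list cannot tell the real entry from the decoys; mixing PCFG-sampled candidates (same structure, different terminals) with rule-mangled variants of the real password is what keeps the decoys close to the real one in this toy version.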
Authors
杨坤雨
胡学先
张启慧
徐震
YANG Kunyu;HU Xuexian;ZHANG Qihui;XU Zhen(Information Engineering University, Zhengzhou 450001, China)
Source
《信息工程大学学报》
2021, No. 6, pp. 688-693, 721 (7 pages)
Journal of Information Engineering University
Funding
Supported by the National Natural Science Foundation of China (61862011, 61872449, 61772548).