
Counting and Probability: Practical Analysis & Techniques for Password-Based Authentication

Learn about counting principles, probability in events, multiplication rule, password-based authentication, Anderson's Formula, security analysis, possibility trees, permutations, combinations, set operations, and counting techniques. Develop practical skills in maximizing security against dictionary attacks.



Presentation Transcript

  1. Topics • Section 6.1 – 6.6

  2. Original author of the slides: Vadim Bulitko University of Alberta http://www.cs.ualberta.ca/~bulitko/W04 Modified by T. Andrew Yang (yang@uhcl.edu)

  3. Counting • A random process: the set of outcomes is known, but the specific outcome is not predictable. • Outcomes • Sample space: the set of all possible outcomes of a random process (or experiment). • Events: an event is a subset of a sample space. • Examples • coins • dice

  4. Counting and Probability • The chance that a given event will occur • The ratio of the number of outcomes in an exhaustive set of equally likely outcomes that produce a given event to the total number of possible outcomes • Outcomes are assumed to be equally likely. • E: an event. • S: the sample space. • N(E): the number of outcomes in E • N(S): the total number of outcomes in S. • P(E): the probability that E will occur. • Then P(E) = • Examples: • Coins • Dice • Tournament

  5. Permutations, combinations, etc.

  6. Multiplication Rule • p.208: Theorem 6.2.1 • If an operation consists of k steps (s1, s2, …, sk), and there are n1 ways to perform s1, n2 ways to perform s2, …, and nk ways to perform sk, then the entire operation can be performed in n1 × n2 × … × nk ways.

  7. Multiplication Rule (cont.) • Example: • How many different PINs are possible? p.308 (repetition is allowed) • What if repetition is not allowed? p.309: permutations (p.313) • Password-based authentication

  8. Password-based Authentication • A dictionary attack is the guessing of a password by repeated trial and error. • The dictionary may be a set of strings in random order, or a set of strings in decreasing order of probability of selection.

  9. Password-based Authentication • Countering dictionary attack • The goal: To maximize the time needed to guess the password • Anderson’s Formula: • P: The probability that an attacker guesses a password in a specified period of time • G: The number of guesses that can be tested in one time unit • T: The number of time units during which guessing occurs • N: The number of possible passwords

  10. Password-based Authentication • An example: • Let S be the length of the password. • Let A be the number of characters in the alphabet from which the characters of the password are drawn. Then N = A^S. • Let E be the number of characters exchanged when logging in. • Let R be the number of bytes per minute that can be sent over a communication link. • Let G be the number of guesses per minute. Then G = R / E. • If the attack extends over M months, T = 30 x 24 x 60 x M. • Let P be the probability that the attack would succeed. Then

  11. Password-based Authentication • Analysis of the Anderson Formula: • The goal is to maximize the time (T) needed for the attacker to guess the password. • That is, to decrease the chance that the attack may succeed (P). • Approaches: • To increase N, the set of possible passwords • To decrease the time allowed to guess the passwords, that is, to reduce T • To decrease G
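
An added example, not part of the original slides: the analysis of slides 9 to 11 carried through in Python, assuming the usual textbook statement of Anderson's Formula, P ≥ TG/N. The function names and the sample values (R, E, M and the 10^-6 target) are constructed for illustration; S, A, R, E, M, G, T, N and P are the slides' symbols.

```python
MINUTES_PER_MONTH = 30 * 24 * 60  # slide 10: T = 30 x 24 x 60 x M

def guess_probability(S, A, R, E, M):
    """Bound on P for an attack lasting M months (assumed form: P >= TG/N)."""
    N = A ** S                    # multiplication rule: A choices in each of S positions
    G = R / E                     # guesses per minute
    T = MINUTES_PER_MONTH * M     # minutes during which guessing occurs
    return min(1.0, T * G / N)    # a probability cannot exceed 1

def min_length(A, R, E, M, p_max):
    """Lever 1 (increase N): smallest S for which TG/N <= p_max."""
    needed = MINUTES_PER_MONTH * M * (R / E) / p_max   # N must reach TG/P
    S = 1
    while A ** S < needed:
        S += 1
    return S

def max_lifetime_months(S, A, R, E, p_max):
    """Lever 2 (reduce T): longest password lifetime M that keeps TG/N <= p_max."""
    return p_max * A ** S / (MINUTES_PER_MONTH * (R / E))

def max_guess_rate(S, A, M, p_max):
    """Lever 3 (decrease G): highest guesses/minute that keeps TG/N <= p_max."""
    return p_max * A ** S / (MINUTES_PER_MONTH * M)

if __name__ == "__main__":
    # Constructed sample: 12000 bytes/minute link, 20 characters exchanged per
    # login (so G = 600 guesses/minute), a 12-month attack, target P <= 10^-6.
    R, E, M, P_MAX = 12000, 20, 12, 1e-6
    for A, label in ((26, "lowercase letters"), (94, "printable ASCII")):
        S = min_length(A, R, E, M, P_MAX)
        print(f"A={A} ({label}): need S >= {S}, "
              f"bound P = {guess_probability(S, A, R, E, M):.2e}")
    # If S is fixed at 7 with A = 94, the other two levers must carry the load.
    print(f"S=7, A=94: rotate within {max_lifetime_months(7, 94, R, E, P_MAX):.2f} "
          f"months, or throttle to {max_guess_rate(7, 94, M, P_MAX):.0f} guesses/minute")
```

The three helper functions correspond one-to-one to the approaches listed on slide 11: a longer password or larger alphabet, a shorter password lifetime, and rate limiting of login attempts.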

  12. Possibility Trees • Used to count the number of outcomes • Can be used to illustrate the multiplication rule (e.g., toss a coin for three times) • Useful when the multiplication rule is difficult or impossible to apply • Examples • Possibilities for tournament play: p.306 • Election of officers: p.311

  13. Permutations • A permutation of a set of objects is an ordering of the objects in a row. • Example: S = {a, b} Permutations: ab, ba Order matters! Distinct objects! • Formula Given n objects (n >= 1), the number of permutations is n!

  14. r-permutations • An ordered selection of r elements out of n elements • Still, order matters and no repetition P(n,r) = n(n-1)(n-2)…(n-r+1) = • Exercises: P(5,3), P(7,3), P(3,3) • Example 6.2.11 (p.317) • Q16 on p.319

  15. Set Operations & Counting • The addition rule (p.321) Example 6.3.1: number of passwords Note: distinct, mutually disjoint sets • To make sets disjoint: intersection, symmetric difference • Inclusion/exclusion, difference rules • Example 6.3.6

  16. Combinations • Order is not important (i.e., sets) • c.f., Order is important in permutations • So, the different combinations can be considered as subsets of a given set • Example 6.4.2 (p.335) S = {0,1,2,3} Q: How many unordered selections of two elements can be made from S?

  17. r-combinations • An r-combination of a set of n elements is a subset of r of the n elements • n choose r: the number of r-combinations that can be chosen from a set of n elements Note: Order is not important, No repetition of elements • p.364: computing binomial coefficients • Formula • Example 6.4.10: p.344

  18. r-permutations vs r-combinations • Share: no repetitions, distinct elements • Difference: • Permutations: unordered • Combinations: ordered • Figure 6.4.1: p.336

  19. Be aware of double-counting! • A false solution: p.346 • Another example: M={a,b}, F={c,d,e}. Form 2-person teams, but one of them must be a woman. • Questions to ask: • Am I counting everything? • Am I counting anything twice? • Multiplication rule • Am I looking at everything at the possibility tree? • Does every outcome appear on a branch of tree? • Addition rule: • Does every outcome appear in some subset of the diagram? • Are the subsets disjoint?

  20. r-permutations with repetition • r-permutations without repetitions: order matters P(n,r)=n(n-1)(n-2)…(n-r+1) • What if we allow elements to be put back? • How many ways can we choose r elements from n types of elements? • Order matters • Repetitions are allowed • Formula?

  21. Permutations of a set with repeated elements • Theorem 6.4.2: p.345 • Example 6.4.11 • Which to use? c.f.: n^k • Q1: How many different bit strings can 4 bits hold? • Q2: What is the total number of transpositions for the 4-bit bit string 0110b? That is, how many 4-bit bit strings contain exactly 2 1’s? 0110, 0101, 1010, 1001 See example 6.4.10 (p.344) • Exercise: Try the same with 5 bits

  22. Special case • When k = 2, permutations with repeated elements is reduced to r-combinations. True? False?

  23. r-combinations with repetition • What if we allow repetitions? • Choose r elements out of n but allow repetitions (e.g., put the elements back after drawing them) • Order is not important • The underlying construct is multiset • Theorem 6.5.1: p.351 • Examples

  24. Summary • Question: How about

  25. Questions?
