Can science make it too costly for hackers to attempt to steal information?

Purdue computer scientist works to stymie password theft by forcing online attackers to use excessive memory

blocki-cryptography

Jeremiah Blocki, an associate professor of computer science at Purdue, stands in front of a whiteboard of cryptography research in his office. Blocki’s work with passwords and secure systems is finding new and better ways to store information as securely as possible. (Purdue University photo/Greta Bell)

WEST LAFAYETTE, Ind. — Cryptography, the age-old art of secrecy, has evolved into the science of protecting confidential information in the burgeoning world of bytes, passwords and cloud storage.

Jeremiah Blocki, an associate professor of computer science in Purdue’s College of Science, applies his work with passwords and secure systems to stem the ongoing tide of hackers by finding new and better ways to store information as securely as possible. Researchers take several angles to explore password security beyond the logon screen of your favorite website.

“When most people think about passwords, they only think about being locked out of a website if they try to log in with three incorrect passwords in a row,” he said. “So most have the mental model that if an online attacker tries the wrong password three times, the attacker will be locked out.”

The problem is that hackers often gain access to website servers, circumventing the security mechanism that locks people out after three incorrect guesses. If successful, the online attackers have unlimited tries to guess passwords and obtain information for any and every account on the server.

That’s where Blocki steps in with his current research. He is trying to create a system that makes logon computation relatively quick and inexpensive for website owners but at the same time makes it expensive enough in terms of time and memory that hackers move on to easier targets.

Blocki’s work in cryptography and passwords comprises part of the information security and assurance research area in Purdue’s Department of Computer Science. Through his research, Blocki also is a member of the university’s Center for Education and Research in Information Assurance and Security (CERIAS).

Blocki’s work is funded by a CAREER grant from the National Science Foundation. His research will be presented as part of a talk at The Theory of Quantum Computation, Communication and Cryptography conference later this year.

Password hash functions are used whenever someone logs into a website. Whenever a user registers for a new account, the server uses the password hash function to scramble the password and stores this. The server can validate a later login attempt by scrambling the password again and then checking that the passwords match.

A good password hash function should be moderately expensive to enable a quick user login, but prohibitively expensive for a hacker to try to evaluate this function repeatedly.

The memory tied up in a function for one password try isn’t much for a laptop. But an online attacker who has gained internal access to a server needs more than one try — a lot more.

“Most people don’t think of an attacker as checking with millions of guesses or billions of guesses or trillions of guesses,” Blocki said.

That many tries can tie up a huge amount of memory in hackers’ computer systems, turning the effort to steal important private information into a test of patience. Hackers must determine if they are willing to expend significant resources on a single target. 

“When you think about it from the attacker’s standpoint, they’re not locking up half a gigabyte of memory for half a second toward guessing a password once,” he said. “They’re trying to compute this function a million, a billion or even a trillion times. Half a trillion gigabytes for a second, if you wanted to try a trillion guesses per second, for a password, that’s an absurd amount of memory. The attacker is not going to want to invest that much.”

Memory-hard functions are the latest way to increase the memory usage for hackers trying to steal passwords. Prior password algorithms focused only on trying to increase the attacker’s computation costs. They didn’t attempt to increase the hacker’s memory usage. 

Memory-hard functions create a situation where attempts to reach the passwords causes hackers to be overwhelmed with memory costs. Blocki said that area, which utilizes a form of mathematics called combinatorial graph theory, has been a focus for the last seven years in both defining the problem as well as constructing the functions.

Purdue ranks sixth in cybersecurity by U.S. News & World Report and second in computer security by csrankings.org.

The Department of Computer Science is part of Purdue Computes, a comprehensive initiative with the goals of positioning the department as a top 10 national program, becoming a leader in the field of physical artificial intelligence, and advancing quantum science and engineering to create future technologies that enable unparalleled excellence at scale.

Blocki is actively researching mathematical techniques to analyze memory-hard functions and see how secure they are against attackers with complex quantum computer capabilities.

He is also researching improved memory-hard constructions and is working within the industry to find partners interested in standardizing some of the confirmed memory-hard constructions. 

About Purdue University

Purdue University is a public research institution demonstrating excellence at scale. Ranked among top 10 public universities and with two colleges in the top four in the United States, Purdue discovers and disseminates knowledge with a quality and at a scale second to none. More than 105,000 students study at Purdue across modalities and locations, including nearly 50,000 in person on the West Lafayette campus. Committed to affordability and accessibility, Purdue’s main campus has frozen tuition 13 years in a row. See how Purdue never stops in the persistent pursuit of the next giant leap — including its first comprehensive urban campus in Indianapolis, the Mitchell E. Daniels, Jr. School of Business, Purdue Computes and the One Health initiative — at https://www.purdue.edu/president/strategic-initiatives

Media contact: Brian Huchel, bhuchel@purdue.edu
Source: Jeremiah Blocki, jblocki@purdue.edu

Note to journalists:

An AP Newsroom video link on passwords and Jeremiah Blocki’s research is available for media.

Purdue Computes News

Mung Chiang and Todd Younkin

U.S. Department of Commerce awards $285M Manufacturing USA Institute to SRC-led consortium with Purdue as lead academic institution

November 19, 2024

A man with a short, dark beard and round glasses smiles in front of a brick wall and metal garage door.

Computing for contentment: Purdue scientist uses AI to model fairness and maximize the benefits of donated food

November 12, 2024

Fall trees line a walkway in the Purdue Mall leading to the Class of 1939 Water Sculpture.

Top semiconductor industry names join Purdue’s Semiconductor Week events

October 23, 2024

Purdue University’s Gateway to the Future Arch from below with fall flowers in the foreground.

Purdue University wins Microelectronics Commons Project to advance AI hardware through the Silicon Crossroads Microelectronics Commons Hub

October 14, 2024

All Purdue Computes News