{"id":4881,"date":"2024-06-11T00:08:00","date_gmt":"2024-06-11T00:08:00","guid":{"rendered":"https:\/\/new.www.purdue.edu\/newsroom\/?post_type=purduetoday&#038;p=4881"},"modified":"2024-08-05T12:16:20","modified_gmt":"2024-08-05T16:16:20","slug":"can-science-make-it-too-costly-for-hackers-to-attempt-to-steal-information","status":"publish","type":"post","link":"https:\/\/www.purdue.edu\/newsroom\/2024\/Q2\/can-science-make-it-too-costly-for-hackers-to-attempt-to-steal-information","title":{"rendered":"Can science make it too costly for hackers to attempt to steal information?"},"content":{"rendered":"\n<p><strong>WEST LAFAYETTE, Ind.<\/strong> \u2014 Cryptography, the age-old art of secrecy, has evolved into the science of protecting confidential information in the burgeoning world of bytes, passwords and cloud storage.<\/p>\n\n\n\n<p>Jeremiah Blocki, an associate professor of computer science in Purdue\u2019s&nbsp;<a href=\"https:\/\/www.purdue.edu\/science\/\" rel=\"noreferrer noopener\" target=\"_blank\">College of Science<\/a>,&nbsp;applies his work with passwords and secure systems to stem the ongoing tide of hackers by finding new and better ways to store information as securely as possible. Researchers take several angles to explore password security beyond the logon screen of your favorite website.<\/p>\n\n\n\n<p>\u201cWhen most people think about passwords, they only think about being locked out of a website if they try to log in with three incorrect passwords in a row,\u201d he said. 
\u201cSo most have the mental model that if an online attacker tries the wrong password three times, the attacker will be locked out.\u201d<\/p>\n\n\n\n<p>The problem is that hackers often gain access to website servers, circumventing the security mechanism that locks people out after three incorrect guesses. If successful, the online attackers have unlimited tries to guess passwords and obtain information for any and every account on the server.<\/p>\n\n\n\n<p>That\u2019s where Blocki steps in with his current research. He is trying to create a system that makes logon computation relatively quick and inexpensive for website owners but at the same time makes it expensive enough in terms of time and memory that hackers move on to easier targets.<\/p>\n\n\n\n<p>Blocki\u2019s work in cryptography and passwords comprises part of the information security and assurance research area in Purdue\u2019s&nbsp;<a href=\"https:\/\/www.cs.purdue.edu\/\" rel=\"noreferrer noopener\" target=\"_blank\">Department of Computer Science<\/a>. Through his research, Blocki also is a member of the university\u2019s Center for Education and Research in Information Assurance and Security (<a href=\"https:\/\/www.cerias.purdue.edu\/\" rel=\"noreferrer noopener\" target=\"_blank\">CERIAS<\/a>).<\/p>\n\n\n\n<p>Blocki\u2019s work is funded by a CAREER grant from the National Science Foundation. His research will be presented as part of a talk at The Theory of Quantum Computation, Communication and Cryptography conference later this year.<\/p>\n\n\n\n<p>Password hash functions are used whenever someone logs into a website. 
Whenever a user registers for a new account, the server uses the password hash function to scramble the password and stores this. The server can validate a later login attempt by scrambling the password again and then checking that the passwords match.<\/p>\n\n\n\n<p>A good password hash function should be moderately expensive to enable a quick user login, but prohibitively expensive for a hacker to try to evaluate this function repeatedly.<\/p>\n\n\n\n<p>The memory tied up in a function for one password try isn\u2019t much for a laptop. But an online attacker who has gained internal access to a server needs more than one try \u2014 a lot more.<\/p>\n\n\n\n<p>\u201cMost people don\u2019t think of an attacker as checking with millions of guesses or billions of guesses or trillions of guesses,\u201d Blocki said.<\/p>\n\n\n\n<p>That many tries can tie up a huge amount of memory in hackers\u2019 computer systems, turning the effort to steal important private information into a test of patience. Hackers must determine if they are willing to expend significant resources on a single target.&nbsp;<\/p>\n\n\n\n<p>\u201cWhen you think about it from the attacker\u2019s standpoint, they\u2019re not locking up half a gigabyte of memory for half a second toward guessing a password once,\u201d he said. \u201cThey\u2019re trying to compute this function a million, a billion or even a trillion times. Half a trillion gigabytes for a second, if you wanted to try a trillion guesses per second, for a password, that\u2019s an absurd amount of memory. The attacker is not going to want to invest that much.\u201d<\/p>\n\n\n\n<p>Memory-hard functions are the latest way to increase the memory usage for hackers trying to steal passwords. Prior password algorithms focused only on trying to increase the attacker\u2019s computation costs. 
They didn&#8217;t attempt to increase the hacker\u2019s memory usage.&nbsp;<\/p>\n\n\n\n<p>Memory-hard functions create a situation where attempts to reach the passwords cause hackers to be overwhelmed with memory costs. Blocki said that area, which utilizes a form of mathematics called combinatorial graph theory, has been a focus for the last seven years in both defining the problem and constructing the functions.<\/p>\n\n\n\n<p>Purdue ranks sixth in cybersecurity by U.S. News &amp; World Report and second in computer security by&nbsp;<a href=\"https:\/\/csrankings.org\/#\/index?sec&amp;us\" rel=\"noreferrer noopener\" target=\"_blank\">csrankings.org<\/a>.<\/p>\n\n\n\n<p>The Department of Computer Science is part of&nbsp;<a href=\"https:\/\/www.purdue.edu\/computes\/\" rel=\"noreferrer noopener\" target=\"_blank\">Purdue Computes<\/a>, a comprehensive initiative with the goals of positioning the department as a top 10 national program, becoming a leader in the field of physical artificial intelligence, and advancing quantum science and engineering to create future technologies that enable unparalleled excellence at scale.<\/p>\n\n\n\n<p>Blocki is actively researching mathematical techniques to analyze memory-hard functions and see how secure they are against attackers with complex quantum computer capabilities.<\/p>\n\n\n\n<p>He is also researching improved memory-hard constructions and is working within the industry to find partners interested in standardizing some of the confirmed memory-hard constructions.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>About Purdue University<\/strong><\/h2>\n\n\n\n<p>Purdue University is a public research institution demonstrating excellence at scale. Ranked among top 10 public universities and with two colleges in the top four in the United States, Purdue discovers and disseminates knowledge with a quality and at a scale second to none. 
More than 105,000 students study at Purdue across modalities and locations, including nearly 50,000 in person on the West Lafayette campus. Committed to affordability and accessibility, Purdue\u2019s main campus has frozen tuition 13 years in a row.&nbsp;See how Purdue never stops in the persistent pursuit of the next giant leap \u2014 including its first comprehensive urban campus in Indianapolis, the&nbsp;Mitchell E. Daniels, Jr. School of Business, Purdue Computes and the One Health initiative \u2014 at&nbsp;<a href=\"https:\/\/www.purdue.edu\/president\/strategic-initiatives\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/www.purdue.edu\/president\/strategic-initiatives<\/a>.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WEST LAFAYETTE, Ind. \u2014 Cryptography, the age-old art of secrecy, has evolved into the science of protecting confidential information in the burgeoning world of bytes, passwords and cloud storage. Jeremiah Blocki, an associate professor of computer science in Purdue\u2019s&nbsp;College 
of<\/p>\n","protected":false},"author":8,"featured_media":4882,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[19,263],"tags":[],"department":[32],"source":[29],"purdue_today_topic":[],"coauthors":[40],"class_list":["post-4881","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","category-purdue-computes","department-science","source-purdue-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts\/4881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/comments?post=4881"}],"version-history":[{"count":1,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts\/4881\/revisions"}],"predecessor-version":[{"id":7784,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts\/4881\/revisions\/7784"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/media\/4882"}],"wp:attachment":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/media?parent=4881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/categories?post=4881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/tags?post=4881"},{"taxonomy":"department","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/department?post=4881"},{"taxonomy":"source","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/source?post=4881"},{"taxono
my":"purdue_today_topic","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/purdue_today_topic?post=4881"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/coauthors?post=4881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}