Sudhir Aggarwal

Bio: Sudhir Aggarwal is an academic researcher from Florida State University. The author has contributed to research in topics: Password & Formal specification. The author has an hindex of 18, co-authored 67 publications receiving 1737 citations. Previous affiliations of Sudhir Aggarwal include Telcordia Technologies & Bell Labs.

Password Cracking Using Probabilistic Context-Free Grammars

Abstract: Choosing the most effective word-mangling rules to use when performing a dictionary-based password cracking attack can be a difficult task In this paper we discuss a new method that generates password structures in highest probability order We first automatically create a probabilistic context-free grammar based upon a training set of previously disclosed passwords This grammar then allows us to generate word-mangling rules, and from them, password guesses to be used in password cracking We will also show that this approach seems to provide a more effective way to crack passwords as compared to traditional methods by testing our tools and techniques on real password sets In one series of experiments, training on a set of disclosed passwords, our approach was able to crack 28% to 129% more passwords than John the Ripper, a publicly available standard password cracking program

Testing metrics for password creation policies by attacking large sets of revealed passwords

Abstract: In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.

Accuracy in dead-reckoning based distributed multi-player games

Abstract: Distributed multi-player games use dead reckoning vectors to intimate other (at a distance) participating players about the movement of any entity by a controlling player. The dead reckoning vector contains the current position of the entity and the velocity components. When a participating player receives a vector, traditionally it puts the entity at the current position specified by the vector and starts projecting the path of the entity from that point using the local clock of the receiver. In this paper we show that this traditional method of usage of dead reckoning vector brings in inaccuracy in the receivers' rendering of the entity. This inaccuracy can be substantial even with low network delay between the sender-receiver pairs and increases with network delay. We propose the use of globally synchronized clocks among the participating players and a time-stamp augmented dead reckoning vector that enables the receiver to render the entity accurately. We modified the popular game BZFlag with this technique, and compared the accuracy seen in game playing using the traditional method and the proposed technique. We conducted several types of experiments varying the frequency of generation of dead reckoning vectors and the delay between the sender and the receivers. The experiments show significant quantitative improvement in accuracy even for 100ms delay between the sender-receiver pairs and appreciable qualitative improvement in game playing experience.

System and method for multicast conferencing and online discussion groups

Abstract: A system and method for multicast conferencing and online discussion groups using a periodically determined a close-to-optimal Steiner spanning tree.Both the system and method are suitable for stationary and/or mobile group members.

The control of discrete event systems

Abstract: A discrete event system (DES) is a dynamic system that evolves in accordance with the abrupt occurrence, at possibly unknown irregular intervals, of physical events. Such systems arise in a variety of contexts ranging from computer operating systems to the control of complex multimode processes. A control theory for the logical aspects of such DESs is surveyed. The focus is on the qualitative aspects of control, but computation and the related issue of computational complexity are also considered. Automata and formal language models for DESs are surveyed. >

Automata for modeling real-time systems

Abstract: To model the behavior of finite-state asynchronous real-time systems we propose the notion of timed Buchi automata (TBA). TBAs are Buchi automata coupled with a mechanism to express constant bounds on the timing delays between system events. These automata accept languages of timed traces, traces in which each event has an associated real-valued time of occurrence.

Timing assumptions and verification of finite-state concurrent systems

Abstract: We have described a scheme that allows timing assumptions to be incorporated into automatic proofs of arbitrary finite-state temporal properties. The obvious extension is to be able to prove timing properties, not just assume them. This would provide a verification framework for finite-state hard real-time systems. We conjecture that the method presented can, in fact, be extended in this way.

The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords

Abstract: We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker's desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists.