A Generator Framework for Password Policy Based on Frequency and Entropy


Authors: 朱浩 (ZHU Hao) [1,2]; 郭华 (GUO Hua); 陈晨 (CHEN Chen) [1]; 刘伟伟 (LIU Weiwei) (Key Laboratory of Aerospace Network Security (Ministry of Industry and Information Technology), Beihang University, Beijing 100191, China; State Key Laboratory of Software Development Environment, Beihang University, Beijing 100191, China; School of Mathematics and Statistics, North China University of Water Resources and Electric Power, Zhengzhou 450046, China)

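Affiliations: [1] Key Laboratory of Aerospace Network Security (Ministry of Industry and Information Technology), Beihang University, Beijing 100191; [2] State Key Laboratory of Complex and Critical Software Environment, Beijing 100191; [3] School of Mathematics and Statistics, North China University of Water Resources and Electric Power, Zhengzhou 450046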

Source: Journal of Cybersecurity (《网络空间安全科学学报》), 2023, Issue 2, pp. 73-82 (10 pages)

Funding: National Key Research and Development Program of China (2021YFB2700200); National Natural Science Foundation of China (U21B2021, 61972018, 61932014).

Abstract: Text passwords are simple to implement and easy to deploy, which makes them one of the most important identity authentication technologies in use today; password security is therefore critical, and a reasonable password generation policy helps improve it. The existing frequency-based password policy generator HTPG uses frequency as its only password classification criterion, so it reflects only how popular a password is. To address this, the paper designs a password policy generator framework based on frequency and entropy (FEPG). FEPG introduces entropy as the measure of password complexity, constructs a four-class password classification method based on frequency and entropy using the Zipf distribution and the normal distribution, and verifies the effectiveness of the four classes with the password strength evaluation tool zxcvbn. FEPG provides a set of modification strategies by comparing weak passwords with low-frequency, high-entropy passwords. After simulating users modifying their passwords, the authors test the results with the probabilistic context-free grammar (PCFG) algorithm. The results show that the proportion of successfully guessed passwords after FEPG enhancement is 69.30% lower than after HTPG enhancement, validating the effectiveness of FEPG.

Keywords: password policy; normal distribution; password strength

Classification code: TP391 [Automation and Computer Technology: Computer Application Technology]

 
