Jeff Yan, Professor of Cyber Security
I did my Ph.D. with Ross
Anderson in the
Group at Cambridge
Most recently, Aurélien Bourquard and I are inventing
Differential Imaging Forensics. We started with asking Who was Behind the Camera?
We started to work on usable security long before it's
The work on
password security and memorability I did with colleagues
in the 1990's (first published in 2000, and then in 2001 featured by
Ross Anderson's book, Security Engineering)
has been widely recognised as an early influential study in
usable security, a currently booming field in both academia and industry.
I was a contributor to the first book on usable security, "Security
and Usability: Designing Secure Systems that People Can Use" (edited by
Cranor and Garfinkel, O'Reilly 2005), and served
on the Program Committee for the first Symposium On Usable Privacy
and Security (SOUPS'05, Carnegie Mellon).
In 2014, I was given a (in fact, the first)
SOUPS Impact Award in the USA for a paper I wrote in 2008.
This award is presented every three years, recognising a
paper that has had a significant impact on usable
security and privacy research and practice.
My work on graphical passwords,
a Secret (BDAS)
Shoulder-Surfing Resistant BDAS (SSR-BDAS) [SOUPS'11],
were selected by
the Royal Society - the UK's national
academy of science - for their
2008 Summer Science Exhibition.
Since 2011, Microsoft has deployed
a version of BDAS in Windows 8 OS and its successors.
On the offensive front,
in collaboration with
Ben Zhu at Microsoft Research,
I've developed novel concepts and methods
for analysing the security of graphical passwords. Our methods
for the first time revealed severe security vulnerabilities in
a major family of graphical password designs, which
was extensively studied in the literature
before our work.
We also developed the first method for generating
high-quality 'graphical honeywords',
successfully extending the notion of honeywords
from text passwords (proposed by
Ariel Juels and Turing Award winner Ron Rivest)
to graphical ones.
My work on the robustness and usability of Captcha (automated Turing tests),
a standard Internet security mechanism, has led to highly cited papers (e.g.
[ACSAC'07], [CCS'08], [SOUPS'08],
and influenced the system design of major companies such as Microsoft, Yahoo! and Google. Some technology developed by my team was licensed to Yahoo!.
Invited talks were given at Cambridge, Cisco, Google, Microsoft and Yahoo!,
as well as to the Messaging Anti-Abuse Working Group - this global industry consortium represented at the time nearly one billion mailboxes and considered my participation in their meeting "important in the global
fight against online abuse". For this line of work, my duo team (with student
Ahmad) was a finalist for a Times Higher Education award in the category of
the Outstanding Engineering Research Team of the Year in the UK
in 2009. A recent breakthrough was
surprisingly simple, low-cost, generic
but powerful attack [NDSS'16]
that breaks a wide variety of Captcha designs (joint work with
HC Gao et al).
Our work on CaRP [TIFS'14]
proposed a new family of security
primitives, and it was one step forward in the emerging paradigm of using hard AI problems for security,
introduced by Turing Award winner Manuel Blum's team at CMU. CaRP addresses a number of security threats altogether,
such as online dictionary attacks, relay attacks and cross-site scripting.
More recently, NIST in the USA have revised part of SP 800-63-3 Digital Authentication Guideline,
responding to our papers on targeted online guessing [CCS'16] and on
cryptanalysis [WOOT'16]. In 2016, my team won the best student paper
award at the 32nd ACSAC
(Los Angeles, USA), by resolving an open security problem with deep learning.
Our NDSS'18 paper
examined the honeyword algorithms designed by Juels and Rivest, and we showed that they
fail to deliver the claimed security level
by a large margin.
I wrote a well-cited paper
with Brian Randell
analysing online game cheating; was the first to
fairness enforcement has emerged as
the most important new security concern in online games.
I designed Magic
Bullet [IJCAI'09], a dual-purpose
game that people play online for fun
but their gameplay resolves a problem that no computer
algorithm can yet solve.
I was the first to work on
collusion detection in contract Bridge [AAAI'10] and
aim-bot detection in first-person shooters, and
helped to launch NetGames in 2001, which has been
a successful Int'l Workshop series on Network and Systems Support for Games.
I play Texas Hold'em, and have written a few peer-reviewed papers on poker, e.g. Machiavelli as a poker mate,
gender biased deception, and the science and detection of tilting.
My recent collaboration with Cambridge (2013-2017)
looked into deception deterrence, with the
aim to further the understanding of deception, which is not
only the basic problem underlying security and cybercrime,
but is central to human behaviour.
Interesting results on poker deception, insurance fraud and stock market are either published or in the pipeline -
My research on graphical passwords, Captchas, targeted online guessing, poker and
the latest SonarSnoop attack (active acoustic side-channels)
have all received significant media attention.
Major outlets such as
BBC News, London Science Museum,
MIT Technology Review,
Slashdot and The Economist
have featured my work.
Some star students I've advised
(drop me a line if you belong to here but I forgot!):
Pook Leong Cho,
Ahmad El Ahmad,
Jussi Palomaki, David Mordic, Yu Guang, Xingjie Wei, Beibei Liu, Budi Arief.
Selected Professional Activities
Security and Human Behavior: 2019 (Harvard), 2018 (CMU), 2017 (Cambridge), etc.
2014 Raymond and Beverly Sackler
U.S.-U.K. Scientific Forum, the National Academy
Washington, DC. (by invitation only)
- PC Co-Chair, IEEE Biometrics Council's International Conference on Identity, Security
and Behavior Analysis, 2018, Singapore.
- Academy of Finland, Research Council for Natural Sciences and Engineering, Information Security Panel, 2014, 2016
Springer's International Journal of Information Security (IJIS),
Transactions on Information Forensics and Security
IET Smart Cities,
Journal of Information Society
(an interdisciplinary journal in social sciences)
Dagstuhl Seminar on Assessing ICT Security Risks in Socio-Technical Systems, 2016
Playing poker for fun, profit and Science
- a talk I gave at Cambridge in 2015 summer,
with loads of amazing people like
in the audience.
Usable Security: A Personal Perspective,
the 17th International Conference on
Information and Communications Security (ICICS'15).
Dagstuhl seminar on Socio-technical Security Metrics, Nov 30 - Dec 5, 2014,
- Newcastle University Center for Cybercrime and Computer Security, Founding Research Director, 2009 -
- Program committee member, 1st Symposium On Usable Privacy and Security (SOUPS), CMU, USA, 2005
- Program committee member, First International Workshop on Network and System Support for Games
(NetGames), Germany, 2002
- Expert panel member, NetCrime and Policy Study, Home Office, UK,
2002 - 2003
Tutorials given at major conferences
Before coming to Lancaster, I have taught
at Newcastle University, England and
Chinese University of Hong Kong;
was the founding research director for Newcastle University
Centre for Cybercrime and Computer Security;
at Microsoft Research Asia,
Hewlett-Packard Labs and
An introduction to usable security, 16th ACM Conference on Computer and Communications Security
(CCS), 10 Nov 2009, Chicago, USA. (pretty well attended and received)
A full-day tutorial on
usable security (Jointly with Mary Ellen Zurko,
a pioneer of usable security),
at the 26th Annual Computer Security Applications Conference (ACSAC), 7 Dec 2010, Austin, Texas.
Hiring highly-motivated and bright PhD students and postdocs to
work on side channels, automotive security, cybercrime or interdisciplinary security studies.
Differential Imaging Forensics
From Sicilian mafia to Chinese "scam villages"
Hearing your touch, a new acoustic side channel on smartphones. Light Blue Touchpaper, Schneier,
WSJ, Daily Mail and many more.
SonarSnoop, the first active acoustic side-channel attack.
"Truly spooky new method of remote surveillance" - Ross Anderson,
"It's amazing that this is even possible" - Bruce Schneier,
"This is the coolest Android hack we've seen" - Pocketnow,
, and many more (in various languages including Chinese, German and Russian).
Towards Reactive Acoustic Jamming for Personal Voice Assistants
Analysis of Honeywords, NDSS'18
How Does Match-Fixing Inform Computer Game Security?, Security Protocols 2018, LNCS 11286
Who was Behind the Camera? Towards
Some New Forensics, CCS'17.
A security analysis of automated Chinese Turing Tests
(ACSAC 2016) resolved a
long-standing open problem using deep learning and won
the best student paper.
Joint work with
Dan Ciresan @ the Swiss AI Lab IDSIA.
Targeted Online Password
Guessing: An Underestimated Threat
(ACM CCS'16) examines how to best do targeted online guess attacks.
Our new algorithms,
with 100 guesses per account,
achieve avg success rates ~70% against normal users, and ~30% against
security-savvy users. In
a pretty quick response to our results,
NIST in the USA have revised part
of SP 800-63-3 Digital Authentication Guideline, and invited our
further comments on SP 800-63B etc.
C ACM, Naked Security, the Register,
Daily Mail, Metro, the
Mirror, the Sun and hundreds more outlets.
YouTube has a copy of the video of my talk at CCS'16.
Machiavelli as a poker mate - a naturalistic behavioural study on strategic deception (Journal of Personality
and Individual Differences, 2016) shows that Machiavellian people
don't bluff more frequently but when they bluff, they do it big; they are
also more distraught by getting slow-played. Machiavellianism has
rarely been studied outside the laboratory via behavioural experiments,
but online poker gives us a naturalistic setting
for such studies!
Poker Academie (in French).
"To Bluff like a Man or Fold like a Girl?" - Gender Biased Deceptive Behavior in Online Poker (PLoS ONE, 2016) shows that
our experiment participants (poker players) bluff 6%
more frequently on average at tables with female-only avatars than at
tables with male-only or gender mixed avatars.
This is a significant
effect in games involving repeated decisions.
To put it in perspective, casinos kick out of their premises anyone
who is able to obtain a marginal edge over the house, e.g. a 0.5% edge
(achieved typically via card counting).
Joint work with
postdocs Jussi Palomaki, David Mordic et al.
A fan of our work made a
presentation lecturing this paper on YouTube.
Acceleration Attacks on PBKDF2: Or, What Is Inside the
Black-Box of oclHashcat? (Usenix WOOT'16) reports
the fastest attack to date
a crypto primitive that is implemented in
widely deployed security systems such as WiFi, Microsoft .NET, Apple OS X
and iOS, Cisco IOS and Blackberry, among
Security APIs: A New Case (Financial Crypto'16)
expands the research of
Security APIs to a new setting.
Pioneered by Ross Anderson, this line of research
had mostly focused on
Hardware Security Module and cryptographic key managements.
show that system architecture analysis is useful both for
identifying vulnerabilities in security APIs and for fixing them.
A Simple Generic Attack on Text Captchas (NDSS'16) reports a surprisingly simple, low-cost but powerful
attack on Captchas. It breaks a wide variety of representative schemes,
each with distinctive design features, including those deployed by Google,
Microsoft, Yahoo!, Amazon and other Internet giants.
Our attack is a human-like solving algorithm, and it is deeply
rooted in seminal research
by Cambridge academics John Daugman and David Field (now at Cornell)
for very different purposes.
Novel security and privacy perspectives of
camera fingerprints (SPW'16)
proposes new research directions out of the usual box of signal processing,
e.g. using PRNU as a PUF to build a novel authentication
mechanism - "any photo you take are you";
handling new socio-technical problems such as revenge porn; and
applications in privacy intrusion.
The Science and Detection of Tilting (ICMR'16)
proposes novel interdisciplinary research on tilting, a significant but
rarely studied phenomenon, which both psychologists and computer
scientists will find a fertile topic. This has nothing to do with
security or privacy, but it just so happened that I had
this brainchild during a brief lunch chat with Jussi Palomaki.
We joyfully wrote it up, together with postdoc
Xingjie Wei and Cambridge don Peter Robinson.
Pattern Noise for Source Camera
Identification: An Empirical Evaluation (ACM IH&MMSec 2015) identifies
the best way for extracting camera fingerprints from images, and debunks
misconceptions in the literature. Joint work
with postdocs Bei-bei Liu and Xingjie Wei.
Security Analyses of Click-based Graphical Passwords via Image Point Memorability
(ACM CCS'14) introduces a novel concept and a model of image point
both defensive and offensive applications.
On one hand, we develop the first method for
generating high-quality graphical honeywords.
The notion of honeywords was first introduced
by Ariel Juels and Turing Award winner Ron Rivest
at CCS'13, but their algorithms only work with text passwords.
On the other hand,
under our new lens,
the effective password space of the
state-of-the-art click-based graphical passwords
is actually weaker than
its commonly believed strength by a factor of 2,048.
Abundant room remains for researchers in security, computer
vision and psychology to
improve our work.
Thanks Alexei Czeskis for
presenting the paper for me.
We're given the first
SOUPS Impact Award. Thanks to the award committee, and thanks to the
community of usable security & pricacy
for reading, citing and using our results!
Also thank Rob Miller
for presenting the paper
and Joe Bonneau
for collecting the award
at Facebook Headquarters on my behalf.
A New Security Primitive Based on Hard AI Problems
(IEEE Trans. on Information Forensics and Security, v9 no.6, 2014)
introduces CaRP, a new family of security primitives that
address a number of security threats altogether, such as online
dictionary attacks, relay attacks and cross-site scripting.
Our work is one step forward in the paradigm of
using hard AI problems for security, which was
introduced by Turing Award winner Manuel Blum's team
A surreal true story How I became notorious on campus
(Spring semester, 2014).
Our WWW'13 paper
Security Implications of Discretization
for Click-based Graphical Passwords
resolves a long-standing open problem. We
show that image discretization, a fundamental technical
mechanism introduced to
support both security and
usability of popular graphical password schemes,
leaks significant password information in representative designs
PassPoints, Cued Click Points (CCP) and Persuasive Cued Click
Our CCS'13 paper
The Robustness of Hollow CAPTCHAs
reports a novel attack that breaks a whole family of
new designs, deployed by major companies such as Yahoo!, Tencent,
Sina, China Mobile and Baidu.
Two projects on security and cybercrime research.
by EU, works on
image forensics (keywords: digital camera fingerprint, fast search
algorithm, forensic tools, law enforcement).
The EPSRC-funded "Deterrence of deception in
Socio-Technical Systems" works on deception and cybercrime via
an interdisciplinary approach.
The Robustness of Google CAPTCHAs has been
held in private for long, and finally we have released it now. Google were informed the results in advance. Coverage by
CAPTCHA design: colour, usability and security
(IEEE Internet Computing, March-April 2012),
colour misuse in CAPTCHAs
has impact beyond usability.
Using colour in user interface is a common practice for enhancing
usability and has rarely caused security concerns.
Here, we discuss interesting but critical
security failures caused by colour (mis)use.
Captcha Robustness: A Security Engineering Perspective
novel and successful
approach to Captchas
Attacks and Design of Image Recognition CAPTCHAs
at CCS'10. We report: novel attacks on two representative image recognition
CAPTHCAs: IMAGINATION (designed at Penn State around 2005) and
ARTiFACIAL (designed at MSR Redmond around 2004); a theoretical explanation
why well-known schemes such as IMAGINATION, ARTiFACIAL and Assira
(another MSR design) have all failed; a simple framework for guiding the
design of robust image recognition CAPTHCAs; and a new image recognition
CAPTHCA, which we call Cortcha (Context-based Object Recognition to Tell Computers and Humans Apart).
Coverage by Slashdot and Bruce Schneier.
We have released a computer game, Magic Bullet, which is a spin-off from our CAPTCHA robustness project. Our paper about this game appears at IJCAI'09 in Pasadena, CA. Coverage by
CACM, Science Daily,
A Low-cost Attack on a Microsoft CAPTCHA
reports a novel attack that can break,
with a success rate of higher than 60%, a
CAPTCHA that was desinged by Microsoft and has been deployed for their
Hotmail, MSN and Windows Live for years.
Microsoft was notified our results in Sept, 2007.
Responding to their request, we held this paper confidential until 10 April, 2008.
Here are some frequently asked questions, and coverage in
ABC News, ACM Tech
Times Higher Education
MIT Technology Review (also here).
Also have a look at The Economist. A peer-reviewed version appears at ACM CCS'08.
A related paper, "Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs",
is not released yet (an abstract is here), but
has been reviewed by Yahoo! Engineering in Sunnyvale, California.
Our graphical password scheme Background Draw
a Secret (BDAS) appears at
London Science Museum,
ACM Tech News,
Slashdot, and many others. Details see my BDAS page.
Our BDAS and SSR-BDAS were selected by
the Royal Society for their annual
Summer Science Exhibition
(Monday 30 June - Thursday 3 July 2008, London).
A piece on BDAS I wrote
for the Royal Society,
and one piece for
the London Mathematical Society.
Our exhibit. Since 2011, Microsoft has deployed
a version of BDAS in Windows 8.
I am interested in most aspects of computer and network security, both
theoretical and practical, and my recent work focuses on systems security,
including human aspects of security (e.g. usable security). My previous
contributions illustrate both my
view of security and research methodology. Namely, security fails not only
because of the lack or failure of technical mechanisms, but also because of
failures of other issues such as usability and motivation, and therefore an
interdisciplinary approach is needed to tackle (many) security problems.
Below you will find brief descriptions of some of my previous work and
pointers to selected papers where you can find out more.
- Computer Games (I designed)
- Psychology of security
- Usable Security
- Incentive-Compatible Security Design
- Traditional Security Design
- Applied Cryptography
- Digital forensics
Human Aspects of Information Security
Psychology of security
Deception is not just the basic problem at the heart of cybercrime,
but is central to human behaviour.
More papers on this topic are forthcoming.
Password memorability and security
Passwords are one good example of the importance of the human factors and
usability in security.
In this work, carried
out in collaboration with
a psychologist, we tackled an old but fundamental security problem - how do
you train users to choose passwords that are easy to remember but hard to
guess? There's a lot of "folk wisdom" on this subject but little that would
pass muster by the standards of applied psychology. We did a randomized
controlled trial with four hundred of our first year science students, and
produced solid empirical results.
While confirming some widely held folk beliefs about passwords, we observed
a number of phenomena which run counter to the established wisdom.
- J. Yan, A. Blackwell, R. Anderson and A. Grant.
The memorability and security of passwords -- some empirical results.
University of Cambridge,
Computer Laboratory Technical Report No. 500, 2000.
- J. Yan, A. Blackwell, R. Anderson and A. Grant.
Password Memorability and Security: Empirical Results.
IEEE Security & Privacy, Vol. 2 No. 5, 2004.
- Also reprinted with more clarifications as:
J. Yan, A. Blackwell, R. Anderson and A. Grant. The Memorability and Security of Passwords. Refereed book chapter in
Security and Usability: Designing Secure Systems that People Can Use
Lorrie Cranor and Simson Garfinkel), OReilly & Associates, USA, 2005.
(This is the first ever book on the emerging interdisciplinary
field, "usable security".)
Secure and usable CAPTCHAs
A Simple Generic Attack on Text Captchas, NDSS'16
The Robustness of Hollow CAPTCHAs, ACM CCS'13
The Robustness of Google CAPTCHAs
CAPTCHA design: colour, usability and security.
IEEE Internet Computing, March-April 2012.
(A preliminary version appears as
CS-TR-1203, School of Computing Science, Newcastle University, UK,
Captcha Robustness: A Security Engineering Perspective.
IEEE Computer, vol. 44, no. 2, pp. 54-60, Feb. 2011. (A preliminary version
appears as CS-TR-1180 in November, 2009)
Attacks and Design of Image Recognition CAPTCHAs (with Bin Zhu et al). ACM CCS'10.
The Robustness of a New CAPTCHA
(with A El Ahmad et al).
ACM EuroSec 2010,
CAPTCHA security: a case study (with A El Ahmad), IEEE Security & Privacy,
vol. 7, no. 4, July/Aug. 2009. pp. 22-28.
(cover feature article).
A Low-cost Attack on a Microsoft CAPTCHA (with Ahmad El Ahmad).
ACM CCS'08 version (they have the same title, but differ much
Usability of CAPTCHAs - Or "usability issues in CAPTCHA
Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs (with Ahmad El Ahmad).
Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms (ACSAC'07)
reports a "pixel count" attack that works very well on quite some CAPTCHAs.
In spirit, this is an interesting "side channel" attack.
Bot, Cyborg and Automated Turing Test,
Cambridge Security Protocols Workshop 2006.
- J. Yan. The Robustness of CAPTCHAs. Computer Laboratory Security Seminar, Cambridge University, Nov 21, 2008.
- J. Yan. User Authentication, Theory Meets Reality. HCI Seminar, Department of Computer Science, Bath University, Nov 18, 2008.
- J. Yan. The Robustness of CAPTCHAs. Google tech talk, Pittsburgh, Nov 4, 2008.
- J. Yan. Graphical Passwords: Some Recent Results.
Computer Science and Engineering
Departmental Seminar, Polytechnic Institute of New York University,
New York City, October 27, 2008.
- J. Yan. Graphical passwords: some recent results.
Computer Laboratory Security Seminar, Cambridge University, December 7, 2007.
- J. Yan. Do Background Images Improve "Draw a Secret"
14th ACM Conf. on Computer and Communications Security (CCS'07), Washington
Oct 30, 2007.
- J. Yan. Usable security research at Newcastle.
CMU Usable Privacy and Security
Laboratory, Carnegie Mellon University, Oct 26, 2007.
Failure of motivation also leads to security failure.
Incentive compatible security design, as an emerging research topic, appears
to be essential in an autonomous network environment like the Internet where
many parties (or agents) involved are selfish.
Distributed Denial of Service (DDoS) is at heart a manifestation of what
economists call the "tragedy of the commons": while everyone may have an
interest in protecting a shared resource (Internet security), individuals have
a stronger motive to cheat (connecting insecure computers). Most of the
proposed technical countermeasures would not work, as they didn't consider the
incentive issue. We propose the XenoService as a distributed remedy to
DDoS attacks which can be deployed in such a way as to provide effective
economic incentives for the principals to behave properly.
For more information on this line of research, as well as security economics,
a highly related topic, and its applications, refer to the
Economics and Security Resource Page maintained by Ross Anderson.
Traditional Security Design
The design of technical mechanisms has been the traditional focus of security research. My main contribution in this aspect is the design of new techniques addressing emerging security threats, and improvement of existing security techniques.
Data structure for Security
- J. Yan. Enhancing Signature-based Collaborative Spam Detection,
Computer Laboratory Security Seminar, Cambridge University, March 31, 2006.
Security for network gamesThe emergence of online games has fundamentally changed the traditional
security requirement for computer games, which was mainly copy protection.
Although online games share many security issues that other
networked E-commerce applications concern, e.g., payment security
and service availability, some unique characteristics of online
game systems impose interesting and challenging new security
requirements, which call for the novel use of existing
technology and the invention of new techniques.
While online games are developing into a multi-billion dollar
business, their security has recently started to attract researchers' attention.
- J Yan.
Collusion Detection in Online Bridge
, AAAI-10, Atlanta, USA. (
Security Design in Human Computation Games,
Security Protocols Workshop, Cambridge, 2009.
- J. Yan and
B Randell. An Investigation of
Cheating in Online Games. IEEE Security & Privacy, vol. 7, no. 3, May/June 2009.
- J Yan. Bot, Cyborg and Automated Turing Test,
Cambridge Security Protocols Workshop 2006.
- Detecting Cheaters for Multiplayer Games: Theory, Design and Implementation (with S.F. Yueng et al), IEEE NIME'06.
- J. Yan and
Systematic Classification of Cheating in Online Games.
4th Workshop on Network & System Support for Games
IBM TJ Watson Research Center, New York, U.S.A., Oct 10-11, 2005.
- J Yan and B Randell. Security in Computer Games: from Pong to Online Poker,
CS-TR-889, School of Computing Science, Newcastle University, UK.
- J. Yan.
Security Design in Online Games. In Proc. of the 19th Annual
Computer Security Applications Conference
(ACSAC'03), IEEE Computer Society, Las
Vegas, U.S.A., December, 2003.
- J. Yan and H-J Choi.
Security Issues in Online Games. The
Electronic Library: International Journal for the application of technology
in information environments, Vol. 20 No.2, 2002, Emerald, UK. A
preliminary version appears in Proceedings of the International
Conference on Application and Development of Computer Games, City University of Hong Kong, HK, November 2001.
A statistical aimbot detection method for online FPS games.
The International Joint Conference on Neural Networks (IJCNN), 2012. pp 1-8.
Aimbot Detection in Online FPS Games Using a Heuristic Method
Based on Distribution Comparison Matrix. 19th International Conference
on Neural Information Processing (ICONIP), 2012. pp 654-661
- J. Yan. How to publish by playing games everyday.
Departmental Seminar Talk, Dept. of Computer Science, Hong Kong University
of Science and Technology. March 1, 2004.
Here is a piece of
related work on password security that I contributed.
Proactive password checking and password protocolsIn this work, we attack the classical proactive password checking method,
based on dictionary attack and often fails to prevent some weak passwords with
low entropy. A new approach is proposed to deal with this new class of weak
passwords by (roughly) measuring entropy. A simple example is given to exploit
effective patterns to prevent low-entropy passwords as the first step of
entropy-based proactive checking. We also argue why strong password
authentication protocols like EKE, SRP cannot replace proactive checking,
responding to Wu's proposal in NDSS'99.
Denial of Service
Although denial of service (DoS) attack has become a fast-growing
concern in security research, previous work focused on a type of classical
service denial caused by resource exhaustion. We look into the DoS problem
(including distributed DoS) from some new angles.
Others: code obfuscation for software protection, and vulnerability
I am mostly interesed in cryptanalysis, which has also informed my series of
work on breaking Captchas.
PBKDF2 is a popular crypto primitive and widely used in
real systems such as Wi-Fi, Microsoft .NET, Cisco IOS and Apple's OS X.
Cracking PBKDF2 with GPGPU is not news, but we will have something interesting
to share here soon.
Traitor tracing is an emerging but promising
cryptographic method introduced
to combat copyright piracy of digital media, e.g. pay-TV. One threat model
considered by researchers is that traitors, who are subscribed users in a
content distribution system, build pirate decoders with their legitimate
decoding keys to bypass the security mechanism of the system. Many schemes
were proposed to catch traitors who leak their keys, and some
supported a black-box tracing paradigm. In this work, we show that a type of
intelligent self-protecting pirate decoder can defeat many black-box
- J. Yan. Practical Security Issues in Traitor
Tracing Schemes. Pure Math Seminar, Department of Mathematics, Royal
Holloway, University of London, UK. Nov 13, 2001.
- J. Yan. An Attack on Black-box Traitor Tracing Schemes. Cryptography and Info Security Seminar,
Hewlett-Packard Labs, Bristol, UK. June 26, 2001.
Differential Imaging Forensics
- 2014: my student Andrew Ruddick won the best BSc dissertation in CS
at Newcastle, with a project on
OpenCL Acceleration of Cryptographic Primitives.
- 2006-07: my student Ahmad El Ahmad won
the Philip Merlin Prize for
the best MSc Dissertation
at Newcastle and later a highly
competitive ORS award.
won the best student project award at
Imperial College, UK with his final year
B.Eng. dissertation that I advised at Cambridge.
His dissertation entitled Automatic Signature Extraction
for Mimetic Viruses was among the first to explore automated
signature generation for detecting computer virus and malware,
which has become a hot topic in the recent years.
(Pablo is a full professor in France, and writes papers that I
- 2006 - :
Systems and Network Security at both postgradulate and undergraduate levels;
Databases; Reliability and Fault Tolerance; etc.
- Cambridge days: I regularly supervised
undergraduate and diploma computer science courses, e.g.
Security and Introduction to Security
in Christ's, Churchill, Jesus and King's, and
Discrete Mathematics and Programming
in Java in Trinity College.
How to contact me
jeffyan at acm.org