Sosa-Gómez, Guillermo
Thumbnail Image
Preferred name
Sosa-Gómez, Guillermo
Official Name
Sosa Gómez, Guillermo
Alternative Name
gsosag
Main Affiliation
ORCID
Scopus Author ID
57202400202
Researcher ID
ABA-2857-2020

Research Output
Now showing 1 - 10 of 11
No Thumbnail Available
Publication

Weak PassPoint Passwords Detected by the Perimeter of Delaunay Triangles

2022 , Lisset Suárez-Plasencia , Carlos Miguel Legón-Pérez , Joaquín Alberto Herrera-Macías , Raisa Socorro-Llanes , Rojas, Omar , Sosa-Gómez, Guillermo , Sridhar Adepu

PassPoint is a graphical authentication technique that is based on the selection of five points in an image. A detected vulnerability lies in the possible existence of a pattern in the points that make up the password. The objective of this work is to detect nonrandom graphical passwords in the PassPoint scenario. A spatial randomness test based on the average of Delaunay triangles’ perimeter is proposed, given the ineffectiveness of the classic tests in this scenario, which only consists of five points. A state-of-the-art of various applications of Voronoi polygons and Delaunay triangulations are presented to detect clustered and regular patterns. The distributions of the averages of the triangles’ perimeters in the PassPoint scenario for various sizes of images are disclosed, which were unknown. The test’s decision criterion was constructed from one of the best distributions to which the data were adjusted. Type I and type II errors were estimated, and it was concluded that the proposed test could detect clustered and regular graphical passwords in PassPoint, therefore being more effective in detecting clustering than regularity.

View
No Thumbnail Available
Publication

Measuring Independence between Statistical Randomness Tests by Mutual Information

2020 , Jorge Augusto Karell-Albo , Carlos Miguel Legón-Pérez , Evaristo José Madarro-Capó , Rojas, Omar , Sosa-Gómez, Guillermo

The analysis of independence between statistical randomness tests has had great attention in the literature recently. Dependency detection between statistical randomness tests allows one to discriminate statistical randomness tests that measure similar characteristics, and thus minimize the amount of statistical randomness tests that need to be used. In this work, a method for detecting statistical dependency by using mutual information is proposed. The main advantage of using mutual information is its ability to detect nonlinear correlations, which cannot be detected by the linear correlation coefficient used in previous work. This method analyzes the correlation between the battery tests of the National Institute of Standards and Technology, used as a standard in the evaluation of randomness. The results of the experiments show the existence of statistical dependencies between the tests that have not been previously detected.

View
No Thumbnail Available
Publication

Selecting an Effective Entropy Estimator for Short Sequences of Bits and Bytes with Maximum Entropy

2021 , Lianet Contreras Rodríguez , Evaristo José Madarro-Capó , Carlos Miguel Legón-Pérez , Rojas, Omar , Sosa-Gómez, Guillermo

Entropy makes it possible to measure the uncertainty about an information source from the distribution of its output symbols. It is known that the maximum Shannon’s entropy of a discrete source of information is reached when its symbols follow a Uniform distribution. In cryptography, these sources have great applications since they allow for the highest security standards to be reached. In this work, the most effective estimator is selected to estimate entropy in short samples of bytes and bits with maximum entropy. For this, 18 estimators were compared. Results concerning the comparisons published in the literature between these estimators are discussed. The most suitable estimator is determined experimentally, based on its bias, the mean square error short samples of bytes and bits.

View
No Thumbnail Available
Publication

Search-Space Reduction for S-Boxes Resilient to Power Attacks

2021 , Carlos Miguel Legón-Pérez , Ricardo Sánchez-Muiña , Dianne Miyares-Moreno , Yasser Bardaji-López , Ismel Martínez-Díaz , Rojas, Omar , Sosa-Gómez, Guillermo

The search of bijective n×n S-boxes resilient to power attacks in the space of dimension (2n)! is a controversial topic in the cryptology community nowadays. This paper proposes partitioning the space of (2n)! S-boxes into equivalence classes using the hypothetical power leakage according to the Hamming weights model, which ensures a homogeneous theoretical resistance within the class against power attacks. We developed a fast algorithm to generate these S-boxes by class. It was mathematically demonstrated that the theoretical metric confusion coefficient variance takes constant values within each class. A new search strategy—jumping over the class space—is justified to find S-boxes with high confusion coefficient variance in the space partitioned by Hamming weight classes. In addition, a decision criterion is proposed to move quickly between or within classes. The number of classes and the number of S-boxes within each class are calculated, showing that, as n increases, the class space dimension is an ever-smaller fraction of the space of S-boxes, which significantly reduces the space of search of S-boxes resilient to power attacks, when the search is performed from class to class.

View
No Thumbnail Available
Publication

Information Theory Based Evaluation of the RC4 Stream Cipher Outputs

2021 , Evaristo José Madarro-Capó , Carlos Miguel Legón-Pérez , Rojas, Omar , Sosa-Gómez, Guillermo

This paper presents a criterion, based on information theory, to measure the amount of average information provided by the sequences of outputs of the RC4 on the internal state. The test statistic used is the sum of the maximum plausible estimates of the entropies H(jt|zt), corresponding to the probability distributions P(jt|zt) of the sequences of random variables (jt)t∈T and (zt)t∈T, independent, but not identically distributed, where zt are the known values of the outputs, while jt is one of the unknown elements of the internal state of the RC4. It is experimentally demonstrated that the test statistic allows for determining the most vulnerable RC4 outputs, and it is proposed to be used as a vulnerability metric for each RC4 output sequence concerning the iterative probabilistic attack.

View
No Thumbnail Available
Publication

Measuring Avalanche Properties on RC4 Stream Cipher Variants

2021 , Evaristo José Madarro-Capó , Carlos Miguel Legón-Pérez , Rojas, Omar , Sosa-Gómez, Guillermo

In the last three decades, the RC4 has been the most cited stream cipher, due to a large amount of research carried out on its operation. In this sense, dissimilar works have been presented on its performance, security, and usability. One of the distinguishing features that stand out the most is the sheer number of RC4 variants proposed. Recently, a weakness has been reported regarding the existence of statistical dependence between the inputs and outputs of the RC4, based on the use of the strict avalanche criterion and the bit independence criterion. This work analyzes the influence of this weakness in some of its variants concerning RC4. The five best-known variants of RC4 were compared experimentally and classified into two groups according to the presence or absence of such a weakness.

View
No Thumbnail Available
Publication

Test for Detection of Weak Graphic Passwords in Passpoint Based on the Mean Distance between Points

2021 , Joaquín Alberto Herrera-Macías , Carlos Miguel Legón-Pérez , Lisset Suárez-Plasencia , Luis Ramiro Piñeiro-Díaz , Rojas, Omar , Sosa-Gómez, Guillermo

This work demonstrates the ineffectiveness of the Ripley’s K function tests, the distance to the nearest neighbor, and the empty space function in the Graphical Authentication scenario with Passpoint for the detection of non-random graphical passwords. The results obtained show that none of these tests effectively detect non-random graphical passwords; the reason for their failure is attributed to the small sample of the spatial pattern in question, where only the five points of the graphical password are analyzed. Consequently, a test based on mean distances is proposed, whose experiments show that it detects with good efficiency non-random graphical passwords in Passpoint. The test was designed to be included in the Graphical Authentication systems with Passpoint to warn the user about a possibly weak password during the registration phase, and in this way, the security of the system is increased.

View
No Thumbnail Available
Publication

Bit Independence Criterion Extended to Stream Ciphers

2020 , Evaristo José Madarro-Capó , Carlos Miguel Legón-Pérez , Rojas, Omar , Sosa-Gómez, Guillermo , Raisa Socorro-Llanes

The bit independence criterion was proposed to evaluate the security of the S-boxes used in block ciphers. This paper proposes an algorithm that extends this criterion to evaluate the degree of independence between the bits of inputs and outputs of the stream ciphers. The effectiveness of the algorithm is experimentally confirmed in two scenarios: random outputs independent of the input, in which it does not detect dependence, and in the RC4 ciphers, where it detects significant dependencies related to some known weaknesses. The complexity of the algorithm is estimated based on the number of inputs l, and the dimensions, n and m, of the inputs and outputs, respectively.

View
No Thumbnail Available
Publication

New Test to Detect Clustered Graphical Passwords in Passpoints Based on the Perimeter of the Convex Hull

2024 , Joaquín Alberto Herrera-Macías , Lisset Suárez-Plasencia , Carlos Miguel Legón-Pérez , Sosa-Gómez, Guillermo , Rojas, Omar

This research paper presents a new test based on a novel approach for identifying clustered graphical passwords within the Passpoints scenario. Clustered graphical passwords are considered a weakness of graphical authentication systems, introduced by users during the registration phase, and thus it is necessary to have methods for the detection and prevention of such weaknesses. Graphical authentication methods serve as a viable alternative to the conventional alphanumeric password-based authentication method, which is susceptible to known weaknesses arising from user-generated passwords of this nature. The test proposed in this study is based on estimating the distributions of the perimeter of the convex hull, based on the hypothesis that the perimeter of the convex hull of a set of five clustered points is smaller than the one formed by random points. This convex hull is computed based on the points that users select as passwords within an image measuring 1920 × 1080 pixels, using the built-in function convhull in Matlab R2018a relying on the Qhull algorithm. The test was formulated by choosing the optimal distribution that fits the data from a total of 54 distributions, evaluated using the Kolmogorov–Smirnov, Anderson–Darling, and Chi-squared tests, thus achieving the highest reliability. Evaluating the effectiveness of the proposed test involves estimating type I and II errors, for five levels of significance α∈{0.01,0.02,0.05,0.1,0.2}, by simulating datasets of random and clustered graphical passwords with different levels of clustering. In this study, we compare the effectiveness and efficiency of the proposed test with existing tests from the literature that can detect this type of pattern in Passpoints graphical passwords. Our findings indicate that the new test demonstrates a significant improvement in effectiveness compared to previously published tests. Furthermore, the joint application of the two tests also shows improvement. Depending on the significance level determined by the user or system, the enhancement results in a higher detection rate of clustered passwords, ranging from 0.1% to 8% compared to the most effective previous methods. This improvement leads to a decrease in the estimated probability of committing a type II error. In terms of efficiency, the proposed test outperforms several previous tests; however, it falls short of being the most efficient, using computation time measured in seconds as a metric. It can be concluded that the newly developed test demonstrates the highest effectiveness and the second-highest efficiency level compared to the other tests available in the existing literature for the same purpose. The test was designed to be implemented in graphical authentication systems to prevent users from selecting weak graphical passwords, enhance password strength, and improve system security.

View
No Thumbnail Available
Publication

Detection of DIAG and LINE Patterns in PassPoints Graphical Passwords Based on the Maximum Angles of Their Delaunay Triangles

2022 , Lisset Suárez-Plasencia , Joaquín Alberto Herrera-Macías , Carlos Miguel Legón-Pérez , Sosa-Gómez, Guillermo , Rojas, Omar

An alternative authentication method to traditional alphanumeric passwords is graphical password authentication, also known as graphical authentication, for which one of the most valuable cued-recall techniques is PassPoints. This technique stands out for its security and usability. However, it can be violated if the user follows a predefined pattern when selecting the five points in an image as their passwords, such as the DIAG and LINE patterns. Dictionary attacks can be built using these two patterns to compromise graphical passwords. So far, no reports have been found in the state of the art about any test capable of detecting graphical passwords with DIAG or LINE patterns in PassPoints. Studies carried out in other scenarios have shown the effectiveness of the characteristics of Delaunay triangulations in extracting information about the dependence between the points. In this work, graphical passwords formed by five randomly selected points on an image are compared with passwords whose points contain patterns of the DIAG or LINE type. The comparison is based on building for each password its Delaunay triangulation and calculating the mean value of the maximum angles of the triangles obtained; such a mean value is denoted by amadt. It is experimentally shown that in passwords containing DIAG and LINE patterns, the value of amadt is higher than the one obtained in passwords formed by random dots. From this result, it is proposed to use this amadt value as a statistic to build a test of means. This result constitutes the work’s main contribution: The proposal of a spatial randomness test to detect weak graphic passwords that contain DIAG and LINE type patterns. The importance and novelty of this result become evident when two aspects are taken into account: First, these weak passwords can be exploited by attackers to improve the effectiveness of their attacks; second, there are no prior criteria to detect this type of weak password. The practical application of said test contributes to increasing PassPoints security without substantially affecting its efficiency.

View