1
Securing Passwords Against Dictionary Attacks
Based on an article by Benny Pinkas & Tomas Sander, 2002
Presented by Tomer Conforti
2
Agenda
Introduction - why the article was written
Current countermeasures and why they don't suffice
RTT - reversed Turing tests
Naïve solution
The protocol and analysis
3
Introduction
The need for security
The common usage of passwords
Vulnerabilities of user-chosen passwords
What a dictionary attack is
4
Security Assumptions
No eavesdropping on an ongoing transaction is possible, since the transaction is encrypted (e.g. SSL).
Online interaction (an authentication attempt) must take place in order to test a password.
5
Current Countermeasures Against Dictionary Attacks
Delayed response
  Systems with many users
  Many parallel login attempts
Account locking
  Denial of service attacks
  Customer service costs
6
RTT – Reversed Turing Test
TTs and RTTs are tests created to distinguish man from machine.
Turing Tests are easy for machines and almost impossible for people.
  Example – long number multiplication or division.
Reversed Turing Tests are tests that are easy (enough) for people but very hard for current-technology computers.
  These tests must have a large answer domain, so that guessing the answer has very low probability.
7
Various RTTs
There are several kinds of RTTs known today.
  Most commonly used – distorted character recognition.
  Distorted picture recognition.
  For disabled people there are less known tests, like hearing a word in a noisy playback.
It is true that if one has enough resources he could pay (for development and/or hardware) to be able to break an RTT.
  We will touch on dealing with a broken RTT later on.
8
Naïve Solutions
Password and RTT based solution: for every login attempt the server asks the user to pass an RTT.
  Corrupts the login experience.
  Very demanding to manufacture an RTT per login.
Only ask for an RTT if the previous login has failed.
  The attacker will simply not use these logins (and won't lose much of the attack throughput).
9
Just Before the Protocol
The server has to have a way to reliably identify the login computer:
  For web based programs – cookies
  Network address / MAC address
  Client program installed on the login computer
Our protocol assumes the use of cookies.
  Cookie theft is also dealt with.
10
The Protocol
Initialization:
  After a first successful login the server plants a cookie with a record of the username and the machine's ID.
  The cookie can be read and changed only by the server – by encrypting the stored data.
11
The Protocol – cont (2)
Login procedure:
  The user enters the username and password.
  If a cookie exists it is sent and authenticated by the server.
  If the username and password are correct:
    If the cookie is authentic – access is granted.
    If the cookie doesn't exist or is not authenticated – an RTT is generated. With the correct RTT answer access is granted.
12
The Protocol – cont (3)
  If the password is incorrect:
    With probability "p" the user is asked to pass an RTT; after the RTT answer (correct or not) the user is denied access.
    With probability "1-p" the user is denied immediately.
Important point: the decision whether to serve the user with an RTT must be a deterministic function of the username and password submitted.
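The login procedure of slides 10-12 as a toy in-memory server, an added example that is not from the slides or from Pinkas and Sander's paper. The server key, the cookie layout (username, machine id, HMAC tag; the slides speak of encryption, an HMAC gives the authenticity the protocol needs) and the user table are constructed for the demo; the RTT itself is abstracted to a "was it answered correctly" flag.

```python
import hashlib
import hmac
import secrets

class Server:
    def __init__(self, users, p=0.1):
        self.users = users                     # username -> password (constructed sample data)
        self.p = p                             # probability of an RTT after a wrong password
        self.key = secrets.token_bytes(32)     # server-only key for cookie tags and RTT decisions

    def _mac(self, *parts):
        data = b"\0".join(s.encode() for s in parts)
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def serve_rtt(self, username, password):
        # Slide 12: a deterministic "coin" over the submitted pair. Resubmitting
        # the same wrong guess always gets the same answer, so an attacker cannot
        # retry a guess until the RTT happens to be skipped.
        h = self._mac("rtt", username, password)
        return int.from_bytes(h[:8], "big") / 2**64 < self.p

    def issue_cookie(self, username, machine_id):
        # Slide 10: cookie binding username and machine id, planted after a
        # successful login. Assumed format: "user|machine|hex(HMAC)".
        body = f"{username}|{machine_id}"
        return body + "|" + self._mac("cookie", body).hex()

    def cookie_valid(self, cookie, username):
        try:
            user, machine, tag = cookie.split("|")
        except (AttributeError, ValueError):   # no cookie, or malformed one
            return False
        expected = self._mac("cookie", f"{user}|{machine}").hex()
        return user == username and hmac.compare_digest(tag, expected)

    def login(self, username, password, cookie=None, rtt_solved=None):
        """Returns 'granted', 'denied' or 'rtt' (an RTT must be answered first).
        rtt_solved is None until the client answers, then True or False."""
        if self.users.get(username) == password:
            if self.cookie_valid(cookie, username):
                return "granted"                 # slide 11: authentic cookie, no RTT
            if rtt_solved is None:
                return "rtt"                     # new or unknown machine: RTT first
            return "granted" if rtt_solved else "denied"
        # Wrong password (slide 12): RTT with probability p, then denial either way.
        if rtt_solved is None and self.serve_rtt(username, password):
            return "rtt"
        return "denied"
```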
13
Usability Analysis
User experience almost doesn't change.
  The user is asked to pass an RTT only when he tries to log on from a new computer or when he entered the wrong password (with probability "p").
  Most users use a small set of computers to log in from.
From the experience of Yahoo, AltaVista and PayPal we can learn that users are willing to answer RTTs as long as they don't come frequently.
14
Scalability and Operational Analysis
How many RTTs does the server have to generate?
  For logins from new machines (negligible).
  For a fraction "p" of the failed login attempts.
This is much better than the naïve solution (assuming p << 1).
15
Security Analysis – Single Account
Assuming there are "N" different passwords in the domain.
The attacker can identify that the correct password is in a subset of size p(N-1)+1 ≈ pN, without answering any RTT.
To gain more information the attacker must pay with an RTT answer.
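A Monte Carlo check of the single-account claim on this slide, added here as an example (not from the slides or the paper): with no cookie, the attacker submits every dictionary word once and keeps the ones answered with an RTT. The server key, the username "alice" and the dictionary are constructed; the RTT decision is the keyed-hash coin assumed in the protocol example.

```python
import hashlib
import hmac
import secrets

def rtt_decision(key, username, password, p):
    # Deterministic coin of slide 12: keyed hash of the submitted pair, compared with p.
    h = hmac.new(key, f"{username}\0{password}".encode(), hashlib.sha256).digest()
    return int.from_bytes(h[:8], "big") / 2**64 < p

def response_without_cookie(key, username, password, true_password, p):
    # What a login from an unknown machine sees: the correct password always
    # triggers an RTT (slide 11); a wrong one does so with probability p (slide 12).
    if password == true_password:
        return "rtt"
    return "rtt" if rtt_decision(key, username, password, p) else "denied"

def candidate_set(key, username, dictionary, true_password, p):
    # Passwords the attacker cannot rule out without solving an RTT.
    return [pw for pw in dictionary
            if response_without_cookie(key, username, pw, true_password, p) == "rtt"]

def run_experiment(n_passwords=10_000, p=0.1):
    key = secrets.token_bytes(32)                        # server secret, fresh per run
    dictionary = [f"pw{i}" for i in range(n_passwords)]  # constructed stand-in for the N passwords
    true_password = dictionary[n_passwords // 2]
    cands = candidate_set(key, "alice", dictionary, true_password, p)
    return {
        "candidates": len(cands),                        # measured subset size
        "expected": p * (n_passwords - 1) + 1,           # slide 15: p(N-1)+1, about pN
        "true_in_set": true_password in cands,           # the real password is never ruled out
    }

if __name__ == "__main__":
    print(run_experiment())
```

The measured subset lands within a few dozen of p(N-1)+1, and the true password is always inside it, which is exactly why the attacker must start paying RTT answers to narrow it further.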
16
Security Analysis – Multiple Accounts
Assume that the attacker knows "L" user names.
Since the different users are IID, the best strategy is to deal with each username independently.
17
Playing the Numbers – Brute Force
N = 10^6: 2 words randomly selected from a 1000-word dictionary
p = 0.1
Number of different RTTs: 1000
Brute force (guessing the RTT): 1/2 x 10^6 x 0.1 x 1000 attempts x (sec/attempt) = 5.7 days
18
Playing the Numbers – Solving RTTs
Assume it takes 3 seconds to solve an RTT
  Either by a program (god forbid)
  or by a low cost worker that solves RTTs
1/2 x 10^6 x 0.1 x 3 = 150,000 sec
150,000 seconds = 5 working days to break into one user.
19
Broken RTT
Identifying a broken RTT: watch the ratio
  (logins with correct RTT & failed password) / (total logins)
If this ratio grows, the server must assume that the RTT is broken.
Countermeasures:
  Raising "p" (even to more than 1 – the attacker needs to provide more than one RTT per login).
  Changing the RTT – preferably to one from a different domain.
  Contacting the user by phone or mail to decide on an alternative form of login.
20
Cookie Theft
The server holds a counter for every cookie it sent out.
For every failed login attempt (with this cookie) the value of the counter increases by one.
When the counter reaches a certain number the cookie is forever disabled, and any login attempt with this cookie will be treated as if there were no cookie at all.
A new cookie will be presented after a correct login.
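The server-side bookkeeping this slide describes, as an added example (not from the slides or the paper); the threshold of 10 failures and the cookie ids are assumptions. It also measures what a stolen cookie buys a thief: at most max_failures wrong guesses without an RTT, after which the cookie is dead and the legitimate user simply earns a fresh one on the next correct login.

```python
class CookieRegistry:
    def __init__(self, max_failures=10):
        self.max_failures = max_failures   # assumed threshold, not a value from the slides
        self.failures = {}                 # cookie id -> failed logins seen with it
        self.disabled = set()              # cookie ids disabled forever

    def issue(self, cookie_id):
        # Called after a correct login: a fresh cookie starts with a clean counter.
        self.failures[cookie_id] = 0

    def usable(self, cookie_id):
        # Unknown or disabled cookies are treated exactly like "no cookie at all",
        # so the login falls back to the RTT path of slide 11.
        return cookie_id in self.failures and cookie_id not in self.disabled

    def record_failure(self, cookie_id):
        if not self.usable(cookie_id):
            return
        self.failures[cookie_id] += 1
        if self.failures[cookie_id] >= self.max_failures:
            self.disabled.add(cookie_id)

def free_guesses_with_stolen_cookie(registry, cookie_id, guesses, true_password):
    """Wrong guesses a thief can submit under a stolen cookie before it stops
    bypassing the RTT; a correct guess ends the count because the cookie is still
    authentic at that point (the counter bounds the damage, it cannot prevent it)."""
    free = 0
    for guess in guesses:
        if not registry.usable(cookie_id) or guess == true_password:
            break
        registry.record_failure(cookie_id)
        free += 1
    return free
```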
21
Now we can lock accounts
Assuming that the best break of an RTT is a guess:
  The server can raise the number of unsuccessful attempts that locks an account (let's say 100).
Without the RTT method an attacker can break into an account with probability M*L/N
  M = number of accounts, L = number of attempts before lock, N = password domain size
22
Now we can lock accounts (cont')
With an RTT the password domain rises to N*p*S
  p = fraction, S = RTT answer domain
With a common value of p*S = 100, we have a substantial advantage over previous solutions.
Advantage: when the RTT is broken, the locking mechanism gives the system administrator the time to react to the broken RTT.
A user will accidentally lock his own account by failing 100 login attempts…
23
Summary
Gives good protection against dictionary attacks.
RTT can be used on all web based systems (e.g. string RTTs).
No additional hardware tokens or software downloads.
RTT doesn't appear frequently for the normal user.
Easy integration in existing protocols.
24
Questions?
Thank you
25
Homework
firefoxtc (at) gmail.com
1. Why does the protocol demand that the function deciding whether to serve an RTT or not must be deterministic?
2. What method is suggested to improve the login experience from a new machine by smartly choosing the RTT given to the user?
3. What should we demand from the protocol to avoid "timing attacks"?