Securing Passwords Against Dictionary Attacks
Based on an article by Benny Pinkas & Tomas Sander, 2002
Presented by Tomer Conforti


Page 1

Securing Passwords Against Dictionary Attacks

Based on an article by Benny Pinkas & Tomas Sander, 2002

Presented by Tomer Conforti

Page 2

Agenda

- Introduction - why the article was written
- Current countermeasures and why they don't suffice
- RTT - reversed Turing tests
- Naïve solution
- The protocol and analysis

Page 3

Introduction

- The need for security
- The common usage of passwords
- Vulnerabilities of user chosen passwords
- What a dictionary attack is

Page 4

Security Assumptions

- Eavesdropping on an ongoing transaction is not possible, because the transaction is encrypted (ex. SSL).
- An online interaction with the server must take place in order to determine whether a password authenticates.

Page 5

Current Countermeasures Against Dictionary Attacks

- Delayed response - why it doesn't suffice:
  - Systems with many users.
  - Many parallel login attempts.
- Account locking - why it doesn't suffice:
  - Denial of service attacks.
  - Customer service costs.

Page 6

RTT - Reversed Turing Test

- TTs and RTTs are tests created to distinguish man from machine.
- Turing Tests are easy for machines and almost impossible for people. Example: long number multiplication or division.
- Reversed Turing Tests are tests that are easy (enough) for people but very hard for current technology computers. These tests must have a large answer domain, so that guessing the answer has a very low probability of success.

Page 7

Various RTTs

- There are several kinds of RTTs known today:
  - Most commonly used: distorted character recognition.
  - Distorted picture recognition.
  - For disabled people there are less known tests, like hearing a word in a noisy playback.
- It is true that if one has enough resources he could pay (for development and/or hardware) to be able to break an RTT. We will touch on dealing with a broken RTT later on.

Page 8

Naïve Solutions

- Password and RTT based solution: for every login attempt the server asks the user to pass an RTT.
  - Corrupts the login experience.
  - Very demanding to manufacture an RTT per login.
- Only ask for an RTT if the previous login has failed.
  - The attacker will simply not use those logins (and won't lose much of the attack throughput).

Page 9

Just Before the Protocol

- The server has to have a way to reliably identify the login computer:
  - For web based programs - cookies
  - Network address / MAC address
  - Client program installed on the login computer
- Our protocol assumes the use of cookies.
- Cookie theft is also dealt with.

Page 10

The Protocol

- Initialization: after a first successful login the server plants a cookie with a record of the username and the machine's ID.
- The cookie can be read and changed only by the server, by encrypting the stored data.

Page 11

The Protocol - cont (2)

Login procedure:
- The user enters the username and password.
- If a cookie exists it is sent and authenticated by the server.
- If the username and password are correct:
  - If the cookie is authentic, access is granted.
  - If the cookie doesn't exist or is not authenticated, an RTT is generated. With the correct RTT answer access is granted.

Page 12

The Protocol - cont (3)

- If the password is incorrect:
  - With probability "p" the user is asked to pass an RTT; after the RTT answer (correct or not) the user is denied access.
  - With probability "1-p" the user is denied immediately.
- Important point: the decision whether to serve the user with an RTT must be a deterministic function of the username and password submitted.

Page 13

Usability Analysis

- User experience almost doesn't change.
- The user is asked to pass an RTT only when he tries to log on from a new computer or when he entered the wrong password (with probability "p").
- Most users use a small set of computers to login from.
- From the experience of Yahoo, AltaVista and PayPal we can learn that users are willing to answer RTTs as long as they don't come frequently.

Page 14

Scalability and Operational Analysis

- How many RTTs does the server have to generate?
  - For logins from new machines (negligible).
  - For a fraction "p" of the failed login attempts.
- This is much better than the naïve solution (assuming p << 1).

Page 15

Security Analysis - Single Account

- Assume there are "N" different passwords in the domain.
- Without answering any RTT, the attacker can only identify that the correct password is in a subset of size pN (the remaining (1-p)N passwords are rejected without an RTT and can be ruled out).
- To gain more information the attacker must pay with an RTT answer.

Page 16

Security Analysis - Multiple Accounts

- Assume that the attacker knows "L" user names.
- Since the different users are IID, the best strategy is to deal with each username independently.

Page 17

Playing the Numbers - Brute Force

- N = 10^6: 2 words randomly selected from a 1000 word dictionary.
- p = 0.1
- Number of different RTTs: 1000
- Brute force (guessing the RTT):

daysondattemptxxxx 7.5sec/[email protected]

Page 18

Playing the Numbers - Solving RTTs

- Assume it takes 3 seconds to solve an RTT, either by a program (god forbid) or by a low cost worker that solves RTTs.
- 1/2 × 10^6 × 0.1 × 3 = 150,000 sec
- 150,000 seconds = 5 working days to break into one user.

Page 19

Broken RTT

- Identifying a broken RTT: watch the ratio

  (logins with a correct RTT answer & a failed password) / (total logins)

  When this ratio grows, the server must assume that the RTT is broken.
- Countermeasures:
  - Raising "p" (even to more than 1: the attacker then needs to provide more than one RTT per login).
  - Changing the RTT, preferably to one from a different domain.
  - Contacting the user by phone or mail to decide on an alternative form of login.

Page 20

Cookie Theft

- The server holds a counter for every cookie it sent out.
- For every failed login attempt (with this cookie) the value of the counter increases by one.
- When the counter reaches a certain number the cookie is forever disabled, and any login attempt with this cookie will be treated as if there were no cookie at all.
- A new cookie will be presented after a correct login.
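The login procedure of pages 10-12 together with the cookie counter of page 20, as an added Python example that is not code from the slides or from the Pinkas-Sander paper. It assumes a keyed MAC (HMAC-SHA256 under a server-only key) in place of the slides' encrypted cookie, an HMAC over (username, password) as the deterministic "serve an RTT?" function, a trivial CAPTCHA stand-in where the `solve` callback plays the human, p = 0.1 from the deck, and a constructed cookie failure limit of 5; the names `Server`, `login`, `cookie_valid` and `rtt_on_failure` are mine.

```python
import hashlib
import hmac
import secrets

P = 0.1                 # the deck's p: fraction of wrong guesses that still get an RTT
COOKIE_FAIL_LIMIT = 5   # assumed value; the slides only say "a certain number"

class Server:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # known only to the server
        self.users = {}        # username -> password tag (use a slow hash in practice)
        self.cookie_fail = {}  # cookie id -> failed logins seen with that cookie

    def _mac(self, text):
        return hmac.new(self.key, text.encode(), hashlib.sha256).hexdigest()

    def register(self, user, pw):
        self.users[user] = self._mac("pw|" + user + "|" + pw)

    def issue_cookie(self, user, machine_id):
        # id|user|machine|MAC; the MAC stops the client altering the record (no '|' in fields)
        body = "|".join((secrets.token_hex(8), user, machine_id))
        return body + "|" + self._mac("cookie|" + body)

    def cookie_valid(self, cookie, user, machine_id):
        parts = cookie.split("|")
        if len(parts) != 4 or not hmac.compare_digest(
                parts[3], self._mac("cookie|" + "|".join(parts[:3]))):
            return False  # malformed, forged or altered cookie
        if self.cookie_fail.get(parts[0], 0) >= COOKIE_FAIL_LIMIT:
            return False  # disabled for good: treated as "no cookie at all"
        return parts[1] == user and parts[2] == machine_id

    def rtt_on_failure(self, user, pw):
        # Deterministic in (user, pw): resubmitting the same guess leaks nothing new;
        # True for about a fraction P of all guesses.
        return int(self._mac("rtt|" + user + "|" + pw)[:8], 16) / 2**32 < P

    def _serve_rtt(self, solve):
        # CAPTCHA stand-in: the challenge is the answer itself; `solve` plays the human
        answer = secrets.token_hex(2)
        return solve is not None and solve(answer) == answer

    def login(self, user, pw, machine_id, cookie=None, solve=None):
        pw_ok = user in self.users and hmac.compare_digest(
            self.users[user], self._mac("pw|" + user + "|" + pw))
        cookie_ok = cookie is not None and self.cookie_valid(cookie, user, machine_id)
        if pw_ok and cookie_ok:
            return "granted", cookie
        if pw_ok:  # correct password from a new machine: always an RTT
            if self._serve_rtt(solve):
                return "granted", self.issue_cookie(user, machine_id)
            return "denied", None
        if cookie_ok:  # failed login with an authentic cookie: bump its counter
            cid = cookie.split("|")[0]
            self.cookie_fail[cid] = self.cookie_fail.get(cid, 0) + 1
        if self.rtt_on_failure(user, pw):  # looks exactly like the pw_ok branch
            self._serve_rtt(solve)  # answer ignored: denied either way
        return "denied", None
```

A correct password from a new machine and a wrong password that draws an RTT produce the same visible response, which is what denies an attacker free information about the pN candidates.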

Page 21

Now we can lock accounts

- Assuming that the best attack on an RTT is a guess, the server can raise the number of unsuccessful attempts that locks an account (let's say 100).
- Without the RTT method an attacker can break into an account with probability M*L/N, where M = number of accounts, L = number of attempts before lock, N = password domain size.

Page 22

Now we can lock accounts (cont')

- With an RTT the effective password domain grows to N*p*S, where p = fraction, S = RTT answer domain.
- With a common value of p*S = 100, we have a substantial advantage over previous solutions.
- Advantage: when the RTT is broken, the locking mechanism gives the system administrator time to react to the broken RTT.
- A user will accidentally lock his own account by failing 100 login attempts...

Page 23

Summary

- Gives good protection against dictionary attacks.
- RTTs can be used on all web based systems (ex. string RTTs).
- No additional hardware tokens or software downloads.
- The RTT doesn't appear frequently for the normal user.
- Easy integration in existing protocols.

Page 24

Questions?

Thank you

Page 25

Homework (firefoxtc (at) gmail.com)

1. Why does the protocol demand that the function deciding whether to serve an RTT or not must be deterministic?
2. What method is suggested to improve the login experience from a new machine by smartly choosing the RTT given to the user?
3. What should we demand from the protocol to avoid "timing attacks"?