Upload
dominic-gallagher
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
The game plan
• Historical analysis• Brief overview of research landscape• Current practices in industry• Bonneau paper• Weir et al. paper• Misc and wrap-up
Password use cases
• OS login• Website / service login• PINs• Encryption
Authentication
Confidentiality
PW-based authentication: the basic architecture
Register:tom, pw
Store tom, pw in someform.
login:tom, pw’
Authenticationservice
Check that pw’ = pw
What are security threats?
The history of password research
“Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember. “
[Morris, Thompson 1979]
Analysis of UNIX passwords & password-hashing system
“The results were disappointing, except to the bad guy. In a collection of 3,289 passwords gathered from many users over a long period of time,
15 were a single ASCII character;72 were strings of two ASCII characters;464 were strings of three ASCII characters;477 were strings of four alphamerics;706 were five letters, all upper-case or all lower-case;605 were six letters, all lower-case.”
[Morris, Thompson 1979]
The history of password research
86% crackable
Morris, Thompson suggest:– Slow hashing (they called it encryption)– Less predictable passwords– Salt before hashing– Use custom version of DES to avoid hardware– Don’t have separate error for bad login
The history of password research
The research landscape since 1979…• Understanding user selection
– Measuring password strength [see citations in Bonneau paper], [Li, Han `14], [CMU papers]• Guiding password selection
– Strength meters, requirements, etc.– Password expiration [Zhang et al. ‘12]
• Password transmission, login logic– Single sign-on (SSO) technologies
• Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15]– Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12]
• Improving offline brute-force attacks– Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov
‘05]– Better dictionaries [JohntheRipper], [Weir et al. ‘09], [Ma et al. ‘14]
• Password managers – Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15]– Breaking password managers [Li et al. ‘14] [Silver et al. ’15]– Stateless password managers [Ross et al. ’05]
• https://github.com/hackappcom/ibrute• https://github.com/Pr0x13/iDict/blob/
master/main.php
Courtesy of Belenko, Troshichev (viaForensics)
Linked in circa 2012 stored passwords as which of:• pw• MD5(pw)• H(salt,pw)• Hc(salt,pw) 6.5 million hashes leaked
90% cracked in 2 weeks
Offline brute-force attacks
Dictionary:List of probable passwords
h1 = H(pw1) h2 = H(pw2) … hm = H(pwm)
H(guess1) , H(guess2) , …
Check if any guesses equal any of h1, … , hm
Password hashing• Recall Morris, Thompson goal: slow down
brute-force attacks• PKCS#5 approach:
H H H…pw || salt h = Hc(pw || salt)
H : {0,1}* -> {0,1}n is cryptographic hashfunction (e.g., SHA-256)
salt should be random bit string large enough to be unpredictable
c times
Password hashing• Recall Morris, Thompson goal: slow down
brute-force attacks• The role of salts:– Prevents use of time-memory trade-offs (rainbow
tables)– Cracking m accounts requires m times the work
h1 = Hc(pw1,salt1) h2 = Hc(pw2,salt2) … hm = Hc(pwm,saltm)
Proofs: See [Bellare, Ristenpart, Tessaro ‘12]
$cur = ‘password’$cur = md5($cur)$salt = randbytes(20)$cur = hmac_sha1($cur, $salt)$cur = remote_hmac_sha256($cur, $secret)$cur = scrypt($cur, $salt)$cur = hmac_sha256($cur, $salt)
Facebook password “onion”
Brute-force attacks
• Offline attacks of hashed database slowed down by a constant factor -- guessing still works if passwords are bad– Nowadays, use memory-hard functions (e.g., scrypt,
Argon2)
• Online brute-force attacks– Public login pages– Compromised web server in distributed security
architecture
Rockyou data breach: 32 million social gaming accounts
290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess 21725 1234567 20901 rockyou 20553 12345678 16648 abc123 16227 nicole 15308 daniel 15163 babygirl 14726 monkey 14331 lovely 14103 jessica 13984 654321 13981 michael 13488 ashley 13456 qwerty 13272 111111 13134 iloveu 13028 000000 12714 michelle 11761 tigger 11489 sunshine 11289 chocolate 11112 password1 10836 soccer 10755 anthony 10731 friends 10560 butterfly 10547 purple 10508 angel 10167 jordan 9764 liverpool 9708 justin 9704 loveme 9610 fuckyou ... ... 9 tonee 9 tonebone 9 tonatzin 9 tonatihu 9 tonaor 9 tonantzin 9 tomybill 9 tomtomgo 9 tomtom8 9 tomrules 9 tomoe 9 tommyr 9 tommylee1 9 tommyjr 9 tommydog
... 5 dansbaby 5 dansar 5 danrules 5 danrox 5 danrick 5 danou 5 danota 5 danonino1 5 danone1
[Bonneau 2012]69 million Yahoo! Passwords1.1% of users pick same password
Most common password used by almost 1%
Bonneau Yahoo password study
• Instrument login infrastructure• Hash passwords with key H(K,pw) and store
result in histogram• Throw away K– Can’t do brute-force attacks later on– Only learn empirical distribution of passwords
• Also stored some demographic information
Password strength metrics
Shannon entropy:
Let X be password distribution. Passwords are drawn iid from XN is size of support of Xp1 , p2 , …, pN are probabilities of passwords in decreasing order
An example distribution
N = 1,000,000p1 = 1 / 100p2 = (1 – 1/100)/999,999 ≈ 1 / 220 …pN = (1 – 1/100)/999,999 ≈ 1 / 220
.01
2-20
What is probability of success if attacker makes one guess?
H1(X) ≈ 19
19 bits of “unpredictability”. Probability of success about 1/219
Shannon entropy is almost never useful measure for security
H∞(X) = - log p1 ≈ 6.6 The min-entropy of X
Bonneau takeaways
• People pick lousy passwords• New strength measures for password
distributions
• What questions are left open by his paper?
Building good password guessers
Brute-force guessers- try all strings of a certain lengthDictionary guessers- Try only common words
A better guesser would:Output list of passwords in order of likelihood
JohnTheRipper:Dictionaries of common words + mangling rules
Also has brute-force mode
Eg: add digit to end: pw -> pw1
Train models from leaked passwordsTraining alg. for language
model
290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …
Trivial model is just the empirical CDF of the histogram itself
Model
Model
290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …
Model defines a probability distributionover passwords. Can use to:- sample passwords according to distribution- enumerate passwords in order of likelihood
Supports all the aboveGeneralizability is quite poorML people would say this model isoverfit
Train models from leaked passwordsTraining alg. for language
model
290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …
Model
CFG with probability distribution associated to each rule
Probabilistic context-free grammar
We can encode a string by its parse tree, thetree represented by probabilities in PCFG CDF
[Weir et al. 2009]
Fix a CFG, then learn probabilities by training on passwords
Train models from leaked passwordsTraining alg. for language
model
290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …
Model
What open questions do Weir et al. leave?
Train models from leaked passwordsTraining alg. for language
model
290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …
Model
Probabilistic context-free grammar only one NLP modeling approach
n-gram Markov models another popular choice.:
[Ma et al. ’14] show carefully chosen Markov model beats Weir et al. PCFG
Password selection policies
• [Komanduri et al. ‘11], [Vu et al. ‘07], [Proctor et al. ‘02] and others studied with Amazon Mturk– General consensus that it increases resistance (but
by exactly how much is not clear to me), but decreases usability
• Password expiration policies [Zhang et al. ’10]– High-level bit: they don’t work– Attacker with old password can crack new one
very often
The research landscape since 1979…• Understanding user selection
– Measuring password strength [see citations in Bonneau paper], [Ma et al. `14], [Li, Han `14], [CMU papers]
• Guiding password selection – Strength meters, requirements, etc.– Periodic forced changes [Zhang et al. ‘12]
• Password transmission, login logic– Single sign-on (SSO) technologies
• Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15]– Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12]
• Improving offline brute-force attacks– Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov
‘05]– Better dictionaries [JohntheRipper], [Weir et al. ‘09],
• Password managers– Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15]– Breaking password managers [Li et al. ‘14] [Silver et al. ’15]– Stateless password managers [Ross et al. ’05]