A Security Analysis of Two Commercial Browser and Cloud Based Password Managers Rui Zhao 1, Chuan Yue 1, Kun Sun 2 University of Colorado Colorado Springs.


Slide 1: A Security Analysis of Two Commercial Browser and Cloud Based Password Managers
Rui Zhao (1), Chuan Yue (1), Kun Sun (2)
(1) University of Colorado Colorado Springs
(2) George Mason University
ASE/IEEE International Conference on Privacy, Security, Risk and Trust (PASSAT’13), Washington D.C.

Slide 2: Background
Different types of password managers:
  o Browser’s built-in feature
  o Browser extension
  o Stand-alone program
Our focus: browser-extension based password managers!

Slide 3: Background
Browser and Cloud based Password Managers (BCPMs):
  o LastPass on Firefox & Chrome
  o RoboForm on Firefox & Chrome
Storage:
  o LastPass stores both locally and remotely
  o RoboForm stores either locally or remotely
Modes: online mode, offline mode

Slide 4: Our Goal
Do they protect users’ passwords well?
  o How do they protect passwords?
  o Do they have security vulnerabilities?
  o How severe are those vulnerabilities?

Slide 5: Threat Model
The types of credentials
The types of attackers
The types of attacks under consideration

Slide 6: Security Analysis Methodology
Platform: Windows 7
Extension source code is open and written in JavaScript: examined in the Eclipse IDE
De-obfuscation: JS Beautify
Other tools:
  o Debugging tools on Firefox and Chrome
  o Network traffic capture tool: HTTP Analyzer

Slide 7: Security Analysis Methodology
Theoretically estimate the computational effort for performing different attacks, following the assumptions used by William Stallings:
  o One microsecond (μs) to perform a basic cryptographic operation
  o Alternatively, one microsecond (μs) to perform a million basic cryptographic operations
  o DES, AES, SHA-1, SHA-2: each counts as a basic cryptographic operation
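The effort estimation from this slide as an added worked example (not code from the paper): it applies the two Stallings speed assumptions to an assumed set of master-password character sets, lengths and PBKDF2 iteration counts, all of which are illustrative values rather than figures from LastPass or RoboForm.

```python
OPS_PER_SEC_SINGLE = 10**6     # one basic cryptographic operation per microsecond
OPS_PER_SEC_PARALLEL = 10**12  # one million basic operations per microsecond

# Assumed character-set sizes for a master password (illustrative, not from the paper).
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate master passwords of exactly `length` characters."""
    return charset_size ** length


def brute_force_seconds(charset_size: int, length: int,
                        ops_per_guess: int, ops_per_sec: int) -> float:
    """Expected seconds to recover the master password by brute force.

    On average half the keyspace is tried. `ops_per_guess` is the number of
    basic operations one guess costs, e.g. the PBKDF2 iteration count
    (each iteration is counted as one basic operation, a simplification)."""
    return keyspace(charset_size, length) / 2 * ops_per_guess / ops_per_sec


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def effort_table(lengths=(6, 8, 10), iteration_counts=(1, 5000, 100_000)):
    """Rows of (charset, length, iterations, single-machine time, parallel time).
    The iteration counts are assumed values chosen to show the effect of a
    large PBKDF2 iteration count; they are not the products' settings."""
    rows = []
    for name, size in CHARSETS.items():
        for length in lengths:
            for iters in iteration_counts:
                rows.append((name, length, iters,
                             human(brute_force_seconds(size, length, iters, OPS_PER_SEC_SINGLE)),
                             human(brute_force_seconds(size, length, iters, OPS_PER_SEC_PARALLEL))))
    return rows


if __name__ == "__main__":
    print(f"{'charset':16}{'len':>4}{'iters':>8}  {'1 op/us':>18}  {'10^6 ops/us':>18}")
    for name, length, iters, single, parallel in effort_table():
        print(f"{name:16}{length:>4}{iters:>8}  {single:>18}  {parallel:>18}")
```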

Slide 8: LastPass Security Design and Vulnerability Analysis
LastPass-Vul-1: Outsider attackers’ local decryption attacks
  ← insecure design of the master password remembering mechanism in LastPass

Slide 9: LastPass Security Design and Vulnerability Analysis
LastPass-Vul-2: Outsider attackers’ brute force attacks
  ← insecure design of the local user authentication mechanism and the insecure application of the PBKDF2 function in LastPass

Slide 10: LastPass Security Design and Vulnerability Analysis
LastPass-Vul-3: Insider attackers’ brute force attacks
  ← insecure association of the master password with authenticators in LastPass

Slide 11: LastPass Security Design and Vulnerability Analysis
The master password brute force attack effort for LastPass-Vul-2 and LastPass-Vul-3

Slide 12: RoboForm Security Design and Vulnerability Analysis
RoboForm-Vul-1: Outsider attackers’ local decoding attacks
  ← zero protection to local storage when a master password is not used in RoboForm
(Diagram labels: Website Credentials, Encoding, *.rfp)

Slide 13: RoboForm Security Design and Vulnerability Analysis
RoboForm-Vul-2: Outsider attackers’ brute force attacks
  ← weak protection to local storage when a master password is used in RoboForm

Slide 14: RoboForm Security Design and Vulnerability Analysis
RoboForm-Vul-3: Insider attackers’ server-side request monitoring attacks
  ← zero protection to the data received by the insiders of RoboForm

Slide 15: RoboForm Security Design and Vulnerability Analysis
The master password brute force attack effort

Slide 16: Likelihood, impact, and overall risk ratings
OWASP (Open Web Application Security Project) risk rating methodology:
  o Likelihood: how likely this particular vulnerability is to be uncovered and exploited by an attacker (HIGH, MEDIUM, LOW)
  o Impact: the impact of a successful attack, covering technical impact and business impact (HIGH, MEDIUM, LOW)
  o Overall Risk Severity: derived from Likelihood and Impact

Slide 17: Suggestions
1. User data should be protected with confidentiality and authenticity mechanisms before being sent to cloud storage servers
  o RoboForm-Vul-3
2. Outsider attackers’ client-side stealing capability should be seriously considered
  o LastPass-Vul-1
  o RoboForm-Vul-1

Slide 18: Suggestions
3. A master password mechanism must be provided in a BCPM, and users should be mandated to use a strong master password, with the strength assured by a pure client-side proactive password checker
  o RoboForm-Vul-1
  o LastPass-Vul-3
  o LastPass-Vul-2
  o RoboForm-Vul-2

Slide 19: Suggestions
4. Large iteration count values should be used in the password based key derivation functions
  o LastPass-Vul-3
  o LastPass-Vul-2
  o RoboForm-Vul-2
5. A user’s master password should be used to authenticate a user, but it should not be insecurely associated with any authenticator that will be sent to the cloud storage servers or saved locally to the user’s computer
  o LastPass-Vul-2
  o RoboForm-Vul-2

Slide 20: Suggestions
6. Data authenticity should be assured, and authenticity verification should not weaken confidentiality
  o RoboForm-Vul-2
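Suggestions 4, 5 and 6 as one added client-side key-handling example (not LastPass’s or RoboForm’s code): the vault key comes from a salted PBKDF2 with a large iteration count, the server only ever receives a one-way subkey derived from it, and a separately keyed HMAC over the encrypted vault provides authenticity without touching plaintext. The iteration count, the subkey labels and the opaque ciphertext bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed large PBKDF2 iteration count (suggestion 4), not a product value


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow derivation of the local vault encryption key.
    Every brute-force guess against this key costs ITERATIONS HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, ITERATIONS, dklen=32)


def subkey(vault_key: bytes, label: bytes) -> bytes:
    """Domain-separated subkey. HMAC is one-way, so holding a subkey yields
    neither the vault key nor the master password."""
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def server_authenticator(vault_key: bytes) -> bytes:
    """The only password-derived value that leaves the client (suggestion 5): it
    authenticates the user but cannot decrypt the vault, and an insider holding
    it still pays the full PBKDF2 cost for each master-password guess."""
    return subkey(vault_key, b"server-authenticator")  # label is an assumption


def seal(vault_key: bytes, ciphertext: bytes) -> bytes:
    """Authenticity tag over the already-encrypted vault (suggestion 6). The MAC
    key is separate from the encryption key, so the tag reveals no plaintext and
    does not weaken confidentiality. `ciphertext` is treated as opaque bytes."""
    return hmac.new(subkey(vault_key, b"vault-mac"), ciphertext, hashlib.sha256).digest()


def verify(vault_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag check, performed before any decryption is attempted."""
    return hmac.compare_digest(seal(vault_key, ciphertext), tag)


def demo(master_password: str = "correct horse battery staple") -> dict:
    """Constructed round trip: derive keys, tag a constructed ciphertext, detect tampering."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt)
    ciphertext = b"\x8a\x17\xf0<constructed opaque ciphertext bytes>"  # constructed sample
    tag = seal(vault_key, ciphertext)
    tampered = ciphertext[:-1] + bytes([ciphertext[-1] ^ 0x01])  # flip one bit
    return {
        "authenticator": server_authenticator(vault_key).hex(),
        "tag_ok": verify(vault_key, ciphertext, tag),
        "tampered_ok": verify(vault_key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```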

Slide 21: Conclusion
Define a threat model for analyzing the security of BCPMs
Investigate the design and implementation of two very popular commercial BCPMs: LastPass and RoboForm
Identify several vulnerabilities of these two BCPMs that could be exploited by outsider and insider attackers to obtain users’ saved website passwords
Detailed figures, risk analysis and suggestions are in “Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers” (invited paper), ASE Science Journal, 1(4): pages 1--15,


