Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti."— Presentation transcript:

1 1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti

2 2 Agenda Introduction - why the article was written Introduction - why the article was written Current countermeasures and why they don ’ t suffice. Current countermeasures and why they don ’ t suffice. RTT - reversed turing tests. RTT - reversed turing tests. Na ï ve solution Na ï ve solution The protocol and analysis The protocol and analysis

3 3 Introduction The need for security The need for security The common usage of passwords The common usage of passwords Vulnerabilities of user chosen passwords Vulnerabilities of user chosen passwords What is dictionary attacks What is dictionary attacks

4 4 Security Assumptions Not enabling eavesdropping of ongoing transaction Not enabling eavesdropping of ongoing transaction using encryption of the transaction (ex. SSL) using encryption of the transaction (ex. SSL) Online interaction must take place in order to determine the password authentication Online interaction must take place in order to determine the password authentication

5 5 Current Countermeasures Against Dictionary Attacks Delayed response - Delayed response - Many user systems. Many user systems. Many parallel login attempts. Many parallel login attempts. Account locking Account locking Denial of service attacks. Denial of service attacks. Customer service costs. Customer service costs.

6 6 RTT – Reversed Turing Test TTs and RTTs – are tests created to distinguish man from machine. TTs and RTTs – are tests created to distinguish man from machine. Turing Tests – are easy for machines and almost impossible for people. Turing Tests – are easy for machines and almost impossible for people. example – long number multiplication or division. example – long number multiplication or division. Reversed Turing Tests – are tests that are easy (enough) for people but very hard for current technology computers. Reversed Turing Tests – are tests that are easy (enough) for people but very hard for current technology computers. These tests must have a large answers domain so guessing of the answer has very low probability. These tests must have a large answers domain so guessing of the answer has very low probability.

7 7 There are several kinds of RTTs know today There are several kinds of RTTs know today Most commonly used - distorted character recognition. Most commonly used - distorted character recognition. Distorted pictures recognition. Distorted pictures recognition. For disabled people there are less known tests like hearing a word in a noisy playback. For disabled people there are less known tests like hearing a word in a noisy playback. It is true that if one has enough resources he could pay (for development and/or hardware) to be able to break an RTT. It is true that if one has enough resources he could pay (for development and/or hardware) to be able to break an RTT. We will touch the point of dealing with broken RTT later on. We will touch the point of dealing with broken RTT later on. Various RTTs

8 8 Na ï ve Solutions Password and RTT based solution: Password and RTT based solution: For every login attempt the server will ask the user to pass a RTT For every login attempt the server will ask the user to pass a RTT Corrupts the login experience. Corrupts the login experience. Very demanding to manufacture a RTT per login. Very demanding to manufacture a RTT per login. Only ask for a RTT if the previous login has failed. Only ask for a RTT if the previous login has failed. The attacker will not use this logins (and won ’ t loose much of the attack throughput. The attacker will not use this logins (and won ’ t loose much of the attack throughput.

9 9 Just Before the Protocol The server has to have a way to reliably identify the login computer. The server has to have a way to reliably identify the login computer. For web based programs – cookies For web based programs – cookies Network address/mac address Network address/mac address Client program installed on login computer Client program installed on login computer Our protocol assume the use of cookies. Our protocol assume the use of cookies. Cookie theft is also dealt with Cookie theft is also dealt with

10 10 The Protocol Initialization : Initialization : After a first successful login the server plants a cookie, with the record of the username and the machine ’ s ID After a first successful login the server plants a cookie, with the record of the username and the machine ’ s ID The cookie could be read and changed only by the server – by encrypting the stored data. The cookie could be read and changed only by the server – by encrypting the stored data.

11 11 The Protocol – cont (2) Login procedure: The user enters the username and password The user enters the username and password If a cookie exists its sent and authenticated by the server If a cookie exists its sent and authenticated by the server If the username and password is correct : If the username and password is correct : If the cookie is authentic – access is granted If the cookie is authentic – access is granted If the cookie doesn ’ t exist or not authenticated – RTT is generated. If the cookie doesn ’ t exist or not authenticated – RTT is generated. With the correct RTT answer access is granted. With the correct RTT answer access is granted.

12 12 The Protocol – cont (3) If the password is incorrect : If the password is incorrect : With a probability of “ p ” the user is asked to pass a RTT With a probability of “ p ” the user is asked to pass a RTT after the RTT answer (correct or not) the user is denied of access. after the RTT answer (correct or not) the user is denied of access. With probability of “ 1-p ” the user is denied immediately. With probability of “ 1-p ” the user is denied immediately. Important point : the decision whether to serve the user with a RTT must be a deterministic function of the username and password submitted

13 13 Usability Analysis User experience almost doesn ’ t change. User experience almost doesn ’ t change. User is asked to pass a RTT only when he tries to log on from a new computer or is he entered the wrong password (with prob “ p ” ) User is asked to pass a RTT only when he tries to log on from a new computer or is he entered the wrong password (with prob “ p ” ) Most users use small set of computers to login from. Most users use small set of computers to login from. From experience of yahoo, alta vista and paypal we can learn that users are willing to answer RTTs as long as they don ’ t come frequently.

14 14 Scalability and Operational Analysis How many RTTs the server has to generate? How many RTTs the server has to generate? For logins from new machines (negligible) For logins from new machines (negligible) For a fraction of “ p ” from the failed login attempts. For a fraction of “ p ” from the failed login attempts. this is much better from the na ï ve solution (assuming p << 1) this is much better from the na ï ve solution (assuming p << 1)na ï vena ï ve

15 15 Security Analysis – Single Account Assuming there are “ N ” different passwords in the domain. Assuming there are “ N ” different passwords in the domain. The attacker can identify that the correct password is from a subset of the The attacker can identify that the correct password is from a subset of the size :,with out answering any RTT. To gain more information the attacker must pay with a RTT answer. To gain more information the attacker must pay with a RTT answer.

16 16 Security Analysis – Multiple Accounts Assume that the attacker knows “ L ” user names. Assume that the attacker knows “ L ” user names. Since the different users are IID, the best strategy is to deal with each username independently. Since the different users are IID, the best strategy is to deal with each username independently.

17 17 Playing the Numbers – Brute Force N = 10 6, randomly selected 2 word from a 1000 word dictionary N = 10 6, randomly selected 2 word from a 1000 word dictionary p = 0.1 p = 0.1 Number of different RTTs : 1000 Number of different RTTs : 1000 Brute force (guessing the RTT): Brute force (guessing the RTT):

18 18 Playing the Numbers – Solving RTTs Assume it takes 3 seconds to solve a RTT Assume it takes 3 seconds to solve a RTT Either by a program (god forbid) Either by a program (god forbid) or a low cost worker that solves RTTs or a low cost worker that solves RTTs 150,000 seconds = 5 working days to break into one user. 150,000 seconds = 5 working days to break into one user.

19 19 Broken RTT Identifying broken RTT: Identifying broken RTT: Correct RTT & Failed password Total logins Correct RTT & Failed password Total logins The server must assume that the RTT is broken. The server must assume that the RTT is broken. Countermeasures : Countermeasures : Rising “ p ” (even to more than 1 – attacker needs to provide more than one RTT per login). Rising “ p ” (even to more than 1 – attacker needs to provide more than one RTT per login). Changing RTT – preferably to one from a different domain. Changing RTT – preferably to one from a different domain. Contacting the user by phone or mail to decide on an alternative form of login. Contacting the user by phone or mail to decide on an alternative form of login.

20 20 Cookie Theft The server holds a counter for every cookie it sent out. The server holds a counter for every cookie it sent out. For every failed login attempt (with this cookie) the value of the counter increases by one. For every failed login attempt (with this cookie) the value of the counter increases by one. When the counter reaches a certain number the cookie is forever disabled, and any login attempt with this cookie will be dealt as no cookie at all. When the counter reaches a certain number the cookie is forever disabled, and any login attempt with this cookie will be dealt as no cookie at all. A new cookie will be presented after a correct login. A new cookie will be presented after a correct login.

21 21 Now we can lock accounts Assuming that the best break of an RTT is a guess Assuming that the best break of an RTT is a guess The server can rise the number of unsuccessful attempts that locks an account (lets say 100) The server can rise the number of unsuccessful attempts that locks an account (lets say 100) With out the RRT method an attacker can break into an account with the probability of : M*L/N With out the RRT method an attacker can break into an account with the probability of : M*L/N M = number of accounts, L = number of attempts before lock, N = password domain size M = number of accounts, L = number of attempts before lock, N = password domain size

22 22 Now we can lock accounts (cont ’ ) With an RTT the password domain raises to N*p*S With an RTT the password domain raises to N*p*S p = fraction, S = RTT answers domain p = fraction, S = RTT answers domain When common number for p*S = 100, we have a substantial advantage on previous solutions. When common number for p*S = 100, we have a substantial advantage on previous solutions. Advantage : when RTT is broken the locking mechanism gives the system administrator the time to react to the broken RTT. Advantage : when RTT is broken the locking mechanism gives the system administrator the time to react to the broken RTT. User will accidentally lock his own user by failing 100 attempts of logins … User will accidentally lock his own user by failing 100 attempts of logins …

23 23 Summery Gives good protection against dictionary attacks. Gives good protection against dictionary attacks. RTT can be used on all web based systems (ex. String RTTs). RTT can be used on all web based systems (ex. String RTTs). No additional hardware tokens or software downloads. No additional hardware tokens or software downloads. RTT doesn ’ t appear frequently for the normal user. RTT doesn ’ t appear frequently for the normal user. Easy integration in existing protocols. Easy integration in existing protocols.

24 24 Questions? Thank you Thank you

25 25 Homework firefoxtc (at) gmail.com 1. Why does the protocol demands that the function whether to serve a RTT or not must be deterministic? 2. What method is suggested to improve the login experience from a new machine by smartly choosing the RTT given to the user? 3. What should we demand from the protocol to avoid “ timing attacks ” ?

Download ppt "1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti."

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Securing the Worlds Information Secure Dynamic Credit and Debit Cards Stop Credit Card and Identity Theft Andre Brisson Stephen Boren Co founders/ Co.

Securing the Worlds Information Secure Dynamic Credit and Debit Cards Stop Credit Card and Identity Theft Andre Brisson Stephen Boren Co founders/ Co.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.

1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.

Similar presentations

Ads by Google