![Page 1: Enhancing Password Security Using Deceptive Covert Communication](https://reader031.vdocuments.us/reader031/viewer/2022030301/587f24db1a28ab350c8b79ef/html5/thumbnails/1.jpg)
Enhancing Password Security Using Deceptive Covert Communication
IFIP SEC’15
Mohammed
Eugene Spafford
Mikhail Atallah
Acknowledgment
• Joint work with:
• Prof. Eugene Spafford and Prof. Mike Atallah.
• Part of the Liars Club group at Purdue.
• Partially supported by Northrop Grumman.
Authentication
• One of the most common security controls.
• Two-factor authentication is a de-facto standard.
• Two major limitations:
• Passwords are still exposed.
• Man-in-the-Browser (MitB), e.g., Zeus Malware.
A Password's Dangerous Trip
A Password's Dangerous Trip: Threats
Shoulder-Surfing
MitB/Keylogger
Sniffing/Phishing
Insider Threat
A Password's Dangerous Trip: Current Controls
Shoulder-Surfing
MitB/Keylogger
Sniffing/Phishing
Insider Threat
Current controls:
SSL/TLS
Ersatz Passwords
2FA
Information Asymmetry: Context-less Authentication
User wants to access
Banks want me to access.
Information Asymmetry: Contextual Authentication
Public Network?
Email link?
….
Dynamic Decision
context
A Password's Dangerous Trip: Reducing password exposure
A Deceptive Covert Communication
• We will use an accumulation function A() that can be realized using modular exponentiation.
• A() is commutative: A(x1, x2) = A(x2, x1).
• Computing A(A(x1), x2) does not require knowledge of x1; the already-accumulated value A(x1) suffices.
• Current systems store h = H(passwd || salt).
• For every account compute and store A(h) instead, so the server never needs h itself.
A Deceptive Covert Communication: Enter username
A Deceptive Covert Communication: Check whether the username exists
if usernameExists():
    A(h) = getHashedPass()      # the server stores A(h), not h
    s = getSalt()
    R = randomNonce()           # fresh per run
    key = A(A(h), R)
    id = Bankid
    x = HMACkey(A(R), s, id)
    Send QR(A(R), x, id)
A Deceptive Covert Communication: User scans QR
A Deceptive Covert Communication: Check the integrity of the QR
h = Hash(passwd || salt)
key = A(A(R), h)            # equals the server's A(A(h), R) by commutativity
x' = HMACkey(A(R), id)
if x == x' -> route (b)
else       -> route (a)
A Deceptive Covert Communication: Verify the identity of the application
A Deceptive Covert Communication: Covert message
A Deceptive Covert Communication: Generating the code
code = A(A(R), h, msgs)
A Deceptive Covert Communication
A Deceptive Covert Communication: Verifying the code
code' = A(A(R), h, possible msgs)    # one candidate per possible covert message
check code =? code'
A Deceptive Covert Communication: The use of Deception
Comparison
Enhancements
• Full-transaction Authentication.
• Phone connectivity.
• Storage of Insensitive Information.
Length of code
• Having 64 possible characters (including alphanumeric characters and symbols):
• Probability of guessing a single character is 2^-6.
• When length = 5 -> prob. = 2^-30.
• Calculation of the code includes a random number R.
• The adversary gains no advantage by learning any previous runs of the protocol.
Why use a smartphone?
• The use of Software Guards.
• Reducing password exposure.