gotcha challenge (un)solved - weeblyruxandraolimid.weebly.com/.../cisis_2015_gotcha.pdf · gotcha...
TRANSCRIPT
GOTCHA Challenge (Un)Solved
Ruxandra F. Olimid
University of Bucharest
June 15, 2015
Password-based Authentication
R.F.Olimid - GOTCHA Challenge (Un)Solved 2/15 ,
GOTCHA Authentication
▸ GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart)
▸ introduced by J. Blocki, M. Blum and A. Datta, from Carnegie Mellon University
▸ an innovative method based on the interaction between the user and the authentication system that prevents automatic attacks
▸ somewhat similar to CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
GOTCHA Authentication
Two phases:
▸ Create Account
▸ Authenticate
GOTCHA - Create Account Phase
http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge.html
GOTCHA - Authentication Phase
http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge.html
GOTCHA Challenge
http://www.cs.cmu.edu/~jblocki/GOTCHA-Challenge.html
GOTCHA Challenge
▸ 5 puzzles: 4 numeric 7-digit passwords and 1 numeric 8-digit password
▸ public information: the code (C#), password files (password hash and labels in permuted order)
▸ bug: the source folder contained the 10 inkblots corresponding to each account
Generation of Inkblots
▸ the password is used to seed a PRG
▸ the output of the PRG gives the coordinates and the colors of the plotted shapes
▸ 40 big circles, 20 ellipses and 20 small circles, plus their symmetric counterparts
▸ each figure is plotted on top of the already existing ones
Generation of Inkblots
First inkblot for pwd1 = 1258136:
Idea: generate inkblots from all possible passwords and compare them to the stored inkblots
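Added example (not from the slides or the challenge code): a toy model showing why inkblots derived only from the password act as an offline password verifier once they leak. Assumptions: Python's random.Random stands in for the challenge's C# generator, the canvas size and the per-shape parameter layout are invented, and the constructed secret is 4 digits long so the search finishes instantly.

```python
import random

# Shape counts per inkblot, as listed on the slide above.
SHAPES = (("big_circle", 40), ("ellipse", 20), ("small_circle", 20))
WIDTH, HEIGHT = 400, 300  # assumed canvas size, not taken from the challenge


def inkblot_params(password, index=0, limit=None):
    """Shape parameters of inkblot `index`, derived from a password-seeded PRG.

    random.Random is a stand-in for the challenge's generator (assumption)."""
    rng = random.Random(f"{password}:{index}")
    shapes = []
    for kind, count in SHAPES:
        for _ in range(count):
            x = rng.randrange(WIDTH // 2)  # left half; the mirror image is implied
            y = rng.randrange(HEIGHT)
            colour = rng.randrange(1 << 24)
            shapes.append((kind, x, y, colour))
            if limit is not None and len(shapes) == limit:
                return shapes
    return shapes


def recover_password(leaked, digits, prefix_shapes=3):
    """Enumerate every numeric password of the given length and return
    those whose regenerated inkblot equals the leaked one."""
    target = leaked[:prefix_shapes]
    hits = []
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        # Cheap filter: derive only the first few shapes before a full compare.
        if inkblot_params(candidate, limit=prefix_shapes) != target:
            continue
        if inkblot_params(candidate) == leaked:
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    secret = "4071"                   # constructed sample password
    leaked = inkblot_params(secret)   # what the source folder exposed, in this model
    print(recover_password(leaked, digits=4))
```

Nothing in the derivation depends on anything but the password, so the search cost is exactly the size of the password space: 10^7 or 10^8 candidates for the challenge accounts.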
The Attack
Intel Core 2 Duo CPU at 2GHz, 3GB RAM
Windows 7
0.5 (7-digit password)
1.5 hours (8-digit password)
Takeaway Message
More challenges are still active!
Thank you!