![Page 1: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/1.jpg)
Securing Passwords Against Dictionary Attacks
Presented By
Chad Frommeyer
![Page 2: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/2.jpg)
Introduction
• Abstract/Introduction
• Reverse Turing Test (RTT)
• User Authentication Protocols
• Security Analysis
• Authentication Method Requirements
• Other Authentication Approaches
• Conclusion
![Page 3: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/3.jpg)
Abstract/Introduction
• Passwords are the most widely used authentication method
• More secure methods are cumbersome to use
• User-chosen passwords are often weak and easy to guess with a dictionary
• Users require the authentication to be easy to use
• Goal is to build authentication that is still easy to use but hard for a computer to guess
![Page 4: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/4.jpg)
Abstract/Introduction
• Dictionary Attack – attempting to authenticate by guessing all possible passwords
• Offline Attack – attacking passwords when they are in transit
– Offline attacks are prevented by securing communications and protecting password files
![Page 5: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/5.jpg)
Abstract/Introduction
• For this discussion we assume that communications are properly secured and password files are protected
• Online Attack – Attack that requires interacting with the login server
![Page 6: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/6.jpg)
Introduction – Common Countermeasures
• Delayed Response – delaying the authentication response
• Account Locking – Locking the account with too many negative responses
![Page 7: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/7.jpg)
Introduction – Countermeasure Weaknesses
• Global Password Attacks – simultaneous attempts against multiple accounts
• Risks (from account locking)
– Denial of Service
– Customer Service Costs
![Page 8: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/8.jpg)
Introduction – Pricing via Processing
• Adding minimal processing time to each request has a large impact on dictionary attacks but negligible impact on the individual user
• A drawback to this approach is that it can require a special user client or mobile code
• The suggested approach
– Add processing without changing the interaction
– Make the processing hard for machines to automate
![Page 9: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/9.jpg)
Reverse Turing Test (RTT)
• Requirements of RTT
– Automated generation
– Easy for humans
– Hard for machines
– Small probability of guessing the answer correctly
• RTTs can be solved either by utilizing a human during the attack, or by some type of OCR or audio analysis
![Page 10: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/10.jpg)
Reverse Turing Test (RTT)
• Most well-known RTT
– Distorted text image
– Production usage is typically during a registration process
• Accessibility issues
– Utilize both image- and audio-based RTTs
![Page 11: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/11.jpg)
User Authentication Protocols
• Combining an existing system with an RTT
– Requires passing an RTT for every authentication attempt
– Usability – this is different from what most users are accustomed to, and would likely cause issues
– Scalability – RTT generation on a large scale is not a proven concept
![Page 12: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/12.jpg)
User Authentication Protocols
• Answers to the usability and scalability issues
– Require an RTT only a fraction of the time
• Problem: attackers would skip the attempts when an RTT was required
– Require an RTT only after the first failure
• Problem: when global password attacks are used, this doesn't help
![Page 13: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/13.jpg)
User Authentication Protocols
• Paper's observations
– Users typically use a limited number of computers
– Requiring RTTs only a fraction of the time can be helpful for an appropriate implementation
• The protocol suggested by this paper assumes the ability to identify client computers. The following implementation uses web browser cookies.
![Page 14: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/14.jpg)
![Page 15: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/15.jpg)
User Authentication Protocols
• The usability problems are solved because RTTs are only required in a very small number of cases
• Scalability problems are solved for the same reason, and because the RTTs are generated by a deterministic function of the username and password and a probability 1/p
– All expected RTTs could be cached
![Page 16: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/16.jpg)
Security Analysis
• Implementation Requirements
– One of the following responses is returned when a username/password pair doesn't match:
• The username/password is invalid
• Please answer the following RTT
– The response must be a deterministic function of the username/password
– Response delays should be the same for a successful and a failed attempt
![Page 17: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/17.jpg)
Security Analysis
• The nature of the response, as well as the response time, will often give an attacker more information about the system or passwords being attacked
• If the requirements are met, the proposed system will respond with RTTs on correct guesses as well as on a subset of incorrect guesses
![Page 18: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/18.jpg)
Security Analysis
• Goal: make the cost of attacking the system higher than the benefit of a successful attack
– Some systems are so beneficial to attack that attackers will utilize humans to solve the RTTs encountered during an attack
– The probability p must be adjusted to raise the cost of the attack
![Page 19: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/19.jpg)
Security Analysis
• What if an RTT can be broken?
• The assumption should be that they can
• In this case the system should dynamically adjust the probabilities
• This means that the system must be able to identify a successful attack
– When unsuccessful attempts with solved RTTs go up, this is a clear indication of an attack
• Alternative RTT solutions should be available
![Page 20: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/20.jpg)
Security Analysis
• Cookie Theft
– Cookies can be stolen off of one machine and set on another
– Keep a count on the server, per cookie, of the number of failed attempts
– With a high number of failures (say 100) the server will ignore the cookie and act as if no cookie was sent
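The protocol pieces described across these slides (cookie-identified clients, the deterministic RTT-or-invalid response on wrong guesses, RTTs on every correct guess without a trusted cookie, the per-cookie failure counter that neutralises stolen cookies, and the "solved RTT but wrong password" attack indicator) fit together as one small login state machine. The following is an added illustration, not the paper's or the presenter's code; the plaintext user store, the `p` and `cookie_fail_limit` parameters, and the modelling of the RTT as a boolean "solved" flag are simplifications assumed here, and the rule that a valid cookie lets a correct password skip the RTT is assumed from the slides' description of identified client computers.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the paper or the slides. The RTT challenge
# itself is abstracted away: the caller reports whether it was solved.
GRANTED, INVALID, RTT_REQUIRED = "granted", "invalid", "rtt-required"


class RttLoginServer:
    def __init__(self, users, p=0.05, cookie_fail_limit=100):
        self.users = users                  # username -> password (demo store; hash in real use)
        self.p = p                          # fraction of wrong guesses that still receive an RTT
        self.cookie_fail_limit = cookie_fail_limit
        self.secret = secrets.token_bytes(32)
        self.cookies = {}                   # cookie -> username it was issued to
        self.cookie_failures = {}           # cookie -> failed attempts seen with that cookie
        self.failed_after_rtt = 0           # solved RTT + wrong password: the slides' attack signal

    def _password_ok(self, username, password):
        return hmac.compare_digest(self.users.get(username, ""), password)

    def _rtt_wanted(self, username, password):
        # Deterministic in (username, password): repeating the same guess always yields
        # the same verdict, so the RTT-or-invalid split reveals nothing on a retry.
        d = hmac.new(self.secret, f"{username}\0{password}".encode(), hashlib.sha256).digest()
        return int.from_bytes(d[:8], "big") < self.p * 2**64

    def _cookie_trusted(self, cookie, username):
        return (self.cookies.get(cookie) == username
                and self.cookie_failures.get(cookie, 0) < self.cookie_fail_limit)

    def _record_failure(self, cookie):
        if cookie is not None:               # a stolen cookie burns itself out after the limit
            self.cookie_failures[cookie] = self.cookie_failures.get(cookie, 0) + 1

    def login(self, username, password, cookie=None):
        ok = self._password_ok(username, password)
        if ok and self._cookie_trusted(cookie, username):
            return GRANTED, cookie           # known machine + correct password: no RTT
        if ok or self._rtt_wanted(username, password):
            return RTT_REQUIRED, None        # same message for correct and some wrong guesses
        self._record_failure(cookie)
        return INVALID, None

    def answer_rtt(self, username, password, cookie, rtt_solved):
        if not rtt_solved:
            return INVALID, None             # unsolved RTT: no password verdict is revealed
        if self._password_ok(username, password):
            new_cookie = secrets.token_hex(16)
            self.cookies[new_cookie] = username   # remember this client for this user
            return GRANTED, new_cookie
        self.failed_after_rtt += 1           # human-assisted or broken-RTT guessing shows up here
        self._record_failure(cookie)
        return INVALID, None
```

Response timing is left out of the block; in a deployment both branches of `login` and `answer_rtt` would be padded to the same delay, as the slides require.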
![Page 21: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/21.jpg)
Security Analysis
• Account Locking Measures
– Since we can determine when an attack is happening, we can use account locking measures as long as the failed-attempt threshold is higher than typical
– The account's failed-attempt threshold should dynamically lower when an attack is happening, at least until a new RTT is implemented
![Page 22: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/22.jpg)
Authentication Method Requirements
• Requirement: Availability
– Users shouldn't be expected to have special software installed
• Requirement: Robust and Reliable
– Requests should always receive a response
• Requirement: Friendliness
– The interface should be friendly and usable
![Page 23: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/23.jpg)
Authentication Method Requirements
• Requirement: Low cost to implement and operate
• Give strong consideration to the effect of a successful attack and what impact it has on business and customers
• Risk is an important factor in choosing an authentication method
![Page 24: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/24.jpg)
Other Authentication Approaches
• Most other, and potentially more secure, authentication approaches do not satisfy the previously stated requirements
– One-time passwords (tokens)
– Client certificates/keys
– Biometrics
– Graphical passwords
![Page 25: Securing Passwords Against Dictionary Attacks](https://reader036.vdocuments.us/reader036/viewer/2022081420/56813a5e550346895da2549c/html5/thumbnails/25.jpg)
Conclusion
• With a scalable, low cost and usable solution similar to standard user/password authentication methods, the authors believe that their proposed solution is the answer to secure authentication
• Why aren’t solutions that are implemented today using similar ideologies?
• Questions?