Duress Detection for Authentication Attacks Against Multiple Administrators Emil Stefanov UC Berkeley [email protected] u Mikhail Atallah Purdue University [email protected]


Duress Detection for Authentication Attacks Against Multiple Administrators

Emil Stefanov, UC Berkeley, [email protected]

Mikhail Atallah, Purdue University, [email protected]

Remedies for Authentication Attacks

• Guessing passwords
  o Require strong passwords.
• Eavesdropping
  o Encrypt traffic (e.g., TLS/SSH).
• Man in the middle
  o Pre-shared secrets, certificate-based authentication.
• Spyware
  o Intrusion detection systems / antivirus.
• Phishing
  o TLS, web filters.
• Shoulder surfing
  o Common sense.
• Physical coercion
  o Duress detection.

Physical Coercion

• Alice has an account on a server.

• To use the server she must log in with her password.

• One day, Oscar threatens Alice and demands to know her password.

Duress Signaling

• What should Alice do?
  o Provide the correct password?
    • Oscar wins.
  o Refuse to cooperate?
    • Oscar carries out his threat.
  o Provide an invalid password?
    • Oscar tries the password and determines that Alice refused to cooperate.
  o Provide a duress password?
    • The attacker logs in but unknowingly signals a silent alarm.

Duress Password

• What should it look like?
  o Let’s review a few possibilities.

Two-Password Schemes

• Alice has two passwords:
  o A correct password
    • She always uses this one to log in when she is not under duress.
  o A duress password
    • She gives this one to Oscar during duress.
• Advantages?
  o Simple to explain and implement.
• Problems?
  o Oscar can ask for both passwords and pick one at random: he succeeds with probability 1/2.
  o Alice will likely forget her duress password because she never uses it.

N-Password Schemes

• Alice has N passwords:
  o One correct password
    • She always uses this one to log in when she is not under duress.
  o N-1 duress passwords
    • She gives one of these to Oscar during duress.
• Advantages?
  o Oscar’s probability of success is smaller: 1/N if he extracts all N passwords and picks one at random.
• Problems?
  o Alice has to remember N passwords, and she never uses N-1 of them! This is not practical.

PIN Schemes

• Alice has:
  o A strong password (e.g., “VHz3xK*bL8”)
    • This must be correct during normal and duress authentications.
  o A PIN (e.g., “8394”)
    • Alice uses her PIN for a normal authentication.
    • She gives Oscar any other PIN during duress.
• Advantages?
  o Less for Alice to remember.
  o Oscar’s probability of success is low.
• Problems?
  o Recall attack – Oscar can ask her to repeat the PIN later.
    • Alice might forget the PIN she gave Oscar.
  o Typos – Easy to mistype a PIN and cause a false alarm.

Our Approach

• We split the authentication secret into two:
  o A strong password – just like usual.
  o A keyword from a dictionary.
• Carefully choose a keyword dictionary.
  o Specify requirements.
  o Give an example.
• Allows for Alice to be an administrator.
  o Has access to the password/keyword store.
  o Can intercept network traffic.
• Allows multiple users/administrators.
  o Alice, Bob, etc.

Login Screen

Single Administrator Scheme

• A single administrator (Alice) is being attacked.

• Server stores passwords and keywords (hashed & salted).

• Incorrect keyword (with a correct password) → the server notifies the authorities.

Single Administrator Scheme

• Problem:
  o Oscar gains administrator access.
  o Oscar can verify the keyword.
• Solution:
  1. The server notifies the authorities.
  2. The server overwrites the correct keyword.
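The single-administrator check above, as an added example (this is not code from the slides or the paper): a small Python authentication server that stores salted hashes of the password and of the keyword, raises the silent alarm on a correct password with a wrong keyword, and then overwrites the stored keyword verifier with random bytes so that Oscar, who now holds administrator access to this very store, can no longer test which keyword was the real one. The user names, keywords, the `alarms` list and the PBKDF2 parameters are this example's own assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000  # assumption: any sound password-hashing setting works here


def verifier(secret: str, salt: bytes) -> bytes:
    """Salted one-way verifier, used for both the password and the keyword."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERS)


class SingleAdminAuthServer:
    def __init__(self):
        self.users = {}   # user -> {pw_salt, pw_hash, kw_salt, kw_hash}
        self.alarms = []  # constructed stand-in for "notify the authorities"

    def enroll(self, user: str, password: str, keyword: str) -> None:
        pw_salt, kw_salt = os.urandom(16), os.urandom(16)
        self.users[user] = {
            "pw_salt": pw_salt, "pw_hash": verifier(password, pw_salt),
            "kw_salt": kw_salt, "kw_hash": verifier(keyword, kw_salt),
        }

    def login(self, user: str, password: str, keyword: str) -> bool:
        """Grants access on a correct password regardless of the keyword, so the
        response Oscar sees is identical in the normal and the duress case."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], verifier(password, rec["pw_salt"])):
            return False
        if hmac.compare_digest(rec["kw_hash"], verifier(keyword, rec["kw_salt"])):
            return True  # normal login
        # Duress: correct password, wrong keyword.
        # 1. Notify the authorities (silently, nothing in the response changes).
        self.alarms.append(user)
        # 2. Forget the correct keyword: replace its verifier with random bytes, so the
        #    store Oscar is about to administer cannot confirm which keyword was real.
        rec["kw_hash"] = os.urandom(len(rec["kw_hash"]))
        return True

    def keyword_matches_store(self, user: str, keyword: str) -> bool:
        """What Oscar can do once he holds administrator access: test a candidate
        keyword against the stored verifier."""
        rec = self.users[user]
        return hmac.compare_digest(rec["kw_hash"], verifier(keyword, rec["kw_salt"]))
```

After a duress login the store confirms neither the real keyword nor the one Oscar typed, so his check tells him nothing. The overwrite only protects against verification through this one store; it does nothing against a second administrator whose keyword is still intact, which is the attack on the next slide.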

Single Administrator Scheme

• Not secure for multiple administrators!

• Attack:
  • Alice and Bob are administrators.
  • Oscar attacks both of them.
  • Oscar authenticates as one of them and checks the keyword of the other one.

o Solution?
  • Our multiple administrator scheme.

Multiple Administrator Scheme

• Oscar attacks Alice.
• Alice provides a correct password and an incorrect keyword.
• The server receives the credentials.

Multiple Administrator Scheme

• Authentication server:
  o Has purposely “forgotten” the correct keyword.
  o Creates a privacy-preserving record.
  o Sends it to the monitoring server.

Multiple Administrator Scheme

• Monitoring server:
  o Checks the authentication record.
  o If duress, notifies monitoring personnel.

Multiple Administrator Scheme

• Monitoring personnel:
  o Notify the authorities.

• Similar to existing alarm system companies.

• Key ideas:
  o The authentication server never knows the correct keyword.
  o The monitoring server can only decrypt duress authentication records.
  o Keywords are picked from a carefully selected dictionary (more on this later).
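The two-server flow described in the slides above, as an added example. This is not the paper's protocol (the deck reports timings for 1024- to 4096-bit keys, which points to public-key records; this example uses only SHA-256, XOR and PBKDF2 from the Python standard library) but it has the property the key ideas ask for: the authentication server stores, instead of a keyword verifier, a blinded value M_u = K_u XOR H(user, keyword), where K_u is a random per-user key that only the monitoring server knows. At login the authentication server forwards the record M_u XOR H(user, typed keyword), which equals K_u exactly when the typed keyword is the enrolled one. Without K_u it cannot evaluate that comparison, so neither can Oscar after taking over an administrator account on it, and logging in as Alice gives him no way to check Bob's keyword. The construction, the in-process "send", the enrollment path and all names are this example's assumptions.

```python
import hashlib
import hmac
import os

DIGEST_LEN = 32         # SHA-256 output size; K_u, M_u and all records have this length
PBKDF2_ITERS = 100_000  # assumption: any sound password-hashing setting works here


def kw_digest(user: str, keyword: str) -> bytes:
    """One-way digest of a keyword, bound to the user name so that two users
    with the same keyword do not produce the same value."""
    return hashlib.sha256(b"kw|" + user.encode() + b"|" + keyword.encode()).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == DIGEST_LEN
    return bytes(x ^ y for x, y in zip(a, b))


class MonitoringServer:
    """Holds one random key K_u per user and never sees a keyword in the clear."""

    def __init__(self):
        self.keys = {}           # user -> K_u, secret to this server
        self.duress_alerts = []  # constructed stand-in for notifying monitoring personnel

    def enroll(self, user: str, keyword: str) -> bytes:
        """Enrollment step run by Alice's client while not under duress, and not
        through the authentication server. Returns M_u = K_u XOR H(user, keyword),
        the only keyword-related value the authentication server will ever hold."""
        k_u = os.urandom(DIGEST_LEN)
        self.keys[user] = k_u
        return xor(k_u, kw_digest(user, keyword))

    def check_record(self, user: str, record: bytes) -> str:
        """record == K_u exactly when the typed keyword was the enrolled one."""
        if hmac.compare_digest(record, self.keys[user]):
            return "normal"
        self.duress_alerts.append(user)
        return "duress"


class AuthServer:
    """Stores password verifiers and the blinded values M_u. Without K_u it cannot
    tell a right keyword from a wrong one, and neither can an attacker who has
    taken over an administrator account on it."""

    def __init__(self, monitor: MonitoringServer):
        self.monitor = monitor
        self.users = {}  # user -> (pw_salt, pw_hash, M_u)

    def enroll(self, user: str, password: str, m_u: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
        self.users[user] = (salt, pw_hash, m_u)

    def login(self, user: str, password: str, keyword: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, pw_hash, m_u = rec
        if not hmac.compare_digest(
                pw_hash, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)):
            return False
        # Privacy-preserving record: M_u XOR H(user, typed keyword). This server
        # forwards it but cannot tell whether it equals K_u.
        self.monitor.check_record(user, xor(m_u, kw_digest(user, keyword)))
        return True  # access is granted in both cases; the alarm stays silent


def enroll_user(monitor: MonitoringServer, auth: AuthServer,
                user: str, password: str, keyword: str) -> None:
    """Client-side enrollment: the keyword goes to the monitoring server only;
    the authentication server receives the password and the blinded M_u."""
    m_u = monitor.enroll(user, keyword)
    auth.enroll(user, password, m_u)
```

A normal record is just K_u and tells the monitoring server nothing it did not already hold. A duress record XORed with K_u yields H(kw) XOR H(k), and because the keyword dictionary is small the monitoring server can recover the pair by brute force; that is acceptable here, since the keyword has to be re-enrolled after an incident anyway, but it is why the monitoring server, not the authentication server, is the party trusted with K_u. Enrollment must reach the monitoring server over a path the authentication server does not see, otherwise the "forgotten" keyword was never forgotten.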

Multiple Administrator Scheme

Keyword Dictionary Requirements

• Well defined
  o Implicitly defined by a topic.
  o Alice can randomly pick a keyword by only memorizing the topic.

• Hard to make a typo
  o Large edit distance between keywords.

Keyword Dictionary Example: U.S. States

#    Keyword         Closest Keyword   Edit Distance
1    arkansas        kansas            2
2    kansas          arkansas          2
3    northcarolina   southcarolina     2
4    northdakota     southdakota       2
5    southcarolina   northcarolina     2
6    southdakota     northdakota       2
7    alabama         alaska            3
…
45   rhodeisland     louisiana         6
46   washington      michigan          6
47   newhampshire    newmexico         7
48   connecticut     kentucky          8
49   pennsylvania    indiana           8
50   massachusetts   arkansas          9
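The dictionary requirements and the U.S. states table above, as an added example (not code from the slides): a Python script that computes the table's "closest keyword / edit distance" columns for a constructed subset of the states, reports the dictionary's minimum pairwise distance, and uses that structure to decide whether a typed string is a correctable typo of one keyword or an ambiguous one. `STATES` is a constructed subset of the slide's dictionary, and the acceptance rule in `decode_keyword` (nearest keyword within one edit and strictly closer than the runner-up) is this example's assumption, not the paper's algorithm.

```python
from itertools import combinations

# Constructed sample: a subset of the U.S. states dictionary from the slide,
# with spaces removed as in the slide's table.
STATES = [
    "arkansas", "kansas", "northcarolina", "southcarolina", "northdakota",
    "southdakota", "alabama", "alaska", "rhodeisland", "louisiana",
    "washington", "michigan", "newhampshire", "newmexico", "connecticut",
    "kentucky", "pennsylvania", "indiana", "massachusetts",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character insertions,
    deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free on match)
        prev = cur
    return prev[-1]


def closest_keywords(dictionary):
    """For every keyword, its nearest other keyword and that distance
    (the two right-hand columns of the slide's table)."""
    table = {}
    for kw in dictionary:
        other, dist = min(((o, edit_distance(kw, o)) for o in dictionary if o != kw),
                          key=lambda pair: pair[1])
        table[kw] = (other, dist)
    return table


def min_pairwise_distance(dictionary) -> int:
    """The dictionary's figure of merit for the 'hard to make a typo' requirement."""
    return min(edit_distance(a, b) for a, b in combinations(dictionary, 2))


def decode_keyword(typed: str, dictionary, max_typos: int = 1):
    """Map what Alice typed to a dictionary keyword.

    Returns the nearest keyword when it is within max_typos edits AND strictly
    closer than the runner-up. Returns None when the input is too far from every
    keyword, or when two keywords are equally close (an ambiguous typo), so that
    the caller treats it as a wrong keyword rather than guessing.
    Assumption of this example: this rule is not the paper's.
    """
    ranked = sorted((edit_distance(typed, kw), kw) for kw in dictionary)
    (d0, best), (d1, _) = ranked[0], ranked[1]
    if d0 <= max_typos and d0 < d1:
        return best
    return None
```

With the states dictionary the minimum distance is 2 (arkansas/kansas), so a single typo can always be detected but not always corrected: "arkansa" decodes to arkansas, while "akansas" is one edit from both arkansas and kansas and is rejected as ambiguous. A dictionary in which every pair of keywords is at distance 2t+1 or more lets up to t typos be corrected unambiguously, which is what the "large edit distance between keywords" requirement is aiming at.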

Performance

                 Authentication Time   Monitoring Time
1024-bit keys    0.203 ms              0.125 ms
2048-bit keys    0.250 ms              0.671 ms
3072-bit keys    0.343 ms              2.075 ms
4096-bit keys    0.468 ms              6.318 ms