making password checking systems better password... · note:we did not admit login using...
TRANSCRIPT
MakingPasswordCheckingSystemsBetter
TomRistenpart
Coveringjointworkwith:AnishAthayle,Devdatta Akawhe,JosephBonneau,RahulChatterjee,Anusha Chowdhury,Yevgeniy Dodis,AdamEverspaugh,AriJuels,YuvalPnueli,SamScott,JoanneWoodage
Passwordcheckingsystemstom,password1 tom password1
alice 123456
bob p@ssword!Loginserver
Allowloginif:
Attackdetectionmechanismsdon’tflagrequest
Sometimes:secondfactorsucceeds
(plushundredsofmillionsmore)
Passwordmatches
Problemsw/passwordcheckingsystemstom,password1 tom password1
alice 123456
bob p@ssword!Loginserver
Peopleoftenenterwrongpassword:- Typos- Memoryerrors
Passwordsdatabasesmustbeprotected:- Servercompromise- Exfiltrationattacks(e.g.,SQLinjection)Widespreadpractice:- Applyhashingw/salts- Hopeslowsdownattacksenough
Today’stalk
Pythia:movingbeyond“hash&hope”Hardenhasheswithoff-systemsecretkeyusingpartiallyobliviouspseudorandomfunctionprotocol
[Everspaugh,Chatterjee,Scott,Juels,R.– USENIXSecurity2015]
Typo-tolerantpasswordcheckingIn-depthstudyoftyposinuser-chosenpasswordsShowhowtoallowtyposwithoutharmingsecurity
[Chatterjee,Athayle,Akawhe,Juels,R.– Oakland2016][Woodage,Chatterjee,Dodis,Juels,R.– Crypto2017]
[Chatterjee,Woodage, Pnueli,Chowdhury,R.– CCS2017]
Passwordcheckingsystemstom,password1 tom password1
alice 123456
bob p@ssword!Loginserver
Websitesshouldnever storepasswordsdirectly,theyshouldbe(atleast)hashedwithasalt(alsostored)
H …pw||salt H H
ctimes CryptographichashfunctionH(H=SHA-256,SHA-512,etc.)
Commonchoiceisc=10,000
Better:scrypt,argon2
tom salt1 ,Hc(password1,salt1)
alice salt2 ,Hc(123456,salt2)
bob salt3 ,Hc(p@ssword!,salt3)
UNIXpasswordhashingscheme,PKCS#5Formalanalyses:[Wagner,Goldberg2000][Bellare,R.,Tessaro 2012]
AshleyMadison hack:36millionuserhashesSalts+Passwordshashedusingbcrypt withc=212=40964,007crackeddirectlywithtrivialapproach
Passwordcracker
29072912345679076123457678912345678959462password49952iloveyou33291princess
…
ListofpossiblepasswordsinorderoftheirlikelihoodRecompute hashandcheck
Examples:Hashcat,Johntheripper,academicprojects
AshleyMadison hack:36millionuserhashesSalts+Passwordshashedusingbcrypt withc=212=40964,007crackeddirectlywithtrivialapproach
CynoSure analysis:11millionhashescracked>630,000peopleusedusernamesaspasswordsMD5hashesleftlyingaroundaccidentally
http://cynosureprime.blogspot.com/2015/09/csp-our-take-on-cracked-am-passwords.html
Passworddatabasecompromises
……
32.6million
#stolen %recovered format
100% plaintext(!)2012
year
117million 90% UnsaltedSHA-12012
36million ?? ECBencryption2013
36millionSaltedbcrypt+MD52015 33%
~500million ?? bcrypt +??2014
(1)Passwordprotectionsoftenimplementedincorrectlyinpractice
(2)Eveninbestcase,hashingslowsdownbutdoesnotpreventofflinebrute-forcecracking
$cur=‘password’$cur=md5($cur)$salt=randbytes(20)$cur=hmac_sha1($cur,$salt)$cur=remote_hmac_sha256($cur,$secret)$cur=scrypt($cur,$salt)$cur=hmac_sha256($cur,$salt)
Facebookpasswordonion
h=Hc(password1||salt)Back-endcryptoservice
h
f =HMAC(K,h)K
Storesalt,f
Back-endcryptoservice
f’=Hc(123456||salt)
f’=HMAC(K,h’) Kf =f’?
Hc(1234567||salt)
Hc(12345||salt)
…
Muststillperformonlinebrute-forceattack
Exfiltrationdoesn’thelp
HMACispseudorandomfunction(PRF).
Strengtheningpasswordhashstoragetom,password1
Strengtheningpasswordhashstorage
Criticallimitation:can’trotateKtoanewsecretK’
h=Hc(password1||salt)Back-endcryptoservice
h
f =HMAC(K,h)K
Storesalt,f
tom,password1
• Idea1:Versiondatabaseandupdateasuserslogin§ Butdoesn’tupdateoldhashes
• Idea2:Invalidateoldhashes§ Butrequirespasswordreset
• Idea3:Usesecret-keyencryptioninsteadofPRF§ Butrequiressendingkeystowebserver(orhighbandwidth)
ThePythia PRFService
h=Hc(password1||salt)Blindh,pickuserIDUnblind PRFoutputfStoreuserID,salt,f
Back-endcryptoservice
userid,blindedh
BlindedPRFoutputfK
tom,password1
Combinetokenandftogeneratef’=F(K’,h)
Back-endcryptoservice
Token(K->K’)K
K’ServerlearnsnothingaboutKorK’
Cryptographicallyerasesf:Uselesstoattackerinthefuture
Blindingmeansservicelearnsnothing aboutpasswords
UserIDrevealsfine-grainedquerypatternstoservice.Compromisedetection&ratelimiting
Newcrypto:partially-obliviousPRF
h=Hc(password1||salt)Chooserandomrf=y1/rStoreuserID,salt,f
userid,hr
y
Ktom,password1
GroupsG1 ,G2 ,GT w/bilinearpairinge:G1 xG2 ->GT e(ax,by)=cxy
t =H(userid)y=e(tK,hr)
f=e(tK,hr)1/r =e(t,h)Kr*1/r=e(t,h)K
• Pairingcryptographicallybindsuseridwithpasswordhash• Canaddverifiability(proofthatPRFproperlyapplied)• Keyrotationstraightforward:Token(K->K’)=K’/ K• Interestingformalsecurityanalysis(seepaper)
ThePythia PRFService
Queriesarefastdespitepairings• PRFquery:11.8ms (LAN)96ms (WAN)
Parallelizablepasswordonions• Hc andPRFquerymadeinparallel(hideslatency)
Multi-tenant(theoretically:scalesto100millionloginservers)
Easytodeploy• Open-sourcereferenceimplementationat
http://pages.cs.wisc.edu/~ace/pythia.html• Atleastonestartupdeployingitcommercially
https://virgilsecurity.com/pythia/
Today’stalk
Pythia:movingbeyond“hash&hope”Hardenhasheswithoff-systemsecretkeyusingpartiallyobliviouspseudorandomfunctionprotocol
[Everspaugh,Chatterjee,Scott,Juels,R.– USENIXSecurity2015]
Typo-tolerantpasswordcheckingIn-depthstudyoftyposinuser-chosenpasswordsShowhowtoallowtyposwithoutharmingsecurity
[Chatterjee,Athayle,Akawhe,Juels,R.– Oakland2016][Woodage,Chatterjee,Dodis,Juels,R.– Crypto2017]
[Chatterjee,Woodage, Pnueli,Chowdhury,R.– CCS2017]
Backtoourbigpicturetom,password1 tom password1
alice 123456
bob p@ssword!Loginserver
Peopleoftenenterwrongpassword:- Typos- Memoryerrors
Passwordsdatabasesmustbeprotected:- Servercompromise- Exfiltrationattacks(e.g.,SQLinjection)Widespreadpractice:- Applyhashingw/salts- Hopeslowsdownattacksenough
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
Backtoourbigpicturetom,password1
Loginserver
Peopleoftenenterwrongpassword:- Typos- Memoryerrors
Usershavehardtimeremembering(complex)passwords[Uretal.2012][Shayetal.2012][Mazurek etal.2013][Shayetal.2014][Bonneau,Schechter2014]
Passwordscanbedifficulttoenterwithouterror(typo)[Keithetal.2007,2009] [Shayetal.2012]
Suggestionsforerror-correctingpassphrases[Bard2007][Jakobsson,Akavipat 2012][Shayetal.2012]
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
Backtoourbigpicturetom,password1
Loginserver
Peopleoftenenterwrongpassword:- Typos- Memoryerrors
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
password1 Password1 PASSWORD1
Typo-tolerantpasswordchecking:Allowregisteredpasswordorsometyposofit
(1)Firststudyoftypo-tolerance&simpleconstructionstocorrectpopularerrors [Oakland2016]
(2)Newconstructionstocorrectmoreerrorssecurely,showthatsimpleapproachesaresofarthebest[Crypto2017]
(3)Personalizedtypo-tolerance:havecheckingsystemlearnovertimetyposspecificusermakes[CCS2017]
Capslock11%
Flipfirstlettercase4.5% Add
characteratend4.6%
Other78.8%
%OFTYPOS
100,000+passwordstypedby4,300workers
MechanicalTurktranscriptionstudy
Top3accountfor20%oftypos
Typo-tolerantpasswordchecking
Password1
password1
pASSWORD1
Flipfirstletter
Flipallletters
Canviewasanerror-correctionproblem
Ball issetofallpointswechecknearasubmittedstring(includingit)
Successoccursiftruepasswordisintheballofsubmittedpasssword
Password
Password12
Password13
Balanceutilityimprovementversusperformance&security
DroplastcharEasytodefineballsbygenericcorrectorfunctions
Ballsize(b) %corrected
3 20%
64 50%
Relaxedcheckingviabrute-forcesearchtom,Password1
Computeballforeachpassword,checkeachhash
GK(salt1,Password1)GK(salt1,pASSWORD1)GK(salt1,password1)
WorkswithexistingpasswordhardeningschemesNochangeinwhatisstoredBallsizeb=4gives20%oftyposacrossallusers
Cansetballtoberesultofapplyingcorrectorfunctionsforpopulartypos
TofinishchecksintimeT,mustsetTime(GK)=T/bApplycapslockcorrectorApplyfirstcaseflipcorrector
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
InstrumentedproductionloginofDropboxtoquantifytyposNOTE:Wedidnotadmitloginusingtypo’d passwords
24hourperiod:
• 3%ofallusers failedtologinduetooneoftop3typos
• 20% ofuserswhomadeatypowouldhavesavedatleast1minuteinloggingintoDropboxiftop3typosarecorrected.
Allowingtyposinpasswordwilladdseveralperson-monthsoflogintimeeveryday.
ImpactofTop3typosinrealworld
Typo-tolerancewouldsignificantlyimproveusabilityofpassword-basedlogin
Canitbesecure?
Threat#1:Servercompromise
Ifbissmall,thencanuseexistingGKNochangeinsecurityaftercompromise
NochangetopasswordDB
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
Threat#2:Remoteguessingattackstom,password
GK(salt1,password)GK(salt1,PASSWORD)GK(salt1,Password)GK(salt1,passwor)
ApplycapslockcorrectorApplyfirstcaseflipcorrectorApplyextracharcorrector
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
Threat#2:Remoteguessingattackstom,password
GK(salt1,iloveyou)GK(salt1,ILOVEYOU)GK(salt1,Iloveyou)GK(salt1,iloveyo)
ApplycapslockcorrectorApplyfirstcaseflipcorrectorApplyextracharcorrector
tom,iloveyou
Serverlocksaccountafterqfailedattempts(e.g.,q=10)
…
Upto4passwordscheckedatcostof1query=>
Attacksuccessincreasesby4x
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
Threat#2:Remoteguessingattackstom,password
tom,iloveyou
Serverlocksaccountafterqfailedattempts(e.g.,q=10)
…
Adversarycangetimprovementsonlyifmanypopularpasswordstypotothesamestring
Eachguessincreasessuccessprobabilitybysumofmassesofpasswordsinball:
password
Password
PASSWORD
passwor
P(password)+P(Password)+P(passwor)+P(PASSWORD)
Won’tbe4xincreasesinceP(passwor)<<P(password)
tom salt1 ,GK(salt1 ,password1)
alice salt2 ,GK(salt2 ,123456)
bob salt3 ,GK(salt3 ,p@ssword!)
Attacksimulationusingpasswordleaks
30
Adversaryknows:Distributionofpasswords,andthesetofcorrectors
2.75
0.79
2.94
0.96
0
1
2
3
4
phpbb myspace
Successp
robability(%
) ExactcheckingTypo-tolerantchecking
ExactcheckingQuerymostprobableqpasswords
Typo-tolerantcheckingQueryqpasswordsthatmaximizessuccessNP-completeproblem.Computeusinggreedyapproximation
Top3correctors,q=10
PASSWORDPassword
Don’t check a correction if the resulting password is too popular.
pASSWORD pASSWOR
pASSWORD
Security-sensitivetypotolerance
Checkersw/heuristicfiltering
32
Usepasswordleakrockyou toestimatepassworddistributionFilterouttypostoensureaggregateballweightnottoolarge
2.75
0.79
2.94
0.96
2.77
0.81
0
0.5
1
1.5
2
2.5
3
3.5
phpbb myspace
Successp
robability(%
)
Exactchecking
Typo-tolerantchecking
Typo-tolerantcheckingw/filtering
Top3correctors,q=10
Typo-tolerancecanenhanceuserexperiencewithoutdegradingsecurity inpractice
Relaxedchecking(brute-forceballsearch):• Workswithexistingpasswordhardeningschemes• Nochangeinwhatisstored• Ballsizeb=4gives20%oftyposacrossallusers
Outstandingquestions:• Canweincrease%oftyposcorrectable?• Whataboutuserswithraretypos?
NewApproach1:Popularity-proportionalhashingWecanincreaseballsizeforrelaxedcheckingbutwillhavetodecreaseruntimeofGKDecreasingruntimeby10=>10xspeedupinofflineattacks
Password1
password1
pASSWORD1
Password
Password12
Password13
Popularityproportionalhashing:Hashtimeinverselyproportionaltostrengthofpassword
P(pw)high=>hashtimelongerP(pw)low=>hashtimefaster
Ballsize(b) %corrected
3 20%
64 50%
~200*|pw| 79%
Aggregatetimetocheckallpointsinaballislowerifsomelow-entropypasswordsinball
Anotherpossibleapproach:usesecuresketches [Dodis,Smith2005]Pairofalgorithms(SS,Rec):
s<- SS(pw)
pw’’<- Rec(pw’,s)
Pr[pw’’=pw]>1- 𝛿ifpw’inballofpw
Password1
password1
pASSWORD1
Password
Password12
Password13
Ballsize(b) %corrected
3 20%
64 50%
~200*|pw| 79%
StoreswithGK(pw)
NewApproach2:Secure-sketch-basedchecking
Tochecksubmissionpw’:IfGK(pw’)=GK(pw)thenallowloginpw’’<- Rec(pw’,s)IfGK(pw’’)=GK(pw)thenallowlogin
Allowederror(e.g.,𝛿 =5%)
Buildingsuitablesecuresketches
Distribution-sensitivesecuresketchescanprovidebettersecurity• Sketchalgorithmsdesignedforparticulardistribution• Securityonlymustholdforthatdistribution
[Fuller,Rezyin,Smith2016]giveconstructionusing“layering”
Weprovideimprovedversionoftheirconstruction,layer-hidinghash
Bestknownsecurity,efficiencytrade-off
Traditionalsecuresketches(e.g.,[Dodis,Smith2005])notsecureenough(leaktoomuchaboutpassword)
Fortypicalpassworddistributions,relaxedcheckingisbetterthanPPH
Comparingtheapproaches
Relaxedchecking
Popularity-proportionalhashing
Secure-sketchchecking
Fixerrorscorrected&runtimeofchecking.Whichoffersbestsecurity?
Lower-boundsecurityofsecure-sketchapproachbyPPH
PPHalwaysbettertrade-offthanbest-knownsecure-sketch(layer-hidinghash)
Relaxedcheckingremainsbestknownapproach
Outstandingquestions:• Canweincrease%oftyposcorrectable?• Whataboutuserswithraretypos?
Conjecture:Relaxedcheckingisbestpossibleapproachinthissetting
tom salt1 ,GK(salt1 ,password1)
Typocache:
Waitlist:
Personalizedtypo-tolerantcheckingAnotherapproach:learntyposindividualusermakesovertime
tom,Password1
CheckGK(salt1 ,Password1),seethatitiswrongAddtoawaitlistofrecentincorrectsubmissions
Whenusercorrectlylogsin:• Checkwaitlist,applytypopolicy(e.g.,editdistance1oftruepassword)• Addvalidtyposfromwaitlistintocacheandclearwaitlist
CheckGK(salt1 ,Password1)andGK(salt2 ,Password1),allowloginifeithermatch
tom,ihatetypos
tom,password1
tom,Password1 Password1 ihatetypos
salt2 ,GK(salt2 ,Password1)
Personalizedtypo-tolerantcheckingAnotherapproach:learntyposindividualusermakesovertime
tom,Password1
tom salt1 ,GK(salt1 ,password1)
Typocache
Waitlist:
Obviouslycan’tstorewaitlistinclear,securityproblemEncryptwaitlistusingpublickeyencryption• Encryptsecretkeyatregistrationtimeusingpassword1• Encryptsecretkeyundereachtypoaddedtotypocache
tom,ihatetypos
tom,password1
tom,Password1
pk ,Epassword1(sk),EPassword1(sk)
salt2 ,GK(salt2 ,Password1)
ihatetyposPassword1Epk(Password1) Epk(ihatetypos)
Lotsmoredetailsofdesign:Randomizingorderoftypocache,cacheevictionpolicies,etc.
Personalizedtypo-tolerantcheckingAnotherapproach:learntyposindividualusermakesovertime
tom,Password1
tom salt1 ,GK(salt1 ,password1)
Typocache
Waitlist:
Security: weprovethatforrealisticpassword/typodistributions,anattackerthatcompromisessystemcannotdobetterthanclassicbrute-forceattackagainstGK(salt1 ,password1)
tom,ihatetypos
tom,password1
tom,Password1
salt2 ,GK(salt2 ,Password1)
Epk(Password1) Epk(ihatetypos)
Nosecuritylossbyaddingtypocache
pk ,Epassword1(sk),EPassword1(sk)
• Mechanicalturk studiesshowedpersonalizationcanbebeneficial– 45%ofuserswouldbenefit
• WebuiltaprototypecalledTypTop.–MacOSXandLinuxpasswordchecking– Pilotdeploymentwith~25users– SomeusersgethugebenefitfromTypTop
• Availableathttps://typtop.info
TypTop:prototypeadaptivechecker
Today’stalk
Pythia:movingbeyond“hash&hope”Hardenhasheswithoff-systemsecretkeyusingpartiallyobliviouspseudorandomfunctionprotocol
[Everspaugh,Chatterjee,Scott,Juels,R.– USENIXSecurity2015]
Typo-tolerantpasswordcheckingIn-depthstudyoftyposinuser-chosenpasswordsShowhowtoallowtyposwithoutharmingsecurity
[Chatterjee,Athayle,Akawhe,Juels,R.– Oakland2016][Woodage,Chatterjee,Dodis,Juels,R.– Crypto2017]
[Chatterjee,Woodage, Pnueli,Chowdhury,R.– CCS2017]