securing passwords against dictionary attacks presented by chad frommeyer
TRANSCRIPT
Securing Passwords Against Dictionary Attacks
Presented By
Chad Frommeyer
Introduction
• Abstract/Introduction
• Reverse Turing Test (RTT)
• User Authentication Protocols
• Security Analysis
• Authentication Method Requirements
• Other Authentication Approaches
• Conclusion
Abstract/Introduction
• Passwords are the most widely used authentication method
• More secure methods are cumbersome to use• User chosen passwords are often weak and
easy to guess with a dictionary• User requires the authentication to be easy to
use• Goal is to build authentication that is still easy to
use but hard for the computer to guess
Abstract/Introduction
• Dictionary Attack– Attempting to authenticate by guessing all possible passwords
• Offline Attack – attacking passwords when they are in transit– Offline attacks are prevented by securing
communications and protecting password files
Abstract/Introduction
• For this discussion we assume that communications are properly secured and password files are protected
• Online Attack – Attack that requires interacting with the login server
Introduction – Common Countermeasures
• Delayed Response – delaying the authentication response
• Account Locking – Locking the account with too many negative responses
Introduction – Countermeasure Weaknesses
• Global Password Attacks – Simultaneous attempts to multiple accounts
• Risks (from account locking)– Denial of Service– Customer Service Costs
Introduction – Pricing via Processing
• Add minimal processing time to each request results in a large impact to dictionary attacks but negligible impact to the individual
• A drawback to this approach is that it can require a special user client or mobile code
• The suggested approach– Add processing without changing the interaction– Make the processing hard for machines to automate
Reverse Turing Test (RTT)
• Requirements of RTT– Automated Generation– Easy for Humans– Hard for Machines– Small probability of guessing the answer
correctly
• RTTs can be solved by either utilizing a human during the attack, or some type of OCR or Audio analysis
Reverse Turing Test (RTT)
• Most well known RTT– Distorted text image– Production usage is typically during a
registration process
• Accessibility Issues– Utilize both Image and Audio based
User Authentication Protocols
• Combining an existing system with an RTT– Requires passing and RTT for every
authentication attempt– Usability – This is different than most users
are accustomed, and would likely cause issues
– Scalability -- RTT generation on a large scale is not a proven concept
User Authentication Protocols
• Answers to the usability and scalability issues– Require RTT only a fraction of the time
• Problem: Attacks would skip the attempts when an RTT was required
– Require RTT only after first failure• Problem: When global password attacks are used,
this doesn’t help
User Authentication Protocols
• Papers Observations– Users typically use a limited number of
computers– Requiring RTTs for only a fraction of the time
can be helpful for an appropriate implementation
• The protocol suggested by this paper assumes the ability to identify client computers. The following implementation uses web browser cookies.
User Authentication Protocols
• The usability problems are solved because the RTTs are only required in a very small number of cases
• Scalability problems are solved because of this same reason and because the RTTs are generated by a deterministic function based on the username and password and a probability 1/p– All expected RTTs could be cached
Security Analysis
• Implementation Requirements– One of the following feedbacks are returned
when a username/password pair doesn’t match
• The username/password is invalid• Please answer the following RTT
– The response must be a deterministic function based on the username/password
– Response delays should be the same for a success and failed attempt
Security Analysis
• The nature of the response as well as the response time will often key an attacker to more information about the system/passwords being attacked
• If the requirements are met, the proposed system will respond with RTTs on correct guesses as well as a subset of incorrect guesses
Security Analysis
• Goal: Make the cost of attacking the system more than the benefit of a successful attack– Some systems are so beneficial to attack that
attackers will utilize humans to solve the RTTs encountered during an attack
– The probability p must be adjusted to raise the cost of the attack
Security Analysis
• What if an RTT can be broken?• The assumption should be that they can• In this case the system should dynamically
adjust the probabilities• This means that the system must be able to
identify a successful attack– When unsuccessful attempts with solved RTTs go up,
this is a clear indication of an attack
• Alternative RTT solutions should be available
Security Analysis
• Cookie Theft– Cookies can be stolen off of one machine,
and set on another– Keep a count on the server per cookie of the
number of failed attempts– With a high number of failures (say 100) the
server will ignore the cookie, and act as if no cookie was sent
Security Analysis
• Account Locking Measures– Since we can determine when an attack is
happening, we can use account locking measures as long as the number of attempts failed check is higher than typical
– The accounts failed threshold should dynamically lower when an attack is happening, at least until a new RTT is implemented
Authentication Method Requirements
• Requirement: Availability– Users shouldn’t be expected to have special
software Installed
• Requirement: Robust and Reliable– Requests should always receive response
• Requirement: Friendliness– The interface should be friendly and usable
Authentication Method Requirements
• Requirement: Low cost to implement and operate
• Take strong consideration to the effect of a successful attack and what impact it has on business and customers
• Risk is an important factor in choosing a authentication method
Other Authentication Approaches
• Most other and potentially more secure authentication approaches do not satisfy the previous stated requirements– One time passwords (tokens)– Client certificates/keys– Biometrics– Graphical Passwords
Conclusion
• With a scalable, low cost and usable solution similar to standard user/password authentication methods, the authors believe that their proposed solution is the answer to secure authentication
• Why aren’t solutions that are implemented today using similar ideologies?
• Questions?