Upload File

«slow down online guessing attack with device cookies», Антон Дедов (odin)

  • Home
  • Internet
  • «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)
23
Slow Down Online Guessing Attacks with Device Cookies Anton Dedov OWASP Russia Meetup #6, 2017

Upload: owasp-russia

Post on 22-Mar-2017

2.560 views

Category:

Internet


0 download

Report

TRANSCRIPT

Page 1: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

SlowDownOnlineGuessingAttackswithDeviceCookies

AntonDedovOWASPRussiaMeetup#6,2017

Page 2: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

AntonDedovSecurityArchitectOdin / IngramMicro

[email protected]@brutemorse

Page 3: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Intro:Onlineguessingattacks

Page 4: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

App

Page 5: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

App App

App

AppApp

App

App

App

App

Page 6: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

App

App

App

App

App

Page 7: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Attackergoals

PasswordforspecificaccountPasswordforanyaccountinasystemPasswordforanyaccountinanysystem

Page 8: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Threats forAuthentication

Online attacksOfflineattacksPasswordleaks

Page 9: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

App

user : password1

Onlineguessingattacks

user : password2user : password3

...

Page 10: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Authenticationattacks:Mitigations

M-FA/M-Step UX!Passwordpolicy Magic106

Ratelimiting ßßßßßßß

Authentication parameters e.g.time,location,etc.

Monitoring e.g.haveibeenpwned.com

Page 11: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

©CormacHerley etal.AnAdministrator’sGuidetoInternetPasswordResearch

Page 12: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Ratelimiting

CAPTCHAAccountlockoutExponential timeoutsProofof work

Page 13: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Accountlockout:simplemath

5 attempts⇒ 20min.lockout131400 attempts/year

Page 14: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Accountlockout

Lockaccount EffectiveEasyDoS

Lock (account,IP) Somewhat DoSmitigationBotnetsProxiesIPv6DoSasacollateraldamage

Page 15: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

DeviceCookieDistinguishknownclientsfromunknownones

Page 16: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)
Page 17: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)
Page 18: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

App

Lockoutallunknowndevicesatonce

Lockoutindividualuserperdevicecookie

user : password

user : passwordDevice Cookie

Page 19: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Set-Cookie:KnownDevice=

LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

Page 20: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Set-Cookie:KnownDevice=JWT

{"alg": "HS256","typ": "JWT”

} . {"aud": "device-cookie","sub": "[email protected]","jti": "40e2a97a2ab37406”

}

Page 21: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Threats&Mitigations

Threat MitigationOnlineattackagainstoneuser PasswordpolicyOnlineattackusingstolendevicecookies Limited,preventcookieleaks

Onlineattackagainstmultipleusers NotmitigatedSpoofdevicecookie CryptoTamperwithexistingdevicecookie CryptoDoSforspecificaccount OOBdevicecookieissueDoSforspecificaccountwhenclientisusedbydifferentaccounts

Devicecookiesperaccount

Page 22: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

Implementationrecommendations

Usegoodcrypto,likeHMAC-SHA2orsignedJWT.PreventcookieleakagewithSecure&HttpOnly flags.Issuecookieforvalidresetpasswordlink.Issuenewdevicecookieaftereachsuccessfullogin.IncludeuserIDintocookiename(privacyconcerns?).

Page 23: «Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)

References

OWASP:SlowDownOnlineGuessingAttackswithDeviceCookiesPasswordsCon,andspecifictalksfromPasswordsCon 14:• MarcHausetalkOnlinePasswordAttacks• AlecMuffettalkFacebookPasswordHashigh&Authentication

AnAdministrator’sGuidetoInternetPasswordResearch


GUESSING PICTURES

Лукьянов Антон

Антон П.Ч

Антон Шаяхов

Антон Лебедевич

Антон Павлович Чехов

антон поливчак,

Using Contextual Clues in Guessing Foreign Language ... · guessing the meaning of words from contextual clues or what is called the guessing from context strategy (GFC s). Guessing

Бірін Антон

антон турчанович,

антон презентация

Чупилко Антон

Голубятников Антон

Иванов Антон

Guessing Game

Антон Пронский

Guessing meaning

Антон Чехов

антон чехов

Антон Гуров

Антон Вершовский

SEOhide - Антон Иванов

Антон Тарасковский_Секреты BIOS

глазунов антон

5. антон шаяхов

os56.ruos56.ru/wp-content/uploads/2017/02/os-2018-18.pdf · №18 (1 192) 08.05.18 1 18 (1 192) 08.05.2018 ППамяти дедов амяти дедов рребята достойныебята

Антон Санченко, Електрокнига

NextPractice, Антон Павлов

Антон Старченков

Animal guessing

Антон Махно

Intelligent Guessing

Guessing Games

Антон Турецкий

Антон Зарубин