How to Design a Blacklist (for a Password Meter) L. Jacquin A. - - PowerPoint PPT Presentation

▶

Mar 30, 2023 157 likes •320 views

How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux December 4, 2014 Blacklist in practice The backbone of security ! Traffic analysis : Firewall : iptables , netfilter IDS : l7-filter

SLIDE 1

How to Design a Blacklist (for a Password Meter)

L. Jacquin – A. Kumar – C. Lauradoux

December 4, 2014

SLIDE 2

Blacklist in practice ◮ The backbone of security ! ◮ Traffic analysis:

⊲ Firewall: iptables, netfilter ⊲ IDS: l7-filter ⊲ DPI: OpenDPI,nDPI

◮ Malware signatures:

⊲ anti-viruses: ClamAV, SplitScreen ⊲ anti-phishing: Google Safe Browsing

◮ and password meters !

SLIDE 3

Application to password meters ◮ Password meter: tool to prevent users to choose weak (or strong) passwords. ◮ Examples:

LUDS: Lower, Upper, Digit, Symbol
cracklib, apg and apgbfm (Linux)
Keepass

◮ de Carn´ e de Carnavalet and Mannan [NDSS 2014] report the use of password blacklist by at least:

Google
Apple

SLIDE 4

Are password meters useful ? ◮ Can you trust a password meter ?

Yes if it fails
No otherwise

The NIST Test Suite for Pseudorandom Generator suffers the same flaw. Only failure is trustworthy. ◮ Does it give an advantage to a cracker ? Can I speedup the cracking by including the meter? ◮ Difficulty to exploit a meter during cracking ?

SLIDE 5

Exploit a meter during cracking

Dict. Rules Dict. Rules Meter Dict. Rules Meter Hash Hash Hash Eng. Eng. Eng.

SLIDE 6

Implementation of a blacklist ◮ Data to store the data ?

Raw list
hash table
Bloom filter
Count-min sketch

◮ Which data ?

Leaked passwords
Personal data

◮ Result expected ?

SLIDE 7

Blacklist Data Structures

An algorithmic problem

◮ Exact/approximate answer: the value returned by the blacklist is correct with probability ǫ.

ǫ = 1 exact answer
ǫ < 1 approximate answer

◮ Exact/approximate query: the goal is to emulate mangling as it is done in crack engines. passwZrd is close to password.

SLIDE 8

Approximate query Blacklist ◮ Definition. Let B be a blacklist and s ∈ B. We want to have s′ / ∈ B, d(s, s′) ≤ δ such that: query(s′, B) = true, with d(·, ·) a distance and δ a given threshold. If d(s, s′) > δ, query(s′, B) = false. ◮ Implementations:

transformation on the password
special hash functions: h(s) = h(s′),
approximate pattern matching.

SLIDE 9

Approximate answer Blacklist ◮ Different types of errors:

false-positive, s′ /

∈ B but query(s′, B) = true

true-negative, s′ ∈ B but query(s′, B) = false

False-positives are acceptable but not true-negatives ◮ Example: Bloom filter

s′ ∈ B, Pr(query(s′, B) = false) = 0
s′ /

∈ B, Pr(query(s′, B) = true) = ǫ and ǫ ≈

1 − e

−kn m

k

SLIDE 10

Bloom filter

Bloomcrastination

◮ Vector of bit z of size m set to 0:

k hash functions: hi : {0, 1}∗ → [0, m − 1]
Insert(x): set bits at hi(x) of

z.

Query(y): Check #set bits at hi(y).

0 0 1 1 0 1 1 0 1 0 x1 x2 x3 y2 = x1 y1 y3

SLIDE 11

Approximate answer Blacklist

Advantages (ǫ = 2−16)

Dictionary # entries Size (Mb) Bloom (Mb) Conficker 182 1.4K 252 JtR 3107 22K 4.2K phpbb 184.389 1.6M 256K C&A 306.706 3.1M 415K RockYou 14.344.391 134M 19M ◮ apgbfm is based on Bloom filter. ◮ Good compression but supports exact query only!

SLIDE 12

APM vs apgbfm

Mamber and Wu

◮ Raw data can be used with approximate pattern matching (APM):

agrep
tre-agrep

Raw Data + APM apgbfm password weak weak passwZrd weak strong ◮ Exact query solutions are space-efficient but limited.

SLIDE 13

Approximate query/Approximate answer

Mamber and Wu

Dictionary Size # entries Mangling Conficker 1.4K 489 2.6 JtR 22K 7602 2.4 phpbb 1.6M 545.643 2.9 C&A 3.1M 1.091.563 3.5 RockYou 134M 48.493.095 3.8 ◮ Mangling + Bloom is inefficient.

SLIDE 14

Approximate query/Approximate answer

Locality-sensitive hashing

◮ Definition:

d(s, s′) < δ then Pr(h(s) = h(s′)) = c1
d(s, s′) ≥ δ then Pr(h(s) = h(s′)) = c2

◮ Example: tabulation hashing h(s) = H1(s1) ⊕ H2(s2) ⊕ · · · ⊕ Hℓ(sℓ) ◮ Famous application: Minhash, Simhash (Google) ◮ Better coverage of mangling. ◮ Difficulty to control false-positive rate.

SLIDE 15

Conclusion ◮ We are not trying to solve the password problem! This war is lost unless you take 15-character password randomly generated. ◮ Our goal is to find how to implement efficiently

blacklist. The only literature available is related to

How to Design a Blacklist (for a Password Meter)

December 4, 2014

Blacklist in practice ◮ The backbone of security ! ◮ Traffic analysis:

⊲ Firewall: iptables, netfilter ⊲ IDS: l7-filter ⊲ DPI: OpenDPI,nDPI

◮ Malware signatures:

⊲ anti-viruses: ClamAV, SplitScreen ⊲ anti-phishing: Google Safe Browsing

◮ and password meters !

Application to password meters ◮ Password meter: tool to prevent users to choose weak (or strong) passwords. ◮ Examples:

◮ de Carn´ e de Carnavalet and Mannan [NDSS 2014] report the use of password blacklist by at least:

Are password meters useful ? ◮ Can you trust a password meter ?

The NIST Test Suite for Pseudorandom Generator suffers the same flaw. Only failure is trustworthy. ◮ Does it give an advantage to a cracker ? Can I speedup the cracking by including the meter? ◮ Difficulty to exploit a meter during cracking ?

Exploit a meter during cracking

Dict. Rules Dict. Rules Meter Dict. Rules Meter Hash Hash Hash Eng. Eng. Eng.

Implementation of a blacklist ◮ Data to store the data ?

◮ Which data ?

◮ Result expected ?

Blacklist Data Structures

◮ Exact/approximate answer: the value returned by the blacklist is correct with probability ǫ.

◮ Exact/approximate query: the goal is to emulate mangling as it is done in crack engines. passwZrd is close to password.

Approximate query Blacklist ◮ Definition. Let B be a blacklist and s ∈ B. We want to have s′ / ∈ B, d(s, s′) ≤ δ such that: query(s′, B) = true, with d(·, ·) a distance and δ a given threshold. If d(s, s′) > δ, query(s′, B) = false. ◮ Implementations:

Approximate answer Blacklist ◮ Different types of errors:

∈ B but query(s′, B) = true

False-positives are acceptable but not true-negatives ◮ Example: Bloom filter

∈ B, Pr(query(s′, B) = true) = ǫ and ǫ ≈

k

Bloom filter

◮ Vector of bit z of size m set to 0:

z.

0 0 1 1 0 1 1 0 1 0 x1 x2 x3 y2 = x1 y1 y3

Approximate answer Blacklist

Dictionary # entries Size (Mb) Bloom (Mb) Conficker 182 1.4K 252 JtR 3107 22K 4.2K phpbb 184.389 1.6M 256K C&A 306.706 3.1M 415K RockYou 14.344.391 134M 19M ◮ apgbfm is based on Bloom filter. ◮ Good compression but supports exact query only!

APM vs apgbfm

◮ Raw data can be used with approximate pattern matching (APM):

Raw Data + APM apgbfm password weak weak passwZrd weak strong ◮ Exact query solutions are space-efficient but limited.

Approximate query/Approximate answer

Dictionary Size # entries Mangling Conficker 1.4K 489 2.6 JtR 22K 7602 2.4 phpbb 1.6M 545.643 2.9 C&A 3.1M 1.091.563 3.5 RockYou 134M 48.493.095 3.8 ◮ Mangling + Bloom is inefficient.

Approximate query/Approximate answer

◮ Definition:

◮ Example: tabulation hashing h(s) = H1(s1) ⊕ H2(s2) ⊕ · · · ⊕ Hℓ(sℓ) ◮ Famous application: Minhash, Simhash (Google) ◮ Better coverage of mangling. ◮ Difficulty to control false-positive rate.

Conclusion ◮ We are not trying to solve the password problem! This war is lost unless you take 15-character password randomly generated. ◮ Our goal is to find how to implement efficiently

password meter. ◮ It is not easy to use memory efficient solutions. Ongoing need to find good locality-sensitive hash functions for password.