kamouflage
play

Kamouflage Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen - PowerPoint PPT Presentation

Jun 12, 2023 •133 likes •468 views

Kamouflage Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Stanford University 1 I am aware that what I am about to say is controversial 54 Millions of smartphone sold during the 1Q 2010 Browsers password managers Elie Bursztein,

  1. Kamouflage Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Stanford University 1

  2. I am aware that what I am about to say is controversial

  3. 54 Millions of smartphone sold during the 1Q 2010

  4. Browsers password managers Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  5. Browsers password managers Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  6. User Study on Password Usages 40 Age High-school 30 College 20 Graduate 10 PhD/MD 0 0 12.5 25 37.5 50 19-25 31-35 41-45 50+ 32% 68% 86 people Male Female Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  7. Do you allows your web browser to remember your password ? 31% 41% 28% yes some no Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  8. What is our Objective ? Users want to store their passwords Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  9. Threat Model • Prevents offline attacks • Forces the attacker to go online Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  10. Known approaches Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  11. Known approaches • Make the passwords inaccessible Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  12. Known approaches • Make the passwords inaccessible • Use a password generator Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  13. Known approaches • Make the passwords inaccessible • Use a password generator • Have a secure master password Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  14. Make passwords inaccessible • Almost impossible for a large number of passwords Passwords list change and grow overtime • Need some form of revocation • • Even system build around this idea have bugs (e.g xbox360) Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  15. Do you use a password generator ? 13% 45% 42% yes no don’t know what it is Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  16. Use strong passwords Does anyone still believe users do that ???? Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  17. The rockyou database 1 2 3 4 5 6 7 • 32 603 388 passwords 8 9 • Disclosed in 2010 10 11 12 13 14 15 16 0 2250000 4500000 6750000 9000000 Length Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  18. Most used passwords Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  19. Embracing the Truth All known approaches are not working so we can we do ? Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  20. THE PURLOINED LETTER by Edgar Allan Poe (1845)

  22. Here

  23. You can’t perform offline attacks if you don’t know if you are successful

  24. Proposed Architecture Password storage Meta data Password set 1 Password set 2 ... ... Password set n URL password 1 password 1 password 1 password 1 Forms password 2 password 2 password 2 password 2 Usrmames ... ... ... ... ... Password M Password M Password M Password M Data in clear Decoy data encrypted Real data encrypted Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  25. Dealing with Password Structure digit: word mixed digit + word word + digit wo + digit + rd digit + word + digit digit + wo + digit wo + digit + rd + digit digit +wo + digit +rd + digit word + word digit + word + word word + word + digit word + digit + word digit + word + word + digit digit + word + digit + word + digit digit + word + digit + word word + digit + word + digit Leet (1337) Nb Passwords non-alpha 0 1750000 3500000 5250000 7000000 Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  26. RockYou Top word Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  27. Do you reuse password between different web site ? 18% 82% Yes No Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  28. Do you use related password ? 33% 67% Yes No Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  29. Web Site Policy Web Site Password Requirement Google at least 8 characters Yahoo! at least 6 characters YouTube at least 8 characters Facebook at least 6 characters Windows Live at least 6 characters MSN at least 6 characters MySpace between 6 and 10 characters, at least 1 digit or punctuation Fidelity between 6 and 12 characters, digits only Bank of America between 8 and 20 characters, ≥ 1 digit and ≥ 1 letter, no $ < > & ^ ! [ ] Wells Fargo between 8 and 10 characters, ≥ 3 of: uppercase, digit, or special characters Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  30. How users will know that they have entered the correct password ? Provide a visual indicator: each set is associated with a visual icon. Correct False False Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  31. Evaluation 10 3 10 4 10 4 Collection size (number of decoy sets) Password set size (number of user passwords) 100 100 20 Database size on disk 2MB 20MB 4MB Measured performance (access and update time) < 1 sec 5 sec < 1 sec Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

  32. Conclusion • Hiding in plain sight is promising • It is also harder than one might expect Elie Bursztein, Hristo Bojinov, Dan Boneh, Xavier Boyen Kamouflage http://ly.tl/p17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

CSE 484 / CSE M 584 Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics / Reminders Class tomorrow at PCAR 290 Lab #2 due 5/20,5pm (next Wednesday) Next office hour: Michael and

574 views • 22 slides
Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay Old Cryptography Scytale (ancient Greece) Caesar Cipher 100 BC - 44 BC Cryptanalysis (simple frequency analysis) of Caesar cipher by

368 views • 13 slides
Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint work with Pratish Datta and Ratna Dutta Department of Mathematics Indian Institute of Technology Kharagpur Kharagpur-721302 India PKC 2016

340 views • 23 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

S TATISTICAL METRICS FOR INDIVIDUAL PASSWORD STRENGTH Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK April 12, 2012 Joseph Bonneau (University of Cambridge) Individual password strength

361 views • 21 slides
Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing

Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing

Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing &amp; Infrastructure - NDSU Systems Administrator - EduTech Dabbler in Enterprise Wireless Member Apache Software Foundation 2 Standard Disclaimer

436 views • 32 slides
Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University Sweden CryptoParty #9 presentation of 23rd January 2020 What is the problem? How can one solve it? What actually (not) to do? Making it (more)

346 views • 13 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Mitigating Password Database Breaches with Intel SGX Helena Brekalo Raoul Strackx Frank

Mitigating Password Database Breaches with Intel SGX Helena Brekalo Raoul Strackx Frank

Mitigating Password Database Breaches with Intel SGX Helena Brekalo Raoul Strackx Frank Piessens imec - Distrinet, KU Leuven December 12, 2016 Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 1

514 views • 36 slides
ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com marcin@bis-linux.com Edinburgh - 2013.10.25 1 / 31 About me Marcin Bis Entrepreneur Embedded Linux: system development, kernel

623 views • 31 slides
SQL Used by all major vendors of relational databases SQL has been standardized by ISO and

SQL Used by all major vendors of relational databases SQL has been standardized by ISO and

Structured Query Language Developed by IBM (system R) in the 1970s SQL Used by all major vendors of relational databases SQL has been standardized by ISO and ANSI Lecture 11 SQL has many components Based on slides by R.

218 views • 4 slides

Introduction slide 150 Data Definition slide 152

317 views • 5 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security Database Security Relational Databases constructed from tables of data each column holds a particular type of data each row contains a

935 views • 24 slides
SQL statemen ts b ecome pro cedure calls. 1 Shared V ariables A sp ecial place

SQL statemen ts b ecome pro cedure calls. 1 Shared V ariables A sp ecial place

Em b edded SQL Add to a con v en tional programming language (C in our examples) certain statemen ts that represen t SQL op erations. Eac h em b edded SQL statemen t in tro duced with SQL . EXEC

157 views • 13 slides
Relational Databases Week 7 INFM 603 Agenda Questions Relational database design

Relational Databases Week 7 INFM 603 Agenda Questions Relational database design

Relational Databases Week 7 INFM 603 Agenda Questions Relational database design Microsoft Access MySQL Scalability Muddiest Points When to put JavaScript in the HTML head Whats a Class? When to use an

715 views • 56 slides
SQL Structured Query Language 1 Best known and most commonly used relational database query

SQL Structured Query Language 1 Best known and most commonly used relational database query

SQL Structured Query Language 1 Best known and most commonly used relational database query and manipulation language. Used in many commercial database systems. 2 SQL includes several components including: Data definition

723 views • 53 slides
Part I Structured Data Data Representation: I.1 The entity-relationship (ER) data model I.2

Part I Structured Data Data Representation: I.1 The entity-relationship (ER) data model I.2

Inf1-DA 20102011 I: 92 / 117 Part I Structured Data Data Representation: I.1 The entity-relationship (ER) data model I.2 The relational model Data Manipulation: I.3 Relational algebra I.4 Tuple-relational calculus I.5 The SQL query

370 views • 26 slides
Databases and SQL Databases for data storage and access The Structured Query Language Aaron

Databases and SQL Databases for data storage and access The Structured Query Language Aaron

3/4/13 CS108 Lecture 18: Databases and SQL Databases for data storage and access The Structured Query Language Aaron Stevens 4 March 2013 Computer Science What Youll Learn Today Computer Science How does Facebook generate unique pages

421 views • 17 slides
Todays lecture Recap of yesterdays lecture Databases 2 Retrieving Using Queries

Todays lecture Recap of yesterdays lecture Databases 2 Retrieving Using Queries

Todays lecture Recap of yesterdays lecture Databases 2 Retrieving Using Queries to retrieve information from database information Using Reports to retrieve information from a database Lecture 15 COMPSCI111/111G S1

212 views • 9 slides
Welcome to CS50 section! This is Week 9. Final project official proposals: due next Friday at

Welcome to CS50 section! This is Week 9. Final project official proposals: due next Friday at

Welcome to CS50 section! This is Week 9. Final project official proposals: due next Friday at noon Add to your calendar: Final project status report: Due Monday, Nov 28 at noon (Halfway point; be at least done) The

314 views • 30 slides
SQL SQL = Structured Query Language has become a standard in relational systems. Virtually

SQL SQL = Structured Query Language has become a standard in relational systems. Virtually

SQL SQL = Structured Query Language has become a standard in relational systems. Virtually all relational DBMS s support SQL. They usually provide a superset of a subset, but the differences for large systems are typically in

472 views • 22 slides
Introd u ction to databases STR E AML IN E D DATA IN G E STION W ITH PAN DAS Aman y Mahfo uz

Introd u ction to databases STR E AML IN E D DATA IN G E STION W ITH PAN DAS Aman y Mahfo uz

Introd u ction to databases STR E AML IN E D DATA IN G E STION W ITH PAN DAS Aman y Mahfo uz Instr u ctor Relational Databases Data abo u t entities is organi z ed into tables Each ro w or record is an instance of an entit y Each col u mn has

718 views • 43 slides
iCAT Interactions in iRODS Wayne Schroeder DICE/INC University of California San Diego, CA,

iCAT Interactions in iRODS Wayne Schroeder DICE/INC University of California San Diego, CA,

iCAT Interactions in iRODS Wayne Schroeder DICE/INC University of California San Diego, CA, USA. Arcot (Raja) Rajasekar DICE Center/SILS/RENCI University of North Carolina Chapel Hill, NC, USA. Introduction Role of iCAT Internal

435 views • 25 slides

More recommend