making password checking systems better
play

Making Password Checking Systems Better Tom Ristenpart Covering - PowerPoint PPT Presentation

Dec 19, 2023 •128 likes •559 views

Making Password Checking Systems Better Tom Ristenpart Covering joint work with: Anish Athayle, Devdatta Akawhe, Joseph Bonneau, Rahul Chatterjee, Anusha Chowdhury, Yevgeniy Dodis, Adam Everspaugh, Ari Juels, Yuval Pnueli, Sam Scott, Joanne

  1. Making Password Checking Systems Better Tom Ristenpart Covering joint work with: Anish Athayle, Devdatta Akawhe, Joseph Bonneau, Rahul Chatterjee, Anusha Chowdhury, Yevgeniy Dodis, Adam Everspaugh, Ari Juels, Yuval Pnueli, Sam Scott, Joanne Woodage

  2. Password checking systems tom password1 tom, password1 alice 123456 bob p@ssword! Login server (plus hundreds of millions more) Allow login if: Password matches Attack detection mechanisms don’t flag request Sometimes: second factor succeeds

  3. Problems w/ password checking systems tom password1 tom, password1 alice 123456 bob p@ssword! Login server People often enter wrong password: Passwords databases must be protected: - Typos - Server compromise - Memory errors - Exfiltration attacks (e.g., SQL injection) Widespread practice: - Apply hashing w/ salts - Hope slows down attacks enough

  4. Today’s talk Pythia : moving beyond “hash & hope” Harden hashes with off-system secret key using partially oblivious pseudorandom function protocol [Everspaugh, Chatterjee, Scott, Juels, R. – USENIX Security 2015] Typo-tolerant password checking In-depth study of typos in user-chosen passwords Show how to allow typos without harming security [Chatterjee, Athayle, Akawhe, Juels, R. – Oakland 2016] [Woodage, Chatterjee, Dodis, Juels, R. – Crypto 2017] [Chatterjee, Woodage, Pnueli, Chowdhury, R. – CCS 2017]

  5. Password checking systems tom tom password1 salt 1 , H c (password1,salt 1 ) tom, password1 alice alice 123456 salt 2 , H c (123456,salt 2 ) bob bob p@ssword! salt 3 , H c (p@ssword!,salt 3 ) Login server Websites should never store passwords directly, they should be (at least) hashed with a salt (also stored) Cryptographic hash function H c times (H = SHA-256, SHA-512, etc.) Common choice is c = 10,000 … H H H pw||salt Better: scrypt, argon2 UNIX password hashing scheme, PKCS #5 Formal analyses: [Wagner, Goldberg 2000] [Bellare, R., Tessaro 2012]

  6. AshleyMadison hack: 36 million user hashes Salts + Passwords hashed using bcrypt with c = 2 12 = 4096 4,007 cracked directly with trivial approach 290729 123456 79076 12345 Password List of possible passwords in 76789 123456789 order of their likelihood cracker 59462 password Recompute hash and check 49952 iloveyou 33291 princess … Examples: Hashcat, Johntheripper, academic projects

  7. AshleyMadison hack: 36 million user hashes Salts + Passwords hashed using bcrypt with c = 2 12 = 4096 4,007 cracked directly with trivial approach CynoSure analysis: 11 million hashes cracked >630,000 people used usernames as passwords MD5 hashes left lying around accidentally http://cynosureprime.blogspot.com/2015/09/csp-our-take-on-cracked-am-passwords.html

  8. Password database compromises … year % recovered format # stolen 2012 100% plaintext (!) 32.6 million 2012 90% Unsalted SHA-1 117 million 2013 ?? ECB encryption 36 million 2014 ?? bcrypt + ?? ~500 million Salted bcrypt 2015 36 million 33% + MD5 …

  9. (1) Password protections often implemented incorrectly in practice (2) Even in best case, hashing slows down but does not prevent offline brute-force cracking

  10. Facebook password onion $cur = ‘password’ $cur = md5($cur) $salt = randbytes(20) $cur = hmac_sha1($cur, $salt) $cur = remote_hmac_sha256($cur, $secret) $cur = scrypt($cur, $salt) $cur = hmac_sha256($cur, $salt)

  11. Strengthening password hash storage tom, password1 h K f = HMAC(K, h) Back-end crypto h = H c (password1|| salt) service Store salt, f HMAC is pseudorandom function (PRF). f’ = H c (123456 || salt) f = f’? f’ = HMAC(K, h’) K Back-end H c (1234567 || salt) Must still perform online crypto service brute-force attack H c (12345 || salt) Exfiltration doesn’t help …

  12. Strengthening password hash storage tom, password1 h K f = HMAC(K, h) Back-end crypto h = H c (password1|| salt) service Store salt, f Critical limitation: can’t rotate K to a new secret K’ • Idea 1: Version database and update as users log in § But doesn’t update old hashes • Idea 2: Invalidate old hashes § But requires password reset • Idea 3: Use secret-key encryption instead of PRF § But requires sending keys to web server (or high bandwidth)

  13. The Pythia PRF Service Blinding means service learns nothing about passwords tom, password1 user id, blinded h K Blinded PRF output f Back-end crypto h = H c (password1|| salt) service Blind h, pick user ID User ID reveals fine-grained query Unblind PRF output f patterns to service. Store user ID, salt, f Compromise detection & rate limiting Cryptographically erases f: Useless to attacker in the future Combine token and f K to generate f’ = F(K’,h) Token(K->K’) Back-end crypto Server learns nothing K’ service about K or K’

  14. New crypto: partially-oblivious PRF Groups G 1 , G 2 , G T w/ bilinear pairing e : G 1 x G 2 -> G T e(a x ,b y ) = c xy K tom, password1 user id, h r y t = H(user id) y = e(t K ,h r ) h = H c (password1|| salt) Choose random r f = y 1/r Store user ID, salt, f f = e(t K ,h r ) 1/r = e(t,h) Kr*1/r = e(t,h) K • Pairing cryptographically binds user id with password hash • Can add verifiability (proof that PRF properly applied) • Key rotation straightforward: Token(K -> K’) = K ’ / K • Interesting formal security analysis (see paper)

  15. The Pythia PRF Service Queries are fast despite pairings • PRF query: 11.8 ms (LAN) 96 ms (WAN) Parallelizable password onions • H c and PRF query made in parallel (hides latency) Multi-tenant (theoretically: scales to 100 million login servers) Easy to deploy • Open-source reference implementation at http://pages.cs.wisc.edu/~ace/pythia.html • At least one startup deploying it commercially https://virgilsecurity.com/pythia/

  16. Today’s talk Pythia : moving beyond “hash & hope” Harden hashes with off-system secret key using partially oblivious pseudorandom function protocol [Everspaugh, Chatterjee, Scott, Juels, R. – USENIX Security 2015] Typo-tolerant password checking In-depth study of typos in user-chosen passwords Show how to allow typos without harming security [Chatterjee, Athayle, Akawhe, Juels, R. – Oakland 2016] [Woodage, Chatterjee, Dodis, Juels, R. – Crypto 2017] [Chatterjee, Woodage, Pnueli, Chowdhury, R. – CCS 2017]

  17. Back to our big picture tom tom salt 1 , G K (salt 1 , password1) password1 tom, password1 alice alice salt 2 , G K (salt 2 , 123456) 123456 bob bob salt 3 , G K (salt 3 , p@ssword!) p@ssword! Login server People often enter wrong password: Passwords databases must be protected: - Typos - Server compromise - Memory errors - Exfiltration attacks (e.g., SQL injection) Widespread practice: - Apply hashing w/ salts - Hope slows down attacks enough

  18. Back to our big picture tom salt 1 , G K (salt 1 , password1) tom, password1 alice salt 2 , G K (salt 2 , 123456) bob salt 3 , G K (salt 3 , p@ssword!) Login server People often enter wrong password: - Typos - Memory errors Users have hard time remembering (complex) passwords [Ur et al. 2012] [Shay et al. 2012] [Mazurek et al. 2013] [Shay et al. 2014] [Bonneau, Schechter 2014] Passwords can be difficult to enter without error (typo) [Keith et al. 2007, 2009] [Shay et al. 2012] Suggestions for error-correcting passphrases [Bard 2007] [Jakobsson, Akavipat 2012] [Shay et al. 2012]

  19. Back to our big picture tom salt 1 , G K (salt 1 , password1) tom, password1 alice salt 2 , G K (salt 2 , 123456) bob salt 3 , G K (salt 3 , p@ssword!) Login server People often enter wrong password: - Typos - Memory errors password1 Password1 PASSWORD1

  20. Typo-tolerant password checking: Allow registered password or some typos of it (1) First study of typo-tolerance & simple constructions to correct popular errors [Oakland 2016] (2) New constructions to correct more errors securely, show that simple approaches are so far the best [Crypto 2017] (3) Personalized typo-tolerance: have checking system learn over time typos specific user makes [CCS 2017]

  21. Mechanical Turk transcription study 100,000+ passwords typed by 4,300 workers Top 3 account % OF TYPOS for 20% of typos Flip first letter Capslock case 11% 4.5% Add character at end 4.6% Other 78.8%

  22. Typo-tolerant password checking Can view as an error-correction problem Ball is set of all points we check near a submitted string (including it) Success occurs if true password is in the ball of submitted passsword Password password1 Easy to define balls by generic Flip first letter corrector functions Drop last char Password1 Flip all letters Password13 Ball size (b) % corrected pASSWORD1 Password12 3 20% 64 50% Balance utility improvement versus performance & security

  23. Relaxed checking via brute-force search tom, Password1 tom salt 1 , G K (salt 1 , password1) alice salt 2 , G K (salt 2 , 123456) bob salt 3 , G K (salt 3 , p@ssword!) Compute ball for each password, check each hash To finish checks in time T, G K (salt 1 , Password1) must set Time(G K ) = T / b Apply caps lock corrector G K (salt 1 , pASSWORD1) Apply first case flip corrector G K (salt 1 , password1) Can set ball to be result of applying corrector functions for popular typos Works with existing password hardening schemes No change in what is stored Ball size b = 4 gives 20% of typos across all users

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Making Password Checking Systems Be7er Tom Ristenpart Covering

Making Password Checking Systems Be7er Tom Ristenpart Covering

Making Password Checking Systems Be7er Tom Ristenpart Covering joint work with: Anish Athayle, Devda<a Akawhe, Joseph Bonneau, Rahul Cha<erjee, Adam

414 views • 30 slides
Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides
Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by Nunzio Cicone and Hans-Peter Hllwirth Setting Password Attacks Passwords are a notoriously weak authentication mechanism One significant

422 views • 20 slides
The Making of a Secure Open Source Password Keeper from the electronics to the high-level

The Making of a Secure Open Source Password Keeper from the electronics to the high-level

The Making of a Secure Open Source Password Keeper from the electronics to the high-level software Mathieu Stephan Hello! I am Mathieu Stephan - Embedded systems engineer - Former writer for Hackaday - www.limpkin.fr - Mooltipass

913 views • 51 slides
3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

Fachgebiet RechnerSysteme Technische Universitt Verification Technology Darmstadt 3. Satisfiability Checking Computer Systems Lab 1 3. Satisfiability Checking 3 3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification

278 views • 11 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL Other interesting books: Model Checking by Clarke, Grumberg, and Peled Principles of Model Checking by Baier and Katoen 3 Course

636 views • 11 slides
Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr anek Masaryk University Czech Republic SFM 2013 1/150 Outline Introduction 1 LTL Model Checking 2 Parallel LTL Model Checking 3 Discrete

2.18k views • 199 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides
Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems Informationsteknologi System Description A No! Debugging Information TOOL TOOL Yes, Requirement F Prototypes C T L Executable Code Test sequences Tools:

637 views • 34 slides
Topic #27 Checking Nyquist Stability Reference textbook : Control Systems, Dhanesh N. Manik,

Topic #27 Checking Nyquist Stability Reference textbook : Control Systems, Dhanesh N. Manik,

ME 779 Control Systems Topic #27 Checking Nyquist Stability Reference textbook : Control Systems, Dhanesh N. Manik, Cengage Publishing, 2012 1 Control Systems: Checking Nyquist Stability Procedure (1) Locate open-loop poles on the s-plane

581 views • 25 slides
Checking Unwinding Conditions for Finite State Systems Deepak DSouza, Raghavendra K.R.

Checking Unwinding Conditions for Finite State Systems Deepak DSouza, Raghavendra K.R.

Checking Unwinding Conditions for Finite State Systems Deepak DSouza, Raghavendra K.R. Indian Institute of Science, Bangalore, India Checking Unwinding Conditions for Finite State Systems p.1/14 MAKS Framework of Heiko Events. V isible,

1.04k views • 56 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure Kukovec Thanh-Hai Tran VeriDis + Matryoushka seminar, Amsterdam, June 2019 Why TLA + ? Rich specification language TLA + is used in industry, e.g.,

699 views • 46 slides
Decision Making 1 Decision Making Skills Establishing a positive decision-making environment.

Decision Making 1 Decision Making Skills Establishing a positive decision-making environment.

Decision Making 1 Decision Making Skills Establishing a positive decision-making environment. Generating potential solutions. Evaluating the solutions. Deciding. How did you score? Checking the decision. Communicating and

938 views • 50 slides
Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model

Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model

Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model Checking Motivation Embedded Systems Omnipresent Safety relevant systems Pentium bug Ariane 5 Errors can be extremely harmful Correct

837 views • 67 slides
Mark.Polino@goFastpath.com www.amazon.com/Mark-Polino/e/B003VARZ72

Mark.Polino@goFastpath.com www.amazon.com/Mark-Polino/e/B003VARZ72

Mark.Polino@goFastpath.com www.amazon.com/Mark-Polino/e/B003VARZ72 http://willoware.com/free-software-registration/ Source: Willoware Category: ISV Solution Type: Installer Access: Form http://willoware.com/free-software-registration/

944 views • 67 slides
Outline Fine-Grain Register Allocation Based on a Global Spill Costs Analysis Graph coloring

Outline Fine-Grain Register Allocation Based on a Global Spill Costs Analysis Graph coloring

Outline Fine-Grain Register Allocation Based on a Global Spill Costs Analysis Graph coloring register allocation q Motivation example q 2003. 9. 25 (Thr.) Proposed register allocation algorithm q Allocation benefit model q Seoul National

431 views • 5 slides
On the Limiting Distribution of Eigenvalues of Large Random d -Regular Graphs with Weighted Edges

On the Limiting Distribution of Eigenvalues of Large Random d -Regular Graphs with Weighted Edges

Main Problem Combinatorial Objects of Study Main Results Summary. . . On the Limiting Distribution of Eigenvalues of Large Random d -Regular Graphs with Weighted Edges M. C. Khoury S. J. Miller Joint Mathematics Meetings 2012 (Boston, MA)

685 views • 24 slides
An Overview of Quantified Derandomization Roei Tell, Weizmann Institute of Science Complexity

An Overview of Quantified Derandomization Roei Tell, Weizmann Institute of Science Complexity

An Overview of Quantified Derandomization Roei Tell, Weizmann Institute of Science Complexity Theory @ Oxford, July 2018 Classical derandomization (CAPP) > the standard derandomization problem Given a circuit C C over n bits ,

978 views • 30 slides
worth the dig Passages worth the dig Can you type? Can you type without looking? Often ,I

worth the dig Passages worth the dig Can you type? Can you type without looking? Often ,I

Passages worth the dig Passages worth the dig Can you type? Can you type without looking? Often ,I ACCIDENTLY HIT CAPS LOCK WHEN I JUST MEAN SHIFT Often ,I ACCIDENTLY HIT CAPS LOCK WHEN I JUST MEAN SHIFT The ancient

790 views • 78 slides
N e o 2 T a s t a t u r l a y o u t C h r i s t o p h P r a t l ,

N e o 2 T a s t a t u r l a y o u t C h r i s t o p h P r a t l ,

h t t p : / / l u k a s - p r o k o p . a t / t a l k s / g l t 1 9 - n e o 2 / N e o 2 T a s t a t u r l a y o u t C h r i s t o p h P r a t l , L u k a s P r o k o

646 views • 43 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Safety Standards for Window Cleaning WAC 296-878-100 Scope Scope These rules apply to all

Safety Standards for Window Cleaning WAC 296-878-100 Scope Scope These rules apply to all

Safety Standards for Window Cleaning WAC 296-878-100 Scope Scope These rules apply to all window-cleaning activities performed on the inside or outside of a building in which the window cleaner is working from a level that is located more than

542 views • 40 slides

More recommend