mitigating password database breaches with intel sgx
play

Mitigating Password Database Breaches with Intel SGX Helena Brekalo - PowerPoint PPT Presentation

Oct 28, 2023 •145 likes •514 views

Mitigating Password Database Breaches with Intel SGX Helena Brekalo Raoul Strackx Frank Piessens imec - Distrinet, KU Leuven December 12, 2016 Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 1

  1. Mitigating Password Database Breaches with Intel SGX Helena Brekalo Raoul Strackx Frank Piessens imec - Distrinet, KU Leuven December 12, 2016 Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 1 / 18

  2. Introduction Outline Introduction 1 Problem Statement 2 3 Performance Evaluation Conclusion 4 Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 2 / 18

  3. Introduction Passwords: The ugly truth Passwords are everywhere and heavily depended upon Developers are not always careful . . . nor are users Passwords are often not the most sensitive data Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 3 / 18

  4. Introduction Passwords: The ugly truth Passwords are everywhere and heavily depended upon Only a password and “security questions” are required I’d like stronger protection for my money Developers are not always careful . . . nor are users Passwords are often not the most sensitive data Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 3 / 18

  5. Introduction Passwords: The ugly truth Passwords are everywhere and heavily depended upon Developers are not always careful Sells offensive intrusion and surveillance capabilities 400GB of lost data . . . nor are users Passwords are often not the most sensitive data Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 3 / 18

  6. Introduction Passwords: The ugly truth Passwords are everywhere and heavily depended upon Developers are not always careful . . . nor are users BAH: Consulting firm for Homeland Security, . . . MD5-hashes without a salt “123456” appeared 22x in the database Passwords are often not the most sensitive data Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 3 / 18

  7. Introduction Passwords: The ugly truth Passwords are everywhere and heavily depended upon Developers are not always careful . . . nor are users Passwords are often not the most sensitive data “Discretion matters” 30M entries Dates of birth, Names, Passwords, Sexual orientations, Website activity, . . . Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 3 / 18

  8. Problem Statement Outline Introduction 1 Problem Statement 2 3 Performance Evaluation Conclusion 4 Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 4 / 18

  9. Problem Statement Attacker Model Server-side protection Potential malicious cloud provider/compromised kernel Complete password data may be leaked Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 5 / 18

  10. Problem Statement Security Properties Offline attacks: Focus on stored passwords Computational infeasible to break passwords Online attacks: Enforce strong passwords Guess-limit attacker → Out of scope Other sensitive data: Out of scope Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 6 / 18

  11. Problem Statement Why is this so hard? PBKDF2: Reduce speed to “Weaken the hash passwords attacker, without Scrypt: Increase required memory putting strain on Separate HW: Keep (a part of) the password secret the defender” Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 7 / 18

  12. Problem Statement Setup The bad approach Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 8 / 18

  13. Problem Statement Setup The bad approach password stored = SHA1 ( password ) Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 8 / 18

  14. Problem Statement Setup The bad approach password stored = SHA1 ( password || salt ) Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 8 / 18

  15. Problem Statement Setup The bad approach Problem: Offline bruteforce attacks Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 8 / 18

  16. Problem Statement Iteration 1: Intel SGX to the rescue! Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 9 / 18

  17. Problem Statement Iteration 1: Intel SGX to the rescue! password stored = HMAC ( k , password || salt ) Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 9 / 18

  18. Problem Statement Iteration 1: Intel SGX to the rescue! password stored = HMAC ( k , password || salt ) k must never leave the enclave! Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 9 / 18

  19. Problem Statement Iteration 1: Intel SGX to the rescue! password stored = HMAC ( k , password || salt ) Scenario 1 : Attacker leaks PWD database � no bruteforce attacks against passwords as k is never leaked. � no hash-collisions for the same password Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 9 / 18

  20. Problem Statement Iteration 1: Intel SGX to the rescue! password stored = HMAC ( k , password || salt ) Scenario 2 : Attacker creates fake passwords then leaks PWD database � no bruteforce attacks against passwords as salt ensures different hashes for different users. Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 9 / 18

  21. Problem Statement Iteration 1: Intel SGX to the rescue! password stored = HMAC ( k , password || salt ) Problem: In the cloud the enclave will have to move to a different VM Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 9 / 18

  22. Problem Statement Iteration 2: Migratable Enclaves Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 10 / 18

  23. Problem Statement Iteration 2: Migratable Enclaves Option 1: Dedicated server to keep k + Easy - Single point of failure - Active defense mechanisms (e.g., guess limiting) need to communicate with the server 1 Strackx and Lambrigts. “Idea: State-Continuous Transfer of State in Protected-Module Architectures”. 2015. Engineering Secure Software and Systems Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 11 / 18

  24. Problem Statement Iteration 2: Migratable Enclaves Option 2: End-to-end transfer of state-continuous enclave state + No single point of failure - Both endpoints need to be active at the same time - Active defense mechanisms (e.g., guess limiting) pose a challenge 1 1 Strackx and Lambrigts. “Idea: State-Continuous Transfer of State in Protected-Module Architectures”. 2015. Engineering Secure Software and Systems Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 11 / 18

  25. Problem Statement Iteration 2: Migratable Enclaves Option 3: True P2P network of enclaves + No single point of failure + Flexible - Harder to implement - Active defense mechanisms (e.g., guess limiting) pose an (unsolved) challenge 1 Strackx and Lambrigts. “Idea: State-Continuous Transfer of State in Brekalo, Strackx , Piessens (KU Leuven) Protected-Module Architectures”. 2015. Engineering Secure Software and Systems Mitigating Password Database Breaches December 12, 2016 11 / 18

  26. Problem Statement Iteration 2: Migratable Enclaves Problem: Preventing an attacker to move the enclave to her own machine 1 Strackx and Lambrigts. “Idea: State-Continuous Transfer of State in Protected-Module Architectures”. 2015. Engineering Secure Software and Systems Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 11 / 18

  27. Problem Statement A Modified Attestation Scheme General idea : Provide each VM with a cloud provider’s enclave 1 Check during attestation that the password enclave is executing 2 on the same machine as one of those particular enclaves Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 12 / 18

  28. Problem Statement A Modified Attestation Scheme � An attacker should not be able to create a cloud provider’s enclave: keep SK CP securely sealed Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 13 / 18

  29. Performance Evaluation Outline Introduction 1 Problem Statement 2 3 Performance Evaluation Conclusion 4 Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 14 / 18

  30. Performance Evaluation Performance Evaluation Overhead is caused by: HMAC uses 2 SHA3 calls Entering/exiting the enclave is time consuming Without SGX SGX Algorithm SHA3 SHA3-HMAC Time (ms) 0.006788 0.046023 Table: Performance measures of the creation of passwords with and without the use of SGX. Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 15 / 18

  31. Conclusion Outline Introduction 1 Problem Statement 2 3 Performance Evaluation Conclusion 4 Brekalo, Strackx , Piessens (KU Leuven) Mitigating Password Database Breaches December 12, 2016 16 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches Reducing

Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches Reducing

Presenting a live 90-minute webinar with interactive Q&A Mitigating D&O Liability Exposure for Data Privacy and Cybersecurity Breaches Reducing D&O Risk With Internal Controls, Insurance, and Indemnification; Defending Derivative

1.28k views • 79 slides
Project Contract Variations: Mitigating Risks of Cost Overruns, Scope Creep and Breaches in

Project Contract Variations: Mitigating Risks of Cost Overruns, Scope Creep and Breaches in

Presenting a live 90-minute webinar with interactive Q&A Project Contract Variations: Mitigating Risks of Cost Overruns, Scope Creep and Breaches in Delivery Obligations WEDNESDAY, MAY 25, 2016 1pm Eastern | 12pm Central | 11am

370 views • 24 slides
Beyond Credential Stuffing: Password Similarity Models using Neural Networks Bijeeta Pal*, Tal

Beyond Credential Stuffing: Password Similarity Models using Neural Networks Bijeeta Pal*, Tal

Beyond Credential Stuffing: Password Similarity Models using Neural Networks Bijeeta Pal*, Tal Daniel + , Rahul Chatterjee*, and Thomas Ristenpart* *Cornell Tech + Technion 1 Password Breaches Millions of passwords leaked every year First half

369 views • 19 slides
Smarter decisions with no privacy breaches Dan Bogdanov & the Sharemind team dan@cyber.ee

Smarter decisions with no privacy breaches Dan Bogdanov & the Sharemind team dan@cyber.ee

Smarter decisions with no privacy breaches Dan Bogdanov & the Sharemind team dan@cyber.ee http://sharemind.cyber.ee/ Secure computing encrypted database standard When a standard database tools encrypts data, it must be

483 views • 16 slides
SAuth: Protecting User Accounts from Password Database Leaks Georgios Kontaxis , Elias

SAuth: Protecting User Accounts from Password Database Leaks Georgios Kontaxis , Elias

SAuth: Protecting User Accounts from Password Database Leaks Georgios Kontaxis , Elias Athanasopoulos Georgios Portokalidis * , Angelos Keromytis Columbia University * Stevens Institute of Technology Authentication recognizes

441 views • 30 slides
https://xkcd.com/838/ Data Breaches This years study analyzed 524 breaches that occurred

https://xkcd.com/838/ Data Breaches This years study analyzed 524 breaches that occurred

https://xkcd.com/838/ Data Breaches This years study analyzed 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 geographies and 17 industries. The 2020 Cost of a Data Breach

289 views • 17 slides
Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches &

Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches &

Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches & Security Requirements Security Breaches Criminal Conduct -computer viruses (ransomware) -physical theft -server, laptops, flash drives -electronic

668 views • 31 slides
Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR

Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR

Presenting a live 90-minute webinar with interactive Q&A Data Breaches in Healthcare: Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability THURSDAY, MARCH 24, 2016

795 views • 76 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
Health Information Privacy Breaches Privacy Breaches EHIL Webinar November 14, 2011 1 2011

Health Information Privacy Breaches Privacy Breaches EHIL Webinar November 14, 2011 1 2011

2011 11 16 Health Information Privacy Breaches Privacy Breaches EHIL Webinar November 14, 2011 1 2011 11 16 Agenda What is a privacy breach? What is a privacy breach? Breaches we investigate How to prepare

641 views • 14 slides
Core Intel On the bank secret service Krzysztof Adamski # Mariusz Derela Miami 18th May 2017

Core Intel On the bank secret service Krzysztof Adamski # Mariusz Derela Miami 18th May 2017

Core Intel On the bank secret service Krzysztof Adamski # Mariusz Derela Miami 18th May 2017 Are security breaches common? https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/4

1.14k views • 61 slides
Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel Intel had a 99.2 percent market share in server chips (IDC, 2015 Quoted on InfoWorld) We started experimenting with SoCs two

838 views • 47 slides
INFORMATION SECURITY AND PRIVACY ADVISORY BOARD 1 Mega Breaches The Year of the Breach 2011

INFORMATION SECURITY AND PRIVACY ADVISORY BOARD 1 Mega Breaches The Year of the Breach 2011

INFORMATION SECURITY AND PRIVACY ADVISORY BOARD 1 Mega Breaches The Year of the Breach 2011 2012 2013 Breaches 208 156 253 Identities Exposed 232M 93M 552M Breaches >10M 5 1 8 2013 was the Year of the Mega Breach Internet

214 views • 5 slides
Database data security through the lens of cryptographic engineering Eugene Pilyankevich, Chief

Database data security through the lens of cryptographic engineering Eugene Pilyankevich, Chief

Database data security through the lens of cryptographic engineering Eugene Pilyankevich, Chief Technical officer, Cossack Labs Data breaches, annually 1093 783 781 614 447 419 2011 2012 2013 2014 2015 2016 Airplane crashes,

717 views • 58 slides
Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on

Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on

Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on Breaches: What Makes the Difference? Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of

423 views • 21 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University Sweden CryptoParty #9 presentation of 23rd January 2020 What is the problem? How can one solve it? What actually (not) to do? Making it (more)

346 views • 13 slides
Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing

Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing

Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing & Infrastructure - NDSU Systems Administrator - EduTech Dabbler in Enterprise Wireless Member Apache Software Foundation 2 Standard Disclaimer

436 views • 32 slides
Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

S TATISTICAL METRICS FOR INDIVIDUAL PASSWORD STRENGTH Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK April 12, 2012 Joseph Bonneau (University of Cambridge) Individual password strength

361 views • 21 slides
ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com marcin@bis-linux.com Edinburgh - 2013.10.25 1 / 31 About me Marcin Bis Entrepreneur Embedded Linux: system development, kernel

623 views • 31 slides
SQL Used by all major vendors of relational databases SQL has been standardized by ISO and

SQL Used by all major vendors of relational databases SQL has been standardized by ISO and

Structured Query Language Developed by IBM (system R) in the 1970s SQL Used by all major vendors of relational databases SQL has been standardized by ISO and ANSI Lecture 11 SQL has many components Based on slides by R.

218 views • 4 slides

Introduction slide 150 Data Definition slide 152

317 views • 5 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security Database Security Relational Databases constructed from tables of data each column holds a particular type of data each row contains a

935 views • 24 slides

More recommend