270 likes | 445 Views
Securing Passwords Against Dictionary Attacks. Presented By Chad Frommeyer. Introduction. Abstract/Introduction Reverse Turing Test (RTT) User Authentication Protocols Security Analysis Authentication Method Requirements Other Authentication Approaches Conclusion. Abstract/Introduction.
E N D
Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer
Introduction • Abstract/Introduction • Reverse Turing Test (RTT) • User Authentication Protocols • Security Analysis • Authentication Method Requirements • Other Authentication Approaches • Conclusion
Abstract/Introduction • Passwords are the most widely used authentication method • More secure methods are cumbersome to use • User chosen passwords are often weak and easy to guess with a dictionary • User requires the authentication to be easy to use • Goal is to build authentication that is still easy to use but hard for the computer to guess
Abstract/Introduction • Dictionary Attack– Attempting to authenticate by guessing all possible passwords • Offline Attack – attacking passwords when they are in transit • Offline attacks are prevented by securing communications and protecting password files
Abstract/Introduction • For this discussion we assume that communications are properly secured and password files are protected • Online Attack – Attack that requires interacting with the login server
Introduction – Common Countermeasures • Delayed Response – delaying the authentication response • Account Locking – Locking the account with too many negative responses
Introduction – Countermeasure Weaknesses • Global Password Attacks – Simultaneous attempts to multiple accounts • Risks (from account locking) • Denial of Service • Customer Service Costs
Introduction – Pricing via Processing • Add minimal processing time to each request results in a large impact to dictionary attacks but negligible impact to the individual • A drawback to this approach is that it can require a special user client or mobile code • The suggested approach • Add processing without changing the interaction • Make the processing hard for machines to automate
Reverse Turing Test (RTT) • Requirements of RTT • Automated Generation • Easy for Humans • Hard for Machines • Small probability of guessing the answer correctly • RTTs can be solved by either utilizing a human during the attack, or some type of OCR or Audio analysis
Reverse Turing Test (RTT) • Most well known RTT • Distorted text image • Production usage is typically during a registration process • Accessibility Issues • Utilize both Image and Audio based
User Authentication Protocols • Combining an existing system with an RTT • Requires passing and RTT for every authentication attempt • Usability – This is different than most users are accustomed, and would likely cause issues • Scalability -- RTT generation on a large scale is not a proven concept
User Authentication Protocols • Answers to the usability and scalability issues • Require RTT only a fraction of the time • Problem: Attacks would skip the attempts when an RTT was required • Require RTT only after first failure • Problem: When global password attacks are used, this doesn’t help
User Authentication Protocols • Papers Observations • Users typically use a limited number of computers • Requiring RTTs for only a fraction of the time can be helpful for an appropriate implementation • The protocol suggested by this paper assumes the ability to identify client computers. The following implementation uses web browser cookies.
User Authentication Protocols • The usability problems are solved because the RTTs are only required in a very small number of cases • Scalability problems are solved because of this same reason and because the RTTs are generated by a deterministic function based on the username and password and a probability 1/p • All expected RTTs could be cached
Security Analysis • Implementation Requirements • One of the following feedbacks are returned when a username/password pair doesn’t match • The username/password is invalid • Please answer the following RTT • The response must be a deterministic function based on the username/password • Response delays should be the same for a success and failed attempt
Security Analysis • The nature of the response as well as the response time will often key an attacker to more information about the system/passwords being attacked • If the requirements are met, the proposed system will respond with RTTs on correct guesses as well as a subset of incorrect guesses
Security Analysis • Goal: Make the cost of attacking the system more than the benefit of a successful attack • Some systems are so beneficial to attack that attackers will utilize humans to solve the RTTs encountered during an attack • The probability p must be adjusted to raise the cost of the attack
Security Analysis • What if an RTT can be broken? • The assumption should be that they can • In this case the system should dynamically adjust the probabilities • This means that the system must be able to identify a successful attack • When unsuccessful attempts with solved RTTs go up, this is a clear indication of an attack • Alternative RTT solutions should be available
Security Analysis • Cookie Theft • Cookies can be stolen off of one machine, and set on another • Keep a count on the server per cookie of the number of failed attempts • With a high number of failures (say 100) the server will ignore the cookie, and act as if no cookie was sent
Security Analysis • Account Locking Measures • Since we can determine when an attack is happening, we can use account locking measures as long as the number of attempts failed check is higher than typical • The accounts failed threshold should dynamically lower when an attack is happening, at least until a new RTT is implemented
Authentication Method Requirements • Requirement: Availability • Users shouldn’t be expected to have special software Installed • Requirement: Robust and Reliable • Requests should always receive response • Requirement: Friendliness • The interface should be friendly and usable
Authentication Method Requirements • Requirement: Low cost to implement and operate • Take strong consideration to the effect of a successful attack and what impact it has on business and customers • Risk is an important factor in choosing a authentication method
Other Authentication Approaches • Most other and potentially more secure authentication approaches do not satisfy the previous stated requirements • One time passwords (tokens) • Client certificates/keys • Biometrics • Graphical Passwords
Conclusion • With a scalable, low cost and usable solution similar to standard user/password authentication methods, the authors believe that their proposed solution is the answer to secure authentication • Why aren’t solutions that are implemented today using similar ideologies? • Questions?