UNIVERSITY OF CYPRUS. Authentication. CS682 Advanced Security Topics

Transcription

1 UNIVERSITY OF CYPRUS COMPUTER SCIENCE DEPARTMENT Authentication CS682 Advanced Security Topics GEORGE MOULLOTOS

2 Authentication Roadmap Introduction Problem Main Topics Related Work Cryptographing Hashing Architecture Operation Generation Variations and Extensions Policy Choices Attacks Methods Comparison Synergetic Authentication (SAuth) Architecture Protocol Details Operation Password Reuse Security Evaluation GEORGE MOULLOTOS - AUTHENTICATION 2

3 Introduction Problem Password Theft GEORGE MOULLOTOS - AUTHENTICATION 3

4 Introduction Problem Attack Scenarios Stolen files of password hashes Easily guessable passwords Visible passwords Same password for many systems or services Passwords stolen from users Password change compromised GEORGE MOULLOTOS - AUTHENTICATION 4

5 Introduction Main Topics Synergetic Authentication (SAuth) GEORGE MOULLOTOS - AUTHENTICATION 5

6 Introduction Related Work GEORGE MOULLOTOS - AUTHENTICATION 6

7 Introduction Related Work H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh. Kamouflage: loss-resistant password management. In ESORICS, pages , Kamouflage method of storing N 1 decoy passwords, N 10,000 First appearance of the term Shrisha Rao. Data and system security with failwords. U.S. Patent Application US2006/ A1, U.S. Patent Office, July 20, Patent of systems using Failwords Trick intruder thinking the attempt was successful and track GEORGE MOULLOTOS - AUTHENTICATION 7

8 Introduction Related Work Synergetic Authentication(SAuth) B. Adida. Beamauth: Two-factor web authentication with a bookmark. In Proceedings of the 14th ACM conference on Computer and Communications Security, BeamAuth, second-factor authentication to encounter Phising Uses tokens hidden in user s bookmars F. Benevenuto, T. Rodrigues, M. Cha, and V. Almeida. Characterizing user behavior in online social networks. In Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference, Online Social Networks (OSN) workload analysis Concurrent and constant authentication among and social networks GEORGE MOULLOTOS - AUTHENTICATION 8

9 Introduction Cryptographing Hashing GEORGE MOULLOTOS - AUTHENTICATION 9

10 Introduction Cryptographing Hashing Base case Username & Password Username & H(Password) Password H(Password) GEORGE MOULLOTOS - AUTHENTICATION 10

11 Introduction Cryptographing Hashing Base case examplepassword 8ac b2e0eccdfe0fa24036b6d5 MD5 Hash GEORGE MOULLOTOS - AUTHENTICATION 11

12 Introduction Cryptographing Hashing Salting GEORGE MOULLOTOS - AUTHENTICATION 12

13 Introduction Cryptographing Hashing Salting saltexamplepassword examplepassword b01e9c5c f3ebc861bd MD5 Hash with salt User Specific or System Specific random salt is stored as well GEORGE MOULLOTOS - AUTHENTICATION 13

14 GEORGE MOULLOTOS - AUTHENTICATION 14

15 Architecture GEORGE MOULLOTOS - AUTHENTICATION 15

16 Architecture Main server Honeychecker sweetwords w i, 1 w i, 2 w i, 3 w i, 4... w i, k-2 w i, k-1 w i, k honeywords tough nut? sugarword honeywords H(w i, 1 ) H(w i, 2 ) H(w i, 3 ) H(w i, 4 )... H(w i, k-2 ) H(w i, k-1 ) H(w i, k ) c i, 1 = k-2 GEORGE MOULLOTOS - AUTHENTICATION 16

17 Architecture k sweetwords = potential passwords 1 sugarword = correct password k 1 honeywords = incorrect passwords 1 tough nut = very strong password whose has the adversary is unable to invert Any honeyword or even the sugarword can bee tough nuts GEORGE MOULLOTOS - AUTHENTICATION 17

18 Architecture - Honeychecker Separate hardened computer system Safe channel of communicating with main system Can raise an alarm when irregularity detected Simple database containing key values pairs of u i : c i u i = the i th user c i = a small integer indicating the position of the correct password of the user in the list w Accepts commands of two types: Set(i,j): set c i = j Check(i,j): return result of c i == j GEORGE MOULLOTOS - AUTHENTICATION 18

19 Architecture Simple example System suspends account on five consecutive unsuccessful login attempts Total sweetwords (k) of list w = 20 75% chance of sugarword not appearing in the first 5 elements of any random ordering of list w GEORGE MOULLOTOS - AUTHENTICATION 19

20 Operation GEORGE MOULLOTOS - AUTHENTICATION 20

21 Operation Login Let g be the proffered password If g == sugarword then login is successful Else if g!= honeyword then login is rejected Else if g == honeyword then Set alarm off Let login proceed Let login proceed to a honeypot system Trace the login source Log user s activities Shut down user s account and contact the user Shut down system and request new passwords from all users GEORGE MOULLOTOS - AUTHENTICATION 21

22 Operation Change of password / Register Use procedure Gen(k) to obtain: List w of k sweetwords List h of the hashes Value of c i Notify honeychecker with the value c i Store list h in the main server GEORGE MOULLOTOS - AUTHENTICATION 22

23 Generation GEORGE MOULLOTOS - AUTHENTICATION 23

24 Generation Flatness Adversarial game to define security of the Gen(k) algorithm Gen(k) runs and produces the list w and the c index of the correct password Adversary (algorithm) after retrieving the list w can do the following: Wins the game if guesses the correct password Gets caught if guesses a honeyword Don t play and pass GEORGE MOULLOTOS - AUTHENTICATION 24

25 Generation Flatness Let z be the expected probability of the adversary winning the game z >= 1 / k as adversary can win with a random guess on the k sweetwords ε-flat generation if maximum value of all adversaries winning probability z is ε, for some ε Gen(k) is ε-flat with ε = 1 / k (1 - ε) = 1-1 / k = (k - 1) / k probability of choosing a honeyword and getting caught For k = 20 => 20-1 / 20 = 0.95 => 95% of getting caught GEORGE MOULLOTOS - AUTHENTICATION 25

26 Generation Categories Technique Legacy-UI password changes Modified-UI password changes Chaffing Does not influence user on the procedure of picking a password Modified UI to interact with the user s password choices k - 1 honeywords are similar in style with the sugarword or at least plausible as legitimate passwords so that the adversary has difficulty to distinguish any of them from the others GEORGE MOULLOTOS - AUTHENTICATION 26

27 Generation Chaffing by tweaking tail-tweaking for t = 3 k = 10 p = examplepassword1$ examplepasswort7( examplepasswora2! examplepassworc4_ examplepassworf0# examplepassworl9} examplepassword1$ examplepassworl6@ examplepassworm3) examplepassworq5* examplepassworz8+ GEORGE MOULLOTOS - AUTHENTICATION 27

28 Generation Chaffing-with-a-password-model k = 10 p = examplepassword1$ Password does not influence the generation of honeywords mobopy? venlorhan WORFmgthness pizzhemix01 1erapc hellofrom23 examplepassword1$ sbgo dia GEORGE MOULLOTOS - AUTHENTICATION 28

29 Generation Chaffing-with-a-password-model W15 D1 S1 acknowledgement9& p = examplepassword1$ Password structure influences the generation of honeywords GEORGE MOULLOTOS - AUTHENTICATION 29

30 Generation Chaffing with tough nuts mobopy? venlorhan WORFmgthness? 1erapc hellofrom23 examplepassword? 02123dia Non tough nuts can be produced with any of the previous methods Tough nuts are literally uncracked and adversary does not have complete knowledge of the honeywords GEORGE MOULLOTOS - AUTHENTICATION 30

31 Generation take-a-tail p = examplepassword1$ Append 623 to your password p = examplepassword1$623 Use Chaffing by tweaking to produce the rest of the honeywords GEORGE MOULLOTOS - AUTHENTICATION 31

32 Variations and Extensions GEORGE MOULLOTOS - AUTHENTICATION 32

33 Variations and Extensions Random pick Ask user to provide k passwords or generate by an algorithm Randomly pick one to be the sugarword and inform user High risk of user remembering a honeyword GEORGE MOULLOTOS - AUTHENTICATION 33

34 Variations and Extensions Typo-safety Typos are a common way of actual users to enter a honeyword Gen(k) techniques (chaffing) should prevent honeywords to being easy for the user to enter them by mistake Error detection techniques can be used to detect typos GEORGE MOULLOTOS - AUTHENTICATION 34

35 Variations and Extensions Managing old passwords Paper suggests not to store old passwords in order to keep users safe Store passwords on full user population and may use Bloom Filters GEORGE MOULLOTOS - AUTHENTICATION 35

36 Variations and Extensions Storage optimization Optimize methods to reduce their storage For tail-tweaking Store only the hash of the head not the tail Dynamically compute w with all the possible tails and check for the sugarword s index GEORGE MOULLOTOS - AUTHENTICATION 36

37 Variations and Extensions Hybrid generation methods Combine methods of different honeyword generation strategies Simple hybrid scheme: Use chaffing-with-a-password to generate a seed of sweetwords of length k Apply chaffing-by-tweaking-digits to each seed sweetword of length k = k * k Randomly permute the k length list to obtain final list w GEORGE MOULLOTOS - AUTHENTICATION 37

38 Policy Choices GEORGE MOULLOTOS - AUTHENTICATION 38

39 Policy Choices Password Eligibility Password syntax Minimum or maximum length password Minimum number of digits Minimum number of special characters Dictionary words Password cannot be a word in the dictionary Password re-use Password should be different of any of the last r password of same user Most common passwords restriction Popular passwords restriction GEORGE MOULLOTOS - AUTHENTICATION 39

40 Policy Choices Failover Failover mode in case honeychecker has failed or became unreachable All sweetwords are acceptable passwords Buffering of messages and logging for later processing by the honeychecker GEORGE MOULLOTOS - AUTHENTICATION 40

41 Policy Choices Per-user policies Honeypot accounts Help identify theft of Main Server and list w Distinguish DoS attack Selective alarms Raise alarm if honeyword hits are noticed Different policies based on user s role GEORGE MOULLOTOS - AUTHENTICATION 41

42 Policy Choices Per-sweetword policies Different action on each sweetword attempt like: Allow login Allow for single login Raise silent alarm Flexible policies from the side of the honeychecker GEORGE MOULLOTOS - AUTHENTICATION 42

43 Attacks GEORGE MOULLOTOS - AUTHENTICATION 43

44 Attacks General password guessing Legacy-UI methods cannot do anything about it Modified-UI methods can affect this threat Reduce probability of successful attack by a factor of 1000 GEORGE MOULLOTOS - AUTHENTICATION 44

45 Attacks Targeted password guessing User s personal information can help adversary distinguish the sugarword Deanonymize users based to their real-word identities Use social network graphs or usernames Find demographic or biographic data based on a user s identity Such data can be used to guess answers to personal questions in password recoveries GEORGE MOULLOTOS - AUTHENTICATION 45

46 Attacks Attacking the Honeychecker Can cause failovers as discussed before May try to use Set and Check methods by fooling the Honeychecker GEORGE MOULLOTOS - AUTHENTICATION 46

47 Attacks Likelihood attack Adversaries analyze honeywords Can distinguish honeyword generator s passwords from real user s passwords For example NewtonSaid:F=ma is not a password that a honeyword generate would produce GEORGE MOULLOTOS - AUTHENTICATION 47

48 Attacks Denial-of-service Adversary feasibly submit honeyword instead of the sugarword Trying to simulate DoS attacks to hide their true interests DoS attacks are not so strongly treated as a honeyword attack GEORGE MOULLOTOS - AUTHENTICATION 48

49 Attacks Multiple systems User maintains same password in two distinct systems Intersection Attack Adversary intersects two lists w to find the user s password Sweetword-submission Attack Adversary tries the honeywords from the first list to the second system and vice-versa of the first system are just wrong passwords on the second system GEORGE MOULLOTOS - AUTHENTICATION 49

50 Methods comparison GEORGE MOULLOTOS - AUTHENTICATION 50

51 Synergetic Authentication(SAuth) GEORGE MOULLOTOS - AUTHENTICATION 51

52 Synergetic Authentication(SAuth) Architecture GEORGE MOULLOTOS - AUTHENTICATION 52

53 Synergetic Authentication(SAuth) Architecture Target Service: S Target Service: S Vouching Services: V Vouch and Authenticate Selected Vouching Service: V User maintains account on both the target and the selected vouching service GEORGE MOULLOTOS - AUTHENTICATION 53

54 Synergetic Authentication(SAuth) Architecture User is asked to choose from a list of trusted vouching services The target service synergizes with the selected vouching service with the use of protocol messages Note that the authentication on the two services MUST be done on associated accounts GEORGE MOULLOTOS - AUTHENTICATION 54

55 Synergetic Authentication(SAuth) Protocol Details GEORGE MOULLOTOS - AUTHENTICATION 55

56 Synergetic Authentication(SAuth) Protocol Details Security and Trust SAuth s relies on the trust between the various vouching services If any vouching service fails to meet security expectations then it is discarded Maintaining a group of vouching services makes the SAuth more flexible GEORGE MOULLOTOS - AUTHENTICATION 56

57 Synergetic Authentication(SAuth) Protocol Details Activation In any new setup an association step is required between the target service and the potential vouching services Target service generates an anonymous alias for each user User is expected to provide the alias to the vouching services for the association Match between the services is done by proof of the alias GEORGE MOULLOTOS - AUTHENTICATION 57

58 Synergetic Authentication(SAuth) Protocol Details Authenticity Special measures needed in order to ensure authenticity of messages Each protocol message is required to carry the: Service: identifier of the sender service, could be the actual domain or a URI or an alias of the service Signature: cryptographic signature (RSA-SHA1) computed using the private key Signed fields: list of the names of the parameters decrypted using the public key of the service (X.509 certificate) GEORGE MOULLOTOS - AUTHENTICATION 58

59 Synergetic Authentication(SAuth) Protocol Details Password reset Use of typical method of ing to a trusted address after some security questions SAuth enhances this model by adding a step of verification with the vouching services GEORGE MOULLOTOS - AUTHENTICATION 59

60 Synergetic Authentication(SAuth) Protocol Details Usability Advantage of users maintaining concurrently many tabs open Authentication state is stored in the form of HTTP cookies Auto-completion features and authentication from the cookies SAuth aligned with sign in with Google or sign in with Facebook mechanisms Highly unlikely of a user not holding an account in any vouching services GEORGE MOULLOTOS - AUTHENTICATION 60

61 Synergetic Authentication(SAuth) Protocol Details Availability Target service is fully capable of acting on its own in case of the vouching service s failure Additional actions can be done until the vouching service is available again: Limited functionality service Use of security questions GEORGE MOULLOTOS - AUTHENTICATION 61

62 Synergetic Authentication(SAuth) Protocol Details Password Compromise Alerts SAuth acts as a warning system for when passwords are compromised Adversary must online guess the user s passwords for the vouching service A user repeatedly failing to authenticate is a suspect GEORGE MOULLOTOS - AUTHENTICATION 62

63 Synergetic Authentication(SAuth) Operation GEORGE MOULLOTOS - AUTHENTICATION 63

64 Synergetic Authentication(SAuth) Operation Target Service: Gmail User Agent: Google Chrome Vouching Service: Facebook GEORGE MOULLOTOS - AUTHENTICATION 64

65 Synergetic Authentication(SAuth) Operation Registration messages GEORGE MOULLOTOS - AUTHENTICATION 65

66 Synergetic Authentication(SAuth) Operation Authentication messages GEORGE MOULLOTOS - AUTHENTICATION 66

67 Synergetic Authentication(SAuth) Operation User-agent redirection messages GEORGE MOULLOTOS - AUTHENTICATION 67

68 Synergetic Authentication(SAuth) Password Reuse GEORGE MOULLOTOS - AUTHENTICATION 68

69 Synergetic Authentication(SAuth) Password Reuse - Decoys Password sharing among many services is a quite common case Decoys / is a possible solution as we have seen earlier Two requirements for decoys generation: There should be no single mask describing the set of the decoys Password chosen must be likeable to be produced by humans as well Major Difference from previous paper: ALL decoy passwords are accepted as valid passwords! GEORGE MOULLOTOS - AUTHENTICATION 69

70 Synergetic Authentication(SAuth) Security Evaluation GEORGE MOULLOTOS - AUTHENTICATION 70

71 Synergetic Authentication(SAuth) Security Evaluation Let G B be the probability of an adversary successfully guessing both passwords Let G S be the probability of the adversary guessing just the second assuming knowledge of the first Let D(s) be the distribution of users that share same password on both services Let PS denote a given password space GEORGE MOULLOTOS - AUTHENTICATION 71

72 Synergetic Authentication(SAuth) Security Evaluation Without Decoys Original design fails to improve the security of accounts that reuse their passwords GEORGE MOULLOTOS - AUTHENTICATION 72

73 Synergetic Authentication(SAuth) Security Evaluation With Decoys Decoys significantly improve the security GEORGE MOULLOTOS - AUTHENTICATION 73

74 Security Evaluation Comparison GEORGE MOULLOTOS - AUTHENTICATION 74

75 Security Evaluation Comparison GEORGE MOULLOTOS - AUTHENTICATION 75

76 Questions GEORGE MOULLOTOS - AUTHENTICATION 76