1 / 25

Securing Passwords Against Dictionary Attacks

Securing Passwords Against Dictionary Attacks. Presented By Chad Frommeyer. Introduction. Abstract/Introduction Reverse Turing Test (RTT) User Authentication Protocols Security Analysis Authentication Method Requirements Other Authentication Approaches Conclusion. Abstract/Introduction.

helmut
Download Presentation

Securing Passwords Against Dictionary Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer

  2. Introduction • Abstract/Introduction • Reverse Turing Test (RTT) • User Authentication Protocols • Security Analysis • Authentication Method Requirements • Other Authentication Approaches • Conclusion

  3. Abstract/Introduction • Passwords are the most widely used authentication method • More secure methods are cumbersome to use • User chosen passwords are often weak and easy to guess with a dictionary • User requires the authentication to be easy to use • Goal is to build authentication that is still easy to use but hard for the computer to guess

  4. Abstract/Introduction • Dictionary Attack– Attempting to authenticate by guessing all possible passwords • Offline Attack – attacking passwords when they are in transit • Offline attacks are prevented by securing communications and protecting password files

  5. Abstract/Introduction • For this discussion we assume that communications are properly secured and password files are protected • Online Attack – Attack that requires interacting with the login server

  6. Introduction – Common Countermeasures • Delayed Response – delaying the authentication response • Account Locking – Locking the account with too many negative responses

  7. Introduction – Countermeasure Weaknesses • Global Password Attacks – Simultaneous attempts to multiple accounts • Risks (from account locking) • Denial of Service • Customer Service Costs

  8. Introduction – Pricing via Processing • Add minimal processing time to each request results in a large impact to dictionary attacks but negligible impact to the individual • A drawback to this approach is that it can require a special user client or mobile code • The suggested approach • Add processing without changing the interaction • Make the processing hard for machines to automate

  9. Reverse Turing Test (RTT) • Requirements of RTT • Automated Generation • Easy for Humans • Hard for Machines • Small probability of guessing the answer correctly • RTTs can be solved by either utilizing a human during the attack, or some type of OCR or Audio analysis

  10. Reverse Turing Test (RTT) • Most well known RTT • Distorted text image • Production usage is typically during a registration process • Accessibility Issues • Utilize both Image and Audio based

  11. User Authentication Protocols • Combining an existing system with an RTT • Requires passing and RTT for every authentication attempt • Usability – This is different than most users are accustomed, and would likely cause issues • Scalability -- RTT generation on a large scale is not a proven concept

  12. User Authentication Protocols • Answers to the usability and scalability issues • Require RTT only a fraction of the time • Problem: Attacks would skip the attempts when an RTT was required • Require RTT only after first failure • Problem: When global password attacks are used, this doesn’t help

  13. User Authentication Protocols • Papers Observations • Users typically use a limited number of computers • Requiring RTTs for only a fraction of the time can be helpful for an appropriate implementation • The protocol suggested by this paper assumes the ability to identify client computers. The following implementation uses web browser cookies.

  14. User Authentication Protocols • The usability problems are solved because the RTTs are only required in a very small number of cases • Scalability problems are solved because of this same reason and because the RTTs are generated by a deterministic function based on the username and password and a probability 1/p • All expected RTTs could be cached

  15. Security Analysis • Implementation Requirements • One of the following feedbacks are returned when a username/password pair doesn’t match • The username/password is invalid • Please answer the following RTT • The response must be a deterministic function based on the username/password • Response delays should be the same for a success and failed attempt

  16. Security Analysis • The nature of the response as well as the response time will often key an attacker to more information about the system/passwords being attacked • If the requirements are met, the proposed system will respond with RTTs on correct guesses as well as a subset of incorrect guesses

  17. Security Analysis • Goal: Make the cost of attacking the system more than the benefit of a successful attack • Some systems are so beneficial to attack that attackers will utilize humans to solve the RTTs encountered during an attack • The probability p must be adjusted to raise the cost of the attack

  18. Security Analysis • What if an RTT can be broken? • The assumption should be that they can • In this case the system should dynamically adjust the probabilities • This means that the system must be able to identify a successful attack • When unsuccessful attempts with solved RTTs go up, this is a clear indication of an attack • Alternative RTT solutions should be available

  19. Security Analysis • Cookie Theft • Cookies can be stolen off of one machine, and set on another • Keep a count on the server per cookie of the number of failed attempts • With a high number of failures (say 100) the server will ignore the cookie, and act as if no cookie was sent

  20. Security Analysis • Account Locking Measures • Since we can determine when an attack is happening, we can use account locking measures as long as the number of attempts failed check is higher than typical • The accounts failed threshold should dynamically lower when an attack is happening, at least until a new RTT is implemented

  21. Authentication Method Requirements • Requirement: Availability • Users shouldn’t be expected to have special software Installed • Requirement: Robust and Reliable • Requests should always receive response • Requirement: Friendliness • The interface should be friendly and usable

  22. Authentication Method Requirements • Requirement: Low cost to implement and operate • Take strong consideration to the effect of a successful attack and what impact it has on business and customers • Risk is an important factor in choosing a authentication method

  23. Other Authentication Approaches • Most other and potentially more secure authentication approaches do not satisfy the previous stated requirements • One time passwords (tokens) • Client certificates/keys • Biometrics • Graphical Passwords

  24. Conclusion • With a scalable, low cost and usable solution similar to standard user/password authentication methods, the authors believe that their proposed solution is the answer to secure authentication • Why aren’t solutions that are implemented today using similar ideologies? • Questions?

More Related