260 likes | 417 Views
Improving Usability Through Password-Corrective Hashing Andrew Mehler www.cs.sunysb.edu/~mehler Steven Skiena www.cs.sunysb.edu/~skiena Stony Brook University 13 October 2006. =?. Password Authentication. User Entry:. Password Registry. mehler1979. mehler1979. =?. Password Authentication.
E N D
Improving Usability Through Password-Corrective HashingAndrew Mehlerwww.cs.sunysb.edu/~mehlerSteven Skienawww.cs.sunysb.edu/~skienaStony Brook University13 October 2006
=? Password Authentication User Entry: Password Registry mehler1979 mehler1979
=? Password Authentication Users Not Perfect! User Entry Password Registry mehler1997 mehler1979 • Enter wrong password • Can’t remember • Data Entry error (every 30 keystrokes)
Should passwords with entry errors be accepted? • Increase Usability. • Accept ‘close enough’ strings, little loss of security. • User will choose stronger passwords. • User won’t write down password. Idea: We accept Passwords that differ by a single error (substitution or transposition). Transposition: student -> studnet Substitution: student -> studint PROBLEM: How to implement this?
=? Solution 1: Repeated Login For an entered password, simulate login with all possible passwords differing by a single transposition or substitution. aba baa aab abb … User Entry ‘aba’ PROBLEMS Requires n-1 attempts for transpositions Requires n*m attempts for substitutions
=? Solution 2: Check Equivalence For an entered password, compare it to the password on file not just for equality, but if it differs by a transposition/substitution. sub? trans? Password Registry User Entry PROBLEMS • Password Registry not plain text! • Cant do transpositions/substitutions on • encrypted passwords. • Equality is really encrypted equality.
=? Solution 3: Store All Variants For each user, store in the encrypted file, their password, and all acceptable variations. aba `aba` baa aab Password Registry User Entry PROBLEMS • Registry file will be large. • Malicious decryption easier.
=? Our Solution: Corrective Hashing Reduce password space by a correcting hash function. Meh Meh h h Password Registry User Entry Mehler1979 Mehler1997 • Solves problems of previous methods. • Loss of recall and increase of false positives
Want to accept mistakes (recall) • h(flpajack) = h(flapjack) • Don’t accept other strings (false positive rate) • h(pancake) ≠ h(flapjack) • We separately consider correcting single transposition errors and single substitution errors (most common entry error types) Password Corrective Hashing Notation n = password (string) length m = alphabet size
Phonetic Hashing (Soundex, Metaphone, etc.) h(Smith) = S43 = h(Smyth) • SAMBA: repeated login to relax case and character order. • Personal Question Answering. • Semantic Pass-Phrase. Previous Work
Idea: Sort the characters of a password. h(flpajack) = aacfjklp = h(flapjack) • Sorting a string imposes its own order. • All strings differing by a transposition are the same when sorted, so • Recall = 1 • But many False Positives • h(erika) = aeikr = h(keira) • Theorem: No other method will have fewer false positives with perfect recall Correcting Transposition Errors
Assume some method M with recallM = 1 fpM < fpSort Then there are strings S,T such that Sort(S) = Sort(T) M(S) ≠ M(T) Thus there exists a sequence S, s1, s2, … , sj, T With each string differing by a transposition. (example: keira, ekira, eikra, eirka, erika) Since M(S)≠M(T), there is some i such that M(si) ≠ M(si+1) Contradicting M’s perfect recall. Proof
Sorting’s high false positive rate makes it insecure. • Can we get a lower false positive rate with almost as good recall? • We consider 2 methods that partially sort a string. • Sorting Networks • Block Sorting Partial Sorting d a a a b a d b b d c b c c d c d a a d b b c c
Sorting Networks • Correct Transpositions • Impose some order on the string, up to completely sorted • Take output of any stage as an operating point. 6 3 3 1 3 6 2 2 4 2 6 3 2 1 4 3 …. 5 1 4 4 1 5 3 4 3 3 5 5 4 4 4 6
Sorting Network Analysis • 1-stage • All even Transpositions are corrected. Recall is • 2-stage • All even transpositions still corrected. • Some odd transpositions corrected also. • Consider ‘abcd’ and ‘acbd’. • Hashed together if a b,c d
Block Sorting • Partition string into substrings, and sort the substrings. • Will correct all transposition errors except those occurring across substrings. 6 6 2 3 3 3 4 4 4 2 2 6 5 5 1 1 1 3 3 3 4 5 4 4
Block Sorting Analysis • Does not correct transpositions across block boundaries. • Recall = (n-k)/(n-1) • False positive if each block is hashed together under complete sorting fp = 2k-1∏(fpsort(ni)+tpsort(ni)) + ∑fpsort(ni)mn-ni
Correcting Transposition Results Conclusion: Block Sorting can be used to match passwords, except on small alphabets.
Hi/Low Weakening: Partition alphabet into two sets. • Ex: Low = [0-4] High = [5-9] • 1979 -> LHHH • Recall = (k(k-1) + (m-k)(m-k-1)) / m(m-1) • Weak Set • A subset of the alphabet is the weak set. • All members of the weak set get hashed • to the same symbol. • Ex: Weak-Set = {a,e,i,o,u} • Lawrence -> L.wr.nc. • Recall = k(k-1) / m(m-1) Correcting Substitution Errors
Weak Set Results Conclusion: Too insecure for usability gains.
Crack Lists Previous analysis assumed uniform distribution of passwords. Users tend to use dictionary words. One common way of breaking into systems is by using a ‘crack’ list of common words and names that might appear in a password. How much smaller of a crack list would be needed if corrective hashing was used? erika keira last salt h = sorting aeikr alst
Crack Lists < 13% reduction of crack list for complete sorting. < 1% reduction of crack list for 50% recall.
Conclusions • Usability increased with small security trade-off for correcting transposition errors • Substitution errors harder to correct • Crack list computational cost not significantly decreased • Open Problems • Better hash functions? • Correcting insert/deletion errors? • Empirical usability experiments?