GOTCHA Password Hackers! Jeremiah Blocki Manuel Blum Anupam Datta AISec2013 Presented by Arunesh Sinha.

Slides:



Advertisements
Similar presentations
Securing Passwords against Dictionary Attacks
Advertisements

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Naturally Rehearsing Passwords Jeremiah Blocki ASIACRYPT 2013 Manuel Blum Anupam Datta.
Regret Minimizing Audits: A Learning-theoretic Basis for Privacy Protection Jeremiah Blocki, Nicolas Christin, Anupam Datta, Arunesh Sinha Carnegie Mellon.
Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015.
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart A Computer Program that can generate and grade test that: Most Humans.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Authentication attacks, causes and solutions Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems.
Naturally Rehearsing Passwords Jeremiah Blocki NSF TRUST October 2013 Manuel Blum Anupam Datta.
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
CAPTCHA Presented By Sayani Chandra (Roll )
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Intro To Encryption Exercise Problem What may be the problem with a central KDC?
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
1 Pertemuan 04 Pengamanan Akses Sistem Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Human Computation CSC4170 Web Intelligence and Social Computing Tutorial 7 Tutor: Tom Chao Zhou
Human Computable Passwords
Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.
Authentication System
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Authentication Deniable Authentication Protection Against Dictionary Attacks Isidora Petreska Dimitar Gosevski and.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis.
Matthias Neubauer CAPTCHA What humans can do, But computers can not.
CAPTCHA 1 Are you Human? (Sorry, I had to ask). CAPTCHA 2 Agenda What is CAPTCHA? Types of CAPTCHA Where to use CAPTCHAs? Guidelines when making a CAPTCHA.
intelligence study and design of intelligent agentsis the intelligence of machines and the branch of computer science that aims to create it. AI textbooks.
CIS 450 – Network Security Chapter 8 – Password Security.
Exploration Seminar 3 Human Computation Roy McElmurry.
Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Multifactor Identification for Internet Banking Citizens State Bank Monticello, Iowa
REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot.
Denial-of-Service, Address Ownership,and,Early Authentication in IPv6 World (An Approach) Aditya Vutukuri From article by Pekka Nikander Ericsson Research.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
G53SEC 1 Authentication and Identification Who? What? Where?
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.
Stein-65 Slide 1 PW security measures PWE3 – 65 th IETF 10 November 2005 Yaakov (J) Stein.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
 Password Fallback Authentication › Resource resorted to when users forget their passwords  Existing Tools › CAPTCHA › Pre-defined questions › User-defined.
Audit Games Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, Arunesh Sinha 1 Carnegie Mellon University.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor, Anupam Datta Presented by Lihua Ren.
Internet safety. Dangers of a poor password How people guess your password Your partner, child, or pet's name, possibly followed by a 0 or 1 The last.
Peter Matthews, Cliff C. Zou University of Central Florida AsiaCCS 2010.
Human-Computable Passwords Jeremiah Blocki Manuel Blum Anupam Datta Santosh Vempala.
Separating man from machine since 2000….. ?. Agenda  Definition  History  Need  Types  Constructing CAPTCHAs  Breaking CAPTCHAs  Applications 
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Usability of CAPTCHAs Or usability issues in CAPTCHA design Authors: Jeff Yan and Ahmad Salah El Ahmad Presented By: Kim Giglia CSC /19/2008.
CAPTCHA Presented by: Md.R ahim 08B21A Agenda Definition Background Motivation Applications Types of CAPTCHAs Breaking CAPTCHAs Proposed Approach.
SANDEEP MEHTA (ECE, IV Year). CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart Invented at CMU by Luis von Ahn, Manuel.
Towards Human Computable Passwords
Designing Proofs of Human Work for Cryptocurrency and Beyond
3.6 Fundamentals of cyber security
Usable and Secure Human Authentication
Human Computable Passwords
Joël Alwen (IST Austria/Wickr Inc.)
Authentication by Passwords
Human-Computable Passwords
On the Depth-Robustness and Cumulative Pebbling Cost of Argon2i
Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta
Firewalls and Security
REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot.
Solve the equation: 6 x - 2 = 7 x + 7 Select the correct answer.
Presentation transcript:

GOTCHA Password Hackers! Jeremiah Blocki Manuel Blum Anupam Datta AISec2013 Presented by Arunesh Sinha

Questions Jeremiah Blocki was not able to make it because BLS International did not return his passport. Arunesh Sinha agreed to present in his place. Please address any questions to

GOTCHAs in the Blogosphere Answer: No! GOTCHAs address a fundamentally different problem than CAPTCHAs.

Outline Offline Dictionary Attacks Goal: Require Human Interaction GOTCHAs User Study Challenge

Offline Dictionary Attack 5 Username jblocki + jblocki, SHA1( d978034a3f6)=85e23cfe 0021f584e3db87aa72630a9a2345c062 Hash 85e23cfe0021 f584e3db87aa 72630a9a234 5c062 Salt 89d978034a3f6

A Common Problem Password breaches at major companies have affected millions of users.

Better Hash Functions Source: Percival, C. Stronger Key Derivation via Sequential Memory-Hard Functions.

Costly Hash Functions Tradeoff

Outline Offline Dictionary Attacks Goal: Require Human Interaction – Failed Approach: CAPTCHAs – Human Only Solvable Puzzles (HOSPs) [CHS 2006] – Limitations GOTCHAs User Study Challenge

Basic Idea: Require Human Interaction 11 + Goal:

Basic Idea: Require Human Interaction 12 + Goal:

A Failed Attempt CAPTCHA jblocki, Answer: KWTER KWTER Username jblocki SHA1(123456KWTER89d978034a3f6)=1f88e cdcb0c25e8ae1ed1c9ce6f2e2e6dcfb0e21 Hash 1f88ecdcb0c2 5e8ae1ed1c9 ce6f2e2e6dcf b0e21 Salt 89d978034a3f6

A Failed Attempt CAPTCHA Username jblocki SHA1(passwordGWNAB89d978034a3f6)=4e108b3 c12b4a1c6b bb9a63e40b8d7a1d Hash 1f88ecdcb0c2 5e8ae1ed1c9 ce6f2e2e6dcf b0e21 Salt 89d978034a3f6 password Answer: GWNAB

Human Only Solvable Puzzles [CHS 2006] Mitigating dictionary attacks on password-protected local storageMitigating dictionary attacks on password-protected local storage jblocki, KWTER Username jblocki SHA1(123456KWTER89d978034a3f6)=1f88e cdcb0c25e8ae1ed1c9ce6f2e2e6dcfb0e21 Hash 1f88ecdcb0c2 5e8ae1ed1c9 ce6f2e2e6dcf b0e21 Salt 89d978034a3f6 …

Limited Protection … Username jblocki Hash 1f88ecdcb0c2 5e8ae1ed1c9 ce6f2e2e6dcf b0e21 Salt 89d978034a3f6 password GWNAB SHA1(passwordGWNAB89d a3f6)=4e108b3c12b4a1c6b bb9a63e40b8d7a1d GWNAB [CHS 2006] Mitigating dictionary attacks on password-protected local storageMitigating dictionary attacks on password-protected local storage Open Question: Can we build a puzzle system that doesn’t have this limitation?

Outline Offline Dictionary Attacks Goal: Require Human Interaction GOTCHAs – Example Construction – GOTCHAs vs HOSPs – Security User Study Challenge

Inkblots Easy to generate on computer Human Imagination – Evil Clown?

GOTCHA: Account Creation jblocki, evil clown, …,steroid cow Username jblocki SHA1( d978034a3f6)= 0340eebc16d09e5a747a9ac879019af61e Hash 0340eebc16d 09e5a747a9a c879019af61e Salt 89d a3f6 Inkblots … … Labels Steroid cow … Evil clown

GOTCHA: Authentication jblocki, Inkblots … … Steroid cow, …, Evil clown evil clown, …,steroid cow Username jblocki SHA1( d978034a3f6)= 0340eebc16d09e5a747a9ac879019af61e Hash 0340eebc16d 09e5a747a9a c879019af61e Salt 89d a3f6 Labels Steroid cow … Evil clown

GOTCHA: Authentication jblocki, Inkblots … Steroid cow, …, Evil clown Steroid cow, …,evil clown Username jblocki SHA1( d978034a3f6)= babb03d14600ef101b4a46f86b0c4ae3f25aa1a 7 Hash 0340eebc16d 09e5a747a9a c879019af61e Salt 89d a3f6 Labels Steroid cow … Evil clown …

GOTCHAs vs HOSPs Human Involved in Generation of Puzzle – HOSP puzzles are generated without human interaction Puzzle need not be meaningful to user if he enters the wrong password – HOSP puzzles must always be human-solvable

Security: Real vs Fake Puzzles Real Puzzles Fake Puzzles Inkblots Labels Inkblots Labels Inkblots (permuted order) Inkblots

Security: Real vs Fake Solutions Real Solution Fake Solution Inkblots Labels Inkblots (permuted order) Solution Inkblots Labels Inkblots (permuted order) Fake Solution Distribution R

Definition

Offline Attacks are Expensive! Cost of Human Labor Cost of Computation

What Does GOTCHA stand for? Generating panOptic Turing Tests to Tell Computers and Humans Appart

Outline Offline Dictionary Attacks Goal: Require Human Interaction GOTCHAs User Study – Protocol – Results – Discussion Challenge

Study Protocol Participants recruited on Amazon Mechanical Turk Labeling Phase – Participants asked to label 10 Inkblot images – Paid $1 Matching Phase – Participants asked to match their labels after 10 days. – Paid $1 (even if answers were wrong)

Labeling Phase 10 Inkblots Compensation: $1 Seventy Participants

Matching Phase 10 Days Later Compensation: $1 (even for wrong answers) 58 Participants

Results 69% of users matched at least half of their images correctly

Discussion Personal Experience vs. Study – Incentives – Better Instructions? Time Barrier Improved Constructions – Better Inkblots – Reject Confusing Inkblots – Multiple GOTCHAs?

Outline Offline Dictionary Attacks Human Only Solvable Puzzles GOTCHAs User Study Challenge

GOTCHA Challenge Source:

GOTCHA Challenge Source:

GOTCHA Challenge PasswordWinnerInstitutionDate Solved Example123456Harry Q. Bovik Carnegie Mellon University 7/17/2013 Challenge 1?N/A Challenge 2?N/A Challenge 3?N/A Challenge 4?N/A Challenge 5?N/A Source:

Thanks for Listening! Please direct questions to Jeremiah Blocki

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.