Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

Introduction (outline)
Abstract/Introduction
Reverse Turing Test (RTT)
User Authentication Protocols
Security Analysis
Authentication Method Requirements
Other Authentication Approaches
Conclusion

Abstract/Introduction
Passwords are the most widely used authentication method
More secure methods are cumbersome to use
User-chosen passwords are often weak and easy to guess with a dictionary
Users require authentication to be easy to use
Goal: build authentication that is still easy for people to use but hard for a computer to guess

Abstract/Introduction
Dictionary attack: attempting to authenticate by trying every password in a dictionary of likely candidates
Offline attack: attacking passwords the attacker has captured, in transit or from the password file, without interacting with the login server
  –Offline attacks are prevented by securing communications and protecting password files

Abstract/Introduction
For this discussion we assume that communications are properly secured and password files are protected
Online attack: an attack that requires interacting with the login server

Introduction – Common Countermeasures
Delayed response: delaying the authentication response after a failed attempt
Account locking: locking the account after too many failed attempts

Introduction – Countermeasure Weaknesses
Global password attacks: simultaneous attempts against many accounts, so that no single account reaches its per-account delay or lock threshold
Risks (from account locking)
  –Denial of service
  –Customer service costs

Introduction – Pricing via Processing
Adding a minimal processing cost to each request has a large impact on dictionary attacks but a negligible impact on the individual user
A drawback of this approach is that it can require a special user client or mobile code
The suggested approach
  –Add processing without changing the interaction
  –Make the processing hard for machines to automate

Reverse Turing Test (RTT)
Requirements of an RTT
  –Automated generation
  –Easy for humans
  –Hard for machines
  –Small probability of guessing the answer correctly
RTTs can be solved either by employing a human during the attack or by some type of OCR or audio analysis

Reverse Turing Test (RTT)
Most well-known RTT
  –Distorted text image
  –Production usage is typically during a registration process
Accessibility issues
  –Offer both image-based and audio-based RTTs

User Authentication Protocols
Combining an existing system with an RTT
  –Requires passing an RTT for every authentication attempt
  –Usability: this differs from what most users are accustomed to and would likely cause issues
  –Scalability: RTT generation on a large scale is not a proven concept

User Authentication Protocols
Answers to the usability and scalability issues
  –Require an RTT only a fraction of the time
    Problem: an attacker would simply skip the attempts for which an RTT was required
  –Require an RTT only after the first failure
    Problem: when global password attacks are used, this doesn't help

User Authentication Protocols
Paper's observations
  –Users typically use a limited number of computers
  –Requiring RTTs only a fraction of the time can be helpful in an appropriate implementation
The protocol suggested by the paper assumes the ability to identify client computers; the following implementation uses web browser cookies

User Authentication Protocols
The usability problems are solved because RTTs are required in only a very small number of cases
Scalability problems are solved for the same reason, and because the RTTs are generated by a deterministic function of the username and password with probability 1/p
  –All expected RTTs could be cached

Security Analysis
Implementation requirements
  –One of the following responses is returned when a username/password pair doesn't match:
    "The username/password is invalid"
    "Please answer the following RTT"
  –The response must be a deterministic function of the username/password pair
  –Response delays should be the same for successful and failed attempts

Security Analysis
The nature of the response, as well as the response time, will often give an attacker more information about the system or the passwords being attacked
If the requirements are met, the proposed system will respond with RTTs on correct guesses as well as on a subset of incorrect guesses

Security Analysis
Goal: make the cost of attacking the system greater than the benefit of a successful attack
  –Some systems are so valuable to attack that attackers will use humans to solve the RTTs encountered during an attack
  –The probability p must be adjusted to raise the cost of the attack

Security Analysis
What if an RTT can be broken? The assumption should be that it can
In this case the system should dynamically adjust the probabilities
This means the system must be able to identify a successful attack
  –When unsuccessful attempts with solved RTTs go up, this is a clear indication of an attack
Alternative RTT solutions should be available

Security Analysis
Cookie theft
  –Cookies can be stolen from one machine and set on another
  –Keep a count on the server, per cookie, of the number of failed attempts
  –After a high number of failures (say 100) the server ignores the cookie and acts as if no cookie was sent
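The login decision described in the User Authentication Protocols and Security Analysis slides, together with the per-cookie failure counter from the Cookie Theft slide, as an added Python example; this is not the paper's or the presenter's code. It assumes a keyed HMAC over (username, password) as the deterministic "ask an RTT or not" function, a hypothetical rtt_probability of 0.05 standing in for the slide's 1/p, a constructed user table, and a caller that answers the RTT out of band and reports the result back.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class CookieRecord:
    """Server-side state for one issued cookie (assumed layout, not the paper's)."""
    username: str
    failures: int = 0


class LoginServer:
    """Login server following the slides' protocol: a machine the user has logged in
    from before holds a cookie and is not asked an RTT; from any other machine a
    correct password always gets an RTT and a wrong password gets one only for a
    deterministic subset of guesses."""

    COOKIE_FAILURE_LIMIT = 100  # from the slide: ignore a cookie after this many failures

    def __init__(self, users, rtt_probability=0.05):
        # users: {username: password}, constructed sample data hashed with a per-user salt
        self.users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self.users[name] = (salt, self._hash(pw, salt))
        self.rtt_probability = rtt_probability  # hypothetical value for the slide's 1/p
        self.key = secrets.token_bytes(32)      # server secret keying the RTT decision
        self.cookies = {}                       # cookie value -> CookieRecord

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def password_ok(self, username, password):
        if username not in self.users:
            return False  # same path as a wrong password: do not reveal unknown users
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def rtt_required(self, username, password):
        """Deterministic function of (username, password): repeating the same guess
        always gives the same answer, so retrying a pair teaches the attacker nothing.
        Because the output depends only on the pair, the RTTs it selects can be cached."""
        msg = username.encode() + b"\x00" + password.encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") / 2**64 < self.rtt_probability

    def login(self, username, password, cookie=None, rtt_answer_ok=None):
        """Returns (outcome, cookie). Outcome is 'grant', 'rtt' (answer an RTT, then
        call again with rtt_answer_ok) or 'invalid'. Both failure paths return the
        same shape so the response itself does not distinguish them; the caller is
        responsible for taking the same time on every path, as the slides require."""
        ok = self.password_ok(username, password)
        record = self.cookies.get(cookie)
        trusted = (record is not None and record.username == username
                   and record.failures < self.COOKIE_FAILURE_LIMIT)
        if ok and trusted:
            return "grant", cookie
        # No usable cookie: correct passwords always get an RTT, wrong ones only sometimes.
        if ok or self.rtt_required(username, password):
            if rtt_answer_ok is None:
                return "rtt", cookie
            if rtt_answer_ok and ok:
                new_cookie = secrets.token_urlsafe(32)
                self.cookies[new_cookie] = CookieRecord(username)
                return "grant", new_cookie
        if record is not None:
            record.failures += 1  # a stolen cookie wears out after COOKIE_FAILURE_LIMIT misses
        return "invalid", cookie


if __name__ == "__main__":
    server = LoginServer({"alice": "correct horse battery"})
    print(server.login("alice", "correct horse battery"))          # ('rtt', None)
    outcome, cookie = server.login("alice", "correct horse battery", rtt_answer_ok=True)
    print(outcome, server.login("alice", "correct horse battery", cookie=cookie)[0])
    print(server.login("alice", "wrong guess", cookie=cookie, rtt_answer_ok=True)[0])
```

A legitimate user sees one RTT on the first login from a new machine and none afterwards, because the cookie marks that machine. A guessing campaign sees an RTT on every correct guess and on roughly rtt_probability of the wrong ones, and cannot tell which is which from the response; with a stolen cookie it gets the same treatment once the cookie's failure count passes the limit.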

Security Analysis
Account locking measures
  –Since we can determine when an attack is happening, we can use account locking as long as the failed-attempt threshold is set higher than typical
  –The account failure threshold should be lowered dynamically while an attack is happening, at least until a new RTT is implemented
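The attack indicator from the "What if an RTT can be broken?" slide and the dynamic policy from the Account Locking slide, as an added Python example run over a constructed login log; this is not the paper's or the presenter's code. The log record layout, the baseline of one solved-RTT-but-wrong-password event per minute, the detection factor of 5, and the policy values (RTT probability 0.05 normally and 0.5 under attack, lock threshold 100 normally and 10 under attack) are all assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One login attempt as the server would log it (constructed record layout)."""
    minute: int          # arrival time, minutes since the log started
    username: str
    password_ok: bool
    rtt_shown: bool
    rtt_solved: bool


def solved_rtt_failures_per_minute(attempts):
    """Count, per minute, attempts that solved an RTT but still had a wrong password.
    Legitimate users produce a few of these (typos); a sharp rise means someone is
    solving RTTs while guessing, i.e. the RTT is broken or humans are answering it."""
    counts = Counter()
    for a in attempts:
        if a.rtt_shown and a.rtt_solved and not a.password_ok:
            counts[a.minute] += 1
    return counts


def attack_minutes(attempts, baseline_per_minute, factor=5):
    """Minutes in which solved-RTT failures exceed `factor` times the normal rate."""
    per_minute = solved_rtt_failures_per_minute(attempts)
    return sorted(m for m, n in per_minute.items() if n > factor * baseline_per_minute)


def policy(under_attack, normal=(0.05, 100), attack=(0.5, 10)):
    """(rtt_probability, per-account failure threshold) in force: while an attack is
    detected more wrong guesses get RTTs and accounts lock sooner (hypothetical values)."""
    p, lock = attack if under_attack else normal
    return {"rtt_probability": p, "lock_threshold": lock}


def accounts_to_lock(attempts, lock_threshold):
    """Usernames whose failed attempts reach the current lock threshold."""
    failures = Counter(a.username for a in attempts if not a.password_ok)
    return {u for u, n in failures.items() if n >= lock_threshold}


def build_sample_log():
    """Constructed log: five quiet minutes, then a burst in minute 5 in which a guessing
    campaign solves RTTs against 30 different accounts and makes ten guesses at 'alice'."""
    log = []
    for minute in range(5):  # one typo with a solved RTT per minute: the normal rate
        log.append(Attempt(minute, f"user{minute}", False, True, True))
        log.append(Attempt(minute, f"user{minute}", True, True, True))
    for i in range(30):
        log.append(Attempt(5, f"victim{i}", False, True, True))
    for _ in range(10):
        log.append(Attempt(5, "alice", False, True, True))
    return log


def analyse(attempts, baseline_per_minute=1):
    """Detect attack minutes, pick the policy accordingly and list accounts to lock."""
    minutes = attack_minutes(attempts, baseline_per_minute)
    current = policy(under_attack=bool(minutes))
    return {"attack_minutes": minutes, "policy": current,
            "locked": accounts_to_lock(attempts, current["lock_threshold"])}


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

With the normal threshold of 100 nothing in the sample log locks, which is the point of setting it higher than typical: the global campaign spreads its guesses thinly. Once minute 5 trips the solved-RTT indicator, the lowered threshold catches the concentrated guesses at one account while the thirty single guesses still lock nobody, so the denial-of-service risk of locking stays confined to the attack window.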

Authentication Method Requirements
Requirement: availability
  –Users shouldn't be expected to have special software installed
Requirement: robust and reliable
  –Requests should always receive a response
Requirement: friendliness
  –The interface should be friendly and usable

Authentication Method Requirements
Requirement: low cost to implement and operate
Give strong consideration to the effect of a successful attack and its impact on the business and its customers
Risk is an important factor in choosing an authentication method

Other Authentication Approaches
Most other, potentially more secure, authentication approaches do not satisfy the previously stated requirements
  –One-time passwords (tokens)
  –Client certificates/keys
  –Biometrics
  –Graphical passwords

Conclusion
With a scalable, low-cost and usable solution similar to standard username/password authentication, the authors believe their proposed solution is the answer to secure authentication
Why aren't the solutions implemented today using similar ideas?
Questions?