Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Security Analysis of Two Commercial Browser and Cloud Based Password Managers Rui Zhao 1, Chuan Yue 1, Kun Sun 2 University of Colorado Colorado Springs.

Published byJohan Gibbon Modified over 9 years ago

Similar presentations

Presentation on theme: "A Security Analysis of Two Commercial Browser and Cloud Based Password Managers Rui Zhao 1, Chuan Yue 1, Kun Sun 2 University of Colorado Colorado Springs."— Presentation transcript:

1 A Security Analysis of Two Commercial Browser and Cloud Based Password Managers Rui Zhao 1, Chuan Yue 1, Kun Sun 2 University of Colorado Colorado Springs 1 George Mason University 2 2013 ASE/IEEE International Conference on Privacy, Security, Risk and Trust PASSAT’13 Washington D.C. 1

2 Background Different types of password managers: o Browser’s built-in feature o Browser’s extension o Stand-alone program Our focus: Browser-extension based password managers! 2

3 Background LastPass on Firefox & Chrome RoboForm on Firefox & Chrome Storage o LastPass stores both locally and remotely o RoboForm stores on either locally or remotely Online mode Offline mode Browser and Cloud based Password Managers (BCPMs) 3

4 Our Goal Do they well protect users’ passwords? o How do they protect passwords? o Do they have security vulnerabilities? o How severe are those vulnerabilities? 4

5 Threat Model The types of credentials The types of attackers The types of attacks under consideration 5

6 Security Analysis Methodology Win 7 platform Open-source in JavaScript: Eclipse IDE De-obfuscation: JS Beautify Other tools o Debug tools on Firefox and Chrome o Network traffic capture tool: HTTP Analyzer 6

7 Security Analysis Methodology Theoretically estimate the computational effort for performing different attacks o by William Stallings. One microsecond (μs) to perform a basic cryptographic operation One microsecond (μs) to perform a million basic cryptographic operations o DES, AES, SHA-1, SHA-2: a basic cryptographic operation 7

8 LastPass Security Design and Vulnerability Analysis LastPass-Vul-1 : Outsider Attackers’ Local Decryption Attacks ← insecure design of the master password remembering mechanism in LastPass 8

9 LastPass Security Design and Vulnerability Analysis LastPass-Vul-2 : Outsider Attackers’ Brute Force Attacks ← insecure design of the local user authentication mechanism and the insecure application of the PBKDF2 function in LastPass 9

10 LastPass Security Design and Vulnerability Analysis LastPass-Vul-3 : Insider Attackers’ Brute Force Attacks ← insecure association of the master password with authenticators in LastPass 10

11 LastPass Security Design and Vulnerability Analysis The master password brute force attack effort for LastPass-Vul-2 and LastPass-Vul-3 11

12 RoboForm Security Design and Vulnerability Analysis RoboForm-Vul-1: Outsider Attackers’ Local Decoding Attacks ← zero protection to local storage when a master password is not used in RoboForm 12 Website Credentials *.rfpEncoding

13 RoboForm Security Design and Vulnerability Analysis RoboForm-Vul-2: Outsider Attackers’ Brute Force Attacks ← weak protection to local storage when a master password is used in RoboForm 13

14 RoboForm Security Design and Vulnerability Analysis RoboForm-Vul-3: Insider Attackers’ Server-side Request Monitoring Attacks ← zero protection to the data received by the insiders of RoboForm 14

15 RoboForm Security Design and Vulnerability Analysis The master password brute force attack effort 15

16 Likelihood, impact, and overall risk ratings 16 OWASP (Open Web Application Security Project) o Risk rating methodology o Likelihood: how likely this particular vulnerability is to be uncovered and exploited by an attacker. HIGH, MEDIUM, LOW. o Impact: the impact of a successful attack: technical impact, business impact. HIGH, MEDIUM, LOW o Overall Risk Severity: from Likelihood and Impact

17 Suggestions 1. User data should be protected with confidentiality and authenticity mechanisms before being sent to cloud storage servers o RoboForm-Vul-3 2. Outsider attackers’ client-side stealing capability should be seriously considered o LastPass-Vul-1 o RoboForm-Vul-1 17

18 Suggestions 3. A master password mechanism must be provided in a BCPM, and users should be mandated to use a strong master password with the strength assured by a pure client-side proactive password checker o RoboForm-Vul-1 o LastPass-Vul-3 o LastPass-Vul-2 o RoboForm-Vul-2 18

19 Suggestions 4. Large iteration count values should be used in the password based key derivation functions o LastPass-Vul-3 o LastPass-Vul-2 o RoboForm-Vul-2 5. A user’s master password should be used to authenticate a user, but it should not be insecurely associated with any authenticator that will be sent to the cloud storage servers or saved locally to the user’s computer o LastPass-Vul-2 o RoboForm-Vul-2 19

20 Suggestions 6. Data authenticity should be assured and authenticity verification should not weaken confidentiality o RoboForm-Vul-2 20

21 Conclusion Define a threat model for analyzing the security of BCPMs Investigate the design and implementation of two very popular commercial BCPMs: LastPass, RoboForm Identify several vulnerabilities of these two BCPMs that could be exploited by outsider and insider attackers to obtain users’ saved website passwords Detailed figures, risk analysis and suggestions are in “Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers” (invited paper), ASE Science Journal, 1(4): pages 1--15, 2013. 21

22 22

Download ppt "A Security Analysis of Two Commercial Browser and Cloud Based Password Managers Rui Zhao 1, Chuan Yue 1, Kun Sun 2 University of Colorado Colorado Springs."

Similar presentations

Driving Factors Security Risk Mgt Controls Compliance.

Driving Factors Security Risk Mgt Controls Compliance.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Bradley Cowie, Barry Irwin and Richard Barnett Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING.

Bradley Cowie, Barry Irwin and Richard Barnett Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Gefördert durch das Kompetenzzentrenprogramm DI Alfred Wertner 19. September 2014 Ubiquitous Personal Computing © Know-Center 2014 www.know-center.at Security.

Gefördert durch das Kompetenzzentrenprogramm DI Alfred Wertner 19. September 2014 Ubiquitous Personal Computing © Know-Center Security.
All Your Browser-saved Passwords Could Belong to Us - A Security Analysis and a Cloud-based New Design By Rui Zhao, Chuan Yue ACM Conference on Data and.

All Your Browser-saved Passwords Could Belong to Us - A Security Analysis and a Cloud-based New Design By Rui Zhao, Chuan Yue ACM Conference on Data and.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Administrative  Philosophy  Class survey  Grading  Project  Presentation.

Administrative  Philosophy  Class survey  Grading  Project  Presentation.
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18, 2013 1.

Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,

Similar presentations

Ads by Google