Presentation is loading. Please wait.

Presentation is loading. Please wait.

presenter : Eirini Aikaterini Degleri , 2735

Published byRichard Moody Modified over 9 years ago

Similar presentations

Presentation on theme: "presenter : Eirini Aikaterini Degleri , 2735"— Presentation transcript:

1 presenter : Eirini Aikaterini Degleri , 2735
CS558 Lecture on Passwords I Honeywords: Making Password-Cracking Detectable by Ari Juels , Ronald L. Rivest presenter : Eirini Aikaterini Degleri , 2735

2 Table of contents Introduction Technical Description
Honeyword Generations Policy Choices Attacks Computer Science Department, Passwords

3 Introduction Passwords are a notoriously weak authentication mechanism. Users frequently choose poor passwords. Even hashed passwords are not a safe solution. numerous highprofile thefts of files containing consumers’ passwords; the hashed passwords of Evernote’s 50 million users were exposed as were those of users at Yahoo, LinkedIn, and eHarmony, among others [19]. Computer Science Department, Passwords

4 Ideas Make password hashing more complex and time- consuming.
can help slows down the authentication process for legitimate users, and doesn’t make successful password cracking easier to detect. Set up fake user accounts (“honeypot accounts”) an alarm is raised when an adversary attempts to login. the adversary may be able to distinguish real usernames from fake usernames, and thus avoid detection. Computer Science Department, Passwords

5 Honeywords Proposition
a simple method for improving the security of hashed passwords: the maintenance of additional “honeywords”( false passwords) associated with each user’s account. Search for : Kamouflage system of Bojinov Computer Science Department, Passwords

6 Technical Description
Pi is the password for user ui. System uses a cryptographic hash function H and stores hashes of passwords and maintains a file F listing username / password-hash pairs of the form (ui,H(pi)) for i = 1, 2,…,n. Computer Science Department, Passwords

7 Let’s stage the scenery
File F of usernames and associated hashed passwords Values of the salt or other parameters required to compute the hash function H. Can perform a brute-force search , until he determines the passwords for one or more users. If passwords are the only authentication mechanism in place, the adversary can then log in to the accounts of those users in a reliable and undetected manner. Computer Science Department, Passwords

8 Approach – Setup List Wi Users Wi,1 … Wi,2 User i (ui) Sugarword .. …
For each user ui, a list Wi of distinct words (called “potential passwords” or “sweetwords”) Only one of these sweetwords wi,j is equal to the password pi known to user ui. Let c(i) denote the “correct” index of user ui’s password in the list Wi, so that wi,c(i) = pi. The correct password is also called the “sugarword.” The other (k − 1) words wi,j are called “honeywords”,“chaff”,“decoys”, or just “incorrect passwords.” “Tough nut” is, a very strong password whose hash the adversary is unable to invert. We represent a tough nut by the symbol ‘ ? ’. A honeyword, or the password itself, may be a tough nut. List Wi Wi,1 Wi,2 Sugarword ? Wi,k Users User i (ui) .. Here k is a small integer, such as our recommended value of k = 20. For simplicity we assume that k is a fixed systemwide parameter, although k could be chosen in a per-user manner—for example, ki = 200 for the system administrator(s). Values as low as k = 2 or as large as k = 1000 might be reasonable choices in some circumstances. File F changes … The definition of the file F is changed so that it now contains an extended entry for each user ui, of the form: (ui,Hi) , Where vi,j = H(wi,j). The file F is now larger by a factor of roughly k Computer Science Department, Passwords

9 Honeychecker I An auxiliary secure server , to assist with honeywords
System communicates with the honeychecker when a login attempt is made, or when a user changes her password. In case of an irregularity, honeychecker is capable of raising an alarm. There is likely no place on the computer system where one can safely store additional secret information with which to defeat the adversary. The honeychecker is a separate hardened computer system where such secret information can be stored. The alarm signal may be sent to an administrator or other party different than the computer system itself. Depending on the policy chosen, the honeychecker may or may not reply to the computer system when a login is attempted. When it detects that something is amiss with the login attempt, it could signal to the computer system that login should be denied. Computer Science Department, Passwords

10 Honeychecker II Honeychecker maintains a single database value c(i) for each user ui; It accepts commands of exactly two types: Set: i, j , Sets c(i) to have value j. Check: i, j , Checks that c(i) = j. May return result of check to requesting computer system. the values are small integers in the range 1 to k, for some small integer parameter k (e.g. k = 20). Computer Science Department, Passwords

11 Generation Algorithm Honeyword generation scheme of the form Gen(k; pi), with user input pi. Gen(k, pi) is run, using a user-provided input pi Keyword generator Gen(k) generates a list Wi of length k of sweetwords for user ui an index c(i) of the correct password pi within Wi: some randomly chosen honeywords output by Gen(k; pi) may be “tough nuts”; for those honeywords the adversary only sees the symbol ? and not the underlying (hard) honeyword. Table c is maintained in a secure manner; in the proposal of this paper it is stored on the honeychecker. Salt. Again, we omit discussion of per-system or per-user salts or other parameters that may be included in the hash computation. We do, however, strongly urge the use of per user salts. Computer Science Department, Passwords

12 Approach – Login Password “g”. Is “g” a honeyword ?
setting off an alarm or notifying a system administrator, letting login proceed as usual, letting the login proceed, but on a honeypot system, tracing the source of the login carefully, etc The system login routine needs to determine whether a proffered password g is equal to the user’s password or not. If g is not the user’s password, the login routine needs to determine whether g is a honeyword or not. If the user—or perhaps the adversary—has submitted the correct password for the user, then login proceeds successfully as usual. Computer Science Department, Passwords

13 Approach – Change of password
When user ui changes her password, or sets it up when her account is first initialized, the system needs to: use procedure Gen(k) securely notify the honeychecker of the new value of c(i), update the user’s entry in the file F to (ui,Hi). The honeychecker does not learn the new password or any of the new honeywords. All it learns is the position c(i) of the hash vi,c(i) of user ui’s new password in the user’s list Hi in F. Computer Science Department, Passwords

14 Honeyword Generations
Legacy-UI procedures, the password-change UI is unchanged (chaffing-by-tweaking, chaffing-with-a-password-model) Modified-UI procedures, the password-change UI is modified to allow for better password/honeyword generation (take-a-tail ) chaffing-by-tweaking (which includes chaffing-by-tail-tweaking and chaffing-by-tweaking-digits as special cases) With take-a-tail, the UI change is really very simple: the user’s new password is modified to end with a given, randomly-chosen three-digit value. Otherwise take-a-tail is the same as chaffing-by-tail-tweaking. Computer Science Department, Passwords

15 Legacy-UI password changes
The password-change UI is unchanged. Honeywords may depend upon the password pi. When the case is such : Obviously if there are syntax or other restrictions on what is allowed as a password, then honeywords should also satisfy the same restrictions. We start with a password pi supplied by user ui. The system then generates a set of k−1 honeywords“similar in style” to the password pi, or at least plausible as legitimate passwords, so that an adversary will have difficulty in identifying pi in the list Wi of all sweetwords for user ui. Computer Science Department, Passwords

16 Chaffing-by-tweaking
“Tweak” selected character positions of the password to obtain the honeywords. Let t denote the desired number of positions to tweak. If the user-supplied password is “BG+7y45”, then the list Wi might be (for tail-tweaking with t = 3 and k = 4): BG+7q03, BG+7m55, BG+7y45, BG+7o92 The value of t may vary for some users The honeywords are then obtained by tweaking the characters in the selected t positions: each character in a selected position is replaced by a randomly-chosen character of the same type: digits are replaced by digits, letters by letters, and special characters (anything other than a letter of a digit) by special characters. Other tweaking patterns could also be used, such as choosing the last digit position and the last special-character position. Computer Science Department, Passwords

17 Chaffing-with-a-password-model (I)
Generates honeywords using a probabilistic model of real passwords. Does not need the password in order to generate the honeywords, and it can generate honeywords of widely varying strength. User password is “S’b123”, honeywords can be : kebrton1 0223dia …. o864959 aiwkme523 aj1aob12 9,50PEe]KV.0?RIOtc&L-:IJ"b+Wol<*[!NWT/pb [tough nut] this model might be based on a given list L of thousands or millions of passwords and perhaps some other parameters. Computer Science Department, Passwords

18 Chaffing-with-a-password-model (II)
The password is parsed into a sequence of “tokens,” each representing a distinct syntactic element—a word, number, or set of special characters. Honeywords are then generated by replacing tokens with randomly selected values that match the tokens. password “mice3blind” might be decomposed into the token sequence W4 | D1 | W5 Bojinov et al propose an interesting approach in which honeywords are generated using the same syntax as the password. Computer Science Department, Passwords

19 Chaffing with “tough nuts”
In the presence of “tough nuts,” the adversary cannot fully evaluate the likelihood of being detected during login, even if the adversary has cracked all other sweetwords. To ensure that the adversary cannot tell whether the password itself lies among the set of “tough nuts” Randomize the positions and the number of “tough nuts” added as honeywords. Computer Science Department, Passwords

20 Modified-UI password changes
“Take-a-tail” is identical to the chaffing-by-tail tweaking method, except that the tail of the new password is now randomly chosen by the system, and required in the user-entered new password. The required tail is randomly and freshly generated for each password change session. “Enter a new password:” has changed to something like: “Propose a password:” • • • • • • • Append ‘413’ to make your new password. Enter your new password: • • • • • • • • • • Thus, if the user proposes “RedEye2,” his new password is “RedEye2413.” That is, the password-change UI is changed from: Enter a new password: to something like: Propose a password: • • • • • • • Append ‘413’ to make your new password. Enter your new password: • • • • • • • • • • Thus, if the user proposes “RedEye2,” his new password is “RedEye2413.” Computer Science Department, Passwords

21 Variations and Extensions
Other ways of generating honeywords and some practical deployment considerations Storage optimization, Typo-safety, Managing old passwords, Storage optimization and Hybrid method Computer Science Department, Passwords

22 “Random pick” honeyword generation
A good way of generating a password and honeywords is to first generate the list Wi of k distinct sweetwords in some arbitrary manner (which may involve interaction with the user) and then pick an element of this list uniformly at random to be the new password; the other elements become honeywords. modified-UI procedure that is perfectly flat. Either in or out Computer Science Department, Passwords

23 Typo-safety Authors would also like it to be rare for a legitimate user to set off an alarm by accidentally entering a honeyword. Typos are one possible cause of such accidents, especially for tweaking methods. => Use an error-detection code to detect typos With tail-tweaking, it could thus be helpful if the password tail were quite different from the honeyword tails, so a typing error won’t turn the password into a honeyword. Computer Science Department, Passwords

24 Managing old passwords
If the system keeps around user’s old password, it may be placing his / her account on the system(s) she/he still uses it, at risk. When storing old passwords is required, however, we recommend storing them in a protected module strongly isolated from the basic functionality of the computer system— Computer Science Department, Passwords

25 Storage optimization Some honeyword generation methods, such as tweaking and take-a-tail, can be optimized to reduce their storage to little more than a single password hash. Consider tail tweaking where the tails are t-digit numbers. Suppose that T (pi) is of reasonable size—for example, with t = 2 digit tails we have |T (pi)| = 100. Let k = |T (p)| and let Wi = T (pi) = {wi,1, , wi,k}, sorted into increasing order lexicographically. Computer Science Department, Passwords

26 Hybrid generation method
Here is a simple hybrid scheme: 1. Use chaffing-with-a-password-model on user-supplied password p to generate a set of a (>= 2) seed sweetwords W", one of which is the password. Some seeds may be “tough nuts.” 2. Apply chaffing-by-tweaking-digits to each seed sweetword in W" to generate b (>= 2) tweaks (including the seed sweetword itself). This yields a full set W of k = a × b sweetwords. 3. Randomly permute W. Let c(i) be the index of p such that p = wc(i), as usual suppose we have a = 3, b = 4, and k = 12. The list Wi might look as follows: abacad513 snurfle672 zinja750 abacad941 snurfle806 zinja802 abacad004 snurfle772 zinja116 abacad752 snurfle091 zinja649 Because the hybrid method is legacy-UI, achieves excellent flatness under reasonable assumptions, and provides resistance to DoS attacks, it is paper’s recommended honeyword generation method. Computer Science Department, Passwords

27 Policy Choices Password Eligibility Failover Per user policies
Per sweetword policies Computer Science Department, Passwords

28 Password Eligibility Some words may be ineligible as passwords because they violate one or more policies regarding eligibility, such as: password syntax dictionary words password re-use most common passwords popular passwords Most common passwords: A password may not be chosen if it appears on a list of the 500 most common passwords in widespread use (to prevent online guessing attacks). Popular passwords: A password may not be chosen if m or more other users in a large population of users are currently using this password. Computer Science Department, Passwords

29 Failover The computer system can be designed to have a “failover” mode so that logins can proceed more-or-less as usual even if the honeychecker has failed or become unreachable. In failover mode, honeywords are temporarily promoted to become acceptable passwords; this prevents denial-of-service attacks resulting from attack on the honeychecker or the communications between the system and the honeychecker Computer Science Department, Passwords

30 Per-user policies Use honeypot accounts additionally to honeywords.
Such accounts can help identify theft of F and distinguish over a DoS attack . Which accounts are honeypot accounts would be known only to the honeychecker. Selective alarms It may be helpful raise an alarm if there are honeyword hits against administrator accounts or other particularly sensitive accounts, even at the risk of extra sensitivity to DoS attacks. We can have policies that vary per-user; this is not uncommon already. Policies needn’t (and perhaps shouldn’t) be uniform across a user population. Computer Science Department, Passwords

31 Per-sweetword policies
The “Set: i, j” command to the honeychecker could have an optional third argument a,i,j, which says what action to take if a “Check: i, j” command is later issued. Different actions “Raise silent alarm” , “Allow login”, “Allow for single login only”, etc... k different entries for a given user, with potentially k different policies, one per sweetword. This feature could be used, for example, with the take-a-tail strategy to note which honeywords have small edit distance to the password (e.g., a single transposition or change of character), so that user typos invoke a less severe reaction. This gives added flexibility to the policies enabled by the use of the honeychecker. Computer Science Department, Passwords

32 Attacks Possible attacks against the methods proposed :
General password guessing, Targeted password guessing, Attacking the Honeychecker, Likelihood Attack , Denial-of-service, Multiple systems Computer Science Department, Passwords

33 General password guessing
(-) Legacy-UI methods (+) Methods requiring users to choose uncommon passwords (+) Modified-UI methods ( take-a-tail ) Legacy-UI methods don’t affect how users choose passwords, so they have no beneficial effect against adversaries who try common passwords in an online guessing attack. Computer Science Department, Passwords

34 Targeted password guessing
Personal information about a user could help an adversary distinguish the user’s password from his honeywords. It is often feasible to deanonymize users (-) chaffing-with-a-password-model creates honeywords independently of user’s password, this method of honeyword generation may enable adversaries to target data-mining attacks against users and gain some advantage in distinguishing their passwords from their honeywords. Computer Science Department, Passwords

35 Attacking the Honeychecker
The adversary may decide to attack the honeychecker or its communications with the computer system. authenticate communications to and from the honeychecker By disabling communications between the computer system and the honeychecker, the adversary can cause a failover system either disallows login or takes the risk of temporarily allowing login based on a honeyword and buffering messages for later processing by the honeychecker. The updates (“Set” commands) sent to the honeychecker need to be authenticated, so that the honeychecker doesn’t incorrectly update its database. The requests (“Check” commands) sent to the honeychecker also need to be authenticated, so that the adversary cannot query the honeychecker so as to cause an alarm to be raised. The replies from the honeychecker should be authenticated, so that the computer system doesn’t improperly allow the adversary to login. Computer Science Department, Passwords

36 Likelihood Attack (-) Approach based on generating honeywords using a probabilistic model In this context, a user might be well advised either to choose a very strong password that the adversary will never crack, or choose a password of the sort that the honeyword generator might generate. Computer Science Department, Passwords

37 Denial-of-service Adversary has not compromised the password file F, but nonetheless knows a user’s password can feasibly submit one of the user’s honeywords. Mitigating DoS attacks. to limit the impact of a DoS attacks against chaffing-by-tweaking, one possible approach is to select a relatively small set of honeywords randomly from a larger class of possible sweetwords. We briefly discuss denial-of-service (DoS) attacks—a potential problem for methods such as chaffing-by-tweaking that generate honeywords by predictably modifying user supplied passwords. (In contrast, chaffing-with-a-password model as well as the hybrid scheme offer strong DoS resistance.) Computer Science Department, Passwords

38 Multiple systems Users commonly employ the same password across different systems an adversary might seek an advantage in password those systems. Two such forms of attack an “intersection” attack and a “sweetword-submission” attack. Computer Science Department, Passwords

39 Intersection attack User has the same password but distinct sets of honeywords on systems A and B, adversary that compromises the two password files learns the user’s password from their intersection. If management of multiple systems is of concern, take-a-tail generation approach ensures that a user has different passwords on different systems is achieved without coordination between the systems We would aim instead that an intersection attack against systems using honeywords offer an adversary no advantage in identifying the password on either system. Computer Science Department, Passwords

40 Sweetword submission attack
User has the same password on systems A and B the adversary that compromises the password file on system A can submit the user’s sweetwords as password guesses to system B without special risk of detection to system B, system A’s honeywords will be indistinguishable from any other incorrect passwords. “Take-a-tail” can also provide resistance to sweetword- submission attacks. Computer Science Department, Passwords

41 Related Work Password strength Password strengthening
Password storage and verification Decoys Computer Science Department, Passwords

42 Password strength. The current, state-of-the-art heuristic password cracking algorithm, is based on probabilistic, context-free grammars. Weakness of current password protections even with the use of sound practices, such as salting. Password strengthening. The take-a-tail method may be viewed as a variant on previously proposed password strengthening schemes Computer Science Department, Passwords

43 Password storage and verification
Password storage and verification. There are stronger approaches than honeywords for splitting password-related secrets across servers. Some proposed and commercialized employ distributed cryptography. Require substantial changes to password systems and client-side support as well Decoys. The use of decoy resources to detect security breaches is an age-old practice in the intelligence community. It is a common industry practice today to deploy “honeytokens,” bogus credentials such as credit card numbers, to detect information leakage and degrade the value of stolen credentials. Computer Science Department, Passwords

44 Evaluation of methods Computer Science Department, Passwords

45 Flatness Let z denote the adversary’s expected probability of guessing the sugarword. this probability is taken over the user’s choice of password pi, the generation procedure Gen(k; pi), and any randomization used by the adversary to produce its guess j. z = 1/k, since an adversary can win with probability 1/k merely by guessing j at random. A honeyword generation method is“ϵ-flat” for a parameter ϵ if the maximum value over all adversaries of the adversary’s winning probability z is ϵ. If the generation procedure is as flat as possible we say it is “perfectly flat”. Computer Science Department, Passwords

46 Comparison of methods Honeword Method Flatness DoS Resistance Legacy - UI ? Multiple System protection Tweaking 1/k Weak Yes No Password-model Strong Tough nuts* N/A Take-a-tail Hybrid Multiple-system protection is the property that compromise of the same user’s account in different systems will not immediately reveal pi. Finally, G denotes the probability distribution of honeywords generated by chaffing-with-a-password-model. (Thus U % G means that these honeywords are distributed like user passwords in the view of the adversary.) The * means “tough nuts” are not useful on their own; they are best used together with other methods. The storage costs assume generation of k − 1 honeywords. “Weak” DoS (denial of service) resistance, means that an adversary can with non-negligible probability submit a honeyword given knowledge of the password; “strong” DoS resistance, means that such attack is improbable Computer Science Department, Passwords

47 Conclusion Computer Science Department, Passwords

48 Computer Science Department, Passwords

49 End of Part I Computer Science Department, Passwords

Download ppt "presenter : Eirini Aikaterini Degleri , 2735"

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Operating System Security

Operating System Security
Use of a One-Way Hash without a Salt

Use of a One-Way Hash without a Salt
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Understand Database Security Concepts

Understand Database Security Concepts
Access Control Methodologies

Access Control Methodologies
Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.

Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Similar presentations

Ads by Google