Download presentation
Presentation is loading. Please wait.
1
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti
2
2 Agenda Introduction - why the article was written Introduction - why the article was written Current countermeasures and why they don ’ t suffice. Current countermeasures and why they don ’ t suffice. RTT - reversed turing tests. RTT - reversed turing tests. Na ï ve solution Na ï ve solution The protocol and analysis The protocol and analysis
3
3 Introduction The need for security The need for security The common usage of passwords The common usage of passwords Vulnerabilities of user chosen passwords Vulnerabilities of user chosen passwords What is dictionary attacks What is dictionary attacks
4
4 Security Assumptions Not enabling eavesdropping of ongoing transaction Not enabling eavesdropping of ongoing transaction using encryption of the transaction (ex. SSL) using encryption of the transaction (ex. SSL) Online interaction must take place in order to determine the password authentication Online interaction must take place in order to determine the password authentication
5
5 Current Countermeasures Against Dictionary Attacks Delayed response - Delayed response - Many user systems. Many user systems. Many parallel login attempts. Many parallel login attempts. Account locking Account locking Denial of service attacks. Denial of service attacks. Customer service costs. Customer service costs.
6
6 RTT – Reversed Turing Test TTs and RTTs – are tests created to distinguish man from machine. TTs and RTTs – are tests created to distinguish man from machine. Turing Tests – are easy for machines and almost impossible for people. Turing Tests – are easy for machines and almost impossible for people. example – long number multiplication or division. example – long number multiplication or division. Reversed Turing Tests – are tests that are easy (enough) for people but very hard for current technology computers. Reversed Turing Tests – are tests that are easy (enough) for people but very hard for current technology computers. These tests must have a large answers domain so guessing of the answer has very low probability. These tests must have a large answers domain so guessing of the answer has very low probability.
7
7 There are several kinds of RTTs know today There are several kinds of RTTs know today Most commonly used - distorted character recognition. Most commonly used - distorted character recognition. Distorted pictures recognition. Distorted pictures recognition. For disabled people there are less known tests like hearing a word in a noisy playback. For disabled people there are less known tests like hearing a word in a noisy playback. It is true that if one has enough resources he could pay (for development and/or hardware) to be able to break an RTT. It is true that if one has enough resources he could pay (for development and/or hardware) to be able to break an RTT. We will touch the point of dealing with broken RTT later on. We will touch the point of dealing with broken RTT later on. Various RTTs
8
8 Na ï ve Solutions Password and RTT based solution: Password and RTT based solution: For every login attempt the server will ask the user to pass a RTT For every login attempt the server will ask the user to pass a RTT Corrupts the login experience. Corrupts the login experience. Very demanding to manufacture a RTT per login. Very demanding to manufacture a RTT per login. Only ask for a RTT if the previous login has failed. Only ask for a RTT if the previous login has failed. The attacker will not use this logins (and won ’ t loose much of the attack throughput. The attacker will not use this logins (and won ’ t loose much of the attack throughput.
9
9 Just Before the Protocol The server has to have a way to reliably identify the login computer. The server has to have a way to reliably identify the login computer. For web based programs – cookies For web based programs – cookies Network address/mac address Network address/mac address Client program installed on login computer Client program installed on login computer Our protocol assume the use of cookies. Our protocol assume the use of cookies. Cookie theft is also dealt with Cookie theft is also dealt with
10
10 The Protocol Initialization : Initialization : After a first successful login the server plants a cookie, with the record of the username and the machine ’ s ID After a first successful login the server plants a cookie, with the record of the username and the machine ’ s ID The cookie could be read and changed only by the server – by encrypting the stored data. The cookie could be read and changed only by the server – by encrypting the stored data.
11
11 The Protocol – cont (2) Login procedure: The user enters the username and password The user enters the username and password If a cookie exists its sent and authenticated by the server If a cookie exists its sent and authenticated by the server If the username and password is correct : If the username and password is correct : If the cookie is authentic – access is granted If the cookie is authentic – access is granted If the cookie doesn ’ t exist or not authenticated – RTT is generated. If the cookie doesn ’ t exist or not authenticated – RTT is generated. With the correct RTT answer access is granted. With the correct RTT answer access is granted.
12
12 The Protocol – cont (3) If the password is incorrect : If the password is incorrect : With a probability of “ p ” the user is asked to pass a RTT With a probability of “ p ” the user is asked to pass a RTT after the RTT answer (correct or not) the user is denied of access. after the RTT answer (correct or not) the user is denied of access. With probability of “ 1-p ” the user is denied immediately. With probability of “ 1-p ” the user is denied immediately. Important point : the decision whether to serve the user with a RTT must be a deterministic function of the username and password submitted
13
13 Usability Analysis User experience almost doesn ’ t change. User experience almost doesn ’ t change. User is asked to pass a RTT only when he tries to log on from a new computer or is he entered the wrong password (with prob “ p ” ) User is asked to pass a RTT only when he tries to log on from a new computer or is he entered the wrong password (with prob “ p ” ) Most users use small set of computers to login from. Most users use small set of computers to login from. From experience of yahoo, alta vista and paypal we can learn that users are willing to answer RTTs as long as they don ’ t come frequently.
14
14 Scalability and Operational Analysis How many RTTs the server has to generate? How many RTTs the server has to generate? For logins from new machines (negligible) For logins from new machines (negligible) For a fraction of “ p ” from the failed login attempts. For a fraction of “ p ” from the failed login attempts. this is much better from the na ï ve solution (assuming p << 1) this is much better from the na ï ve solution (assuming p << 1)na ï vena ï ve
15
15 Security Analysis – Single Account Assuming there are “ N ” different passwords in the domain. Assuming there are “ N ” different passwords in the domain. The attacker can identify that the correct password is from a subset of the The attacker can identify that the correct password is from a subset of the size :,with out answering any RTT. To gain more information the attacker must pay with a RTT answer. To gain more information the attacker must pay with a RTT answer.
16
16 Security Analysis – Multiple Accounts Assume that the attacker knows “ L ” user names. Assume that the attacker knows “ L ” user names. Since the different users are IID, the best strategy is to deal with each username independently. Since the different users are IID, the best strategy is to deal with each username independently.
17
17 Playing the Numbers – Brute Force N = 10 6, randomly selected 2 word from a 1000 word dictionary N = 10 6, randomly selected 2 word from a 1000 word dictionary p = 0.1 p = 0.1 Number of different RTTs : 1000 Number of different RTTs : 1000 Brute force (guessing the RTT): Brute force (guessing the RTT):
18
18 Playing the Numbers – Solving RTTs Assume it takes 3 seconds to solve a RTT Assume it takes 3 seconds to solve a RTT Either by a program (god forbid) Either by a program (god forbid) or a low cost worker that solves RTTs or a low cost worker that solves RTTs 150,000 seconds = 5 working days to break into one user. 150,000 seconds = 5 working days to break into one user.
19
19 Broken RTT Identifying broken RTT: Identifying broken RTT: Correct RTT & Failed password Total logins Correct RTT & Failed password Total logins The server must assume that the RTT is broken. The server must assume that the RTT is broken. Countermeasures : Countermeasures : Rising “ p ” (even to more than 1 – attacker needs to provide more than one RTT per login). Rising “ p ” (even to more than 1 – attacker needs to provide more than one RTT per login). Changing RTT – preferably to one from a different domain. Changing RTT – preferably to one from a different domain. Contacting the user by phone or mail to decide on an alternative form of login. Contacting the user by phone or mail to decide on an alternative form of login.
20
20 Cookie Theft The server holds a counter for every cookie it sent out. The server holds a counter for every cookie it sent out. For every failed login attempt (with this cookie) the value of the counter increases by one. For every failed login attempt (with this cookie) the value of the counter increases by one. When the counter reaches a certain number the cookie is forever disabled, and any login attempt with this cookie will be dealt as no cookie at all. When the counter reaches a certain number the cookie is forever disabled, and any login attempt with this cookie will be dealt as no cookie at all. A new cookie will be presented after a correct login. A new cookie will be presented after a correct login.
21
21 Now we can lock accounts Assuming that the best break of an RTT is a guess Assuming that the best break of an RTT is a guess The server can rise the number of unsuccessful attempts that locks an account (lets say 100) The server can rise the number of unsuccessful attempts that locks an account (lets say 100) With out the RRT method an attacker can break into an account with the probability of : M*L/N With out the RRT method an attacker can break into an account with the probability of : M*L/N M = number of accounts, L = number of attempts before lock, N = password domain size M = number of accounts, L = number of attempts before lock, N = password domain size
22
22 Now we can lock accounts (cont ’ ) With an RTT the password domain raises to N*p*S With an RTT the password domain raises to N*p*S p = fraction, S = RTT answers domain p = fraction, S = RTT answers domain When common number for p*S = 100, we have a substantial advantage on previous solutions. When common number for p*S = 100, we have a substantial advantage on previous solutions. Advantage : when RTT is broken the locking mechanism gives the system administrator the time to react to the broken RTT. Advantage : when RTT is broken the locking mechanism gives the system administrator the time to react to the broken RTT. User will accidentally lock his own user by failing 100 attempts of logins … User will accidentally lock his own user by failing 100 attempts of logins …
23
23 Summery Gives good protection against dictionary attacks. Gives good protection against dictionary attacks. RTT can be used on all web based systems (ex. String RTTs). RTT can be used on all web based systems (ex. String RTTs). No additional hardware tokens or software downloads. No additional hardware tokens or software downloads. RTT doesn ’ t appear frequently for the normal user. RTT doesn ’ t appear frequently for the normal user. Easy integration in existing protocols. Easy integration in existing protocols.
24
24 Questions? Thank you Thank you
25
25 Homework firefoxtc (at) gmail.com 1. Why does the protocol demands that the function whether to serve a RTT or not must be deterministic? 2. What method is suggested to improve the login experience from a new machine by smartly choosing the RTT given to the user? 3. What should we demand from the protocol to avoid “ timing attacks ” ?
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.