Attack Modeling for Information Security and Survivability


Securing Passwords Against Dictionary Attacks
Presented By Chad Frommeyer
Introduction
• Abstract/Introduction
• Reverse Turing Test (RTT)
• User Authentication Protocols
• Security Analysis
• Authentication Method Requirements
• Other Authentication Approaches
• Conclusion
Abstract/Introduction
• Passwords are the most widely used authentication method
• More secure methods are cumbersome to use
• User-chosen passwords are often weak and easy to guess with a dictionary
• Users require authentication to be easy to use
• Goal: build authentication that is still easy to use but hard for a machine to attack by guessing
Abstract/Introduction
• Dictionary Attack – attempting to authenticate by trying every password in a list of likely candidates (a dictionary)
• Offline Attack – guessing against a captured password file or eavesdropped login traffic, with no further interaction with the server
– Offline attacks are prevented by securing communications and protecting password files
Abstract/Introduction
• For this discussion we assume that communications are properly secured and password files are protected
• Online Attack – an attack that requires interacting with the login server for every guess
Introduction – Common Countermeasures
• Delayed Response – delaying the authentication response so that every guess costs the attacker time
• Account Locking – locking the account after too many failed attempts
Introduction – Countermeasure Weaknesses
• Global Password Attacks – trying a few common passwords against many accounts simultaneously, so no single account reaches the lockout threshold and per-attempt delays are paid in parallel
• Risks (from account locking)
– Denial of Service – an attacker can deliberately lock out legitimate users
– Customer Service Costs – locked-out users call support
Introduction – Pricing via Processing
• Adding a small amount of processing to each request has a large impact on a dictionary attack (millions of guesses) but a negligible impact on an individual user
• A drawback of this approach is that it can require a special user client or mobile code to perform the processing
• The suggested approach
– Add processing without changing the user's interaction
– Make the processing hard for machines to automate
Reverse Turing Test (RTT)
• Requirements of an RTT
– Automated generation
– Easy for humans to solve
– Hard for machines to solve
– Small probability of guessing the answer correctly
• RTTs can still be solved by either employing a human during the attack or by some type of OCR or audio analysis
Reverse Turing Test (RTT)
• Most well-known RTT
– Distorted text image (the CAPTCHA)
– Production usage is typically during a registration process
• Accessibility issues
– Utilize both image- and audio-based RTTs
User Authentication Protocols
• Combining an existing password system with an RTT
– Requires passing an RTT for every authentication attempt
– Usability – this is different from what most users are accustomed to and would likely cause issues
– Scalability – RTT generation on a large scale is not a proven concept
User Authentication Protocols
• Answers to the usability and scalability issues
– Require an RTT only a fraction of the time
• Problem: if the decision is random, an attacker simply abandons the attempts on which an RTT was required and retries the same guess later
– Require an RTT only after the first failure
• Problem: this doesn't help against global password attacks, where each account sees only one or two attempts
User Authentication Protocols
• Paper's observations
– Users typically log in from a limited number of computers
– Requiring RTTs only a fraction of the time can be helpful in an appropriate implementation
• The protocol suggested by the paper assumes the ability to identify client computers. The following implementation uses web browser cookies.
User Authentication Protocols
• The usability problems are solved because RTTs are only required in a very small number of cases (a login from a computer the user has not used before)
• The scalability problems are solved for the same reason, and because whether an RTT is required is a deterministic function of the username and password, chosen so that a fraction p of wrong guesses is challenged
– All expected RTTs could therefore be generated in advance and cached
Security Analysis
• Implementation requirements
– One of the following responses is returned when a username/password pair doesn't match
• The username/password is invalid
• Please answer the following RTT
– Which response is returned must be a deterministic function of the username/password pair
– Response delays must be the same for a successful and a failed attempt
Security Analysis
• The nature of the response, as well as the response time, will often leak information to an attacker about the system or the passwords being attacked
• If the requirements are met, the proposed system responds with an RTT on every correct guess as well as on a fixed subset of incorrect guesses, so being asked for an RTT does not by itself tell the attacker whether the guess was right
Security Analysis
• Goal: make the cost of attacking the system higher than the benefit of a successful attack
– Some systems are so valuable to attack that attackers will employ humans to solve the RTTs encountered during an attack
– The probability p must then be raised to increase the number of RTTs, and hence the cost, of the attack
Security Analysis
• What if an RTT can be broken?
• The assumption should be that it can
• In this case the system should dynamically adjust the probability p
• This means that the system must be able to detect a successful attack
– When the number of unsuccessful attempts accompanied by correctly solved RTTs goes up, this is a clear indication of an attack (a legitimate user who solves an RTT rarely also gets the password wrong)
• Alternative RTT schemes should be available to deploy once one is broken
Security Analysis
• Cookie theft
– Cookies can be stolen from one machine and set on another
– Keep a count on the server, per cookie, of the number of failed attempts
– With a high number of failures (say 100) the server ignores the cookie and acts as if no cookie was sent, so a stolen cookie buys the attacker at most that many unchallenged guesses
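As an added example (not code from the slides or from the Pinkas and Sander paper), the following Python models the login protocol described in the User Authentication Protocols and Security Analysis slides: a trusted cookie skips the RTT, every correct password from an unknown machine gets an RTT, a deterministic p-fraction of wrong guesses from an unknown machine also gets one, and a cookie is ignored once its failure count reaches the limit. The class and function names, the HMAC-based decision function, the constructed user table and the failure limit are assumptions for illustration; the RTT itself is simulated by a callback rather than generated.

```python
# Added example (not code from the slides or the Pinkas/Sander paper): a
# minimal model of the cookie-plus-RTT login protocol described above.  The
# class and function names, the HMAC-based decision function, the constructed
# user table and the per-cookie failure limit are assumptions for illustration.
import hashlib
import hmac
import secrets


class RttLoginServer:
    def __init__(self, users, p, cookie_fail_limit=100):
        # Constructed user table (a real server would store salted hashes).
        self.users = {u: pw.encode() for u, pw in users.items()}
        self.p = p                      # fraction of wrong guesses that get an RTT
        self.cookie_fail_limit = cookie_fail_limit
        self.server_key = secrets.token_bytes(32)  # keeps the decision unpredictable
        self.cookies = {}               # cookie token -> {"user": ..., "fails": ...}
        self.solved_rtt_failures = 0    # wrong passwords submitted with a solved RTT

    def _password_ok(self, username, password):
        stored = self.users.get(username, b"")
        return hmac.compare_digest(stored, password.encode())

    def should_challenge(self, username, password):
        """Deterministic function of (username, password): a repeated guess always
        gets the same decision, so an attacker cannot retry until no RTT is asked."""
        mac = hmac.new(self.server_key, f"{username}\x00{password}".encode(),
                       hashlib.sha256).digest()
        # Integer comparison avoids float rounding at p == 1.0.
        return int.from_bytes(mac[:8], "big") < self.p * 2 ** 64

    def _cookie_trusted(self, cookie, username):
        entry = self.cookies.get(cookie)
        return (entry is not None and entry["user"] == username
                and entry["fails"] < self.cookie_fail_limit)

    def login(self, username, password, cookie=None, rtt_solver=None):
        """Returns (response, cookie).  response is "granted", "invalid" or
        "rtt_required"; the last means the attempt stopped at an RTT the client
        did not (or could not) solve.  rtt_solver simulates a human: a callable
        returning True when the RTT was solved."""
        # Both checks run on every attempt so the work done does not depend on
        # the outcome (the slides require equal delays for success and failure).
        correct = self._password_ok(username, password)
        challenge = self.should_challenge(username, password)

        if self._cookie_trusted(cookie, username):
            # Known machine: plain password login, no RTT at all.
            if correct:
                return "granted", cookie
            self.cookies[cookie]["fails"] += 1   # stolen-cookie defence
            return "invalid", cookie

        # Unknown machine: RTT for every correct password and for a
        # deterministic p-fraction of wrong ones, so the reply alone does not
        # reveal which guess was right.
        if correct or challenge:
            if rtt_solver is None or not rtt_solver():
                return "rtt_required", cookie
            if correct:
                token = secrets.token_hex(16)
                self.cookies[token] = {"user": username, "fails": 0}
                return "granted", token
            self.solved_rtt_failures += 1        # attack indicator from the slides
        return "invalid", cookie


def simulate_dictionary_attack(server, username, dictionary):
    """Attacker with no cookie and no humans.  Returns the number of guesses that
    stopped at an RTT: the correct password is always among them, hidden by the
    wrong guesses that were also challenged, so that many RTTs must be solved."""
    blocked = 0
    for guess in dictionary:
        first, _ = server.login(username, guess)
        second, _ = server.login(username, guess)  # retrying changes nothing
        if first != second:
            raise RuntimeError("challenge decision must be deterministic")
        if first == "rtt_required":
            blocked += 1
    return blocked


if __name__ == "__main__":
    srv = RttLoginServer({"alice": "correct horse"}, p=0.05)
    words = ["123456", "password", "qwerty", "correct horse", "letmein"]
    print("RTTs in the attacker's way:", simulate_dictionary_attack(srv, "alice", words))
```

With p = 0.05 an attacker working through a dictionary of D words must solve roughly 0.05·D RTTs to learn which challenged guess was the real password, while a legitimate user from a known machine never sees one; with p = 0 only the correct password is challenged, which is exactly the leak the deterministic subset of wrong guesses is meant to close.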
Security Analysis
• Account locking measures
– Since we can detect when an attack is happening, we can use account locking as long as the failed-attempt threshold is set higher than typical user behaviour
– The failed-attempt threshold should be lowered dynamically while an attack is happening, at least until a new RTT is deployed
Authentication Method Requirements
• Requirement: Availability
– Users shouldn't be expected to have special software installed
• Requirement: Robust and Reliable
– Requests should always receive a response
• Requirement: Friendliness
– The interface should be friendly and usable
Authentication Method Requirements
• Requirement: Low cost to implement and operate
• Take strong consideration of the effect of a successful attack and what impact it has on business and customers
• Risk is an important factor in choosing an authentication method
Other Authentication Approaches
• Most other, and potentially more secure, authentication approaches do not satisfy the previously stated requirements
– One-time passwords (tokens)
– Client certificates/keys
– Biometrics
– Graphical passwords
Conclusion
• With a scalable, low-cost and usable solution that looks to the user like standard username/password authentication, the authors believe their proposed protocol is the answer to securing passwords against online dictionary attacks
• Why aren't the solutions implemented today using similar ideas?
• Questions?