Stronger Password Authentication Using Browser Extensions - PowerPoint PPT Presentation

1
Stronger Password Authentication Using Browser Extensions
Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell, Stanford University
http://crypto.stanford.edu/PwdHash
2
Password Phishing Problem
[Diagram: the user sends pwdA to Bank A, and the same pwdA to a Fake Site]
  • User cannot reliably identify fake sites
  • Captured password can be used at target site

3
Common Password Problem
[Diagram: the same pwdA is used at Bank A (a high security site) and at Site B]
  • Phishing attack or break-in at site B reveals
    pwd at A
  • Server-side solutions will not keep pwd safe
  • Solution: strengthen with client-side support

4
Our Solution: PwdHash
  • Lightweight browser extension
  • Impedes password theft
  • Invisible to server
  • Invisible to user

→ Pwd Hashing
→ Pwd Prefix
5
Password Hashing
[Diagram: hash(pwdA, BankA) is sent to Bank A; hash(pwdB, SiteB) is sent to Site B]
  • Generate a unique password per site
  • HMAC_fido123(banka.com) → Q7a0ekEXb
  • HMAC_fido123(siteb.com) → OzX2ICiqc

6
Password Hashing: past attempts
  • Hash pwd with realm provided by remote site
    • HTTP 1.1 Digest Authentication
    • Kerberos 5
    • Does not prevent phishing or the common pwd problem
  • Hash pwd with network service name
    • Abadi, Bharat, Marais (PTO 97). Standalone.
    • Gabber, Gibbons, Mattias, Mayer (FC 97). Proxy.
    • Relies on intercepting traffic → can't handle https

7
Password Hashing: a popular idea
  • Recent password hashing projects
  • Similar hashing algorithms
  • Only PwdHash defends against spoofing and is invisible to the user

[Table of projects compared: Password Generator Extension, Password Composer, Passwdlet, Genpass, Site Password, Password Maker, PwdHash, Magic Password Generator]
8
The Spoofing Problem
  • JavaScript can display password fields or dialogs
  • Unhashed password sent to attacker in clear

9
Password Prefix
  • Original pwd should never be visible to web page

[Diagram: the user types @@fido123, the page sees @@abcdefgh, and Site B receives the hash OzX2ICiqc]
10
Password Prefix: how it works
  • Normal operation: prefix in password field
  • Abnormal operation: prefix in non-password field
    • Can just ignore the prefix and not hash
    • Remind user not to enter password

@@fido123 → @@abcdefgh → abcdefgh → fido123 → HMAC_fido123(siteb.com) → Q7a0ekEXb
11
Why use Password Prefix?
  • Protection mechanism built in to password
  • Does not rely on user to make a decision
  • Same prefix works for everyone
  • Distinguishes secure passwords from:
    • normal passwords
    • social security numbers
    • PINs
  • Only use it when you want to

12
Other Trusted Pwd Interfaces
  • Password prefix (starts with @@)
  • Secure attention sequence
  • Trusted image or phrase
    • Passmark
    • DSS
13
Other Challenges
  • Password Reset
  • Internet Cafes
  • Dictionary Attacks
  • Spyware, DNS poisoning (no protection)
  • Other issues (described in the paper)
    • Choosing salt for hash
    • Encoding hashed password
    • Additional attacks and defenses

14
Password Reset
  • After install, PwdHash can't protect existing pwds
  • Only passwords starting with @@ are secure
  • User can choose where to use PwdHash
  • User must enter old password unhashed into password reset page
  • Pwd Prefix makes it easy
    • Old passwords won't be accidentally hashed
    • New, secure passwords are automatically hashed
15
Internet Cafes
  • Users cannot install software at Internet Cafes.
  • Would not be a problem if PwdHash were universally available
  • Interim solution: a secure web site for remote hashing, e.g. https://www.pwdhash.com
    • Hash is computed using JavaScript
    • Server never sees password
    • Resulting hash is copied into clipboard
  • Can also be used as a standalone password generator

[Screenshots: Internet Explorer, Firefox]
16
Dictionary attacks
[Figure: dictionary word list: aardvark, aback, abacus, abandon]
  • After phishing attack or break-in to low security site, attacker can repeatedly guess password and check hash.
  • Succeeds on ~15% of passwords (unlike 100% today)
  • Less effective on longer, stronger passwords
  • Solution: better authentication protocol (SPEKE, SRP, etc.)
    • Requires server-side changes
  • Defense: user specifies a global pwd to strengthen all pwd hashes
    • Creates a new pwd management problem for shared machines
  • Defense: slow hash function (Halderman, Waters, Felten 05)
    • Increases time of dictionary attack

17
PwdHash: try it out
  • Prototype for Internet Explorer and Mozilla
    Firefox
  • Defends against spoofing
  • Invisible to user
  • Invisible to server
  • Complementary to other anti-phishing solutions
  • Only use it when you want to
  • www.pwdhash.com