Securing Passwords Against Dictionary Attacks - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

Securing Passwords Against Dictionary Attacks

Description:

... keys Biometrics Graphical Passwords Conclusion With a scalable, low cost and usable solution similar to standard user/password authentication ... – PowerPoint PPT presentation

Number of Views:106
Avg rating:3.0/5.0
Slides: 26
Provided by: ChadF150
Category:

less

Transcript and Presenter's Notes

Title: Securing Passwords Against Dictionary Attacks


1
Securing Passwords Against Dictionary Attacks
  • Presented By
  • Chad Frommeyer

2
Introduction
  • Abstract/Introduction
  • Reverse Turing Test (RTT)
  • User Authentication Protocols
  • Security Analysis
  • Authentication Method Requirements
  • Other Authentication Approaches
  • Conclusion

3
Abstract/Introduction
  • Passwords are the most widely used authentication
    method
  • More secure methods are cumbersome to use
  • User chosen passwords are often weak and easy to
    guess with a dictionary
  • User requires the authentication to be easy to
    use
  • Goal is to build authentication that is still
    easy to use but hard for the computer to guess

4
Abstract/Introduction
  • Dictionary Attack Attempting to authenticate by
    guessing all possible passwords
  • Offline Attack attacking passwords when they
    are in transit
  • Offline attacks are prevented by securing
    communications and protecting password files

5
Abstract/Introduction
  • For this discussion we assume that communications
    are properly secured and password files are
    protected
  • Online Attack Attack that requires interacting
    with the login server

6
Introduction Common Countermeasures
  • Delayed Response delaying the authentication
    response
  • Account Locking Locking the account with too
    many negative responses

7
Introduction Countermeasure Weaknesses
  • Global Password Attacks Simultaneous attempts
    to multiple accounts
  • Risks (from account locking)
  • Denial of Service
  • Customer Service Costs

8
Introduction Pricing via Processing
  • Add minimal processing time to each request
    results in a large impact to dictionary attacks
    but negligible impact to the individual
  • A drawback to this approach is that it can
    require a special user client or mobile code
  • The suggested approach
  • Add processing without changing the interaction
  • Make the processing hard for machines to automate

9
Reverse Turing Test (RTT)
  • Requirements of RTT
  • Automated Generation
  • Easy for Humans
  • Hard for Machines
  • Small probability of guessing the answer
    correctly
  • RTTs can be solved by either utilizing a human
    during the attack, or some type of OCR or Audio
    analysis

10
Reverse Turing Test (RTT)
  • Most well known RTT
  • Distorted text image
  • Production usage is typically during a
    registration process
  • Accessibility Issues
  • Utilize both Image and Audio based

11
User Authentication Protocols
  • Combining an existing system with an RTT
  • Requires passing and RTT for every authentication
    attempt
  • Usability This is different than most users are
    accustomed, and would likely cause issues
  • Scalability -- RTT generation on a large scale
    is not a proven concept

12
User Authentication Protocols
  • Answers to the usability and scalability issues
  • Require RTT only a fraction of the time
  • Problem Attacks would skip the attempts when an
    RTT was required
  • Require RTT only after first failure
  • Problem When global password attacks are used,
    this doesnt help

13
User Authentication Protocols
  • Papers Observations
  • Users typically use a limited number of computers
  • Requiring RTTs for only a fraction of the time
    can be helpful for an appropriate implementation
  • The protocol suggested by this paper assumes the
    ability to identify client computers. The
    following implementation uses web browser cookies.

14
(No Transcript)
15
User Authentication Protocols
  • The usability problems are solved because the
    RTTs are only required in a very small number of
    cases
  • Scalability problems are solved because of this
    same reason and because the RTTs are generated by
    a deterministic function based on the username
    and password and a probability 1/p
  • All expected RTTs could be cached

16
Security Analysis
  • Implementation Requirements
  • One of the following feedbacks are returned when
    a username/password pair doesnt match
  • The username/password is invalid
  • Please answer the following RTT
  • The response must be a deterministic function
    based on the username/password
  • Response delays should be the same for a success
    and failed attempt

17
Security Analysis
  • The nature of the response as well as the
    response time will often key an attacker to more
    information about the system/passwords being
    attacked
  • If the requirements are met, the proposed system
    will respond with RTTs on correct guesses as well
    as a subset of incorrect guesses

18
Security Analysis
  • Goal Make the cost of attacking the system more
    than the benefit of a successful attack
  • Some systems are so beneficial to attack that
    attackers will utilize humans to solve the RTTs
    encountered during an attack
  • The probability p must be adjusted to raise the
    cost of the attack

19
Security Analysis
  • What if an RTT can be broken?
  • The assumption should be that they can
  • In this case the system should dynamically adjust
    the probabilities
  • This means that the system must be able to
    identify a successful attack
  • When unsuccessful attempts with solved RTTs go
    up, this is a clear indication of an attack
  • Alternative RTT solutions should be available

20
Security Analysis
  • Cookie Theft
  • Cookies can be stolen off of one machine, and set
    on another
  • Keep a count on the server per cookie of the
    number of failed attempts
  • With a high number of failures (say 100) the
    server will ignore the cookie, and act as if no
    cookie was sent

21
Security Analysis
  • Account Locking Measures
  • Since we can determine when an attack is
    happening, we can use account locking measures as
    long as the number of attempts failed check is
    higher than typical
  • The accounts failed threshold should dynamically
    lower when an attack is happening, at least until
    a new RTT is implemented

22
Authentication Method Requirements
  • Requirement Availability
  • Users shouldnt be expected to have special
    software Installed
  • Requirement Robust and Reliable
  • Requests should always receive response
  • Requirement Friendliness
  • The interface should be friendly and usable

23
Authentication Method Requirements
  • Requirement Low cost to implement and operate
  • Take strong consideration to the effect of a
    successful attack and what impact it has on
    business and customers
  • Risk is an important factor in choosing a
    authentication method

24
Other Authentication Approaches
  • Most other and potentially more secure
    authentication approaches do not satisfy the
    previous stated requirements
  • One time passwords (tokens)
  • Client certificates/keys
  • Biometrics
  • Graphical Passwords

25
Conclusion
  • With a scalable, low cost and usable solution
    similar to standard user/password authentication
    methods, the authors believe that their proposed
    solution is the answer to secure authentication
  • Why arent solutions that are implemented today
    using similar ideologies?
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com