Enhancing Password Security Using Deceptive Covert Communication
IFIP SEC’15
Mohammed Almeshekah
Eugene Spafford
Mikhail Atallah
Purdue University
Acknowledgment
• Joint work with:
• Prof. Eugene Spafford and Prof. Mike Atallah.
• Part of the Liars Club group at Purdue.
• Partially supported by Northrop Grumman.
Authentication
• One of the most common security controls.
• Two-factor authentication is a de-facto standard.
• Two major limitations remain even with 2FA:
• Passwords are still exposed (typed, transmitted, stored).
• Man-in-the-Browser (MitB) malware, e.g., Zeus, operates after the second factor has been presented.
A Password's Dangerous Trip
A Password's Dangerous Trip: Threats
• Shoulder-surfing
• MitB/keylogger
• Sniffing/phishing
• Insider threat
A Password's Dangerous Trip: Current Controls
• Shoulder-surfing
• MitB/keylogger
• Sniffing/phishing
• Insider threat
• Controls in place today, shown against the same threats: SSL/TLS, ErsatzPasswords, 2FA.
Information Asymmetry: Context-less Authentication
• The user wants to access the account, and the bank wants the user to be able to access it.
• The authentication exchange itself carries no context about the request.
Information Asymmetry: Contextual Authentication
• Is the user on a public network?
• Did the user arrive via an email link?
• ….
• Context feeds a dynamic decision on the server side.
A Password's Dangerous Trip: Reducing password exposure
A Deceptive Covert Communication
• We use an accumulation function A() that can be realized with modular exponentiation (e.g., A(x) = g^x mod p).
• A(x1, x2) = A(x2, x1): the function is commutative.
• Computing A(A(x1), x2) does not require knowledge of x1.
• Current systems store h = H(passwd || salt).
• Instead, for every account compute and store A(h); h itself is never kept.
A Deceptive Covert Communication: Enter username
A Deceptive Covert Communication: Check whether the username exists
    if usernameExists():
        A(h) = getHashedPass()
        s = getSalt()
        R = randomNonce()
        key = A(A(h), R)
        id = BankId
        x = HMAC_key(A(R), s, id)
        send QR(A(R), x, id)
A Deceptive Covert Communication: User scans the QR code
A Deceptive Covert Communication: Check the integrity of the QR code
    h = Hash(passwd || salt)
    key = A(A(R), h)
    x' = HMAC_key(A(R), id)
    if x == x': route (b)
    else:       route (a)
A Deceptive Covert Communication: Verify the identity of the application
A Deceptive Covert Communication: Covert message
A Deceptive Covert Communication: Generating the code
    code = A(A(R), h, msgs)
A Deceptive Covert Communication: Verifying the code
    code' = A(A(h), R, possible msgs)
    check code =? code'
• The server holds A(h), not h, so it evaluates A(A(h), R, msg); by commutativity this equals the phone's A(A(R), h, msg).
• The server tries each possible msg in turn; the one that reproduces the code is the covert message the user sent.
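The four protocol steps on the preceding slides (server challenge, QR integrity check on the phone, code generation, code verification) worked through end to end, as an added Python example; this is not the authors' code. Assumptions not on the slides: A(x) = 2^x mod p in the 2048-bit MODP group of RFC 3526; SHA-256 as H and as the compression of a group element to a 5-symbol code; three made-up covert-message labels; the salt travels inside the QR so the phone can recompute h (the slides do not say where the phone gets it); and the salt is included in the HMAC on both sides, where the slide pseudocode lists it on the server side only. The server never learns h: it verifies with A(A(h), R, msg), which equals the phone's A(A(R), h, msg) because the exponents multiply.

```python
import hashlib
import hmac
import secrets
import string

# 2048-bit MODP group 14 from RFC 3526, generator 2 (constant transcribed here;
# check it against the RFC before relying on it).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
NBYTES = 256  # group elements serialised as 2048-bit big-endian integers
# Candidate covert messages (labels are assumed; the slides only say "possible msgs").
MESSAGES = ("normal", "public-network", "duress")
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def A(x: int) -> int:
    """Accumulate one value: A(x) = g^x mod p."""
    return pow(G, x, P)

def A_on(acc: int, *xs: int) -> int:
    """Extend an accumulated value: A(acc, x1, x2, ...) = acc^(x1*x2*...) mod p.
    Exponents multiply, so A_on(A(a), b) == A_on(A(b), a): whoever holds A(a)
    can finish the computation without ever learning a."""
    for x in xs:
        acc = pow(acc, x, P)
    return acc

def msg_int(label: str) -> int:
    """Map a message label to a non-zero exponent so it can enter the accumulator."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") | 1

def to_code(value: int, length: int = 5) -> str:
    """Compress a group element to `length` symbols of a 64-symbol alphabet
    (6 bits per symbol, so the default 5 symbols give 30 bits)."""
    n = int.from_bytes(hashlib.sha256(value.to_bytes(NBYTES, "big")).digest(), "big")
    return "".join(ALPHABET[(n >> (6 * i)) & 63] for i in range(length))

def password_hash(passwd: str, salt: bytes) -> int:
    """h = H(passwd || salt) as on the slides; a deployment would use a slow KDF."""
    return int.from_bytes(hashlib.sha256(passwd.encode() + salt).digest(), "big")

def tag(key: int, AR: int, salt: bytes, bank_id: str) -> bytes:
    """x = HMAC_key(A(R), s, id); the salt is included on both sides (assumption)."""
    msg = AR.to_bytes(NBYTES, "big") + salt + bank_id.encode()
    return hmac.new(key.to_bytes(NBYTES, "big"), msg, "sha256").digest()

def enroll(db: dict, username: str, passwd: str) -> None:
    """The server keeps A(h) and the salt, never h itself."""
    salt = secrets.token_bytes(16)
    db[username] = {"A_h": A(password_hash(passwd, salt)), "salt": salt}

def server_challenge(db: dict, username: str, bank_id: str):
    """Server: build the QR payload for an existing username. Returns (qr, R);
    R is kept server-side for this login attempt only."""
    rec = db[username]
    R = secrets.randbits(256) | 1
    AR = A(R)
    key = A_on(rec["A_h"], R)  # g^(h*R), computed from A(h) without knowing h
    x = tag(key, AR, rec["salt"], bank_id)
    return {"AR": AR, "x": x, "id": bank_id, "salt": rec["salt"]}, R

def phone_respond(qr: dict, passwd: str, msg: str):
    """Phone: recompute the key from the password, check the QR's integrity
    (route b) and emit the code carrying the covert message. None means the
    QR did not come from a party holding A(h), i.e. route (a)."""
    h = password_hash(passwd, qr["salt"])
    key = A_on(qr["AR"], h)  # g^(R*h) == the server's key, by commutativity
    if not hmac.compare_digest(qr["x"], tag(key, qr["AR"], qr["salt"], qr["id"])):
        return None
    return to_code(A_on(qr["AR"], h, msg_int(msg)))

def server_verify(db: dict, username: str, R: int, code: str):
    """Server: recover the covert message by trying every candidate against
    A(A(h), R, msg); returns the label, or None when no candidate matches."""
    A_h = db[username]["A_h"]
    for label in MESSAGES:
        if hmac.compare_digest(code, to_code(A_on(A_h, R, msg_int(label)))):
            return label
    return None

def demo() -> str:
    """One full run: a user logging in under duress signals it covertly."""
    db = {}
    enroll(db, "alice", "correct horse battery staple")
    qr, R = server_challenge(db, "alice", "examplebank")
    code = phone_respond(qr, "correct horse battery staple", "duress")
    return server_verify(db, "alice", R, code)  # -> "duress"
```

Run `demo()` for a complete exchange. Two properties are worth checking in the code: the phone only proceeds when the QR's tag was produced with g^(h*R), which a phishing page or MitB that does not hold A(h) cannot compute, so a forged QR lands on route (a); and the server's loop over MESSAGES is the whole verifier, so adding a message costs one more modular exponentiation per attempt and widens the guessing window by one code. Note also that the QR check binds the challenge to whoever holds A(h): a stolen A(h) still does not reveal h, and turning g^h and g^R into g^(h*R) without R or h is the computational Diffie-Hellman problem in the chosen group (my observation, not a claim made on the slides).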
A Deceptive Covert Communication: The use of deception
Comparison
Enhancements
• Full-transaction Authentication.
• Phone connectivity.
• Storage of Insensitive Information.
Length of code
• With 64 possible characters (alphanumerics plus two symbols), each character carries 6 bits:
• the probability of guessing a single character is 2^-6;
• with length = 5, the probability of guessing the whole code is 2^-30.
• Because the server accepts whichever of the k possible messages reproduces the code, a blind guess succeeds with probability k · 2^-30; keep the message set small and rate-limit online attempts.
• The calculation of the code includes a fresh random nonce R.
• An adversary therefore gains no advantage from learning any previous runs of the protocol.
Why use a smartphone
• The use of Software Guards.
• Reducing password exposure.