PASS: Strengthening and Democratizing Enterprise Password Hardening
Ari Juels, Jacobs Technion-Cornell Institute, Cornell Tech
with D. Akhawe (Dropbox), A. Athalye (MIT), R. Chatterjee (Cornell), A. Everspaugh (UWisc), T. Ristenpart (Cornell Tech), S. Scott (Royal Holloway)
Real World Cryptography, Stanford, 7 January 2016

Password breaches never go out of style
• 145 million passwords, May 2014
• 273 million passwords, Jan. 2014
• 50 million passwords, March 2013
• 130 million (ECB-encrypted) passwords, Oct. 2013
• 50 million passwords, April 2014
• 36 million passwords, August 2015
Plus last.fm, Twitter, eHarmony, etc., etc., etc.

Hashing often isn't enough…
[Diagram: user "Alice" with password P; server storing H(P)]
(1) Steal H(P)
(2) Crack H(P) offline; get P
(3) Impersonate user

Ashley Madison breach
• AM used salted bcrypt
• Cost parameter 12
• Very strong relative to common industry practice
• Not strong enough to compensate for weak passwords
• Result of cracking sample of 4000 passwords…
• And for good measure AM left around a bunch of MD5 password hashes…
Source: http://www.pxdojo.net/2015/08/what-i-learned-from-cracking-4000.html

Even sophisticated organizations struggle to protect themselves
[Diagram repeated: (1) steal H(P); (2) crack H(P) offline, get P; (3) impersonate user]
Can we (1) create a password-protection system better than the industry norm, and (2) democratize it?
PASS

Two major features of PASS:
(1) Password hardening protects against smash-and-grab password breaches
(2) Typo correctors safely correct (some) password typos
Password Hardening in PASS

The Facebook Password Onion
From last year's RWC…
    $cur = 'password'
    $cur = md5($cur)
    $salt = randbytes(20)
    $cur = hmac_sha1($cur, $salt)
    $cur = remote_hmac_sha256($cur, $secret)
    $cur = scrypt($cur, $salt)
    $cur = hmac_sha256($cur, $salt)

Facebook approach
[Diagram: Alice sends P to the server; the server sends H(P) to a remote PRF service holding key k, which returns $z = \mathrm{HMAC}_k(H(P))$]

Facebook's remote hardening service
[Diagram: server and remote PRF service holding k; labels "Guess" and "z ???"]
Turns offline attack into online attack

Facebook approach
Drawback 1: (Hashed / HMACed) password exposed to PRF service!

Facebook approach
Drawback 2? (Perhaps) not operating / alerting with per-user granularity

Facebook approach
Drawback 3: No support for periodic key rotation
$z_1 = \mathrm{HMAC}_k(H(P))$
$z_2 = \mathrm{HMAC}_k(H(P))$
$z_3 = \mathrm{HMAC}_k(H(P))$
…
[Figure label: k' +]

The Facebook Password Onion
    $cur = 'password'
    $cur = md5($cur)
    $salt = randbytes(20)
    $cur = hmac_sha1($cur, $salt)
    $cur = remote_hmac_sha256($cur, $secret)
    $cur = scrypt($cur, $salt)
    $cur = hmac_sha256($cur, $salt)
    $cur = remote2_hmac_sha256($cur, $secret2)
    $cur = remote3_hmac_sha256($cur, $secret3)
    …
    $cur = remotei_hmac_sha256($cur, $secreti)

PASS: PRF Service
Hardens passwords à la Facebook, but also has:
1. Blinding: Conceals passwords from PRF service
2. Graceful key rotation: No code change (or service interruption)
3. Fine-grained alerting: Per-user monitoring / rate-limiting of PRF service requests

PASS: User registration
Password service (input: user, P):
    t := random()        (user ID for alerting / throttling)
    x := blind(P)        (blinded PW)
    send (t, x) to PRF service
PRF service (key k):
    y := F_k(t, x)
    return y
Password service:
    z := unblind(y)
    store: (user, t, z)

PASS: Fine-grained monitoring
Password service (input: user, P): x := blind(P); send (t, x)
PRF service (key k): y := F_k(t, x)
User identifier t in clear

PASS: Key rotation
PRF service: k → k', update token Δ_{k→k'}
Password service: update() maps z' ⇐ z (for all users)

Existing crypto primitives insufficient
[Comparison figure; its layout did not survive extraction]
Properties: Deterministic, Pseudorandom, Key Rotation, (Partial) Message Privacy
Primitives: PRFs, Key Updateable Encryption, Proxy Re-encryption, Oblivious PRFs, Partially-Blind Signatures, Partially Oblivious PRF (PO-PRF)

PO-PRF Construction
Bilinear pairing $e: G_1 \times G_2 \to G_T$, with $e(a^x, b^y) = e(a,b)^{xy}$
blind(): $x := H(P)^r$; send $(t, x)$ to the PRF service
PRF service (key $k$): $y := F_k(t,x) = e(H(t), x)^k$
unblind(): $z := y^{1/r} = e(H(t), H(P))^{k \cdot r \cdot 1/r} = e(H(t), H(P))^k$
Similar use of pairings: [Sakai, Ohgishi, Kasahara] [Boneh, Waters]

PASS: Key rotation
PRF service: $k \to k'$, update token $\Delta_{k \to k'} = k'/k$
update(): $z' := z^{k'/k} = e(H(t), H(P))^{k \cdot k'/k} = e(H(t), H(P))^{k'}$
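The blind / evaluate / unblind / update algebra from the registration, PO-PRF construction and key-rotation slides, as an added example (not code from the talk or from the Pythia project). It assumes a toy bilinear map e(a, b) = a·b mod Q on Z_Q, which is insecure and stands in for a real pairing only so the exponents can be checked; `PRFService`, `harden`, `update` and the request limit are hypothetical names.

```python
import hashlib
import secrets
from collections import Counter

# Toy setting (assumption, insecure): G1 = G2 = GT = Z_Q written additively, so
# "a^x" is x*a mod Q and e(a, b) = a*b mod Q. A real deployment uses a pairing.
Q = 2**127 - 1  # prime group order

def H(data: str) -> int:
    """Hash a string to a nonzero group element."""
    digest = hashlib.sha256(data.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def power(elem: int, exp: int) -> int:
    """elem^exp in the toy group."""
    return elem * exp % Q

def pairing(a: int, b: int) -> int:
    """Toy bilinear map: e(a^x, b^y) = e(a, b)^(xy)."""
    return a * b % Q

def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1

class PRFService:
    """Holds only k plus temporary per-t request counts (hypothetical class)."""
    def __init__(self, limit: int):
        self.k = rand_scalar()
        self.limit = limit
        self.requests = Counter()

    def evaluate(self, t: str, x: int) -> int:
        self.requests[t] += 1                   # t arrives in the clear
        if self.requests[t] > self.limit:
            raise PermissionError("rate limit exceeded for this t")
        return power(pairing(H(t), x), self.k)  # y := e(H(t), x)^k

    def rotate(self) -> int:
        new_k = rand_scalar()
        delta = new_k * pow(self.k, -1, Q) % Q  # update token k'/k
        self.k = new_k
        return delta

def harden(service: PRFService, t: str, password: str) -> int:
    r = rand_scalar()
    x = power(H(password), r)                   # blind: x := H(P)^r
    y = service.evaluate(t, x)                  # service never sees H(P)
    return power(y, pow(r, -1, Q))              # unblind: z := y^(1/r)

def update(z: int, delta: int) -> int:
    return power(z, delta)                      # z' := z^(k'/k)
```

The stored z is independent of the blinding factor r, and applying the update token to an old z gives the same value as hardening afresh under the new key.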

PASS PRF service is easy to deploy
    def verify(username, password):
        (salt, check) = authTableLookup(username)
        digest = hashpass(salt, password)
        # PASS hardening step: query the PRF service, fold its output into the digest
        ppass = PASS.query(server, t, password)
        digest = PASS.combine(ppass, digest)
        return digest == check
• Small change to code base
• No impact on user experience

…and highly scalable
• Throughput: 1350 connections/sec (8-core EC2 instance); within factor of 2 of TLS query for static page
• PRF Latency: 11.8ms (LAN), 96ms (WAN)
• PRF-Service Storage: One key! (plus temporary rate-limiting state)

Multi-tenant service
Obliviousness means possibility of supporting multiple tenants / servers
[Diagram: servers S1, S2, S3 and one PASS PRF Service with per-tenant keys k1, k2, k3]

…and good for many other password applications
• Bitcoin Brainwallet
• Message-locked encryption
• File Encryption
• Password managers
Password Typo Correction in PASS

Password Typos
True password: Password1
Typed password: password1 (no <shift>)

Why not try correctors?
Typed password: password1 ✗
Password service applies correctors to the typed password:
• swc-all → PASSWORD1
• swc-first → Password1 ✔
• rm-last → password

Password typo correctors: Industry practice
• Facebook, Vanguard, etc., doing some form of this
  • E.g., correcting CAPS LOCK
• Hue and cry
  • c correctors turn adversary's 1 password guess into (c+1) guesses
  • Increases attacker's guessing success by factor of c+1! ✗

Experimental finding: A few correctors go a long way
• Instrumented Dropbox for all users over 24-hour period
  • (No policy change)
• Set of three correctors:
  • C_top3 = {swc-all, swc-first, rm-last}
• Key results:
  • Could correct 9% of failed password submissions
  • 3% of all users rejected but entered at least one password correctable by C_top3
Users needlessly turned away from service!
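The three correctors in C_top3 applied at login, as an added example (not code from the talk or from Dropbox). It assumes PBKDF2 as the stored hash and hypothetical function names; each submission that fails the exact match costs up to three extra hash checks, which is the (c+1)-guesses concern the slides address.

```python
import hashlib
import hmac
import os

def swc_all(pw: str) -> str:
    """Swap the case of every character (undoes CAPS LOCK)."""
    return pw.swapcase()

def swc_first(pw: str) -> str:
    """Swap the case of the first character (missed or extra <shift>)."""
    return pw[:1].swapcase() + pw[1:]

def rm_last(pw: str) -> str:
    """Remove the last character (stray trailing keystroke)."""
    return pw[:-1]

C_TOP3 = (swc_all, swc_first, rm_last)

def hash_password(salt: bytes, pw: str) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the site's password hash.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def register(pw: str):
    salt = os.urandom(16)
    return salt, hash_password(salt, pw)

def verify_with_correctors(record, typed: str):
    """Return 'exact', the name of the corrector that matched, or None."""
    salt, check = record
    candidates = [("exact", typed)]
    for corrector in C_TOP3:
        fixed = corrector(typed)
        # Skip empty results and strings already queued for checking.
        if fixed and all(fixed != seen for _, seen in candidates):
            candidates.append((corrector.__name__, fixed))
    for name, candidate in candidates:
        if hmac.compare_digest(hash_password(salt, candidate), check):
            return name
    return None
```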

Another finding: Minimal security impact
• Analysis shows little security degradation for C_top3
  • Very pessimistic (1000 guesses): 9.54% ➜ 11.96% adversary success
  • Realistic analyses / scheme show virtually no security loss
• Intuition: Common passwords are lexicographically sparse
  • E.g., "password" is common, but "PASSWORD" isn't

Findings
• General "free corrections theorem" shows optimal strategy for correction with no security loss
• Reasonable approximation possible
• Conclusion: Typo correctors can be simple, effective, and safe for PASS!

Summing up
• Enterprise password protections are broken
• PASS's goal: improve best practice for passwords and democratize it
• PASS offers principled and practical:
  • Hardening of password databases
  • Typo correction
• Toward democratization:
  • Open-source (PRF)
  • Commercial offering in the works

To learn more about PASS
• Papers:
  • The Pythia PRF Service. A. Everspaugh, R. Chatterjee, S. Scott, A. Juels, and T. Ristenpart. USENIX Security. 2015.
  • pASSWORD tYPOS and How to Correct Them Securely. R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, and T. Ristenpart. 2016. In submission.
• E-mail: