Transcript of: The Password Problem Will Only Get Worse – NWACC · 2014-06-12
The Password Problem Will Only Get Worse
New technology for proving who we are
Isaac Potoczny-Jones – Galois & [email protected]
@SyntaxPolice
Goals & Talk Outline
● Update the group on authentication threats
● Update the group on authentication solutions
  – 2-factor authentication factors on the market
  – Single Sign-On
  – The state of various protocols
  – Get your advice on our approach
● Outline: Background, Threat Landscape, Solutions, Our Approach
About the Speaker
● Galois, Inc. – galois.com
  – Research & development, mostly for the federal government
  – Computer security, safety, correctness, etc.
  – 40+ employees in Portland, OR
  – Founded in 1999
● SEQRD: a Galois spin-off – seqrd.com
  – Startup focusing on authentication
● Isaac's background: BS Computer Science, MS Cybersecurity
Authentication: Foundations
● Authentication is proving who you are
  – Or proving that you're the same person as last time
● Something you know
  – e.g. passwords, PINs, screen patterns, first pet, etc.
● Something you have
  – Physical keys, secure tokens, mobile phones
● Something you are
  – Biometrics, fingerprint readers, etc.
Single & Multi-Factor
● Single factor: one authentication method
  – Classics: password, keys, keyfobs, keycards
● Multi-factor: more than one factor
  – Get more security by mixing methods of different kinds (two passwords are still one factor)
● Multi-factor classics
  – Debit card & PIN
  – Password & random-number token
Uses for Authentication
● Remote authentication
  – e.g. proving who you are to a web site
  – That's our focus today
● Physical authentication
  – Granting access to locations, devices, services
● Screen unlock
  – Mobile devices or computers
Threat Landscape: Passwords
Fundamental Problems
Passwords dominate, but:
● Bad passwords are easy to guess
● Good passwords are impossible to remember
But what's a good password?
To answer that, let's explore password attacks
Massive Database Spills
● Leaked lists have accelerated attackers' understanding of how people choose passwords
● LinkedIn: 6.5M (2012)
● Yahoo: 340K (2012)
● RSA: SecurID token seed-keys stolen (2011)
● Gawker: 740K (2011)
● Sony: (2011)
● Stratfor: 800K (2011)
● RockYou: 32M (2009)
http://thepasswordproject.com/leaked_password_lists_and_dictionaries
Brute-Force Attacks
[chart – source: Rob Graham, Errata Security]
Password Cracking: ocl-hashcat-plus performance, 1 GPU benchmark
● NTLM: 7,487M c/s
● MD5: 5,144M c/s
● SHA1: 2,030M c/s
● SHA256: 1,003M c/s
● Password Safe: 495k c/s
● bcrypt $2a$: 3,788 c/s
(c/s = candidate passwords hashed per second; a deliberately slow hash like bcrypt costs the attacker roughly a million times more per guess than MD5)
source: http://hashcat.net/oclhashcat-plus/
Hybrid Attacks – 90% Success
● Great article by Ars on password crackers
● Challenge: 3 crackers, 16,000+ hashes
● Outcome: 90% success
● Example attacker approach:

Method                          Passwords uncovered   Time
Brute force, 1–6 char length    1,300                 2.5 minutes
Mixed brute force               2,600                 4.5 minutes
Word list                       6,000                 9 minutes
Hybrid                          2,700                 5 hours

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords
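As an added example (not from the talk or the Ars article), here is a toy Python version of that staged pipeline run against constructed, unsalted MD5 hashes: a short brute force first, then a plain word list, then the hybrid phase that mangles word-list entries. The hash set, the word list and the mangling rules are made up for the demo; the point is to see how each phase picks off a different class of password and how the guess counts grow.

```python
"""Toy offline cracking pipeline, staged the way the Ars challenge describes:
short brute force, then a word list, then hybrid (word list + mangling rules).
Added example for this transcript, not from the talk. The 'leaked' hash set and
the word list below are constructed for the demo."""
import hashlib
import itertools
import string


def md5_hex(password: str) -> str:
    # Unsalted MD5: the fast-hash case in the hashcat benchmark above.
    return hashlib.md5(password.encode()).hexdigest()


# Constructed plaintexts: one falls to each phase, the last survives all three.
SAMPLE_PLAINTEXTS = ["ab1", "dragon", "Dragon1984", "Trustno1!", "zQ9#mL2v!p"]
LEAKED_HASHES = {md5_hex(p) for p in SAMPLE_PLAINTEXTS}
WORDLIST = ["dragon", "password", "trustno1", "letmein", "monkey"]   # constructed


def brute_force(max_len: int, alphabet: str = string.ascii_lowercase + string.digits):
    """Every string of length 1..max_len over the alphabet; keyspace grows as |alphabet|**n."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def hybrid(words, digit_len: int = 4, suffixes=("!", "!1", "123")):
    """Word-list entries mangled the way cracker rules do: case changes, suffixes, appended digits."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for s in suffixes:
                yield base + s
            for digits in itertools.product(string.digits, repeat=digit_len):
                yield base + "".join(digits)


def attempt(candidates, targets, found: dict) -> int:
    """Hash each candidate and record hits in `found`; returns the number of guesses spent."""
    guesses = 0
    for pw in candidates:
        guesses += 1
        h = md5_hex(pw)
        if h in targets and h not in found:
            found[h] = pw
    return guesses


def crack(targets):
    """Run the three phases in order; returns (hash -> plaintext, guesses per phase)."""
    found, work = {}, {}
    work["brute_force_1-3"] = attempt(brute_force(3), targets, found)
    work["wordlist"] = attempt(WORDLIST, targets, found)
    work["hybrid"] = attempt(hybrid(WORDLIST), targets, found)
    return found, work


if __name__ == "__main__":
    found, work = crack(LEAKED_HASHES)
    for h, pw in found.items():
        print(f"{h}  {pw}")
    print(work, f"{len(LEAKED_HASHES) - len(found)} hash(es) uncracked")
```

Four of the five hashes fall; only the random 10-character one survives, because no phase here even enumerates a 10-character mixed keyspace. Multiply the hybrid phase's ~150k guesses by the bcrypt-versus-MD5 ratio from the benchmark slide to see why the hash function chosen by the site matters as much as the user's password.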
So What's a Good Password?
● Long enough
  – Maybe 9+ characters
● Complex enough
  – Pretty much random & drawn from a large character set
● Not reused
  – Or risk the wrath of database spills
● But: the average user has 26 accounts* (I have 300)
*Source: Experian & Deloitte: http://goo.gl/4jrnha
With 26 passwords, it's impossible
● Let's just admit it: we're asking the impossible
● Users can never remember 26 random passwords
● Users manage the problem:
  – Reuse is most common – users have 5 passwords
  – Email reset – “I forgot my password”
  – Password managers – Firefox, KeePass, etc.
Conclusions about Threats
● Crack speed is increasing, e.g. via GPUs
● Tool support is improving very quickly
● This is gaining steam as big password database spills give crackers more information about how people choose passwords
● Passwords can't get complex enough
Result: 2-Factor Is Taking Off
● Major Internet players offer it:
  – Google, Facebook, Twitter, Dropbox, etc.
● It's a good way to protect yourself from:
  – Password reuse by users
  – Other sites getting hacked
Solutions
Solutions: Identity Federation / Single Sign-On
There was a great talk on this yesterday
Identity Federation: Moving Parts
● Service Provider (SP): the site you log into
  – Also called “Relying Party” or RP
● Identity Provider (IdP): the site you log in with
● Typical workflow:
  – Visit Yahoo, click “login”
  – Get redirected to Google with a session token
  – Log into Google
  – Get redirected to Yahoo with proof of login
Identity Federation Workflow
Sign into Yahoo using Google (simplified)
[diagram – parties: User & Browser, Yahoo (Service Provider), Google (Identity Provider)]
1. Let me in (browser → Yahoo)
2. Ask Google (Yahoo redirects the browser)
3. I'm Isaac (browser → Google)
4. Login & attributes (Google → browser)
5. Login & attributes (browser → Yahoo)
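The part of that workflow that usually goes wrong is step 5: what the service provider must check before it trusts the "login & attributes" the browser hands it. As an added example (not SAML, not OpenID, and not any product's code), the exchange below is modeled in Python with the assertion as JSON signed with HMAC-SHA256 under a key the IdP and SP share; a real IdP signs with its private key and the SP verifies against the IdP's certificate, but the checks on the SP side are the same. The names google/yahoo/othersite, the subject isaac, the IDP_KEY value and the timestamp are constructed for the demo.

```python
"""Minimal SP/IdP exchange modeled on the five-step flow above, reduced to the
checks the service provider must make on the assertion it receives. Added example,
not SAML and not any product's code. IDP_KEY, the party names and the timestamp in
demo() are constructed."""
import hashlib
import hmac
import json
import secrets

IDP_KEY = b"constructed-demo-idp-key"   # assumption: shared verification key for the demo
ASSERTION_TTL = 300                       # seconds an assertion stays valid


def _sign(key: bytes, assertion: dict) -> str:
    body = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Steps 3-4: authenticates the user (omitted here) and issues a signed assertion."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def issue(self, request_id: str, audience: str, subject: str, now: int) -> dict:
        assertion = {
            "id": secrets.token_hex(8),      # unique per assertion: lets the SP detect replay
            "issuer": self.name,
            "subject": subject,
            "audience": audience,            # the one SP this assertion is for
            "in_response_to": request_id,    # ties it to the SP's outstanding request
            "issued_at": now,
            "expires": now + ASSERTION_TTL,
            "attributes": {"groups": ["staff"]},
        }
        return {"assertion": assertion, "signature": _sign(self.key, assertion)}


class ServiceProvider:
    """Steps 1-2 and 5: starts a login, then validates what the browser brings back."""
    def __init__(self, name: str, idp_name: str, idp_key: bytes):
        self.name, self.idp_name, self.idp_key = name, idp_name, idp_key
        self.pending = {}       # request id -> time issued
        self.seen = set()       # assertion ids already consumed

    def start_login(self, now: int) -> str:
        request_id = secrets.token_hex(8)
        self.pending[request_id] = now
        return request_id

    def consume(self, response: dict, now: int):
        """Returns (subject, "ok") or (None, reason). Each check is one a real SP needs."""
        a = response["assertion"]
        if not hmac.compare_digest(_sign(self.idp_key, a), response["signature"]):
            return None, "bad signature"        # tampered, or not from the IdP we trust
        if a["issuer"] != self.idp_name:
            return None, "unknown issuer"
        if a["audience"] != self.name:
            return None, "wrong audience"       # minted for some other SP
        if not (a["issued_at"] <= now < a["expires"]):
            return None, "expired"
        if a["id"] in self.seen:
            return None, "replayed"
        if a["in_response_to"] not in self.pending:
            return None, "unsolicited"          # we never asked; blocks injected logins
        self.seen.add(a["id"])
        del self.pending[a["in_response_to"]]
        return a["subject"], "ok"


def demo(now: int = 1402531200):   # constructed timestamp (2014-06-12)
    """One good login, then a replay, a cross-SP assertion, a forgery and a stale one."""
    google = IdentityProvider("google", IDP_KEY)
    yahoo = ServiceProvider("yahoo", "google", IDP_KEY)
    other = ServiceProvider("othersite", "google", IDP_KEY)
    rid = yahoo.start_login(now)                            # 1-2: "Let me in" / "Ask Google"
    resp = google.issue(rid, "yahoo", "isaac", now)         # 3-4: "I'm Isaac" / login & attributes
    results = {"login": yahoo.consume(resp, now)}           # 5: browser presents it to Yahoo
    results["replay"] = yahoo.consume(resp, now)
    cross = google.issue(other.start_login(now), "othersite", "isaac", now)
    results["cross_sp"] = yahoo.consume(cross, now)         # valid for othersite, not for yahoo
    forged = {"assertion": dict(resp["assertion"], subject="admin"),
              "signature": resp["signature"]}
    results["forged"] = yahoo.consume(forged, now)
    stale = google.issue(yahoo.start_login(now), "yahoo", "isaac", now)
    results["stale"] = yahoo.consume(stale, now + ASSERTION_TTL + 1)
    return results
```

The audience and in_response_to checks are the ones the insecure plugins mentioned later in the talk tend to skip: without them, an assertion obtained legitimately from one site can be replayed into another, or an attacker can inject an assertion the SP never requested.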
OpenID
● OpenID seems to have lost momentum
● Relying parties are a problem: on the mainstream Internet, there are very few
● Yahoo: accepts Google & Facebook
  – Google & Facebook are IdPs for OpenID & OAuth
● Facebook: accepted OpenID logins in 2009, then stopped
  – If there's a way, I can't figure it out
● myopenid.com: shutting down
OAuth
● Used for authorization on lots of sites
● Often also used for some kinds of authentication
  – Caveat: an access token proves the user authorized some client, not that they logged in to yours; treating a bare token as a login credential is the classic mistake
● OAuth 2 worries:
  – Facebook has had several OAuth vulnerabilities this year
  – The standard was abandoned / lambasted by its editor, now under new stewardship
  – Both too complex & under-specified
http://thehackernews.com/search?q=Facebook%20OAuth
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
Security Assertion Markup Language – SAML
● Seems to be gaining momentum
● Federation & SSO – InCommon, education, enterprise
  – Also used to share attributes – groups, etc.
● Accepted by Google Apps, Dropbox, Salesforce, etc.
● Major implementations
  – Shibboleth (Java), SimpleSAMLphp
● Plugins for lots of platforms
  – I audited plugins for Drupal & WordPress
  – They were very insecure
Central Authentication Service (CAS)
● Somewhat similar to SAML
● Widespread use in the academic community
● Can also be used for attribute exchange
● Java / Spring system
● Integrates with: Active Directory, LDAP, X.509, passwords, OpenID, SAML, etc.
https://wiki.jasig.org/display/CAS/CAS+Deployers
Cloud SSO Services (IdP)
● Largely based on SAML
● Mostly subscription SaaS
  – Instead of operating your own IdP
● They work to integrate service providers
● Ping Identity, OneLogin, Okta, Centrify, Symplified, probably others
● JanRain – social login & user management
Physical Factors
Physical Tokens
● YubiKey – small; emits one-time or fixed passwords; pretends to be a USB keyboard
● Random-number tokens
  – RSA SecurID
  – Google Authenticator (soft-token app)
  – Lots of similar tokens
● Hardware benefits & drawbacks:
  – Benefits: tamper-resistant & can't get viruses
  – Drawbacks: can't put 100 of them on your keychain
Password Managers
● Saves the password on the client
  – Problematic for moving between clients
  – Often have cloud options
● Becomes “something you have” (e.g. laptop)
  – Often also locked / encrypted in a keychain
  – Hey look! It's 2-factor auth!
● In the browser (e.g. Firefox, Chrome)
● In a browser plugin (e.g. LastPass, OnePass)
● Native client (e.g. KeePass)
● Problem: logging in on different devices
Mobile Phone Factors
● Mobile phone factors are a great trade-off!
● Google Authenticator random number (app)
● Text-message random number
  – Used by Facebook, Twitter, Telesign
● In-app push-based notifications
  – Twitter, DuoSecurity, others
● PhoneFactor (Microsoft) – text, voice, push
How to use your phone as a password manager today
● On your computer:
  – Visit the website you want to log into
  – Instead of “login”, click “forgot my password”
  – Type in your email address
● On your phone:
  – Open the reset email
  – Reset your password
● Log in on your computer
● So what happens when you lose your phone?
Summary: Each factor has drawbacks
● Something you know: basically passwords
  – Doesn't scale beyond a handful of secure passwords
● Something you have
  – Physical token: doesn't scale beyond the size of your keyring
  – Mobile phone: seems most promising to me
● Something you are: biometrics are not secret
● Federation / SSO: if only we could agree to agree
SEQRD
Mobile Authentication Factor
● How we're trying to solve this
● Looking for your feedback
● Passwords are terrible
● Let's replace passwords with a mobile phone
● Get 2 factors with a password or PIN
● Integrated with SAML & REST API
● Demo
How it Works – User's Perspective
Creating an Account
1. Scan QR code
2. Account creation
Logging In
1. Scan QR code
2. Secure authentication
3. Login approved
How 2 Factor Works – 1
First factor – password: type a password
Second factor – SEQRD:
1. Scan QR code
2. Secure authentication
How 2 Factor Works – 2
Second factor – SEQRD, with a PIN on the phone as the something-you-know factor:
1. Scan QR code
2. Type PIN (decrypts key)
3. Secure authentication
How it Works – Under the Hood
[diagram – parties: Browser (with cookie storage), Phone (with its storage), Web site (with its storage)]
blog.seqrd.com
1. Login request (browser → web site)
2. Session key (web site → browser)
3. QR code includes session key, challenge
4. Web site & session key (stored in the browser's cookie storage)
5. App scans QR code: session key, challenge
6. User ID, shared secret for web site (from phone storage)
7. App computes OTP = OCRA(challenge, shared secret)
8. User ID, OTP, session key (phone → web site)
9. Shared key for user ID (from web site storage)
10. Site computes OTP, checks match
11. Session key authenticated
12. Approved
13. Approved
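As an added example (not SEQRD's code) the 13 steps above are modeled end to end in Python: the web site mints a session key and a challenge, the browser holds the session key, the phone computes the OTP from the challenge and its stored shared secret, and the site recomputes it from its own copy. The OTP is the OCRA (RFC 6287) suite OCRA-1:HOTP-SHA1-6:QN08, an HMAC-SHA1 response to an 8-digit numeric challenge, which is one concrete reading of the diagram's "OCRA(Challenge, Shared secret)"; the site name, user ID, message layout and one-shot challenge policy are assumptions for the demo, and the RFC test key is used only to check the OCRA function.

```python
"""The 13-step login above, modeled end to end: web site, browser session and phone app.
Added example, not SEQRD's code; it follows the diagram's message contents (session key,
challenge, user ID, OTP, shared secret) and uses OCRA (RFC 6287) suite
OCRA-1:HOTP-SHA1-6:QN08. Site name, user ID and the one-shot challenge policy are
this example's assumptions; RFC_KEY is the RFC's 20-byte test key."""
import hashlib
import hmac
import secrets

SUITE = "OCRA-1:HOTP-SHA1-6:QN08"
RFC_KEY = b"12345678901234567890"


def ocra_qn08(shared_secret: bytes, challenge: str, digits: int = 6) -> str:
    """OCRA for a numeric challenge: HMAC-SHA1 over suite || 0x00 || Q, where Q is the
    challenge as uppercase hex, right-padded with zeros to 128 bytes; HOTP truncation."""
    q_hex = format(int(challenge, 10), "X").ljust(256, "0")
    data = SUITE.encode() + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(shared_secret, data, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class WebSite:
    def __init__(self, name: str):
        self.name = name
        self.shared_keys = {}   # web site storage: user ID -> shared secret (step 9)
        self.sessions = {}      # session key -> {"challenge": str or None, "user": str or None}

    def enroll(self, user_id: str, shared_secret: bytes):
        self.shared_keys[user_id] = shared_secret

    def login_request(self):
        """Steps 1-3: mint a session key and a fresh 8-digit challenge; both go into the QR code."""
        session_key = secrets.token_hex(16)
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self.sessions[session_key] = {"challenge": challenge, "user": None}
        return session_key, {"site": self.name, "session_key": session_key, "challenge": challenge}

    def authenticate(self, user_id: str, otp: str, session_key: str) -> bool:
        """Steps 8-11: recompute the OTP from the stored shared key and mark the session."""
        sess = self.sessions.get(session_key)
        secret = self.shared_keys.get(user_id)
        if sess is None or secret is None or sess["challenge"] is None:
            return False                  # unknown session or user, or challenge already consumed
        expected = ocra_qn08(secret, sess["challenge"])
        sess["challenge"] = None          # one shot: any attempt burns it, so guessing needs a new QR
        if not hmac.compare_digest(expected, otp):
            return False
        sess["user"] = user_id            # step 11: session key authenticated
        return True

    def approved_user(self, session_key: str):
        """Steps 12-13: what the browser learns when it polls with its session-key cookie."""
        return self.sessions.get(session_key, {}).get("user")


class PhoneApp:
    def __init__(self):
        self.storage = {}       # phone storage: site -> (user ID, shared secret) (step 6)

    def enroll(self, site: str, user_id: str, shared_secret: bytes):
        self.storage[site] = (user_id, shared_secret)

    def scan_and_respond(self, qr: dict):
        """Steps 5-8: take session key + challenge from the QR code, compute OTP = OCRA(challenge, secret)."""
        user_id, secret = self.storage[qr["site"]]
        return user_id, ocra_qn08(secret, qr["challenge"]), qr["session_key"]


def run_login():
    """One successful login, a replay of the same message, and the same OTP against another session."""
    site, phone = WebSite("blog.seqrd.com"), PhoneApp()
    shared = secrets.token_bytes(20)
    site.enroll("isaac", shared)                          # account creation: both sides store the secret
    phone.enroll("blog.seqrd.com", "isaac", shared)
    session_key, qr = site.login_request()                # browser gets the cookie and shows the QR code
    msg = phone.scan_and_respond(qr)                      # phone -> site: (user ID, OTP, session key)
    first = site.authenticate(*msg)
    replay = site.authenticate(*msg)
    other_key, _ = site.login_request()
    wrong_session = site.authenticate(msg[0], msg[1], other_key)
    return first, site.approved_user(session_key), replay, wrong_session
```

The session key is what binds the phone's answer to the particular browser that is waiting; the challenge is what makes the OTP single-use. Both are checked in authenticate, and the challenge is consumed on any attempt so that an online guesser gets one try per QR code.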
Threats & Mitigations During Registration & Issuance

Threat                              Mitigation
Impersonation of claimed identity   Stronger identification: government-issued ID, bills
Repudiation of registration         Signed forms
Disclosure during transmission      Issue in person
Tampering during transmission       Establish a procedure
Unauthorized issuance               Establish a procedure

Source: NIST SP 800-63-1
Threats & Mitigations Against Tokens

Threat               Mitigation
Theft                Multi-factor w/ PIN or biometric
Duplication          Hardware crypto tokens
Eavesdropping        Dynamic & challenge/response
Offline cracking     High entropy & lockout
Phishing             Dynamic & challenge/response
Social engineering   Dynamic & challenge/response
Online guessing      High entropy

Source: NIST SP 800-63-1
SEQRD – Threats & Mitigations Against Tokens

Threat                           Mitigation
Disclosure during transmission   QR code on your screen, or send the crypto key by snail mail
Theft                            Multi-factor w/ PIN & password; revocation
Duplication                      Tricky on mobile! Software-based protections
Eavesdropping                    One-time passwords (OTP), challenge & response
Offline cracking                 Long cryptographic keys
Phishing                         OTP / challenge & response
Social engineering               OTP / challenge & response
Online guessing                  Long cryptographic keys
Conclusions
● Threats against passwords are really bad
● Use 2-factor auth to greatly increase security
● SAML for SSO
● Mobile phone factors are a good trade-off
● Contact info: [email protected]