• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Choosing strong passwords

Choosing strong passwords



A short discussion on how file encryption works and how passwords actually contribute (or don't) to the security of those files.

A short discussion on how file encryption works and how passwords actually contribute (or don't) to the security of those files.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Choosing strong passwords Choosing strong passwords Presentation Transcript

    • The Illusion of protection(commentary on passing encrypted data via files)
    •  Anywhere in US = high profile target  Large Organizations have a large target profile  Example: With 50,000 users, SOMEONE is going to have the password: *1Passw0rD* Access to home machines gives access to work most of the time Personal AND business information at risk
    •  Well-funded enemies of the state  International Criminal Organizations  State-sponsored enemies Hackers with almost unlimited free time  Anonymous / Lulz Sec Logistics for all  Corporate Resourcing for Hire  Cloud Services – AWS, Google Cloud, etc.  Each generation has a knowledgebase upon which to build  Our children have access to more knowledge than ever before in history  Distribution channels for new attacks  Internet – fastest distribution methodology history has known
    •  Generating a random password is harder than it looks  Randomness does not occur naturally in language  (English language entropy [sensible language] – 1.5 bits/character) Password generation algorithms are patterns  Pick a word/phrase and mix it up  n0tY0urP@ssw0rd - Letme!n123 - P@tri0tsRule!!  Mash the keyboard in a pattern  1234!@#$qwerQWER - 12qw!@QW  Password Complexity Rules just limits the usable algorithms  E.g. cat*town_horse_buddy;itself”computer- drapes%query_limits^yuletide@notices  Strong passwords don’t always meet complexity rules (no caps, no numbers!) Rules and patterns severely limit search space  Hackers don’t have to test millions of passwords that don’t meet the complexity criteria  True randomness doesn’t have rules  Rules give hackers too much information about the password
    •  Secure password transmission  Recommendation #1 – Users should transmit passwords over alternate medium  Assumption is that if someone can get the document, they can also get the email.  The level of risk already inherent in the transmission  Passwords should not be written down, even in emails  Key changes should be done with all personnel changes (minimum) Encoding passwords to be easy to remember  Train users to get random!  Five RANDOM common words (tomboy, skateboard, caterpillar, the, mouse)  Estimated 55 bits of entropy based on a working vocabulary of 2048 words  Add entropy with personal rules of insertion/capitalization and numbers/symbols  Compare to ideal AES-128 key = 128 bits of entropy (2^73 x LESS entropy!)  Compare to AES-256 key = 256 bits of entropy (2^201 x LESS entropy!) Technical Controls  Ensuring adequate salt (randomness) for AES key  Change salt length to match length of encryption key (32 bytes/256 bits)  Forced password complexity (? – better than nothing – but good enough - ?)  Enforcing simple rules can actually REDUCE available entropy  Improving password complexity rules to force more entropy
    •  Assigning passwords (give entropy to users)  Because humans aren’t random – password generation should be ‘more’ random  Password Generation as a Service Secure Data Exchange Gateways  Encrypted IM  Encrypted email
    • How encryption is implemented with passphrase-based software SECRET INFO Passphrase Random Number PBKDF2 AES-128 GeneratorSalt AES Key Encrypted INFO Compress & Package (ZIP) Encrypted Doc [and that’s a simplified version of the flow-chart]
    •  Almost everyone in IT knows AES!  Encryption algorithm  Current standard (Rijndael)  Advancement from DES/Triple-DES Securing document is not just encryption  Encryption needs keys  Keys require handling / (Key Management)  Key management requires a chains of trust  Secure generating and trading of random keys is HARD Few have heard of PBKDF2  Used to ‘passphrase’-protected documents  (pseudo-random keys from simple passphrases)  Creates AES encryption keys from Passphrases  One-way algorithm (like a blender)  Having the output you can’t get the input  Flexible control  # of cycles directly related to time to compute results  Added entropy salted in by user (take the pseudo- out of pseudo-random with entropy)
    • gr@pe_Pudd1ng SECRET INFO random AES combo one-way hash 101010101010101101011100 001010111011011010000111 101011010100110101001010 AES – pick-proof, complex Salt added to recipe ensures randomness for AES key Email 2 Email 1Entropy comes from recipe complexity.A passphrase is created with a recipe that describes it. Salt and locked safe delivered to recipient
    • Control of this is possible only with Email 2 ONLINE system controls – not offline documents and files 29 million tries per hour ? If attacker has access to emails already, trying every OTHER Attacker has access to Salt so email in the random entropy of AES key does mailbox will be not interfere with trials quick and easy! Highly-automated Blender ($329) 29,064,960 recipes/hour (yes, 29 MILLION!)The complexity of the recipe and number of potential ingredients is the only thing preventing them fromduplicating the secret formula to recreate the AES key. Note the attacker does not directly brute force AES keys!With online password systems, we can control speed of attacks with login controls such as timeouts and lockout.
    • 100000 Vocabulary 1 100000 100,000 phrases 1 Capital letter 1 1 32 typewriter symbol 1 32 10 number 1 10 4 number/cap/sym position 3 64 Attacker can choose capital speed/cost 32 GPUs @$250 ea $ 10,528.00 Attacker capital resources Total $ 15,328.00 2,048,000,000 2.20 hours 0.09 days Amazon GPU Cloud* $ 81.03 16 AWS GPU instances With cloud computing - attacker no longer worries about capital costs! *Amazon GPUs not this fast (yet) -erring on side of cautionWorksheet simulation to examine how password rules/complexity affect attacker costBased on attack against MS Word 2010 PBKDF2 algorithm of 100,000 cycles –Assumption based on using an ATI Radeon HD 5970 – Online price $329 --- (published attack speed of 20,184 passes/sec with COTS package)