Slow Down Online Guessing Attacks with Device Cookies
Anton Dedov
OWASP Russia Meetup #6, 2017

Anton Dedov, Security Architect, Odin / Ingram Micro
adedov@gmail.com
@brutemorse
Talk on OWASP Russia Meetup #6, 2017
  1. Slow Down Online Guessing Attacks with Device Cookies. Anton Dedov, OWASP Russia Meetup #6, 2017
  2. Anton Dedov, Security Architect, Odin / Ingram Micro, adedov@gmail.com, @brutemorse
  3. Intro: Online guessing attacks
  4. App (diagram)
  5. App (diagram)
  6. App (diagram)
  7. Attacker goals: password for a specific account; password for any account in a system; password for any account in any system
  8. Threats for authentication: online attacks; offline attacks; password leaks
  9. Online guessing attacks: the attacker sends user : password1, user : password2, user : password3, ... to the app
  10. Authentication attacks, mitigations: M-FA / M-Step (UX!); password policy (the "magic" 10^6 guesses); rate limiting; authentication parameters, e.g. time, location, etc.; monitoring, e.g. haveibeenpwned.com
  11. © Cormac Herley et al., An Administrator's Guide to Internet Password Research
  12. Rate limiting: CAPTCHA; account lockout; exponential timeouts; proof of work
  13. Account lockout, simple math: 5 attempts ⇒ 20 min. lockout, i.e. at most 131400 attempts/year per account
  14. Account lockout. Lock account: effective, but easy DoS. Lock (account, IP): somewhat mitigates DoS, but botnets, proxies and IPv6 get around it; DoS as collateral damage
  15. Device cookie: distinguish known clients from unknown ones
  16. App: lock out all unknown devices at once; lock out an individual user per device cookie (user : password from an unknown client vs. user : password plus device cookie from a known client)
  17. Set-Cookie: KnownDevice=LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)
  18. Set-Cookie: KnownDevice=JWT, where the JWT is { "alg": "HS256", "typ": "JWT" } . { "aud": "device-cookie", "sub": "adedov@odin.com", "jti": "40e2a97a2ab37406" }
  19. Threats & mitigations
      Threat | Mitigation
      Online attack against one user | Password policy
      Online attack using stolen device cookies | Limited; prevent cookie leaks
      Online attack against multiple users | Not mitigated
      Spoof device cookie | Crypto
      Tamper with existing device cookie | Crypto
      DoS for specific account | Out-of-band (OOB) device cookie issue
      DoS for specific account when client is used by different accounts | Device cookies per account
  20. Implementation recommendations: use good crypto, like HMAC-SHA2 or signed JWT; prevent cookie leakage with Secure & HttpOnly flags; issue a cookie for a valid password reset link; issue a new device cookie after each successful login; include the user ID in the cookie name (privacy concerns?)
  21. References: OWASP, Slow Down Online Guessing Attacks with Device Cookies; PasswordsCon, and specific talks from PasswordsCon 14: Marc Heuse, Online Password Attacks; Alec Muffett, Facebook Password Hashing & Authentication; An Administrator's Guide to Internet Password Research
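The mechanism from slides 16, 17 and 20 worked through in code. This is an added example, not code from the talk or from the OWASP cheat sheet it cites: the cookie is the LOGIN|NONCE|HMAC(secret-key, LOGIN|NONCE) value of slide 17, failed logins from unknown clients share one counter per account (so guessing locks only the untrusted path), each known device gets its own counter, and every successful login rotates the cookie. The secret key, the in-memory user table with plaintext passwords, the `AuthServer` class and its method names are all assumptions made for the demo; the 5-attempt / 20-minute policy is taken from slide 13.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed demo secret; a real deployment loads it from a key store and rotates it.
SECRET_KEY = b"demo-server-secret-not-for-production"
SEP = "|"


def issue_device_cookie(login: str) -> str:
    """Build LOGIN|NONCE|HMAC(secret-key, LOGIN|NONCE), the cookie format on slide 17."""
    nonce = secrets.token_hex(16)
    payload = f"{login}{SEP}{nonce}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}{SEP}{mac}"


def parse_device_cookie(cookie: Optional[str]) -> Optional[tuple]:
    """Return (login, nonce) when the cookie is well-formed and its HMAC verifies, else None."""
    if not cookie:
        return None
    parts = cookie.rsplit(SEP, 2)  # nonce and MAC are hex, so a '|' inside LOGIN stays intact
    if len(parts) != 3:
        return None
    login, nonce, mac = parts
    expected = hmac.new(SECRET_KEY, f"{login}{SEP}{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return login, nonce


class AuthServer:
    """Login endpoint with the two lockout scopes from slide 16 (hypothetical class for the demo)."""

    MAX_ATTEMPTS = 5
    LOCK_SECONDS = 20 * 60  # slide 13: 5 attempts => 20 minute lockout

    def __init__(self, users: dict):
        self.users = users              # constructed login -> password map (demo only; real code verifies a hash)
        self.failed = defaultdict(int)  # lockout key -> failed attempts so far
        self.locked_until = {}          # lockout key -> timestamp at which the lock expires
        self.valid_nonces = set()       # (login, nonce) pairs issued and not yet retired

    def _trusted_device(self, login: str, cookie: Optional[str]) -> Optional[str]:
        """Return the cookie's nonce if it is a live cookie for this login, else None."""
        device = parse_device_cookie(cookie)
        # A cookie for another account, or one already retired, counts as an unknown client.
        if device is None or device[0] != login or (login, device[1]) not in self.valid_nonces:
            return None
        return device[1]

    def login(self, login: str, password: str, cookie: Optional[str], now: float):
        """Return (success, new_cookie); new_cookie is None on failure."""
        nonce = self._trusted_device(login, cookie)
        # Known device: its own (login, nonce) counter. Unknown device: key (login, None),
        # one counter shared by every untrusted client of that account.
        key = (login, nonce)
        if self.locked_until.get(key, 0) > now:
            return False, None
        if hmac.compare_digest(self.users.get(login, "").encode(), password.encode()):
            self.failed.pop(key, None)
            if nonce is not None:
                self.valid_nonces.discard((login, nonce))  # slide 20: rotate on every success
            new_cookie = issue_device_cookie(login)
            self.valid_nonces.add((login, parse_device_cookie(new_cookie)[1]))
            return True, new_cookie
        self.failed[key] += 1
        if self.failed[key] >= self.MAX_ATTEMPTS:
            self.locked_until[key] = now + self.LOCK_SECONDS
            self.failed.pop(key, None)
        return False, None
```

With this in place, five wrong guesses without a cookie lock the unknown-device path of the account for twenty minutes, while the same user logging in from a device that holds a valid cookie is unaffected; because the old nonce is retired on success, a cookie replayed after rotation is treated as an unknown client rather than as a trusted one.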
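The signed-JWT variant of slide 18, written as an added example with the standard library only (no PyJWT), not code from the talk. It issues an HS256 token carrying the "aud", "sub" and "jti" claims shown on the slide and verifies it server-side with the algorithm pinned, the signature compared in constant time, and the audience and subject checked. The key, the `AUDIENCE` constant and the function names are assumptions for the demo; tracking "jti" values for rotation, as the HMAC example does with its nonce, is left to the caller.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SECRET_KEY = b"demo-server-secret-not-for-production"  # constructed demo key
AUDIENCE = "device-cookie"  # the "aud" value shown on slide 18


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_jwt(subject: str) -> str:
    """Issue header.payload.signature with HS256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": AUDIENCE, "sub": subject, "jti": secrets.token_hex(8)}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_device_jwt(token: str, expected_subject: str) -> Optional[dict]:
    """Return the payload if alg, signature, aud and sub all check out, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    # The server decides the algorithm; a token naming any other alg is rejected outright.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Bind the token to this use and this account, as the slide's "aud" and "sub" intend.
    if payload.get("aud") != AUDIENCE or payload.get("sub") != expected_subject:
        return None
    if not isinstance(payload.get("jti"), str):
        return None
    return payload
```

Checking the subject against the account being logged into is what makes a device cookie for one user useless for locking out or unlocking another, which is the "device cookies per account" row of the threat table on slide 19.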