Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Improving password-based authentication

1,364 views

Published on

On password storage and password-based key exchange (PAKEs).

Published in: Engineering
  • Be the first to comment

Improving password-based authentication

  1. 1. Improving password-based authentication Improving password-based authentication Frank Denis @jedisct1
  2. 2. Improving password-based authentication What’s wrong with passwords?
  3. 3. Improving password-based authentication Passwords are reused: find one, pwn many. Companies don’t always communicate about a breach until they are forced to. Which can have side effects if discovered when you are negotiating an acquisition by Verizon. Breaches happen all the time, even big corporations and banks cannot be trusted.
  4. 4. Improving password-based authentication API keys are passwords, too. Committed to public repositories. Present on present and past employees laptops. Long-term, shared secrets. Intentionally leaked by customers because you asked them to!
  5. 5. Improving password-based authentication OpenDNS
 support
 forum
  6. 6. Improving password-based authentication Password! https://support.opendns.com/hc/en-us/community/posts/220033527-OpenDNS-Blocking-never-set-it-up Many more leaks happen due to bad design.
 Ex: HTTP_REFERER
  7. 7. Improving password-based authentication Face it: passwords are here to stay Convenient, universal way to log in from anywhere, on any device. Today’s passwords might be less terrible than 10 years ago. This is something you know, not something that you have. Stealing them requires a $5 wrench.
  8. 8. Improving password-based authentication How to survive a password breach
  9. 9. Improving password-based authentication Database encryption Useless against other threats we are going to talk about soon. Useless if the key is leaked. Useless if passwords are leaked using a post-decryption vulnerability.
  10. 10. Improving password-based authentication Hashing Gives a false sense of security Deterministic Can be broken by using Google.
  11. 11. Improving password-based authentication Hashing with a salt Defeats rainbow tables. This is not enough.
  12. 12. Improving password-based authentication Hashing with a salt Every time a new breach is announced, about 70% of the passwords were already present in previous lists. Lists of > 500 million passwords from previous breaches can be freely downloaded. What about the remaining 30%?
  13. 13. Improving password-based authentication Hashing with a salt A personal cracking rig can run 100 billion guesses per second. An exhaustive search of all the possible 8 characters passwords can be performed by a single rig in less than a day. But wait… it gets worse…
  14. 14. Improving password-based authentication Hashing with a salt Password entropy is almost always overestimated.
  15. 15. Improving password-based authentication Hashing with a salt Humans are bad at generating randomness.
  16. 16. Improving password-based authentication Hashing with a salt Modern password crackers use permutations, substitutions, Markov chains, and neural networks in order to efficiently probe the key space. Smart contracts can reward people for cracking passwords.
  17. 17. Improving password-based authentication CPU-hard hash functions PBKDF2, bcrypt Can be massively parallelized A perfect fit for GPUs and ASICs We’d like to minimize the advantage attackers have over defenders.
  18. 18. Improving password-based authentication Memory-hard hash functions scrypt Require a lot of memory: each iteration requires data from previous iterations. TMTO attacks.
  19. 19. Improving password-based authentication 2013-2015: password hashing competition Winner: Argon2 For a given set of parameters, computing a hash requires a fixed amount of silicon (transistors, capacitors, routing).
  20. 20. Improving password-based authentication 2015-2019: Argon2 adoption libsodium, libargon2 Now available for all programming languages. Quickly adopted by cryptocurrencies and applications. Not a good fit for JavaScript, though.
  21. 21. Improving password-based authentication 2019 We realized that some practical requirements had been overlooked. What we may need is cache-hard functions instead of memory-hard functions. Due to CPU caches, Argon2 is actually worse than bcrypt for some parameters.
  22. 22. Improving password-based authentication 2019 Still, if you use any of the functions from the previous slides, you’ll be in a far better position than virtually everyone else in the industry. Yes, even with random parameters.
  23. 23. Improving password-based authentication It could have been the last slide, but…
  24. 24. Improving password-based authentication Password hashing is an expensive operation, done server-side. Introduces a DoS vector. Choosing optimal parameters is hard.
  25. 25. Improving password-based authentication Client Server password over TLS
  26. 26. Improving password-based authentication Client Server password over TLS TLS termination
  27. 27. Improving password-based authentication Client ServerEnterprise security gateway SSL added and removed here!
  28. 28. Improving password-based authentication Client ServerISP
  29. 29. Improving password-based authentication Passwords can be found in application logs, displayed on error pages. Sent to 3rd party services (New Relic, Datadog…) Affected Facebook and Twitter. Password hashing doesn’t do anything.
  30. 30. Improving password-based authentication Insider threats. Cloud providers. This is a stealth, passive attack. Password hashing doesn’t do anything. Running tcpdump on a production server can be all it takes.
  31. 31. Improving password-based authentication Passwords should not be sent over a network any more.
  32. 32. Improving password-based authentication Public-key cryptography to the rescue Passwordless SSH Client certificates are widely supported by web servers and browsers, but they’re barely usable. Private keys stay on the clients. Their public counterparts being leaked is no big deal.
  33. 33. Improving password-based authentication Deterministic keys from passwords Derive keys from passwords; servers can then use public keys for authentication. h ← H(pwd) (pk, sk) ← H2KP(h) The client does the hard work (or a part of it): no more DoS vector! But this is deterministic; public keys can be precomputed from password dictionaries.
  34. 34. Improving password-based authentication h ← H(s, pwd) (pk, sk) ← H2KP(h) But how does the client get the salt? Deterministic keys from passwords Client ServerS(sk, n) Client ServerV(pk, S(sk, n)) Client Servern
  35. 35. Improving password-based authentication h ← H(s, pwd) (pk, sk) ← H2KP(h) Client Servern, s Client ServerS(sk, n) Client ServerV(pk, S(sk, n)) Client Servername But wait…
  36. 36. Improving password-based authentication Now, the salt is public Not secure against targeted precomputation
  37. 37. Improving password-based authentication A B? A B? x ?f(x) Oblivious transfer
  38. 38. Improving password-based authentication A Bg(xr ) A Bxr (mod p) x, r g f(x) = g(xr )1/r (mod p) (V)OPRFs blind(x)
  39. 39. Improving password-based authentication A Bg(xr ) A Bxr x, r k f(x) = g(xr )1/r (V)OPRFs g(x) = xk blind(x) random oracle for A
  40. 40. Improving password-based authentication Client Serverg ∘ blind(s) Client Serverblind(s) OPAQUE blind salts h′ ← H′(pwd) s ← H2S(h′) s′ ← g(s)
  41. 41. Improving password-based authentication Client Serverg ∘ blind(s) Client Serverblind(s) OPAQUE blind salts s′ ← g(s) h ← H(s, pwd) (pk, sk) ← H2KP(h) h′ ← H′(pwd) s ← H2S(h′)
  42. 42. Improving password-based authentication Client Serverg ∘ blind(s), n Client ServerS(sk, n) Client ServerV(pk, S(sk, n)) Client Servername, blind(s) A shared session key can also be computed. User enumeration can be prevented.
  43. 43. Improving password-based authentication The server doesn’t know the salt. Defeats precomputation. Every attempt requires an interaction with the server. Knowing the salt requires knowing the password. Proof of concept implemented for Terrarium.
  44. 44. Improving password-based authentication PAKEs
  45. 45. Improving password-based authentication PAKEs Password-based authentication. Use cases: More generally: secure key exchange from low-entropy secrets. Ex: Magic Wormhole, biometric authentication, pairing IoT devices, QRCode-based pairing… Bootstraping a PKI
  46. 46. Improving password-based authentication The PAKE selection process SRP and SCRAM can be improved.
  47. 47. Improving password-based authentication Deployment Requires tight coupling with operating systems and web browsers. Integration into TLS 1.3 is being considered. May be a solid defense against phishing. Browser vendors haven’t been involved yet.
  48. 48. Improving password-based authentication
  49. 49. Improving password-based authentication Dependencies
  50. 50. Improving password-based authentication Dependencies
  51. 51. Improving password-based authentication Dependencies
  52. 52. Improving password-based authentication Terrarium demo - Shows that PAKEs need shared code between clients and servers, and that WebAssembly can help with that. SPAKE2+EE implementation for libsodium. Now in libsodium 1.0.18 and wasm-crypto: - hash-to-curve - ristretto - arithmetic to implement (V)OPRFs. https://github.com/jedisct1/wasm-crypto https://sk.tl/66AuXfXS
  53. 53. Improving password-based authentication Thanks!

×