This is an implementation of Honey Encryption. The term was coined by Ari Juels (RSA Labs) and Ronald L. Rivest (MIT CSAIL) during the presentation of The Password That Never Was at Harvard's Center for Research on Computation and Society (CRCS) in 2014.
2. Good News & Bad News about Password Breaches
Good News: When I'm giving a talk about password breaches, a convenient example crops up.
- September 2014: JPMorgan Chase & Co. lost 83 million passwords!
Bad News: It's all bad news!
- 13 Oct 2014: 400 passwords lost
- 8 Sept 2014: 5+ million passwords
- 19 May 2014: 145 million passwords
- 31 Jan 2014: 273 million passwords
4. To Verify an Incoming Password…
[Diagram: Alice submits P'; the server hashes it with H and checks whether H(P') == H(P).]
5. Human Weakness in Password Selection
Why do humans tend to select easy passwords?
•Easy to remember
•Have to log in to multiple devices regularly
•Mobile device keyboards are small
How are password breachers advancing?
•State-of-the-art cracking tools have advanced
•They use previously breached password lists for brute-force attacks
•Implementation of distributed systems for password cracking (e.g. AWS)
6. Adversarial Game : Always Wins
[Diagram: a login (Alice, "P") arrives at the server, which checks H(P') == H(P) against the stored hash.]
Steps:
1. Server compromise: active attack
2. Snapshot
3. Offline brute-force attack
7. State-of-the-Art Cracking S/W: Advanced
Human-made passwords: crackers use previously breached passwords to speed up the brute-force attack.
Resources are no longer a constraint: crackers use distributed systems (e.g. AWS) to crack huge databases of hashed passwords.
11. Adversarial Game : Guessing
Alice's stored list: P1, P2, …, Pi = P, …, Pn
What is "i"?
[Diagram: the attacker submits (Alice, "Pj").]
12. Adversarial Game : Guessing
Alice:
myPassw0rd
heyItsme!
qwerty
admin
123456
Jesus
lov3y0u
Which is the password?
13. Honeyword Design Questions
Verification
How do we check if the submitted password (P') is the correct password (P)?
How is the index i verified without storing i alongside the passwords?
Generation
How are honeywords generated?
How do we make bogus passwords look real?
16. Honeywords: Verification Rule
Case I : If the true password (P) is submitted, the user is authenticated.
Case II : If a password P' ∉ {P1, …, Pn} is submitted, it is treated as a normal password authentication failure.
Case III : If a honeyword (Pj ≠ Pi) is submitted, an alarm is raised by the Honeychecker.
•This is likely to happen only after a breach!
•Honeywords (if properly chosen) will rarely be submitted otherwise.
17. Some Nice Design Features
[Diagram: COMPUTER SYSTEM and HONEYCHECKER; the Computer System transmits the index i of the submitted password to the Honeychecker.]
•Little modification required.
•We get the benefits of a distributed system
•Compromise of either component isn't fatal
•No single point of compromise
•Compromise of both components brings us back to the hashing case
•The Honeychecker can be offline: if a breach occurs while the Honeychecker is offline, the Computer System's cache can still store the activity logs.
18. Honeyword: Generation
Method 1 : Chaffing method
Idea: Repurpose the cracker as a generator. Generate passwords from previously breached passwords.
Ex. RockYou, darkc0de databases
Blink123
Graph128
Blink128
12345
letmein123
Method 2 : Chaffing by tweaking
Idea: Tweak passwords to generate honeywords. Researchers found that users tweak their passwords during a reset.
letmein3211
letmein3212
letmein3213
letmein3214
letmein3215
Method 3 : Assigning one user's password as a honeyword to another random user
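A small added implementation (not the project's own code) of Method 2 together with the verification rule from slide 16: tweak_tail re-rolls the tail of the real password to make the decoys, enroll keeps only salted hashes of all sweetwords on the computer system and only the index i on the honeychecker, and verify reports which of the three cases applies. The function names, the PBKDF2 hashing and the default of 19 decoys are assumptions, not something the slides specify.

```python
import hashlib
import secrets
import string

# Added example, not code from the original project: honeywords built by
# chaffing-by-tweaking (Method 2 above) and checked with the three-case rule,
# with only the index i of the true password held by a separate honeychecker.

def tweak_tail(password, k, tail_len=3):
    """Return k distinct decoys that re-roll the last tail_len characters,
    keeping each character's class so they look like real user tweaks."""
    head, tail = password[:-tail_len], password[-tail_len:]
    pools = {c: (string.digits if c.isdigit() else
                 string.ascii_lowercase if c.islower() else
                 string.ascii_uppercase if c.isupper() else
                 string.punctuation) for c in tail}
    honeywords = set()
    while len(honeywords) < k:
        candidate = head + "".join(secrets.choice(pools[c]) for c in tail)
        if candidate != password:
            honeywords.add(candidate)
    return sorted(honeywords)

def hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()

def enroll(system, checker, user, password, k=19):
    """Computer system stores salt + hashes of all k+1 sweetwords;
    honeychecker stores only the index i of the real one."""
    sweetwords = tweak_tail(password, k)
    i = secrets.randbelow(k + 1)
    sweetwords.insert(i, password)      # true password lands at random slot i
    salt = secrets.token_bytes(16)
    system[user] = (salt, [hash_pw(s, salt) for s in sweetwords])
    checker[user] = i
    return sweetwords                   # returned only so a demo can show the decoys

def verify(system, checker, user, submitted):
    """Case I -> 'ok', Case II -> 'fail', Case III -> 'alarm'."""
    salt, hashes = system[user]
    h = hash_pw(submitted, salt)
    if h not in hashes:
        return "fail"                   # not a sweetword: ordinary failure
    j = hashes.index(h)
    # the honeychecker only ever sees (user, j) and answers yes/no
    return "ok" if checker[user] == j else "alarm"
```

Call enroll once, then verify with the true password, an unrelated guess and one of the returned decoys to see the three cases; the decoy list is what an attacker holding a snapshot of the computer system would have to guess from.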
21. Password Breach Scenario
Breacher uploads hashed passwords to AWS to crack.
20 passwords for 1 user ID…!!! Let me try…
User ID : shiris
Password : hello
Finally cracked one account! Let's go for the next one…
26. Thank You!
Project Guide:
Mr. V. Srinadh
Assistant Professor
(Dept. of CSE)
Team Members:
1. T. Vandana (11341A05A4)
2. R. Pavani (11341A0590)
3. Shiris Kumar (11341A05A0)
4. K. Vijay Durga Prasad (12345A0517)