This document proposes a new approach to generating honeywords (fake passwords) to detect password cracking. Instead of generating fake passwords, it uses passwords from existing user accounts. When a user registers, the system selects fake passwords from other accounts and stores their indices along with the real password index. During login, if the entered password does not match the real one, it checks the stored indices to see if it matches a fake password. This reduces storage costs compared to storing fake passwords and makes cracking harder by utilizing real passwords. The document compares this approach to previous honeyword generation methods.
1. Achieving Flatness: Selecting the Honeywords from Existing User Passwords
SREYA SRIDHAR P.P
9 November 2017
SREYA SRIDHAR P.P Achieving Flatness: Selecting the Honeywords from Existing User Passwords 9 November 2017 1 / 26
2. CONTENTS
1 Introduction
2 Honeyword generation algorithm
Honeyword generation algorithm (k)
3 Honeyword Generation Methods
Security Analysis of honeywords
4 A New Approach
1. Initialization
2. Registration
3. Honeychecker
4. Login Process
5 Future Work
6 Conclusions
7 References
3. Introduction
Leaked passwords cause many cyber attacks.
A stolen password file is attacked with password cracking techniques.
Goal: develop a method to detect a password file disclosure.
4. Honeywords
Fake passwords (honeywords) are stored alongside the real password of each account.
A login attempt with a honeyword reveals that the password file has been cracked, since only an attacker who inverted the stored hashes would know it.
5. Honeyword generation algorithm (k)
Input: k, the number of sweetwords (the real password plus k-1 honeywords).
Outputs: the sweetword list and c_i, the index of the correct password.
6. Honeyword generation algorithm (k) [Contd.]
The username and the hashes of the sweetwords are kept as the tuple [u_i, (v_1, ..., v_k)] in the database of the main server.
c_i is stored on a separate server called the honeychecker, so a copy of the main server's database alone does not reveal which sweetword is real.
7. Login procedure
1. User u_i enters a password g to log in to the system.
2. The server first checks whether H(g) is in the list V_i = (v_1, ..., v_k). If not, login is denied.
3. Otherwise the system checks whether g is a honeyword or the correct password.
4. Let v_{i,j} = H(g), i.e. the match is at index j. The value j is delivered to the honeychecker over an authenticated, secure channel.
5. The honeychecker checks whether j = c_i. If the equality holds, it returns TRUE; otherwise it returns FALSE and may raise an alarm, depending on the security policy of the system.
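The main-server / honeychecker split of slide 6 and the five login steps above, as an added Python example; this is not code from the presentation or from Juels and Rivest. The class and function names (`MainServer`, `Honeychecker`, `H`), the use of SHA-256 as H, and the sample account are assumptions; a deployed system would use a slow password hash and would reach the honeychecker over an authenticated channel to a separate host.

```python
import hashlib
import hmac
import secrets

# Added example, not the presentation's code. The main server keeps the tuple
# [u_i, (v_1, ..., v_k)] with v_j = H(sweetword_j); only the honeychecker knows
# which index c_i holds the real password. Names and the choice of SHA-256 for H
# are assumptions (use a slow password hash such as bcrypt or Argon2 in practice).


def H(word):
    """Hash over sweetwords (stand-in for the server's password hash)."""
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


class Honeychecker:
    """Separate server: stores only user -> c_i and never sees any password."""

    def __init__(self):
        self._correct_index = {}
        self.alarms = []   # (user, honeyword index) events for the security team

    def set_index(self, user, c_i):
        self._correct_index[user] = c_i

    def check(self, user, j):
        """Step 5: TRUE if j == c_i, otherwise FALSE plus an alarm record."""
        if j == self._correct_index[user]:
            return True
        self.alarms.append((user, j))   # a honeyword was submitted: file likely cracked
        return False


class MainServer:
    """Holds the sweetword hash lists V_i; asks the honeychecker about indexes only."""

    def __init__(self, checker, k=4):
        self.checker = checker
        self.k = k
        self.db = {}   # u_i -> [v_1, ..., v_k]

    def register(self, user, password, honeywords):
        """Gen(k): mix k-1 honeywords with the real password at a random index c_i."""
        if len(honeywords) < self.k - 1:
            raise ValueError("need k-1 honeywords")
        sweetwords = list(honeywords[: self.k - 1])
        c_i = secrets.randbelow(self.k)
        sweetwords.insert(c_i, password)
        self.db[user] = [H(w) for w in sweetwords]
        self.checker.set_index(user, c_i)      # over the authenticated channel

    def login(self, user, g):
        """Steps 1-4: find j with v_{i,j} == H(g) and hand only j to the honeychecker."""
        hashes = self.db.get(user)
        if hashes is None:
            return False
        h_g = H(g)
        for j, v in enumerate(hashes):
            if hmac.compare_digest(v, h_g):
                return self.checker.check(user, j)
        return False   # step 2: H(g) not in V_i, login denied without an alarm
```

Note that a plain wrong password (not in V_i) is rejected by the main server alone and raises no alarm; only a hit on a honeyword index reaches the honeychecker and is recorded, which is what makes the alarm a strong signal of file disclosure.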
8. Flatness of Gen()
Flatness measures the chance of an adversary who holds the sweetword list picking the correct password.
If the algorithm is not flat enough, the real password stands out from the remaining fake passwords, and the adversary can avoid the honeywords.
9. Honeyword Generation Methods
The honeyword generation methods are categorized into two groups:
1. legacy-UI (user interface) procedures;
2. modified-UI procedures (take-a-tail method).
10. 1. Chaffing-by-tweaking
Generator algorithm Gen(k, t).
E.g.: t = 3 and the password is "52galaxy".
The generated honeywords are 40galaxy, 69galaxy, etc.
11. 2. Chaffing-with-a-password-model
1. Modeling syntax
In this model the password is split into character sets (e.g. letters and digits) and each set is replaced according to the model.
2. Simple model
Generates honeywords by drawing from a password list.
12. 3. Chaffing with "Tough Nuts"
The system intentionally injects some special honeywords, called tough nuts.
E.g.: '9,50PEe[KV.0?RIOtcL-:IJ"b+Wol¡*]! NWT/pb'.
Inverting the hash values of those words is computationally infeasible.
13. 4. Hybrid Method
Combines chaffing-with-a-password-model and chaffing-by-tweaking-digits: the model supplies several base words, and each base word is expanded by tweaking its digits (12 sweetwords in the example below).
happy9679 apple1422 angel2656
happy9757 apple1903 angel2036
happy9743 apple1172 angel2849
Happy9392 apple1792 angel2562
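Chaffing-by-tweaking-digits (slide 10) and the hybrid method above, as an added Python example; this is not code from the presentation or from Juels and Rivest. `tweak_digits` replaces every digit position of the password with a random digit, which is how "52galaxy" becomes 40galaxy or 69galaxy; `hybrid` takes a-1 further base words from a "simple model" password list and expands every base word into b sweetwords, giving k = a*b in total, as in the 3 x 4 table. The function names and the constructed wordlist are assumptions; a real model would be built from a large password corpus.

```python
import random
import string

# Added example, not the presentation's code. tweak_digits() implements
# chaffing-by-tweaking-digits and hybrid() the hybrid method (simple password
# model + digit tweaking). The wordlist passed to hybrid() is constructed and
# stands in for a real password model; all names are assumptions.


def tweak_digits(password, n, rng=None):
    """Return n distinct honeywords that differ from password only in digit positions."""
    rng = rng or random.Random()
    positions = [i for i, ch in enumerate(password) if ch.isdigit()]
    if not positions:
        raise ValueError("chaffing-by-tweaking-digits needs a password with digits")
    # Edge case: with d digit positions only 10**d - 1 distinct tweaks exist,
    # so asking for more would loop forever.
    if n > 10 ** len(positions) - 1:
        raise ValueError("not enough digit positions to produce n distinct honeywords")
    honeywords = set()
    while len(honeywords) < n:
        chars = list(password)
        for i in positions:
            chars[i] = rng.choice(string.digits)
        candidate = "".join(chars)
        if candidate != password:          # the real password is never a honeyword
            honeywords.add(candidate)
    return sorted(honeywords)


def hybrid(password, wordlist, a, b, rng=None):
    """Hybrid method: a base words (the real one plus a-1 drawn from the password
    model, here a wordlist), each expanded into b sweetwords by digit tweaking,
    so k = a*b sweetwords. Returns (sweetwords, c_i) with sweetwords[c_i] being
    the real password; c_i is what the honeychecker would store."""
    rng = rng or random.Random()
    bases = [password] + rng.sample(wordlist, a - 1)
    sweetwords = []
    for base in bases:
        sweetwords.append(base)
        sweetwords.extend(tweak_digits(base, b - 1, rng))
    if len(set(sweetwords)) != len(sweetwords):
        raise ValueError("model produced overlapping sweetwords; choose other bases")
    rng.shuffle(sweetwords)                 # hide which base word is the real one
    return sweetwords, sweetwords.index(password)
```

The shuffle matters for flatness: if the real base word always came first, the list order alone would tell an adversary where to look. Seeding `rng` is only for reproducible tests; a server should use `random.SystemRandom()`.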
14. Security Analysis of honeywords
1. Denial-of-service Attack
2. Brute-force Attack
3. Choosing Policy
15. A New Approach
Our proposed model is still based on the use of honeywords.
Instead of generating honeywords and storing them, it uses the existing passwords of other accounts as the honeywords.
16. 1. Initialization
1. T user accounts are created.
2. For each account a honeyindex set X_i = (x_1, x_2, ..., x_k) is built, each element being an index into the password file.
3. One of the elements in X_i is the correct index (the sugarindex), c_i.
17. Password files F1 and F2
Figure: Example Password File F2 for the proposed Model
18. 2. Registration
1. The generator algorithm Gen(k, S_I) produces c_i and X_i, where S_I is the set of indexes available for selection.
2. The outputs are c_i, the correct index for u_i, and X_i = (x_1, x_2, ..., x_k), the honeyindexes.
19. 3. Honeychecker
1. The honeychecker stores the correct index c_i for each account.
2. It communicates with the main server through a secure channel.
20. 4. Login Process
1. The system first checks whether the entered password g is correct for u_i, i.e. whether H(g) matches the hash at one of the indexes in X_i.
2. If no match is obtained, g is neither the correct password nor one of the honeywords, i.e. the login fails.
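The four steps of the proposed model (initialization, registration, honeychecker, login) together, as an added Python example; this is not the presentation's or the paper's code. F1 is the password file with one hash per account index, F2 maps each account to its honeyindex set X_i, and the honeychecker part (`sugar`, kept here in the same object for brevity) would live on a separate server. The class and method names, SHA-256 as H, the constructed accounts, and the rule that Gen(k, S_I) only selects indexes whose hash differs from the user's own are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not the presentation's code. F1 holds one password hash per
# account index; F2 holds each account's honeyindex set X_i (k indexes into F1,
# one of which, the sugarindex c_i, is the account's own row). The honeychecker
# state (self.sugar) would live on a separate server; names are assumptions.


def H(word):
    """Hash over passwords (stand-in for a slow password hash)."""
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


class HoneyindexSystem:
    def __init__(self, k):
        self.k = k
        self.F1 = []        # index -> H(password)
        self.F2 = {}        # user  -> honeyindex set X_i
        self.sugar = {}     # honeychecker: user -> c_i (kept off the main server)
        self.alarms = []    # (user, honeyindex) events
        self._rng = secrets.SystemRandom()

    def _add_account(self, user, password):
        """Append the account's row to F1 and return its index."""
        self.F1.append(H(password))
        return len(self.F1) - 1

    def _gen(self, user, c_i):
        """Gen(k, S_I): choose k-1 honeyindexes for u_i from S_I, the indexes of
        other accounts whose hash differs from u_i's own. Assumption: excluding
        equal hashes keeps a legitimate login from matching a honeyindex when two
        users happen to share a password."""
        own = self.F1[c_i]
        S_I = [i for i, h in enumerate(self.F1) if i != c_i and h != own]
        if len(S_I) < self.k - 1:
            raise ValueError("need at least k-1 other accounts with different passwords")
        X_i = self._rng.sample(S_I, self.k - 1)
        X_i.insert(self._rng.randrange(self.k), c_i)   # sugarindex at a random slot
        self.F2[user] = X_i
        self.sugar[user] = c_i   # sent to the honeychecker over the secure channel

    def initialize(self, accounts):
        """1. Initialization: create T accounts first, then build X_i for each."""
        rows = [(user, self._add_account(user, pw)) for user, pw in accounts]
        for user, c_i in rows:
            self._gen(user, c_i)

    def register(self, user, password):
        """2. Registration of one new account after initialization."""
        self._gen(user, self._add_account(user, password))

    def login(self, user, g):
        """4. Login: match H(g) against the F1 rows named in X_i, then ask the
        honeychecker whether the matching index is the sugarindex."""
        X_i = self.F2.get(user)
        if X_i is None:
            return False
        h_g = H(g)
        for j in X_i:
            if hmac.compare_digest(self.F1[j], h_g):
                return self._honeychecker(user, j)
        return False   # neither the password nor a honeyword: plain failed login

    def _honeychecker(self, user, j):
        """3. Honeychecker: TRUE iff j == c_i; otherwise record an alarm."""
        if j == self.sugar[user]:
            return True
        self.alarms.append((user, j))   # another account's password was used
        return False
```

Storage per account is k small integers in F2 rather than k-1 extra hashes, which is the storage saving the model claims; the honeywords themselves are real passwords from F1, so an attacker inverting the file cannot tell them apart from the sugarword by style.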
21. Security Analysis of the Proposed Model
1. DoS Attack
2. Password Guessing
3. Brute-force Attack
4. Same User in Multiple Systems
22. Comparison of Honeyword Generation Models
1. DoS Resistance
2. Storage Cost
3. Flatness
4. Usability
23. Comparison of Honeyword Generation Models
Figure: Comparison of honeyword generation models
24. Future Work
Refine this model by involving a hybrid generation algorithm, to make inverting the hashes of the whole file harder.
25. Conclusions
We have analyzed the security of the honeyword system.
The security of the honeyword system directly depends on the generation algorithm.
26. References
1. A. Juels and R. L. Rivest, "Honeywords: Making Password-cracking Detectable," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ser. CCS '13. New York, NY, USA: ACM, 2013, pp. 145–160. [Online]. Available: http://doi.acm.org/10.1145/2508859.2516671
2. M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek, "Password Cracking Using Probabilistic Context-Free Grammars," in Security and Privacy, 30th IEEE Symposium on. IEEE, 2009, pp. 391–405.
3. P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez, "Guess again (and again and again): Measuring Password Strength by Simulating Password-cracking Algorithms," in Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012, pp. 523–537.
4. A. Pathak, "An Analysis of Various Tools, Methods and Systems to Generate Fake Accounts for Social Media," Ph.D. dissertation, Northeastern University, Boston, 2014.