The Password Problem Will Only Get Worse

Transcription

1 The Password Problem Will Only Get Worse New technology for proving who we are Isaac Potoczny-Jones Galois &

2 Goals & Talk outline Update the group on authentication threats Update the group on authentication solutions 2 Factor authentication factors on the market Single Sign-On The state of various protocols Get your advice on our approach Outline: Background, Threat Landscape, Solutions, Our Approach

3 About the Speaker Galois, Inc. - galois.com Research & Development, mostly for federal gov. Computer security, safety, correctness, etc. 40+ employees in Portland, OR Founded in 1999 SEQRD: A Galois spin-off seqrd.com Startup focusing on authentication Isaac's background: BS Computer Science, MS Cybersecurity

4 Authentication: Foundations Authentication is proving who you are Or proving that you're the same person as last time Something you know e.g. Passwords, PINs, screen patterns, first pet, etc. Something you have Physical keys, secure tokens, mobile phones Something you are Biometrics, fingerprint readers, etc.

5 Single & Multi-Factor Single factor: One authentication method Classics: Password, keys, keyfobs, keycards Multi-factor: More than one factor Get more security by mixing methods Multi-factor classics Debit card & PIN Password & Random # token

6 Uses for Authentication Remote authentication e.g. proving who you are to a web site That's our focus today Physical authentication Granting access to: locations/devices/services Screen unlock Mobile devices or computers

7 Threat Landscape: Passwords

8 Fundamental Problems Passwords dominate, but: Bad passwords are easy to guess Good passwords are impossible to remember But what's a good password? To answer that, let's explore password attacks

9 Massive Database Spills Causing acceleration in understanding of passwords LinkedIn: 6.5M (2012) Yahoo: 340K (2012) RSA: SecurID token seed-keys stolen (2011) Gawker: 740K (2011) Sony: (2011) Stratfor: 800K (2011) RockYou: 32M (2009)

10 Brute-Force Attacks source: Rob Graham, Errata Security

11 Password Cracking ocl-hashcat-plus performance 1 GPU benchmark NTLM 7487M c/s MD5 5144M c/s SHA1 2030M c/s SHA M c/s Password Safe 495k c/s bcrypt $2a$ 3788 c/s source:

12 Hybrid Attacks 90% Success Great article by Ars on password crackers Challenge: 3 crackers, 16,000+ hashes Outcome: 90% success Example attacker approach: Method Passwords Uncovered Time Brute force 1-6 char length 1, minutes Mixed brute force 2, minutes Word list 6,000 9 minutes Hybrid 2,700 5 hours -of-your-passwords

13 So What's a Good Password? Long enough Maybe 9+ characters Complex enough Pretty much random & large character set Not reused Or risk the wrath of database spills But: Average user has 26 accounts* (I have 300) *Source: Experian & Deloitte:

14 With 26 passwords, it's impossible Let's just admit it: we're asking the impossible Users can never remember random passwords Users manage the problem: Reuse is most common users have 5 passwords reset - I forgot my password Password managers Firefox, KeePass, etc.

15 Conclusions about Threats Crack speed is increasing e.g. via GPUs Tool support is improving very quickly This is gaining steam as big password database spills provide crackers more info Passwords can't get complex enough

16 Result: 2 Factor is taking off Major Internet players offer it: Google, Facebook, Twitter, DropBox, etc. It's a good way to protect yourself from: Password reuse by users Other sites getting hacked

17 Solutions

18 Solutions: Identity Federation Single Sign On There was a great talk on this yesterday

19 Identity Federation: Moving Parts Service provider (SP): The site you log into Also called Relying Party or RP Identity Provider (IdP): The site you log in with Typical workflow: Visit Yahoo, click login Get redirected to Google with a session token Log into Google Get redirected to Yahoo with proof of login

20 Identity Federation Workflow Sign into Yahoo using Google (simplified) Yahoo (Service Provider) 2. Ask Google 5. Login & Attributes Google (Identity Provider) 3. I'm Isaac 4. Login & Attributes 1. Let me in User & Browser

21 OpenID OpenID seems to have lost momentum Relying parties are a problem On the mainstream Internet, there are very few Yahoo: Accepts Google & Facebook Google & Facebook are IdPs for OpenID & OAuth Facebook: Accepted logins in stopped If there's a way, I can't figure it out myopenid.com: shutting down

22 OAuth Used for authorization in lots of sites Often also used for some kinds of authentication OAuth 2 worries: Facebook has several OAuth vulns this year The standard was abandoned / lambasted by its editor, now under new stewardship Both too complex & under-specified

23 Security Assertion Markup Language - SAML Seems to be gaining momentum Federation & SSO InCommon, Education, Enterprise Also used to share attributes groups, etc. Accepted by Google Apps, Dropbox, Salesforce, etc. Major implementations Shibboleth (Java), SimpleSamlPHP Plugins for lots of platforms I audited plugins for Drupal & WordPress they were very insecure.

24 Central Authentication Service (CAS) Somewhat similar to SAML Widespread use in the academic community Can also be used for attribute exchange Java / Spring system Integrates with: Active directory, LDAP, X509, passwords, OpenID, SAML, etc.

25 Cloud SSO Services (IdP) Largely based on SAML Mostly subscription SAAS Instead of operating your own IdP They work to integrate service providers Ping Identity, OneLogin, Okta, Centrify, Symplified, probably others JanRain Social login & user management

26 Physical Factors

27 Physical Tokens YubiKey Small, uses one-time or fixed passwords, pretends to be a USB keyboard. Random number tokens RSA SecurID Google Authenticator (soft token App) Lots of similar tokens Hardware benefits & drawbacks: Benefits: Tamper-proof & can't get viruses Drawbacks: Can't put 100 of them on your keychain

28 Password Managers Saves the password on the client Problematic for moving between clients Often have cloud options Becomes Something you have (e.g. laptop) Often also locked / encrypted in keychain Hey look! It's 2-factor auth! In the browser (e.g. Firefox, Chrome) In a browser plugin (e.g. Lastpass, OnePass) Native client (e.g. KeePass) Problem: Logging in on different devices

29 Mobile Phone Factors Mobile phone factors are a great trade-off! Google Authenticator random number (app) Text message random number used by Facebook, Twitter, Telesign In-app push-based notifications Twitter, DuoSecurity, others PhoneFactor (Microsoft) Text, Voice, Push

30 How to use your phone as a password manager today On your computer: Visit the website you want to log into Instead of login, click forgot my password Type in your address On your phone: Open the reset Reset your password Log in on your computer So what happens when you lose your phone?

31 Summary: Each factor has drawbacks Something you know: Basically passwords Doesn't scale beyond a handful of secure passwords Something you have Physical token: Doesn't scale beyond size of your keyring Mobile phone: Seems most promising to me Something you are: biometrics are not secret Federation / SSO: If only we could agree to agree

32 SEQRD

33 Mobile Authentication Factor How we're trying to solve this Looking for your feedback Passwords are terrible Let's replace passwords with a mobile phone Get 2 factor with a password or PIN Integrated with SAML & REST API Demo

34 How it Works User's Perspective 1. Scan QR code Creating an Account 2. Account Creation Logging In 1. Scan QR code 3. Login Approved 2. Secure authentication

35 How 2 Factor Works - 1 Type a Password First Factor - Password Second Factor - SEQRD 1. Scan QR code 2. Secure authentication

36 How 2 factor works - 2 Second Factor - SEQRD 1. Scan QR code 2. Type PIN (decrypts key) 3. Secure authentication

37 How it Works Under the hood Browser 5. App scans QR code : Session key, Challenge 1. Login request 3. QR code includes Session key, Challenge 8. User ID, OTP, Session key 12. Approved 13. Approved blog.seqrd.com 10. Site computes OTP Checks match 2. Session key 4. Web site & Session key 7. App computes OTP = OCRA (Challenge, Shared secret) 9. Shared key for User ID 11. Session key authenticated Cookie Storage 6. User ID, Shared secret For Web site Web site Storage Phone Storage

38 Threats & Mitigations During Registration & Issuance Threat Mitigation Impersonation of Stronger identification, claimed identity government-issued ID, bills Repudiation of registration Signed forms Disclosure during Issue in person transmission Tampering during Establish a procedure transmission Unauthorized Issuance Establish a procedure Source: NIST R1

39 Threats & Mitigations Against Tokens Threats Mitigations Theft Duplication Eavesdropping Offline cracking Phishing Social engineering Online guessing Multi-factor w/ PIN or biometric Hardware crypto tokens Dynamic & Challenge/response High entropy & lockout Dynamic & Challenge/response Dynamic & challenge/response High entropy Source: NIST R1

40 SEQRD - Threats & Mitigations Against Tokens Threats Disclosure during transmission Theft Duplication Eavesdropping Offline cracking Phishing Social engineering Online guessing Mitigations QR code on your screen or send the crypto key in snail mail Multi-factor w/ PIN & password, revocation Tricky on mobile! Software-based protections One-time passwords (OTP) challenge & response Long cryptographic keys OTP / challenge & response OTP / challenge & response Long cryptographic keys

41 Conclusions Threats against passwords are really bad 2-factor auth to greatly increase security SAML for SSO Mobile phone factors as good trade-off Contact info: