Page 1
Passwords – No Longer Viable
Arvind Narayanan
Vitaly Shmatikov
Univ. of Texas at Austin
(stuck in cowboy country )
Page 2
Greek mythology
Kerberos is tamed by the Lyre of Orpheus
Page 3
Today
Candy breaks computer security
70% of people will give up their password for a candy bar!
Page 4
Secure, Easy to Remember – Pick any one
Organizations implement cumbersome password rules – require
mixed case, numerals, special characters, etc.
The goal is for passwords to be secure as well as easy to
remember.
We show that there is an inherent conflict between these goals!
Page 5
Modeling Human Password Generation
[Diagram: Words, Names, Numbers, Alphabets and Randomness feed a Morph step that outputs the Password]
Page 6
Memorability vs. Security
Assume we had a fast algorithm that perfectly reproduces the Morph procedure.
Memorability is inversely related to randomness.
Cryptanalysis time is directly related to randomness.
So memorability and cryptanalysis time are inversely related – if we can precisely model human password generation!
Page 7
One of our techniques - Markov Modeling
Random character strings (left):
● wovmgrbl
● vfxalnre
● gnhkzdhl
● ejvzhrfb
● sxnsmvql
Generated using MM1 (right):
● sasetcki
● eshembec
● ertemenu
● sleeteat
● methesen
The words on the right were generated using MM1.
They are more pronounceable than the random character strings on the left.
Page 8
[Plot: coverage (x-axis) vs. key space reduction factor (y-axis)]
With 80% coverage we can get 25-fold compression!
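Slides 7 and 8 together describe the technique: train a first-order Markov model (MM1) on a dictionary, use it to generate pronounceable strings and to score arbitrary strings, and then trade coverage (the fraction of real words the model still accepts above a probability threshold) against the size of the key space that remains. The Python below is an added worked example, not code from the talk or its authors. The training corpus and the held-out word list are constructed; `FirstOrderMarkov`, `threshold_for_coverage`, `keyspace_reduction` and `demo` are names chosen for this example; and the smoothing (a Dirichlet prior scaled by letter frequency) is this example's choice, not the authors' model. It works on four-letter strings so that all 26^4 of them can be enumerated and the reduction factor measured exactly rather than estimated.

```python
import math
import random
from collections import Counter, defaultdict
from itertools import product
from string import ascii_lowercase

# Constructed stand-in corpus (the talk used real dictionaries; this is only for offline use).
TRAINING_WORDS = """
about above after again against almost along already always among animal
another answer around because become before begin behind believe between
beyond bring build called carry change child close color common could
country course create decide different direction during early earth eight
enough every example family father field figure final follow force friend
garden general great ground group happen hundred important inside large
later learn leave letter light little machine matter measure might minute
money morning mother mountain music nation never night north notice number
people person picture plant point power present pretty problem question
remember right river round school second sentence several should simple
story street strong study table those though thought through toward travel
""".split()

# Constructed held-out 4-letter words (none are in TRAINING_WORDS); "coverage"
# is the fraction of these the model still accepts at a given threshold.
HELDOUT_WORDS = """
bake bell bird blue boat bone book bush cake calm camp card cave cold cook
corn dark dawn deep deer dish door dust fact farm fast film fire fish fold
food fork free game gate girl gold good hand hard head help hide high hill
hold home hope hour iron jump keep kind lake lamp land last leaf left life
lock long look love made main mark mask meal milk mind moon move name near
nest news nose page pain park path pine plan play rain read rest wish wolf
""".split()

class FirstOrderMarkov:
    """Bigram letter model (the slides' MM1); "^" marks the start of a string."""
    def __init__(self, words, alphabet=ascii_lowercase, k=1.0):
        self.alphabet = alphabet
        bigram, unigram = defaultdict(Counter), Counter()
        for w in words:
            prev = "^"
            for ch in w:
                bigram[prev][ch] += 1
                unigram[ch] += 1
                prev = ch
        # Dirichlet smoothing with a letter-frequency prior: unseen bigrams are unlikely, never impossible.
        n = sum(unigram.values())
        prior = {c: (unigram[c] + 0.5) / (n + 0.5 * len(alphabet)) for c in alphabet}
        self.logp = {}
        for prev in ["^", *alphabet]:
            row, total = bigram[prev], sum(bigram[prev].values())
            self.logp[prev] = {c: math.log((row[c] + k * prior[c]) / (total + k))
                               for c in alphabet}

    def log_prob(self, s):
        """Log-probability of s under the model (higher = more English-like)."""
        lp, prev = 0.0, "^"
        for ch in s:
            lp += self.logp[prev][ch]
            prev = ch
        return lp

    def sample(self, length, rng):
        """Draw one string from the model, as the slide's MM1 words were made."""
        out, prev = [], "^"
        for _ in range(length):
            weights = [math.exp(self.logp[prev][c]) for c in self.alphabet]
            prev = rng.choices(self.alphabet, weights=weights)[0]
            out.append(prev)
        return "".join(out)

def threshold_for_coverage(model, words, coverage):
    """Lowest log-prob threshold that still accepts `coverage` of the given words."""
    scores = sorted((model.log_prob(w) for w in words), reverse=True)
    return scores[math.ceil(coverage * len(scores)) - 1]

def keyspace_reduction(model, length, threshold):
    """Enumerate every lowercase string of this length; returns (accepted, total, factor)."""
    total = len(model.alphabet) ** length
    accepted = sum(1 for t in product(model.alphabet, repeat=length)
                   if model.log_prob(t) >= threshold)
    return accepted, total, total / accepted if accepted else float("inf")

def demo(length=4, coverage=0.8, seed=1):
    rng = random.Random(seed)  # seeded so the printed strings are reproducible
    model = FirstOrderMarkov(TRAINING_WORDS)
    heldout = [w for w in HELDOUT_WORDS if len(w) == length]
    mm1 = [model.sample(length, rng) for _ in range(20)]
    uniform = ["".join(rng.choice(model.alphabet) for _ in range(length)) for _ in range(20)]
    theta = threshold_for_coverage(model, heldout, coverage)
    accepted, total, factor = keyspace_reduction(model, length, theta)
    achieved = sum(model.log_prob(w) >= theta for w in heldout) / len(heldout)
    return {"model": model, "mm1": mm1, "uniform": uniform, "threshold": theta,
            "coverage": achieved, "accepted": accepted, "total": total, "factor": factor}

if __name__ == "__main__":
    r = demo()
    print("MM1:", " ".join(r["mm1"][:5]), "| uniform:", " ".join(r["uniform"][:5]))
    print(f"{r['coverage']:.0%} coverage keeps {r['accepted']} of {r['total']} "
          f"length-4 strings: a {r['factor']:.1f}-fold key-space reduction")
```

The same score is what a defender can use in reverse: a password whose log-probability falls inside the accepted region sits in the small slice of the key space that a model-driven dictionary covers, whatever composition rules it satisfies, so a strength meter built on such a model measures the property the attack exploits rather than the one the policy checks.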
Page 9
Current state of the art – Rainbow attack
● Word list size is 3 × 10^12
● All alphanumeric passwords of length 8
● Compressed database size is 48 GB
● Cryptanalysis time is 40 minutes
● Amortized time is only 10 minutes
What we did
• Extend time-space tradeoff to “implicit dictionaries”.
• Same efficiency as rainbow attack, increased coverage.
Page 10
Coverage comparison

| Category | Count | Success (rainbow) | Success (hybrid) |
|---|---|---|---|
| Length at most 5 | 63 | 29 | 63 |
| Length 6 | 21 | 10 | 17 |
| Length 7 | 18 | 0 | 0 |
| Length 8, only alphabets | 9 | 0 | 6 |
| Others | 31 | 0 | 0 |
| Total | 142 | 39 | 96 |
| Total (length at least 6) | 79 | 10 (12.7%) | 33 (41.8%) |

Word list size for the above results was about 2 × 10^9.
With a larger word list size of 3 × 10^12, we believe we can get a 90% success rate.
Page 11
If not passwords, then what?
● What about biometric?
• Biometric identification is good.
• Biometric authentication is brain-damaged.
• PAKE (Password-based Authenticated Key Exchange)
• Good for some, but not all scenarios.
• Serge will talk about it tomorrow (and Zully later today).
Page 12
BOFH syndrome
Don’t blame users, blame poor system usability!
If users stick their passwords on their monitors, it doesn’t mean they’re stupid.
It means the security engineering needs rethinking.
Page 13
Smart cards
• Reduce electronic security to physical security.
• Protection mechanisms such as RFID-based tracking exist.
● Economic, legal and law enforcement infrastructure to deal with compromise.
Page 14
Find out more at CCS 2005.
Alexandria, VA
Page 15
Thank you.
Enjoy your beer