CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005

1
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• CompChall Addressing Password Guessing Attacks
• By
• Vipul Goyal
• OSP Global
• Mumbai, India
• Coauthors Virendra Kumar, Mayank Singh, Ajith
  Abraham and Sugata Sanyal

2
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Introduction
• Passwords are the most widely used means of
  authentication
• Humans have a tendency to choose relatively short
  and simple passwords
• Thus, passwords bring along with them, the threat
  of dictionary attacks

3
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Dictionary attacks
• Dictionary attack means guessing the password and
  somehow check whether it is valid or not
• If the rate of guessing and validating is
  reasonably high, the attacker stands a good
  chance of breaking the password
• Two types offline and online

4
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Offline dictionary attacks
• The attacker somehow gets access to some data
  which allow him to test passwords without any
  interaction with the server
• Theoretically impossible to resist w/o PKC but
  efficient protocols like EKE exist to resist
  these attacks using PKC

5
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Online dictionary attacks
• For each password validation, interaction with
  the server is required
• By attempting a login, it is always possible to
  test for password validity and hence, these
  attacks cannot be totally prevented
• Common countermeasures like account locking and
  delayed response are not satisfactory

6
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Our protocol
• Limits the rate of login attempt by asking the
  user to first solve a computational challenge
• Uses only fast one way hash functions for
  efficiency
• Totally stateless and thus less vulnerable to DoS
  attacks

7
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol description
• Step 1 Alice sends her user ID to Bob
• This is a simple step in which Alice indicates
  her willingness to login

8
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol description contd..
• Bob generates two random numbers r and R. r is a
  small (e.g. 20 bit) random number, R is a big
  (100 bit) random number
• Bob also computes H(r, P) where P is Alices
  password and computes a MAC H(KBob,H(r, P),
  Alice, n)
• KBob is Bobs secret key, n is the number of
  failed attempts by Alice so far
• Step 2 Bob replies back with H(r, R), R, MAC

9
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol description contd..
• Alice should find out r before she can proceed
  with the login attempt. This is done by checking
  the hash values of all possible 20 bit number
  appended with R (and matching with H(r,R))
• R acts as a salt to prevent her from
  pre-computing H(r) for all possible r
• This step is computationally intensive for Alice
  and prevents her from making a large number of
  login attempts per unit time.

10
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol description contd..
• After finding out r, Alice computes H(r, P)
• Step 3 Alice sends to Bob Alice, H(r, P) along
  with the received MAC (H(H(r, P), Alice, KBob,
  n))
• This step can be independently executed making
  the protocol stateless

11
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol description contd..
• Bob hashes the received H(r, P) with its key,
  Alice, and n and matches the resulting quantity
  with the received MAC
• If they match, Alice is logged in
• Else n is incremented.
• Bob sends the success/failure signal

12
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol figure

13
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol Security
• The MAC H(H(r, P), Alice, KBob, n) is
  un-intelligible to Alice and is only meant to be
  returned to the server. This is to make the
  server stateless.
• This MAC is specific for the user and the login
  attempt. Thus, this cannot be re-used for any
  other user / attempting login more than once for
  a single user
• All this ensures that Alice did the required
  computation

14
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol Variant 1
• A minor variation in the message sequence
  produces interesting results
• Replace H(r,R) with H(r,P,R) in step 2 and 3 with
  MACH(H(r, P), Alice, KBob, n)
• This rapidly increases the offline dictionary
  attack time, useful in case SSL protection is not
  used

15
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Protocol Variant 2
• Aimed at making the protocol secure again server
  compromise
• Replace H(P,r) with r, H(i-1)(P) with MAC H(r,
  Hi(P), Alice, KBob, n)
• Relatively complex, uses Hash chains

16
CompChall Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005

• Thank You