Slide1
CASH: A Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection
Jeremiah Blocki (MSR/Purdue) Anupam Datta (CMU)
CSF 2016
Slide2
Motivation: Password Storage
Username: jblocki
jblocki, 123456
SHA1(123456 89d978034a3f6) = 85e23cfe0021f584e3db87aa72630a9a2345c062
Hash: 85e23cfe0021f584e3db87aa72630a9a2345c062
Salt: 89d978034a3f6
Slide3
Offline Attacks: A Common Problem
Password breaches at major companies have affected millions of users.
Slide4
Slide5
Key Stretching
Hash Iteration
Memory Hard Functions
[Diagram labels: Hash Function, Cost: C; H, H, …, k]
Slide6
A Fundamental Tradeoff
Increased Costs for Honest Party
Slide7
A Fundamental Tradeoff
Is the extra effort worth it?
Slide8
A Fundamental Tradeoff
Can I tip the scales?
Slide9
Our Contributions
A Stackelberg Game Model
  Analyze Password Cracking
  Quantify: Security Gains from Key-Stretching.
Cost Asymmetric Secure Hash
  An optimal way to tip the scales
Empirical Evaluation
  Yahoo! and RockYou password frequency data
  50+% reduction in cracked-passwords in selected instances
Slide10
A Key Observation
[Diagram: list of password guesses: password, password, 12345, letmein, abc123, …, unbreakable, unbr3akabl3, …]
Most guesses are wrong
Slide11
A Key Observation
[Diagram: the list of password guesses (password, password, 12345, letmein, abc123, …, unbreakable, unbr3akabl3, …) beside a second list: unbr3akabl3, unbr3akabl3, unbr3akabl3, unbr3akabl3, …, unbr3akabl3]
Most guesses are correct
Slide12
A Key Observation
[Diagram: the list of password guesses (password, password, 12345, letmein, abc123, …, unbreakable, unbr3akabl3, …) beside a second list: unbr3akabl3, unbr3akabl3, unbr3akabl3, unbr3akabl3, …, unbr3akabl3]
Goal Asymmetry: COST > COST
Slide13
Pepper [Manber96]
Username: jblocki
jblocki, 123456
SHA1(123456 89d978034a3f 6) = 85e23cfe0021f584e3db87aa72630a9a2345c062
Hash: 85e23cfe0021f584e3db87aa72630a9a2345c062
Salt: 89d978034a3f
Pepper: t
Slide14
Pepper [Manber96]
Username: jblocki
jblocki, 123456
SHA1(123456 89d978034a3f 1)
SHA1(123456 89d978034a3f 2)
SHA1(123456 89d978034a3f 3)
….
SHA1(123456 89d978034a3f 6)
Hash: 85e23cfe0021f584e3db87aa72630a9a2345c062
Salt: 89d978034a3f
Pepper: t
Slide15
Pepper [Manber96]
Username: jblocki
jblocki, 1234567
SHA1(1234567 89d978034a3f 1)
SHA1(1234567 89d978034a3f 2)
SHA1(1234567 89d978034a3f 3)
….
SHA1(1234567 89d978034a3f m)
Hash: 85e23cfe0021f584e3db87aa72630a9a2345c062
Salt: 89d978034a3f
Pepper: t
Correct Cost
Incorrect Cost
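The pepper check on Slides 13 to 15, as an added example that is not from the slides or the paper's code: the server keeps only the salt and hash, discards the pepper t, and re-tries peppers 1..m at login, so a correct password costs t hash evaluations and a wrong one costs m. The value of m, the pepper weights and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import random

M = 6  # number of pepper values 1..M (constructed for this example)
# Constructed, skewed pepper distribution: small peppers are more likely,
# so correct logins usually finish after few hash evaluations.
PEPPER_WEIGHTS = [0.5, 0.2, 0.1, 0.1, 0.05, 0.05]


def digest(password, salt, pepper):
    # SHA1(password || salt || pepper), the construction shown on the slides.
    return hashlib.sha1(f"{password}{salt}{pepper}".encode()).hexdigest()


def store(password, salt, pepper=None):
    """Hash with a secret pepper; only salt and hash are kept, never t."""
    if pepper is None:
        pepper = random.SystemRandom().choices(
            range(1, M + 1), weights=PEPPER_WEIGHTS)[0]
    return digest(password, salt, pepper)


def verify(guess, salt, stored):
    """Try peppers 1..M in order; return (accepted, hash evaluations used)."""
    for t in range(1, M + 1):
        if hmac.compare_digest(digest(guess, salt, t), stored):
            return True, t   # correct password: stops at the secret pepper
    return False, M          # wrong password: every pepper had to be tried


def expected_costs():
    """Expected evaluations for a correct login vs. a rejected guess."""
    correct = sum(t * w for t, w in enumerate(PEPPER_WEIGHTS, start=1))
    return correct, M


if __name__ == "__main__":
    salt = "89d978034a3f"                    # salt value from the slides
    record = store("123456", salt, pepper=3)
    print(verify("123456", salt, record))    # right password
    print(verify("1234567", salt, record))   # wrong password
    print(expected_costs())
```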
Slide16
Stackelberg Game Model (Setup)
Known distribution over N passwords pwd_1, …, pwd_N
Successful login rate ( )
  Probability that a user enters the correct password
Parameters fixed by nature
  Password Preferences
  Human Memory/Typo Rate
Slide17
Stackelberg Game Model
Leader (Server)
Selects pepper distribution
Selects hash cost parameter c
Constrained by maximum server workload
Amortized authentication costs ( )
Pr[wrong password]
Cost to reject pwd
Slide18
Stackelberg Game Model (Defender)
Leader (Server)
Selects pepper distribution
Selects hash cost parameter c
Constrained by maximum server workload
Amortized authentication costs ( )
Pr[right password]
Cost if secret pepper value is t.
Probability pepper value is t.
Slide19
Stackelberg Game Model
Leader (Server)
Selects pepper distribution
Selects hash cost parameter c
Constrained by maximum server workload
Amortized authentication costs ( )
Model traditional (deterministic) password hashing?
Simply set
and c =
Slide20
Stackelberg Game Model (Adversary)
Follower (Untargeted Adversary)
Faces new distribution over (password, pepper) pairs
Slide21
Stackelberg Game Model (Adversary)
Follower (Untargeted Adversary)
Faces new distribution over (password, pepper) pairs
Action: Selects a budget B
Guess B most likely (password, pepper) values
Slide22
Stackelberg Game (Adversary Rewards)
Adversary
Expected Reward - Expected Guessing Cost
Adversary value for cracked password
Probability i'th guess is correct
Slide23
Stackelberg Game (Adversary Rewards)
Adversary
Expected Reward - Expected Guessing Cost
Cost on Fail
Probability adversary fails
Cost if i'th guess is correct
Slide24
Stackelberg Game (Adversary Rewards)
Adversary
Expected Reward - Expected Guessing Cost
Rational Adversary Action
Fixed by defender in advance
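The adversary's choice of budget B on Slides 21 to 24, as an added example (not code from the slides or the paper): each budget is scored as expected reward minus expected guessing cost, using the terms the slides label, and the best one is returned. Charging one hash evaluation of cost `guess_cost` per guess, and the sample distribution, value and cost, are assumptions; the comparison holds the hash cost fixed and does not apply the server workload constraint.

```python
def pair_distribution(pwd_probs, pepper_probs):
    """Joint probabilities of (password, pepper) pairs, pepper chosen independently."""
    return [p * q for p in pwd_probs for q in pepper_probs]


def utility(probs_sorted, budget, value, guess_cost):
    """Expected reward minus expected guessing cost for a budget of B guesses."""
    tried = probs_sorted[:budget]
    hit = sum(tried)                           # Pr[some guess is correct]
    # Cost if the i'th guess is correct: i guesses were paid for.
    cost_success = sum(i * guess_cost * p for i, p in enumerate(tried, start=1))
    # Cost on fail: all B guesses were paid for, with probability 1 - hit.
    cost_fail = budget * guess_cost * (1 - hit)
    return value * hit - (cost_success + cost_fail)


def best_budget(pair_probs, value, guess_cost):
    """Rational adversary action: the budget B with the highest utility."""
    probs = sorted(pair_probs, reverse=True)   # guess most likely pairs first
    scored = [(b, utility(probs, b, value, guess_cost))
              for b in range(len(probs) + 1)]
    return max(scored, key=lambda bu: bu[1])   # B = 0 means "do not attack"


if __name__ == "__main__":
    pwd = [0.5, 0.25, 0.125, 0.125]            # constructed password distribution
    for peppers in ([1.0], [0.5, 0.5]):        # no pepper vs. two equally likely peppers
        pairs = pair_distribution(pwd, peppers)
        print(peppers, best_budget(pairs, value=2, guess_cost=1))
```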
Slide25
Stackelberg Game (Defender Rewards)
Probability adversary fails
Slide26
Stackelberg Game (Defender Rewards)
Rational Defender Action:
Assume adversary responds optimally
Feasible Defender Moves
Slide27
Problem Statement
such that:
Valid pepper distribution
Amortized Authentication Costs are Small Enough
Adversary plays rationally
Slide28
A Challenge
Optimization Problem is inherently non-convex
Culprit
Heuristic Relaxation:
Assume we know the adversary budget B
Can drop non-convex constraint, and solve.
Slide29
Heuristic Solution
Solve Relaxed Goal for many fixed budgets (B1, B2, …)
Obtain Candidate Solutions:
Pick the best candidate solution
Adversary plays rationally
such that:
Only need to check
possible solutions
Slide30
Heuristic Solution
Solve Relaxed Goal for many fixed budgets (B1, B2, …)
Obtain Candidate Solutions:
Pick the best candidate solution
Adversary plays rationally
such that:
Easy to compute for fixed
Slide31
Heuristic Solution
Optimization Problem is inherently non-convex
Culprit
Heuristic Relaxation:
s.t.
Variable.
is max % cracked passwords when adversary selects budget B
Slide32
Results
Yahoo! Frequency data [B12,BDB16]: https://figshare.com/articles/Yahoo_Password_Frequency_Corpus/2057937
Slide33
Robustness
Slide34
Our Contributions
A Stackelberg Game Model
  Analyze Password Cracking
  Quantify: Security Gains from Key-Stretching.
Cost Asymmetric Secure Hash
  An optimal way to tip the scales
Empirical Evaluation
  Yahoo! and RockYou password frequency data
  50+% reduction in cracked-passwords in selected instances
Slide35
Thanks for Listening