R Chatterjee J Woodage Y Pnueli A Chowdhury T Ristenpart Password checking systems and typos Fail P assw92 Bob Salted slow cryptographic hash Success passw92 H P assw92 ID: 717564
Download Presentation The PPT/PDF document "The TypTop System Personalized Typo-To..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
The TypTop SystemPersonalized Typo-Tolerant Password Checking
R. Chatterjee, J. Woodage, Y. Pnueli, A. Chowdhury, T. RistenpartSlide2
Password checking systems and typos
Fail
P
assw92
Bob
Salted, slow cryptographic hash
Success
passw92
H(
P
assw92
) =
a5idoiaU7p...
?
H(
pASSW92
) =
a5idoiaU7p...
?
H(
passw92
) =
a5idoiaU7p...
?
Apply Caps lock Corrector
Apply shift Corrector
. . .
Typo-tolerant password checking
Allow registered password or typos of it
small typo
Oakland ’16
2
Top-5 correctors correct 20% of all typos
H(
passw92
) =
a5idoiaU7p...
?Slide3
Fail
Passw92
Typo-tolerance improves utility
Bob
Success
passw92
3
Salted, slow cryptographic hash
H(
P
assw92
) =
a5idoiaU7p...
?
H(
pASSW92
) =
a5idoiaU7p...
?
H(
passw92
) =
a5idoiaU7p...
?
Apply Caps lock Corrector
Apply shift Corrector
. . .
k
Top-5 correctors correct 20% of all typos
Login will increase by 3%
Does not degrade securitySlide4
Salted, slow cryptographic hash
Apply Caps lock Corrector
Apply shift Corrector
H(
P
assw92
) =
a5idoiaU7p...
?
H(
pASSW92
) =
a5idoiaU7p...
?
H(
passw92
) =
a5idoiaU7p...
?
… corrects only the tip of the iceberg
Bob
Success
passw92
Fail
Passw92
4
. . .
80% of typos are left uncorrected
To correct more with correctors would be
Expensive – slow hash function
Wasteful – not all users make same mistakes
Insecure – too many corrections for each guess
How to correct more typos?
Limitations
Top-5 correctors correct 20% of all typosSlide5
We propose: Personalized typo-toleranceIntroduce personalized typo-tolerant password checking: allow only the typos that a user makes
Design TypTop, a password checker that learns user’s frequent typos and allows login with them. Rigorously analyze TypTop’s security.
Build a prototype for rendering computer logins typo-tolerant
https://typtop.info5Slide6
Adaptive typo-tolerance
Fail
pass
e
92
Success
pass
e
92
Bob
Bob
Salted, slow cryptographic hash
Success
passw92
H(
pass
e
92
) =
a5idoiaU7p...
?
2.
How to figure out this is a legitimate typo?
E.g., within edit-distance 1 from real password
Allow previously seen typos
If only we could store passwords in plaintext…
1.
Do users repeat their typos?
6Slide7
Do users repeat their typos?
7Slide8
Simulate password typing behavior at
Asked workersto register a password for an imaginary email serviceand then, login by typing the password over multiple days
8
271 workers logged in for 8,739 times, median 30 times
35% made at least two typos in two different logins
45% of them repeat their typos
50% more users will benefit compared to prior approachSlide9
How to build a secure adaptive typo-tolerant password checking?
9
H(
pass
e
92
) =
a5idoiaU7p...
?
Is it legitimate?Slide10
Aux Info
------------
------------
------------
Cache
passw92
Register
Generates a public-key key pair:
------------
------------
------------
Waitlist
E
(
passw92
,
)
2
3
(E, D):
password-based encryption scheme
E(
passw92,
):
passw92
AEnc) return
Design of TypTop : RegistrationTypTop’s state
Slow, secure, authenticated encryption scheme
10
1
passw92Slide11
Design of TypTop : Login
Fail
pass
e
92
------------
------------
------------
Cache
------------
------------
------------
Waitlist
E
(
passw92
,
)
D(
pass
e
92,
)
?
E
(
passw92,)
11passe92
Aux Info
passw92Slide12
Design of TypTop : Login
Fail
pass
e
92
------------
------------
------------
Cache
------------
------------
------------
Waitlist
E
(
passw92
,
)
E
(
passw92
,
)
passw92
2
3
Typo Policy Check
D(
passw92,
)
?1 = passe
92
E(pass
e92,
)
4
Success
12
pass
e
92
Aux Info
passw92Slide13
Design of TypTop : Login with a typo
pass
e
92
------------
------------
------------
Cache
------------
------------
------------
Waitlist
E
(
passw92
,
)
E
(
pass
e
92
,
) Success
Adaptive typo-tolerant password checking without storing the password or any typos in clear
13
Aux Info
passw92Slide14
------------
------------------------
Cache
Design of TypTop : Some more details
pass
e
92
------------
------------
------------
Waitlist
E
(
passw92
,
)
E
(
pass
e
92
,
)
Size: 10
Caching policy: PLFU (Probabilistic Least Frequently Used)Fill cache and waitlist with random values to hide # of entriesSize: 5+1
Randomly permute after every cache update; benefits security
ラ
βτU823------------了йd0وا وا随------------τυχкলشન્ડ ش
#*D&aβτᶉëᶆSuccess
Typo Policy Check
Check edit-distance + typo strengthUsed zxcvbn strength meter
Frequency of typos, etc.14Aux Info
passw92Slide15
15
What about Security?Slide16
Smash and grab attack (Offline attack)More interesting, and we detail this in the talk
Remote guessing attack (Online attack)
Analysis is similar to Oakland ’16 paperShowed negligible security lossPlease see paper for details
16Slide17
Smash and grab attack (Offline attack)
------------
------------
------------
Cache
------------
------------
了
й
d0
وا
وا
随
------------Waitlist
E(passe92,)
E
(passw92,
)
Attacker’s Goal
Learn the registered password
17
TypTop’s state#*D&aβτᶉëᶆ Obvious StrategyBrute-force guess the password
Can the attacker do better?No!123456
password
1234567
…just like attacking traditional password checkersAux Info
passw92
passe92
P
assw92
Slide18
18
Attack against TypTop’s state
Cryptographic reduction
Brute-force crack the cache entries
Combinatorial argument
Brute-force guess the registered password
Obvious strategy is the best an attacker can do
Cracking password hashes
Slide19
TypTop’s state appears random
?
Attacker learns nothing unless he can guess an entry in the cache
19
Assuming underlying encryption schemes are secure
------------
#έ
------------
------------
------------
------------
------------
Waitlist
ĉṓɲṩḙċťᶒțû
रें
------------
ấɖḯƥ
भ
ĭṩčįɳġɾ
------------
ᵯáꞡᶇā
ąⱡîɋṹẵ
.$@G7&值β填写随机%
بے ترتیب اقدارCacheAux Info
Ɖ
ر&9dấḯ
------------------------------------
Cache
------------------------了йd0وا وا随------------
Waitlist
E(passe92,
)
E(passw92,)
#*D&aβτᶉëᶆ
Aux Info
passw92
pass
e
92
P
assw92
Slide20
------------
------------------------
Cache
E(passe92,
)
E
(passw92,
)
#
*
D&a
βτ
ᶉëᶆ
Guessing against the cache entries
20123456
123456
1234567
passw92
Decryption fails if the slot is incorrect
123456
password
1234567
password1
Passwordqwerty98765432100000001111111123123123321
Can attacker ever get higher advantage by trying to decrypt a typo entry in the cache?Decryption is as slow as normal password hashes
Typo entries are randomly permutedSlide21
thetypo
Guessing typo is beneficial if…
21
…there is a typo that is always in the cache, the attacker can break TypTop by guessing that typo against all slots.That scenario is quite unnatural
thetypo
thetypo
thetypo
thetypo
thetypoSlide22
t-Sparset-sparse: if no typo is frequently in the cache of many passwords
22
: Password
: Typo
: # of typos allowed in cache
: Cache inclusion probability
Cache inclusion probability (
)
,
Depends on the typo-distribution, and TypTop’s caching policy
Slide23
t-Sparse TypTop Normal Pw checker
23
𝐼𝑓 𝑡𝑦𝑝𝑜-𝑑𝑖𝑠𝑡𝑟𝑖𝑏𝑢𝑡𝑖𝑜𝑛 𝑖𝑠 𝑡-𝑠𝑝𝑎𝑟𝑠𝑒 𝑢𝑛𝑑𝑒𝑟 𝑇𝑦𝑝𝑇𝑜𝑝’𝑠 𝑐𝑎𝑐ℎ𝑖𝑛𝑔 𝑝𝑜𝑙𝑖𝑐𝑦, 𝑡ℎ𝑒𝑛 𝑏𝑒𝑠𝑡 𝑎𝑡𝑡𝑎𝑐𝑘 𝑖𝑠 𝑡𝑜 𝑏𝑟𝑢𝑡𝑒-𝑓𝑜𝑟𝑐𝑒 𝑔𝑢𝑒𝑠𝑠 𝑡ℎ𝑒 𝑟𝑒𝑔𝑖𝑠𝑡𝑒𝑟𝑒𝑑 𝑝𝑎𝑠𝑠𝑤𝑜𝑟𝑑.
TheoremSlide24
Guessing typo is sub-optimal if t-sparse24
------------
------------------------
Cache
E
(pass
e
92,
)
E
(passw92,
)
#
*
D&aβτᶉëᶆ ------------------------
------------
Cache
E(pass
e92,
)
E(passw92,
)
#*D&aβτᶉëᶆ
PasswordAdvantage
Every guess against a typo can be replaced by a guess against the real password that provides equal or more probability of success
123456
12345671234567passwordpassword
1234561234567password123654!loveyoul3tmeinSlide25
Attacking TypTop is no easier than attacking traditional password checkers25
Empirically verified that real world typo-distributions are
t-sparse for the configurations we considered for TypTop
Attack against TypTop’s state
Cryptographic reduction
Brute-force crack the cache entries
Combinatorial argument
Brute-force guess the registered password
Cracking password hashes
Slide26
TypTop is secure against online and offline attacks, and it improves utility.26
Let’s build one!Slide27
27TypTop: a smart password checker for Unix
Created a password authentication module (PAM)
Renders computer logins typo-tolerantAdded a logging module To collect anonymous statistics about typos for our studyUsers can disable logging, and still keep using TypTop
https://typtop.info
A smart password checker that lets you make mistakesSlide28
TypTop pilot deployment studyInstalled TypTop in 24 volunteers’ laptops5 on Linux platform, 19 on MACfor median 27 days.Total typos observed:
501
TypTop provides 3x improvement over prior approach28
Prior approach
22%
TypTop
63%Slide29
TypTop pilot deployment studyInstalled TypTop in 24 volunteers’ laptops5 on Linux platform, 19 on MACfor median 27 days.Total typos observed:
501
TypTop provides 3ximprovement over prior approach
29Slide30
TypTop in one slideDesigned TypTop, a secure personalized typo-tolerant password checking system, that adapts to user’s mistakesRigorously analyzed its securityYou can try TypTop now! Visit
https://typtop.info
Thanks!
30
Typo-tolerant password checking might encourage users to adopt better security practicesSlide31
31