Client-CASH: Protecting Master against Offline Attacks Jeremiah Blocki, Anirudh Sridhar Motivation: Storage

asridhar, 123456

Username Hash 85e23cfe002 asridhar 89d978034a3f 1f584e3db87 6 aa72630a9a2 345c062

SHA1(12345689d978034a3f6) =85e23cfe0021f584e3db87aa + 72630a9a2345c062

2 Offline Attacks: A Common Problem • Password breaches at major companies have affected millions of users.

No stretching? Dictionary of 1000 words Password of 4 words: Horse battery staple 1012 possibilities correct 3.5 x 1011 hashes/second ~ 3 seconds to crack

Hash Function Cost: C H Hk …

Memory Hard Functions Hash Iteration A Fundamental Tradeoff

Increased Costs for Honest Party A Fundamental Tradeoff Is the extra effort worth it? A Fundamental Tradeoff Can I tip the scales? A Key Observation password 12345 letmein abc123 …. …… password unbreakable unbr3akabl3 Most …. …… guesses are wrong unbr3akabl3 A Key Observation unbr3akabl3 unbr3akabl3 unbr3@k@bl3 …. password 12345 unbr3akabl3 letmein abc123 …. …… password unbreakable unbr3akabl3 …. ……

Most guesses are correct unbr3akabl3 A Key Observation unbr3akabl3 unbr3akabl3 unbr3akabl3 …. password 12345 unbr3akabl3 letmein abc123 …. …… password unbreakable unbr3akabl3 …. ……

Goal Asymmetry: COST < COST Pepper [M96],[BD16]

Pepper: t asridhar, 123456

Username Salt Hash asridhar 89d978034a3f 85e23cfe002 1f584e3db87 aa72630a9a2 345c062 SHA1(12345689d978034a3f6)=85e23cfe 0021f584e3db87aa72630a9a2345c062 Pepper [Manber96],[BD16]

asridhar, 123456 Pepper: t

Username Salt Hash asridhar 89d978034a3f 85e23cfe002 1f584e3db87 aa72630a9a2 345c062 SHA1(12345689d978034a3f1) SHA1(12345689d978034a3f2) SHA1(12345689d978034a3f3) …. SHA1(12345689d978034a3f6) Halting Puzzles [B07] Account Creation Public String: 123456 Halting Password Puzzle: C22b5f91783426 Prepare 09428d6f51b2c5 af4c0bde6a42…

Authentication

If correct password, halt Password, Halting Password Puzzle: eventually, return hash Public string Extract Else, loop until threshold Master Passwords Typical Password Manager

qoirhfllaladfl

Login/use password password asdfoweiroi manager

lr4oi23urladj

Single point of access Attack 1: Server Breach

qoirhfllaladfl

Login to password password asdfoweiroi manager

lr4oi23urladj

Single point of access Attack 2: Client Breach

qoirhfllaladfl

Login to password password asdfoweiroi manager

lr4oi23urladj

Single point of access Is an Offline Attack possible?

Manager Server Breach Client Breach Both

Pwdhash Yes No (no stored state)

Halting Puzzles No Yes (stored state)

LastPass No No Yes (stored state)

Client-CASH No No Yes (stored state)

Contributions • Cost-Asymmetric Secure Hash protocol for Client-side applications (Client-CASH) • Main Features and challenges: – Tipping the scales in an optimal way – Preventing offline attacks of client and server – No offline attack possible unless both client and server are breached P1(s) = HALT if last char of s is a letter P2(s) = HALT if last char of s is a number Halting Predicates Salt = 89d978034a3f6 Round 1: abcde Output of (master password) SHA1(abcde89d978034a3f6)= protocol 47b91fe2502135d2a944c27af9dfc3 9ec51c7dec

P1(47b91fe2502135d2a944c27af9dfc39ec51c7dec) = HALT

Round Input (last values) HASH (last values) Predicate Result

1 abcde c51c7dec HALT 2 3 P1(s) = HALT if last char of s is a letter P2(s) = HALT if last char of s is a number Halting Predicates Salt = 89d978034a3f6 Round 1: 123456 (master password) SHA1(12345689d978034a3f6)= 85e23cfe0021f584e3db87aa72630a 9a2345c062

P1(85e23cfe0021f584e3db87aa72630a9a2345c062) = PASS

Round Input (last values) HASH (last values) Predicate Result

1 123456 2345c062 PASS 2 3 P1(s) = HALT if last char of s is a letter P2(s) = HALT if last char of s is a number Halting Predicates Salt = 89d978034a3f6 Round 2: 85e23cfe0021f584 e3db87aa72630a9 SHA1(85e23cfe0021f584e3db87aa72630a9a2345c062 a2345c062 89d978034a3f6)= (Round 1 Hash) ff52260d23b7e5eb33b3c2e84c3ad78863670dfd

P2(ff52260d23b7e5eb33b3c2e84c3ad78863670dfd) = PASS

Round Input (last values) HASH (last values) Predicate Result 1 123456 2345c062 PASS 2 2345c062 63670dfd PASS 3 P1(s) = HALT if last char of s is a letter P2(s) = HALT if last char of s is a number Halting Predicates Salt = 89d978034a3f6 Round 3: ff52260d23b7e5e b33b3c2e84c3ad7 SHA1(ff52260d23b7e5eb33b3c2e84c3ad78863670dfd 8863670dfd 89d978034a3f6)= (Round 2 Hash) e8f2384d053daf7265dd49f42eae89908eca27ce

Output of Protocol: e8f2384d053daf7265dd49f42eae89908eca27ce

Round Input (last values) HASH (last values) Predicate Result 1 123456 2345c062 PASS 2 2345c062 63670dfd PASS

3 63670dfd 8eca27ce HALT Information Leakage: Differential Privacy

For any two Some passwords sequence of Strict information pwd,pwd’ predicates, theoretic bound output of SelPreds Client-CASH: Account Creation

asridhar amazon.com 123456 Create Account

(P1,P2) Client-CASH: P1(s) = HALT if last char of s is a letter P2(s) = HALT if last char of s is a number Reproduce Salt = 89d978034a3f6

abcde Output of (master password) SHA1(abcde89d978034a3f6)= protocol 47b91fe2502135d2a944c27af9dfc3 9ec51c7dec

P1(47b91fe2502135d2a944c27af9dfc39ec51c7dec) = HALT Game theoretic model

Can choose: Can choose: - Amortized - Computational budget computational cost devoted to cracking per password passwords

- Probability - Set of passwords to distribution of halting hash predicates Distributions for Halting Predicates • Optimal Distribution – Given by solution to linear program – Requires knowledge of adversary budget • Exponential Mechanism: Differential Privacy constraint [MT07] – Don’t need to know adversary budget Assumptions • Passwords chosen uniformly at random • XKCD • Naturally Rehearsing Passwords [BBD13] • We know space of passwords – Eg. 4 random words Optimal Distribution Exponential Mechanism Summary/Future Work • Client-CASH can mitigate threat of an offline attack in the event of a server and client breach • Demo available: • Model value V adversary instead of budget B adversary • Experiments with nonuniform password distribution • Using more predicates Thanks for Listening! Any questions?