Authstore: Password-Based Authentication and Encrypted Data Storage in Untrusted Environments
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX. -
Modern Password Security for System Designers What to Consider When Building a Password-Based Authentication System
Modern password security for system designers What to consider when building a password-based authentication system By Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects This whitepaper describes and models modern password guidance and recommendations for the designers and engineers who create secure online applications. A related whitepaper, Password security for users, offers guidance for end users. This whitepaper covers the wide range of options to consider when building a password-based authentication system. It also establishes a set of user-focused recommendations for password policies and storage, including the balance of password strength and usability. The technology world has been trying to improve on the password since the early days of computing. Shared-knowledge authentication is problematic because information can fall into the wrong hands or be forgotten. The problem is magnified by systems that don't support real-world secure use cases and by the frequent decision of users to take shortcuts. According to a 2019 Yubico/Ponemon study, 69 percent of respondents admit to sharing passwords with their colleagues to access accounts. More than half of respondents (51 percent) reuse an average of five passwords across their business and personal accounts. Furthermore, two-factor authentication is not widely used, even though it adds protection beyond a username and password. Of the respondents, 67 percent don’t use any form of two-factor authentication in their personal life, and 55 percent don’t use it at work. Password systems often allow, or even encourage, users to use insecure passwords. Systems that allow only single-factor credentials and that implement ineffective security policies add to the problem. -
Security + Encryption Standards
Security + Encryption Standards Author: Joseph Lee Email: joseph@ ripplesoftware.ca Mobile: 778-725-3206 General Concepts Forward secrecy / perfect forward secrecy • Using a key exchange to provide a new key for each session provides improved forward secrecy because if keys are found out by an attacker, past data cannot be compromised with the keys Confusion • Cipher-text is significantly different than the original plaintext data • The property of confusion hides the relationship between the cipher-text and the key Diffusion • Is the principle that small changes in message plaintext results in large changes in the cipher-text • The idea of diffusion is to hide the relationship between the cipher-text and the plaintext Secret-algorithm • A proprietary algorithm that is not publicly disclosed • This is discouraged because it cannot be reviewed Weak / depreciated algorithms • An algorithm that can be easily "cracked" or defeated by an attacker High-resiliency • Refers to the strength of the encryption key if an attacker discovers part of the key Data-in-transit • Data sent over a network Data-at-rest • Data stored on a medium Data-in-use • Data being used by an application / computer system Out-of-band KEX • Using a medium / channel for key-exchange other than the medium the data transfer is taking place (phone, email, snail mail) In-band KEX • Using the same medium / channel for key-exchange that the data transfer is taking place Integrity • Ability to determine the message has not been altered • Hashing algorithms manage Authenticity -
Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms
Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt. -
A New Approach in Expanding the Hash Size of MD5
374 International Journal of Communication Networks and Information Security (IJCNIS) Vol. 10, No. 2, August 2018 A New Approach in Expanding the Hash Size of MD5 Esmael V. Maliberan, Ariel M. Sison, Ruji P. Medina Graduate Programs, Technological Institute of the Philippines, Quezon City, Philippines Abstract: The enhanced MD5 algorithm has been developed by variants and RIPEMD-160. These hash algorithms are used expanding its hash value up to 1280 bits from the original size of widely in cryptographic protocols and internet 128 bit using XOR and AND operators. Findings revealed that the communication in general. Among several hashing hash value of the modified algorithm was not cracked or hacked algorithms mentioned above, MD5 still surpasses the other during the experiment and testing using powerful bruteforce, since it is still widely used in the domain authentication dictionary, cracking tools and rainbow table such as security owing to its feature of irreversible [41]. This only CrackingStation, Hash Cracker, Cain and Abel and Rainbow Crack which are available online thus improved its security level means that the confirmation does not need to demand the compared to the original MD5. Furthermore, the proposed method original data but only need to have an effective digest to could output a hash value with 1280 bits with only 10.9 ms confirm the identity of the client. The MD5 message digest additional execution time from MD5. algorithm was developed by Ronald Rivest sometime in 1991 to change a previous hash function MD4, and it is commonly Keywords: MD5 algorithm, hashing, client-server used in securing data in various applications [27,23,22]. -
Password Security Compliance
Password Security Compliance Reduce risk and ensure compliance by managing password strength and policy. WHITE PAPER 1 PASSWORD SECURITY COMPLIANCE Reduce risk and ensure compliance by managing password strength and policy. Overview Passwords are a critical component of security. Passwords serve to protect user accounts; however, weak passwords may violate compliance standards, be reversed engineered back to plaintext and sold on the dark web, or result in a costly data breach if compromised. A periodic review of password rules is a vital component of your compliance and security strategies. Purpose The purpose of this security brief is to inform organizations of key password requirements and initiate internal compliance conversations. Use this security brief as a tool to enforce or strengthen your existing password policy. Learn more at fusionauth.io 2 According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Financial, healthcare and public sector organizations 81% of hacking-related accounted for over half breaches leveraged of those breaches. either stolen and/or weak Password strength is an important security passwords. concern. With over four billion credentials Verizon BDIR 2017 stolen last year and data breaches averaging $3.62M in direct costs per incident, companies must be prepared for the security risks they face. While all applications should apply password constraints to discourage easy to guess passwords, many organizations are required to do so by law. It is necessary to have stringent password constraints in place in order to comply with industry regulations. Compliance is about fostering a culture that values user data and integrity and that culture starts at the top. -
Computational Security and the Economics of Password Hacking
COMPUTATIONAL SECURITY AND THE ECONOMICS OF PASSWORD HACKING Abstract Given the recent rise of cloud computing at cheap prices and the increase in cheap parallel computing options, brute force attacks against stolen password databases are a new option for attackers who may not have enough computing power on their own. We take a survey of the current availability and cost of cloud computing as it relates to the idea of computational security in the context of breaking password databases. Rather than look at just the increase in computing power available per computer, we look at how computing as a service is raising the barrier for password protections being computationally secure. We look at the set of key stretching functions meant to defeat brute force password attacks with the current cheapest cloud computing service in order to determine what amount of money and effort an attacker would need to compromise a password database. Michael Phox Zachary Sherin Adin Schmahmann Augusta Niles Context In password-based network security systems, there is a general architecture whereby the password is sent from the user device to a service server, which then hashes the password some number of times using a random oracle before storing the password in a database. Authentication is completed by following the same process and checking if the hashed password is correct. If the password is in the database, access permission is granted (See Figure 1). Figure 1 Password-based Security However, the security system above has been shown to have significant vulnerability depending on the method of password encryption. In contrast to informationally secure (intercepting a ciphertext does not yield any more information to change the probability of any plaintext message. -
Analyzing Password Strength
Analyzing Password Strength Martin M.A. Devillers Juli 2010 Password authentication requires no ABSTRACT specialized hardware, such as with finger- print authentication, can be easily imple- Password authentication is still the most mented by developers and just as easily used used authentication mechanism in today’s by users. In short: It’s usable. computer systems. In most systems, the But is it safe? The topic of “Security ver- password is set by the user and must adhere sus Usability” has always been of much de- to certain password requirements. Addition- bate in the computer security world (3). Us- ally, password checkers rank the strength of ers must be protected from harm by security a password to give the user an indication of controls, but these controls may not interfere how secure their password is. In this paper, (much) with the tasks the users want to per- we take a look at a large database of user form. For instance, a firewall that simply chosen passwords to determine the current blocks all traffic can be considered secure, state of affairs. In the end, we extract a mod- but heavily impedes the overall usability of el from the database and provide our own the system. password checker which ranks passwords in various ways. We ran this checker against Security experts or system developers are our dataset which shows that over 90% of usually the ones who have to make this tra- the passwords is highly insecure. deoff, but with password authentication, this task is essentially passed on to the user (3): INTRODUCTION One can either choose a short and simple password, which is easy to remember but As we perform increasingly important also easy to crack, or a very long and com- tasks from our living room computer, the plicated password, which is hard to remem- topic of computer security also becomes in- ber but also hard to crack. -
Authentication, Authorization and Transport Layer Security
Universidade de Brasília Instituto de Ciências Exatas Departamento de Ciência da Computação Security of a NoSQL database: authentication, authorization and transport layer security Bruno Jorge S. Rodrigues Monograph presented as a partial requirement for the conclusion of the Course of Computer Engineering Supervisor Prof. Dr. Rodrigo Bonifácio de Almeida Brasília 2019 Universidade de Brasília Instituto de Ciências Exatas Departamento de Ciência da Computação Security of a NoSQL database: authentication, authorization and transport layer security Bruno Jorge S. Rodrigues Monograph presented as a partial requirement for the conclusion of the Course of Computer Engineering Prof. Dr. Rodrigo Bonifácio de Almeida (Supervisor) CIC/UnB Prof. Dr. Donald Knuth Dr. Leslie Lamport Stanford University Microsoft Research Prof. Dr. José Edil Coordinator of the Course of Computer Engineering Brasília, January 25, 2019 Dedication This work is dedicated to all the people who supported me until here. This is dedicated to God in the first place, for blessing me throughout this path that I have been crossing until here (1 Corinthians 10:31). This is dedicated to all my family, especially my father, Dimas, and my mother, Odilma, for loving me in first place, and for giving me strength, courage and the resources that I needed to get here without thinking twice. This is dedicated to Gabriella, for making me smile in my darkest moments, even when she was not in the best days as well. This is dedicated to all my friends, who made my days happier and also made this path easier to cross. I love you all, and you are very important to me! iii Acknowledgements First of all, I thank God for His mercies and blessings, for His care and for each door that was opened and also for every door that was closed. -
Hybrid Password Authentication System
IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661,p-ISSN: 2278-8727, Volume 22, Issue 4, Ser. I (Jul. – Aug. 2020), PP 42-51 www.iosrjournals.org Hybrid Password Authentication System 1 2 3 Harish Manikandan Balaji , Abisek K.S , Dharmesh Gopinath 1,2,3(Computer Science and Engineering, Anna University, India) Abstract: The storage and handling of passwords is a vital part of security systems. We introduce a novel approach for password authentication to store and handle passwords securely, which could be seamlessly, merged with existing security systems. This approach protects the genuine plaintext password from being discovered by a malicious actor even if the database storing the passwords suffers a data breach. The data breach could be a result of an unpatched or zero-day vulnerability. A plaintext password is hashed using a hash function. The hash is then split into two parts. One part is used to create a series of patterns (or) Anti-passwords involving the use of an Anti-password algorithm, which are then stored securely in a database. The other part is encrypted using AES algorithm. The encryption and the patterns together create two layers of security making it harder to crack through and access the passwords. The analysis and complexity of the system shows that the encrypted passwords can resist lookup attacks and provide even stronger protection against dictionary attacks. It should also be mentioned that the system combines the cryptographic hash function, patterns, and encryption, without requiring anything more than just the password. Key Word: Advanced Encryption Standard (AES); Anti-password; Negative Database (NDB); Hybrid password authentication system (HPAS). -
Cryptography Lecture 8 Digital Signatures, Hash Functions a Message Authentication Code Is What You Get from Symmetric Cryptography
Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting it instead of Alice’s message Key Key Alice Create MAC Verify MAC Bob Eve Signature vs MAC A MAC, Message Authentication Code, preserves data integrity, • i.e., it ensures that creation and any changes of the message have been made by authorised entities Only the authorised entities can check a MAC, and all who can • check can also change the data In most legally interesting cases, you want to be able to verify that • one single individual wrote something Also, in many situations it is good if everyone is able to check the • signature Digital signatures In asymmetric ciphers, one single individual holds the private key, • while everyone can get the public key So if you encrypt with the private key, and send both cryptogram • and message, anyone can check that “decryption” with the public key does indeed create the message Note that some public key systems do not allow “encryption” with • the private key Most systems can be modified to generate and verify signatures • A digital signature can be created using asymmetric cryptography Used to prevent Eve from creating messages and present them as written by of Alice Private Public signing verification key key Create Verify Alice Anyone signature signature Eve Digital signatures A digital signature should not only be tied to the signing user, but • also to the message The example of encrypting -
Deepmnemonic: Password Mnemonic Genera- Tion Via Deep Attentive Encoder-Decoder Model
1 DeepMnemonic: Password Mnemonic Genera- tion via Deep Attentive Encoder-Decoder Model Yao Cheng, Chang Xu, Zhen Hai*, and Yingjiu Li Abstract—Strong passwords are fundamental to the security of password-based user authentication systems. In recent years, much effort has been made to evaluate the password strength or to generate strong passwords. Unfortunately, the usability or memorability of the strong passwords has been largely neglected. In this paper, we aim to bridge the gap between strong password generation and the usability of strong passwords. We propose to automatically generate textual password mnemonics, i.e., natural language sentences, which are intended to help users better memorize passwords. We introduce DeepMnemonic, a deep attentive encoder-decoder framework which takes a password as input and then automatically generates a mnemonic sentence for the password. We conduct extensive experiments to evaluate DeepMnemonic on the real-world data sets. The experimental results demonstrate that DeepMnemonic outperforms a well-known baseline for generating semantically meaningful mnemonic sentences. Moreover, the user study further validates that the generated mnemonic sentences by DeepMnemonic are useful in helping users memorize strong passwords. Index Terms—Password mnemonic generation, deep neural network, attention mechanism, neural machine translation. F 1 INTRODUCTION OWADAYS, user authentication is the key to ensuring made to address the memorability of strong passwords. N the security of user accounts for most online services, Strong passwords are usually difficult for users to memorize such as social media, e-commerce, and online banking. because their entropy values are beyond many users’ mem- Although various authentication schemes have emerged orability [13] [14] [15].