Enhancing Password Security Using Deceptive Covert Communication

Post on 18-Jan-2017


Enhancing Passwords Security Using Deceptive Covert Communication

IFIP SEC’15

Mohammed Almeshekah (malmeshe@purdue.edu)

Eugene Spafford (spaf@purdue.edu)

Mikhail Atallah (matallah@purdue.edu)

Acknowledgment

• Joint work with:

• Prof. Eugene Spafford and Prof. Mike Atallah.

• Part of the Liars Club group at Purdue.

• Partially supported by Northrop Grumman.

Authentication

• One of the most common security controls.

• Two-factor authentication is a de-facto standard.

• Two major limitations:

• Passwords are still exposed.

• Man-in-the-Browser (MitB), e.g., Zeus Malware.

A Password's Dangerous Trip

A Password's Dangerous Trip: Threats

Shoulder-Surfing

MitB/Keylogger

Sniffing/Phishing

Insider Threat

A Password's Dangerous Trip: Current Controls

Shoulder-Surfing

MitB/Keylogger

Sniffing/Phishing

Insider Threat

SSL/TLS, Ersatz Passwords, 2FA

Information Asymmetry: Context-less Authentication

User wants to access

Banks want me to access.

Information Asymmetry: Contextual Authentication

Public Network?

Email link?

….

Dynamic Decision (context)

A Password's Dangerous Trip: Reducing password exposure

A Deceptive Covert Communication

• We will use an accumulation function A() that can be realized using modular exponentiation.

• A(x1, x2) = A(x2, x1).

• Computing A(A(x1), x2) doesn’t require the knowledge of x1.

• Current systems store h = H(passwd || salt).

• For every account compute A(h).

A Deceptive Covert Communication: Enter username

A Deceptive Covert Communication: Check whether username exists?

    if usernameExists():
        A(h) = getHashedPass()
        s = getSalt()
        R = randomNonce()
        key = A(A(h), R)
        id = Bankid
        x = HMACkey(A(R), s, id)
        Send QR(A(R), x, id)

A Deceptive Covert Communication: User scans QR

A Deceptive Covert Communication: Check the integrity of QR

    h = Hash(passwd || salt)
    key = A(A(R), h)
    x' = HMACkey(A(R), id)
    if x == x' -> route (b)
    else       -> route (a)

A Deceptive Covert Communication: Verify the identity of application

A Deceptive Covert Communication: Covert message

A Deceptive Covert Communication: Generating code

code = A(A(R), h, msgs)

A Deceptive Covert Communication

A Deceptive Covert Communication: Verifying the code

code’ = A(A(R), h, possible msgs)

check code =? code’
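The slides from "A Deceptive Covert Communication" through "Verifying the code" describe one round of the protocol: the server stores only A(h) and a salt, sends A(R) plus an HMAC in a QR code, the phone checks that HMAC using a key it derives from the password, and the phone then answers with a short code that carries a covert message the server recovers by trying each possible message. The Python below is an added example written for this page, not code from the talk or the paper. It instantiates A() as modular exponentiation in a small toy group (p = 2^127 - 1, g = 3, chosen only for the demo), uses SHA-256 and HMAC-SHA256 as H and HMAC, assumes the salt is carried inside the QR payload so the phone can recompute h, shortens the accumulated value to a 5-character base64 code as assumed by the "Length of code" slide, and uses two constructed placeholder covert messages; none of those choices is specified on the slides.

```python
# Added example for this page; protocol sketch only, toy parameters.
import base64
import hashlib
import hmac
import secrets

# Constructed toy group: p is a Mersenne prime, g = 3. The slides only say
# A() "can be realized using modular exponentiation"; pick a real DH group in practice.
P = (1 << 127) - 1
G = 3
CODE_LEN = 5  # 5 symbols over a 64-symbol alphabet, per the "Length of code" slide

# Constructed placeholder covert messages; the slides only say "possible msgs".
MESSAGES = {"msg-A": 2, "msg-B": 3}


def int_bytes(v: int) -> bytes:
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")


def A(*xs: int) -> int:
    """Accumulation function A(x1, ..., xn) = g^(x1 * ... * xn) mod p."""
    e = 1
    for x in xs:
        e *= x
    return pow(G, e, P)


def A_on(acc: int, *xs: int) -> int:
    """A(A(x1), x2, ...) computed from A(x1) alone: acc^(x2 * ...) mod p.
    This is the property the server relies on: it never needs h, only A(h)."""
    e = 1
    for x in xs:
        e *= x
    return pow(acc, e, P)


def H(passwd: str, salt: bytes) -> int:
    """h = Hash(passwd || salt), as an integer exponent (SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(passwd.encode() + salt).digest(), "big")


def mac(key: int, *parts: bytes) -> bytes:
    """HMAC_key(parts...) with HMAC-SHA256 (assumed)."""
    return hmac.new(int_bytes(key), b"|".join(parts), hashlib.sha256).digest()


def to_code(value: int) -> str:
    """Shorten an accumulated value to a 5-character base64 code (assumed encoding)."""
    digest = hashlib.sha256(int_bytes(value)).digest()
    return base64.b64encode(digest).decode()[:CODE_LEN]


# Enrollment: the server keeps A(h) and the salt; h itself is never stored.
def enroll(passwd: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"A_h": A(H(passwd, salt)), "salt": salt}


# Server side, slide "Check whether username exists?": build the QR payload.
def server_challenge(store: dict, username: str, bank_id: bytes):
    if username not in store:
        return None, None
    rec = store[username]
    R = secrets.randbelow(P - 2) + 2          # fresh nonce per run
    key = A_on(rec["A_h"], R)                 # key = A(A(h), R)
    A_R = A(R)
    x = mac(key, int_bytes(A_R), rec["salt"], bank_id)
    qr = {"A_R": A_R, "x": x, "id": bank_id, "salt": rec["salt"]}  # salt in QR: assumption
    return qr, R                              # server remembers R for this session


# Phone side, slide "Check the integrity of QR": route (b) if the HMAC verifies, else route (a).
def client_verify_qr(passwd: str, qr: dict) -> str:
    h = H(passwd, qr["salt"])
    key = A_on(qr["A_R"], h)                  # A(A(R), h) == A(A(h), R) by commutativity
    x2 = mac(key, int_bytes(qr["A_R"]), qr["salt"], qr["id"])
    return "b" if hmac.compare_digest(x2, qr["x"]) else "a"


# Phone side, slide "Generating code": code = A(A(R), h, msg).
def client_code(passwd: str, qr: dict, msg: str) -> str:
    h = H(passwd, qr["salt"])
    return to_code(A_on(qr["A_R"], h, MESSAGES[msg]))


# Server side, slide "Verifying the code": try every possible message with A(h) and R.
def server_verify_code(store: dict, username: str, R: int, code: str):
    rec = store[username]
    for name, m in MESSAGES.items():
        if hmac.compare_digest(to_code(A_on(rec["A_h"], R, m)), code):
            return name
    return None


if __name__ == "__main__":
    store = {"alice": enroll("correct horse")}
    qr, R = server_challenge(store, "alice", b"bank-1")
    print("route:", client_verify_qr("correct horse", qr))
    code = client_code("correct horse", qr, "msg-B")
    print("code:", code, "->", server_verify_code(store, "alice", R, code))
```

The two sides never exchange h or A(h): the server raises A(h) to R, the phone raises A(R) to h, and both land on g^(hR) mod p, which is why the server can verify the code by enumerating the message set without ever holding the password hash.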

A Deceptive Covert Communication: The use of Deception

Comparison

Enhancements

• Full-transaction Authentication.

• Phone connectivity.

• Storage of Insensitive Information.

Thanks! Mohammed Almeshekah (@meshekah)

deceptions-request@cerias.purdue.edu

Length of code

• Having 64 possible characters (including alphanumeric characters and symbols):

• Probability of guessing a single character is 2^-6.

• When length = 5 -> prob. = 2^-30.

• Calculation of code includes a random number R.

• Adversary gains no advantage by learning any previous runs of the protocol.

Why use a smartphone

• The use of Software Guards.

• Reducing password exposure.