The Password Problem Will Only Get Worse - NWACC · 2014-06-12

Page 1

The Password Problem Will Only Get Worse

New technology for proving who we are

Isaac Potoczny-Jones – Galois & SEQRD
[email protected]
@SyntaxPolice

Page 2

Goals & Talk outline

● Update the group on authentication threats
● Update the group on authentication solutions
  – 2-factor authentication factors on the market
  – Single Sign-On
  – The state of various protocols
  – Get your advice on our approach
● Outline:
  – Background, Threat Landscape, Solutions, Our Approach

Page 3

About the Speaker

● Galois, Inc. - galois.com
  – Research & Development, mostly for the federal government
  – Computer security, safety, correctness, etc.
  – 40+ employees in Portland, OR
  – Founded in 1999
● SEQRD: A Galois spin-off – seqrd.com
  – Startup focusing on authentication
● Isaac's background:
  – BS Computer Science, MS Cybersecurity

Page 4

Authentication: Foundations

● Authentication is proving who you are
  – Or proving that you're the same person as last time
● Something you know
  – e.g. Passwords, PINs, screen patterns, first pet, etc.
● Something you have
  – Physical keys, secure tokens, mobile phones
● Something you are
  – Biometrics: fingerprint readers, etc.

Page 5

Single & Multi-Factor

● Single factor: One authentication method
  – Classics: Password, keys, keyfobs, keycards
● Multi-factor: More than one factor
  – Get more security by mixing methods: factors of different kinds (know + have), not two of the same kind
● Multi-factor classics
  – Debit card & PIN
  – Password & random-number token

Page 6

Uses for Authentication

● Remote authentication
  – e.g. proving who you are to a web site
  – That's our focus today
● Physical authentication
  – Granting access to locations, devices, or services
● Screen unlock
  – Mobile devices or computers

Page 7

Threat Landscape: Passwords

Page 8

Fundamental Problems

Passwords dominate, but:
● Bad passwords are easy to guess
● Good passwords are impossible to remember

But what's a good password?

To answer that, let's explore password attacks

Page 9

Massive Database Spills

● Causing acceleration in understanding of passwords
● LinkedIn: 6.5M (2012)
● Yahoo: ~450K (2012)
● RSA: SecurID token seed-keys stolen (2011)
● Gawker: 740K (2010)
● Sony: (2011)
● Stratfor: 800K (2011)
● RockYou: 32M (2009)

http://thepasswordproject.com/leaked_password_lists_and_dictionaries

Page 10

Brute-Force Attacks

[chart: brute-force cracking rates; source: Rob Graham, Errata Security]

Page 11

Password Cracking: oclHashcat-plus performance, 1 GPU benchmark

● NTLM: 7487M c/s
● MD5: 5144M c/s
● SHA1: 2030M c/s
● SHA256: 1003M c/s
● Password Safe: 495k c/s
● bcrypt $2a$: 3788 c/s

The gap between MD5 and bcrypt is more than a million to one: the hash a site chooses decides how many guesses per second an attacker gets from a stolen database.

source: http://hashcat.net/oclhashcat-plus/

Page 12

Hybrid Attacks – 90% Success

● Great article by Ars on password crackers
● Challenge: 3 crackers, 16,000+ hashes
● Outcome: 90% success
● Example attacker approach:

  Method                         Passwords uncovered   Time
  Brute force, 1-6 char length   1,300                 2.5 minutes
  Mixed brute force              2,600                 4.5 minutes
  Word list                      6,000                 9 minutes
  Hybrid                         2,700                 5 hours

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords

Page 13

So What's a Good Password?

● Long enough
  – Maybe 9+ characters
● Complex enough
  – Pretty much random, drawn from a large character set
● Not reused
  – Or risk the wrath of database spills
● But: the average user has 26 accounts* (I have 300)

*Source: Experian & Deloitte: http://goo.gl/4jrnha

Page 14

With 26 passwords, it's impossible

● Let's just admit it: we're asking the impossible
● Users can never remember 26 random passwords
● Users manage the problem:
  – Reuse is most common – users have about 5 passwords
  – Email reset - "I forgot my password"
  – Password managers – Firefox, KeePass, etc.

Page 15

Conclusions about Threats

● Crack speed is increasing, e.g. via GPUs
● Tool support is improving very quickly
● This is gaining steam as big password database spills give crackers more information about how people choose passwords
● Passwords can't get complex enough

Page 16

Result: 2 Factor is taking off

● Major Internet players offer it:
  – Google, Facebook, Twitter, Dropbox, etc.
● It's a good way to protect yourself from:
  – Password reuse by users
  – Other sites getting hacked

Page 17

Solutions

Page 18

Solutions: Identity Federation / Single Sign-On

There was a great talk on this yesterday

Page 19

Identity Federation: Moving Parts

● Service provider (SP): The site you log into
  – Also called "Relying Party" or RP
● Identity Provider (IdP): The site you log in with
● Typical workflow:
  – Visit Yahoo, click "login"
  – Get redirected to Google with a session token
  – Log into Google
  – Get redirected back to Yahoo with proof of login

Page 20

Identity Federation Workflow

Sign into Yahoo using Google (simplified). Parties: User & Browser, Yahoo (Service Provider), Google (Identity Provider).

1. User to Yahoo: "Let me in"
2. Yahoo to browser: "Ask Google" (redirect to the IdP)
3. User to Google: "I'm Isaac" (logs in at the IdP)
4. Google to browser: Login & attributes
5. Browser to Yahoo: Login & attributes
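The five-step exchange above, as an added example that is not part of the talk and not any real IdP's or SP's code: a Python sketch of an SP and an IdP passing a signed assertion through the browser. The assertion is signed with an HMAC under a shared key for brevity (real SAML signs with the IdP's private key and the SP checks the IdP's certificate); the entity names, the user "isaac", the timestamps and the 300-second validity window are assumptions. What the SP does in step 5 is the part worth reading: because the proof of login arrives via the browser, the SP checks signature, audience, validity window, that it asked for this login, and that the assertion has not been used before.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared signing key between the IdP and the SP. A real SAML
# deployment signs with the IdP's private key and the SP checks the IdP's
# X.509 certificate; an HMAC keeps this example short.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"


def sign(payload: dict, key: bytes) -> str:
    """Serialize the assertion canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify(token: str, key: bytes) -> dict:
    """Check the tag in constant time before trusting any field."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(body)


class ServiceProvider:
    """Yahoo in the slide: the site the user wants to get into."""

    def __init__(self, entity_id: str, key: bytes):
        self.entity_id = entity_id
        self.key = key
        self.pending = {}      # request id -> issue time (outstanding step-2 redirects)
        self.consumed = set()  # assertion ids already accepted (replay protection)

    def start_login(self, now: int) -> dict:
        # Steps 1-2: "Let me in" -> redirect the browser to the IdP with a request id.
        request_id = secrets.token_hex(8)
        self.pending[request_id] = now
        return {"sp": self.entity_id, "request_id": request_id}

    def finish_login(self, token: str, now: int) -> tuple:
        # Step 5: the proof of login comes back through the browser, so every
        # field is checked before the user is let in.
        a = verify(token, self.key)
        if a["audience"] != self.entity_id:
            raise ValueError("assertion issued for a different SP")
        if not a["issued_at"] <= now < a["expires"]:
            raise ValueError("assertion outside its validity window")
        if a["id"] in self.consumed:
            raise ValueError("assertion replayed")
        if a["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or stale assertion")
        del self.pending[a["in_response_to"]]
        self.consumed.add(a["id"])
        return a["subject"], a["attributes"]


class IdentityProvider:
    """Google in the slide: the site the user logs in with."""

    def __init__(self, key: bytes, users: dict):
        self.key = key
        self.users = users  # constructed; a real IdP stores password hashes, not passwords

    def authenticate(self, request: dict, username: str, password: str, now: int, ttl: int = 300) -> str:
        # Step 3: the user proves who they are to the IdP.
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("bad credentials")
        # Step 4: signed assertion, bound to this SP and to this request.
        assertion = {
            "id": secrets.token_hex(8),
            "subject": username,
            "audience": request["sp"],
            "in_response_to": request["request_id"],
            "issued_at": now,
            "expires": now + ttl,
            "attributes": {"groups": user["groups"]},
        }
        return sign(assertion, self.key)


def demo(now: int = 1402531200) -> tuple:
    """Run steps 1-5 once; returns what the SP learned plus the token and SP for inspection."""
    sp = ServiceProvider("https://yahoo.example", IDP_SIGNING_KEY)
    idp = IdentityProvider(IDP_SIGNING_KEY, {"isaac": {"password": "hunter2", "groups": ["staff"]}})
    request = sp.start_login(now)
    token = idp.authenticate(request, "isaac", "hunter2", now)
    subject, attributes = sp.finish_login(token, now + 5)
    return subject, attributes, token, sp
```

The audience and in_response_to checks are what stop an assertion minted for one site, or captured from one login, from being presented somewhere else; the consumed set is what makes the token single-use. Any plugin that skips one of these accepts more than it should.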

Page 21

OpenID

● OpenID seems to have lost momentum
● Relying parties are a problem: on the mainstream Internet, there are very few
● Yahoo: Accepts Google & Facebook
  – Google & Facebook are IdPs for OpenID & OAuth
● Facebook: Accepted logins in 2009 - stopped
  – If there's a way, I can't figure it out
● myopenid.com: shutting down

Page 22

OAuth

● Used for authorization in lots of sites
● Often also used for some kinds of authentication
● OAuth 2 worries:
  – Facebook has had several OAuth vulns this year
  – The standard was abandoned / lambasted by its editor, now under new stewardship
  – Both too complex & under-specified

http://thehackernews.com/search?q=Facebook%20OAuth
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

Page 23

Security Assertion Markup Language - SAML

● Seems to be gaining momentum
● Federation & SSO – InCommon, Education, Enterprise
  – Also used to share attributes – groups, etc.
● Accepted by Google Apps, Dropbox, Salesforce, etc.
● Major implementations
  – Shibboleth (Java), SimpleSAMLphp
● Plugins for lots of platforms
  – I audited plugins for Drupal & WordPress
  – They were very insecure.

Page 24

Central Authentication Service (CAS)

● Somewhat similar to SAML
● Widespread use in the academic community
● Can also be used for attribute exchange
● Java / Spring system
● Integrates with: Active Directory, LDAP, X.509, passwords, OpenID, SAML, etc.

https://wiki.jasig.org/display/CAS/CAS+Deployers

Page 25

Cloud SSO Services (IdP)

● Largely based on SAML
● Mostly subscription SaaS
  – Instead of operating your own IdP
● They work to integrate service providers
● Ping Identity, OneLogin, Okta, Centrify, Symplified, probably others
● Janrain – Social login & user management

Page 26

Physical Factors

Page 27

Physical Tokens

● YubiKey – Small; emits one-time or fixed passwords; pretends to be a USB keyboard
● Random-number tokens
  – RSA SecurID
  – Google Authenticator (soft token app)
  – Lots of similar tokens
● Hardware benefits & drawbacks:
  – Benefits: Tamper-resistant & can't get viruses; the secret never leaves the device
  – Drawbacks: Can't put 100 of them on your keychain

Page 28

Password Managers

● Saves the passwords on the client
  – Problematic for moving between clients
  – Often have cloud options
● Becomes "something you have" (e.g. laptop)
  – Often also locked / encrypted in a keychain
  – Hey look! It's 2-factor auth!
● In the browser (e.g. Firefox, Chrome)
● In a browser plugin (e.g. LastPass, 1Password)
● Native client (e.g. KeePass)
● Problem: Logging in on different devices

Page 29

Mobile Phone Factors

● Mobile phone factors are a great trade-off!
● Google Authenticator random number (app)
● Text message random number
  – Used by Facebook, Twitter, TeleSign
● In-app push-based notifications
  – Twitter, Duo Security, others
● PhoneFactor (Microsoft) – Text, Voice, Push

Page 30

How to use your phone as a password manager today

● On your computer:
  – Visit the website you want to log into
  – Instead of "login", click "forgot my password"
  – Type in your email address
● On your phone:
  – Open the reset email
  – Reset your password
● Log in on your computer
● So what happens when you lose your phone?

Page 31

Summary: Each factor has drawbacks

● Something you know: Basically passwords
  – Doesn't scale beyond a handful of secure passwords
● Something you have
  – Physical token: Doesn't scale beyond the size of your keyring
  – Mobile phone: Seems most promising to me
● Something you are: Biometrics are not secret
● Federation / SSO: If only we could agree to agree

Page 32

SEQRD

Page 33

Mobile Authentication Factor

● How we're trying to solve this
● Looking for your feedback
● Passwords are terrible
● Let's replace passwords with a mobile phone
● Get 2 factor with a password or PIN
● Integrated with SAML & REST API
● Demo

Page 34

How it Works – User's Perspective

Logging In:
1. Scan QR code
2. Secure authentication
3. Login approved

Creating an Account:
1. Scan QR code
2. Account creation

Page 35

How 2 Factor Works - 1

First Factor - Password: Type a password

Second Factor - SEQRD:
1. Scan QR code
2. Secure authentication

Page 36

How 2 Factor Works - 2 (PIN variant: both factors on the phone)

Second Factor - SEQRD:
1. Scan QR code
2. Type PIN (decrypts the key on the phone)
3. Secure authentication

Page 37

How it Works – Under the hood

Parties: the browser (with cookie storage), the web site (blog.seqrd.com, with its user database) and the phone app (with its key storage).

1. Browser to web site: Login request
2. Web site to browser: Session key (stored in a cookie)
3. Web site to browser: QR code, which includes the session key and a challenge
4. Browser cookie storage: Web site & session key
5. App scans QR code: session key, challenge
6. App storage lookup: User ID and shared secret for this web site
7. App computes OTP = OCRA(challenge, shared secret)
8. App to web site: User ID, OTP, session key
9. Web site storage lookup: Shared key for the user ID
10. Web site computes the OTP and checks that it matches
11. Session key marked authenticated
12./13. Approved (reported to the browser session and to the app)
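Steps 2 through 11 of the diagram, as an added example that is not SEQRD's code: the web site and the phone app as two Python classes exchanging a session key, a challenge and an OTP. The OTP is RFC 6287 OCRA with the RFC's example numeric-challenge suite OCRA-1:HOTP-SHA1-6:QN08 (the slide does not say which suite SEQRD uses, so that is an assumption, as are the site name in the QR payload, the user "isaac" and the 20-byte secrets); the cookie, the QR transport and the PIN-based key decryption are left out.

```python
import hashlib
import hmac
import secrets

# RFC 6287 OCRA with the RFC's example numeric-challenge suite. The slide does
# not name the suite SEQRD uses, so this choice is an assumption.
SUITE = b"OCRA-1:HOTP-SHA1-6:QN08"


def ocra(secret: bytes, challenge: str, digits: int = 6) -> str:
    """OCRA-1:HOTP-SHA1-6:QN08: HMAC-SHA1 over suite || 0x00 || Q, then HOTP truncation.
    Q is the decimal challenge as a hex string, right-padded with zeros to 128 bytes."""
    q_hex = format(int(challenge, 10), "X").ljust(256, "0")
    message = SUITE + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class WebSite:
    """blog.seqrd.com in the diagram: holds shared secrets and login sessions."""

    def __init__(self):
        self.secrets = {}   # user id -> shared secret (looked up in step 9)
        self.sessions = {}  # session key -> {"challenge", "authenticated", "user"}

    def enroll(self, user_id: str) -> bytes:
        # Account creation: the shared secret is handed to the app (QR code on screen).
        secret = secrets.token_bytes(20)
        self.secrets[user_id] = secret
        return secret

    def login_request(self) -> dict:
        # Steps 2-3: fresh session key for the browser cookie, fresh challenge in the QR code.
        session_key = secrets.token_hex(16)
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self.sessions[session_key] = {"challenge": challenge, "authenticated": False, "user": None}
        return {"site": "blog.seqrd.com", "session_key": session_key, "challenge": challenge}

    def verify(self, user_id: str, otp: str, session_key: str) -> bool:
        # Steps 9-11: recompute the OTP for this session's challenge and compare.
        session = self.sessions.get(session_key)
        if session is None or session["authenticated"] or user_id not in self.secrets:
            return False
        expected = ocra(self.secrets[user_id], session["challenge"])
        if not hmac.compare_digest(expected, otp):
            return False
        session["authenticated"] = True   # challenge consumed: a replayed OTP fails
        session["user"] = user_id
        return True


class PhoneApp:
    """The app side: one (user id, shared secret) per site (decrypted by the PIN in practice)."""

    def __init__(self):
        self.accounts = {}  # site -> (user id, shared secret), step 6

    def register(self, site: str, user_id: str, secret: bytes) -> None:
        self.accounts[site] = (user_id, secret)

    def scan_qr(self, qr: dict) -> tuple:
        # Steps 5, 7, 8: read session key + challenge, compute the OTP, send it with the user id.
        user_id, secret = self.accounts[qr["site"]]
        return user_id, ocra(secret, qr["challenge"]), qr["session_key"]


def demo() -> tuple:
    """One login: enroll, request, scan, verify, then replay the same OTP.
    Returns (verified, replay_rejected, site)."""
    site, app = WebSite(), PhoneApp()
    app.register("blog.seqrd.com", "isaac", site.enroll("isaac"))
    qr = site.login_request()
    user_id, otp, session_key = app.scan_qr(qr)
    verified = site.verify(user_id, otp, session_key)
    replay_rejected = not site.verify(user_id, otp, session_key)
    return verified, replay_rejected, site
```

Binding the OTP to a fresh, site-issued challenge and marking the session authenticated exactly once is what makes a captured OTP worthless afterwards (the eavesdropping rows of the threat tables); the same HOTP truncation is what Google Authenticator codes use, with a counter or time step in place of the challenge. The site name in the QR payload here only selects which secret the app uses; nothing in this sketch addresses a live relay of the QR code, which is a different problem from replay. The ocra function can be checked against the test vectors in RFC 6287.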

Page 38

Threats & Mitigations During Registration & Issuance

Threat: Impersonation of claimed identity
  Mitigation: Stronger identification, government-issued ID, bills
Threat: Repudiation of registration
  Mitigation: Signed forms
Threat: Disclosure during transmission
  Mitigation: Issue in person
Threat: Tampering during transmission
  Mitigation: Establish a procedure
Threat: Unauthorized issuance
  Mitigation: Establish a procedure

Source: NIST SP 800-63-1

Page 39

Threats & Mitigations Against Tokens

Threat: Theft
  Mitigation: Multi-factor w/ PIN or biometric
Threat: Duplication
  Mitigation: Hardware crypto tokens
Threat: Eavesdropping
  Mitigation: Dynamic & challenge/response
Threat: Offline cracking
  Mitigation: High entropy & lockout
Threat: Phishing
  Mitigation: Dynamic & challenge/response
Threat: Social engineering
  Mitigation: Dynamic & challenge/response
Threat: Online guessing
  Mitigation: High entropy

Source: NIST SP 800-63-1

Page 40

SEQRD - Threats & Mitigations Against Tokens

Threat: Disclosure during transmission
  Mitigation: QR code on your screen, or send the crypto key by snail mail
Threat: Theft
  Mitigation: Multi-factor w/ PIN & password, revocation
Threat: Duplication
  Mitigation: Tricky on mobile! Software-based protections
Threat: Eavesdropping
  Mitigation: One-time passwords (OTP), challenge & response
Threat: Offline cracking
  Mitigation: Long cryptographic keys
Threat: Phishing
  Mitigation: OTP / challenge & response
Threat: Social engineering
  Mitigation: OTP / challenge & response
Threat: Online guessing
  Mitigation: Long cryptographic keys

Page 41

Conclusions

● Threats against passwords are really bad
● Use 2-factor auth to greatly increase security
● SAML for SSO
● Mobile phone factors are a good trade-off
● Contact info: [email protected]