Slow Down Online Guessing Attacks with Device Cookies

Post on 12-Apr-2017

19 views 0 download

Preview:

Click to see full reader
Report this document
SHARE

transcript

Slow DownOnline Guessing Attacks

with Device CookiesAnton Dedov

OWASP Russia Meetup #6, 2017

Anton DedovSecurity ArchitectOdin / Ingram Micro

adedov@gmail.com@brutemorse

Intro: Online guessing attacks

Attacker goals

Password for specific accountPassword for any account in a systemPassword for any account in any system

Threats for Authentication

Online attacksOffline attacksPassword leaks

user : password1

Online guessing attacks

user : password2user : password3

...

Authentication attacks: Mitigations

M-FA / M-Step UX!Password policy Magic 106

Rate limiting Authentication parameters e.g. time, location, etc.Monitoring e.g. haveibeenpwned.com

https://haveibeenpwned.com/

© Cormac Herley et al. An Administrator’s Guide to Internet Password Research

https://www.microsoft.com/en-us/research/people/cormac/
https://www.microsoft.com/en-us/research/publication/an-administrators-guide-to-internet-password-research/
https://www.microsoft.com/en-us/research/publication/an-administrators-guide-to-internet-password-research/
https://www.microsoft.com/en-us/research/publication/an-administrators-guide-to-internet-password-research/

Rate limiting

CAPTCHAAccount lockoutExponential timeoutsProof of work

Account lockout: simple math

5 attempts ⇒ 20 min. lockout131400 attempts/year

Account lockoutLock account Effective

Easy DoS

Lock (account, IP) Somewhat DoS mitigationBotnetsProxiesIPv6DoS as a collateral damage

Device CookieDistinguish known clients from unknown ones

Lockout all unknown devices at once

Lockout individual userper device cookie

user : passworduser : passwordDevice Cookie

Set-Cookie: KnownDevice=LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

Set-Cookie: KnownDevice=JWT{ "alg": "HS256", "typ": "JWT”} . { "aud": "device-cookie", "sub": "adedov@odin.com", "jti": "40e2a97a2ab37406”}

Threats & MitigationsThreat MitigationOnline attack against one user Password policyOnline attack using stolen device cookies Limited, prevent cookie leaks

Online attack against multiple users Not mitigatedSpoof device cookie CryptoTamper with existing device cookie CryptoDoS for specific account OOB device cookie issueDoS for specific account when client is used by different accounts

Device cookies per account

Implementation recommendations

Use good crypto, like HMAC-SHA2 or signed JWT.Prevent cookie leakage with Secure & HttpOnly flags.Issue cookie for valid reset password link.Issue new device cookie after each successful login.Include user ID into cookie name (privacy concerns?).

References

OWASP: Slow Down Online Guessing Attacks with Device CookiesPasswordsCon, and specific talks from PasswordsCon 14:• Marc Hause talk Online Password Attacks• Alec Muffet talk Facebook Password Hashigh & Authentication

An Administrator’s Guide to Internet Password Research

https://www.owasp.org/index.php/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
https://passwordscon.org/
http://video.adm.ntnu.no/pres/549401c165887
http://video.adm.ntnu.no/pres/54b660049af94
https://www.microsoft.com/en-us/research/publication/an-administrators-guide-to-internet-password-research/
https://www.microsoft.com/en-us/research/publication/an-administrators-guide-to-internet-password-research/
https://www.microsoft.com/en-us/research/publication/an-administrators-guide-to-internet-password-research/

Top related

SECURITY 115 Mitigating Cybersecurity Risk: Audit Perspective · • Brute force attacks (e.g., password guessing) ... Steps for Securing Your Environment 1. Define roles and responsibilities
Documents
Using Contextual Clues in Guessing Foreign Language ... · guessing the meaning of words from contextual clues or what is called the guessing from context strategy (GFC s). Guessing
Documents
Introduction - Microsoft... · Web viewTo be secure from brute-force guessing attacks, keys need to be securely generated with a cryptographically strong random number generator.
Documents
Guessing Attacks on User-Generated Gesture Passwordsjannelindqvist.com/publications/IMWUT17-gesture-guessingattacks.pdf · Guessing A˛acks on User-Generated Gesture Passwords •
Documents
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE …mmannan/publications/pgrp-tdsc-dr… · Revisiting Defenses against Large-Scale Online Password Guessing Attacks Mansour Alsaleh, Mohammad
Documents
Picking vs. Guessing Secrets: A Game-Theoretic Analysis ... · Guessing attacks are often categorized as online and offline based on their context of execution [8]. Online attacks
Documents
Adjustment for guessing
Technology
Color guessing game
Documents
Secure Shell: SSH - Columbia Universitysmb/classes/f06/l12.pdf · Password Guessing Attacks on SSH Secure Shell: SSH Client Authentication Client Authentication Password Authentication
Documents
An Efficient Public-Key Searchable Encryption Scheme …An Efficient Public-Key Searchable Encryption Scheme Secure against Inside Keyword Guessing Attacks Qiong Huanga,b, Hongbo
Documents
Guessing german gender
Education
REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS
Documents
GUESSING GAME
Documents
The Guessing Game
Documents
Guessing Games
Documents
Intelligent Guessing
Documents
Machine Learning Based DDoS Attack Detection From ...palms.ee.princeton.edu/system/files/Machine_Learning...such brute-force password guessing attacks. B. DDoS Attacks from the Cloud
Documents
CA-KEP : A Secure CA Based 2-Party Key Exchange Protocoljkalita/papers/2012/BhuyanMonowarJIAS2012.pdf · Advantages and limitations of 2PAKE: Password guessing attacks are classified
Documents
Guessing Game Afternoon
Education
«Slow down online guessing attack with Device Cookies», Антон Дедов (Odin)
Internet

Copyright © 2018 DOCUMENTS