Posted: 12-Apr-2017 | Category: Software | Uploaded by: anton-dedov
Slow Down Online Guessing Attacks with Device Cookies
Anton Dedov
OWASP Russia Meetup #6, 2017
Intro: Online guessing attacks
Attacker goals
• Password for a specific account
• Password for any account in a system
• Password for any account in any system

Threats for authentication
• Online attacks
• Offline attacks
• Password leaks

Online guessing attacks
user : password1
user : password2
user : password3
...
Authentication attacks: Mitigations
• M-FA / M-Step UX!
• Password policy (the "magic" 10^6 guesses)
• Rate limiting
• Authentication parameters, e.g. time, location, etc.
• Monitoring, e.g. haveibeenpwned.com
© Cormac Herley et al., An Administrator's Guide to Internet Password Research
Rate limiting
• CAPTCHA
• Account lockout
• Exponential timeouts
• Proof of work
Account lockout: simple math
5 attempts ⇒ 20 min. lockout ⇒ 131,400 attempts/year (5 attempts × 3 lockout windows per hour × 8,760 hours)
Account lockout
• Lock the account: effective, but an easy DoS.
• Lock the (account, IP) pair: somewhat mitigates the DoS, but botnets, proxies and IPv6 address space defeat it, and DoS remains as collateral damage.
Device Cookie
• Distinguish known clients from unknown ones.
• Lock out all unknown devices at once.
• Lock out an individual user per device cookie.
(login diagram: user : password, with the Device Cookie sent alongside the credentials)
Set-Cookie: KnownDevice=LOGIN|NONCE|HMAC(secret-key, LOGIN|NONCE)
Set-Cookie: KnownDevice=JWT{ "alg": "HS256", "typ": "JWT" } . { "aud": "device-cookie", "sub": "[email protected]", "jti": "40e2a97a2ab37406" }
Threats & Mitigations
Threat                                                             | Mitigation
Online attack against one user                                     | Password policy
Online attack using stolen device cookies                          | Limited; prevent cookie leaks
Online attack against multiple users                               | Not mitigated
Spoof device cookie                                                | Crypto
Tamper with existing device cookie                                 | Crypto
DoS for specific account                                           | OOB (out-of-band) device cookie issue
DoS for specific account when client is used by different accounts | Device cookies per account
Implementation recommendations
• Use good crypto, like HMAC-SHA2 or signed JWT.
• Prevent cookie leakage with the Secure & HttpOnly flags.
• Issue a cookie on a valid password reset link.
• Issue a new device cookie after each successful login.
• Include the user ID in the cookie name (privacy concerns?).
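The following Python is an added example, not code from the talk, the OWASP cheat sheet or any project; it ties together the Device Cookie slide (the LOGIN|NONCE|HMAC format, lockout of all unknown devices at once versus lockout per device cookie) and the implementation recommendations above. Assumptions not on the slides: HMAC-SHA256 as the "HMAC-SHA2" choice, the 5-attempt / 20-minute numbers taken from the account-lockout slide, a hash of the user ID (rather than the raw ID) in the cookie name to keep the name cookie-safe, an in-memory store standing in for a database, and a caller that has already checked the password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-secret-key-not-for-production"
COOKIE_NAME_PREFIX = "KnownDevice"
MAX_FAILURES = 5              # from the "simple math" slide
LOCKOUT_SECONDS = 20 * 60     # 20 minutes, same slide


def issue_device_cookie(login: str, secret: bytes = SECRET_KEY) -> str:
    """Build LOGIN|NONCE|HMAC(secret, LOGIN|NONCE) as on the slide (HMAC-SHA256 assumed)."""
    nonce = secrets.token_hex(16)
    payload = f"{login}|{nonce}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_device_cookie(cookie: str, secret: bytes = SECRET_KEY) -> Optional[Tuple[str, str]]:
    """Return (login, nonce) if the tag verifies, else None (spoofed or tampered cookie)."""
    parts = cookie.rsplit("|", 2)          # nonce and tag never contain '|', login might
    if len(parts) != 3:
        return None
    login, nonce, tag = parts
    expected = hmac.new(secret, f"{login}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return login, nonce


def set_cookie_header(login: str, cookie_value: str) -> str:
    """Set-Cookie line with the Secure & HttpOnly flags; name carries a hash of the user ID (assumption)."""
    name = f"{COOKIE_NAME_PREFIX}-{hashlib.sha256(login.encode()).hexdigest()[:16]}"
    return f"Set-Cookie: {name}={cookie_value}; Secure; HttpOnly; Path=/login"


@dataclass
class LockoutStore:
    """In-memory counters: known devices keyed by (login, nonce), unknown clients keyed by login."""
    device_failures: dict = field(default_factory=dict)
    device_lock_until: dict = field(default_factory=dict)
    untrusted_failures: dict = field(default_factory=dict)
    untrusted_lock_until: dict = field(default_factory=dict)


def attempt_login(store: LockoutStore, login: str, password_ok: bool,
                  cookie: Optional[str], now: float) -> Tuple[str, Optional[str]]:
    """Return ('ok', new_cookie) | ('locked', None) | ('bad-password', None).

    A valid cookie for this login scopes the lockout to that device; any other client
    shares one 'unknown devices' lockout for the account, so a guessing run from
    unknown clients cannot lock out the user's own known devices.
    """
    parsed = verify_device_cookie(cookie) if cookie else None
    if parsed and parsed[0] == login:
        key, locks, fails = parsed, store.device_lock_until, store.device_failures
    else:
        key, locks, fails = login, store.untrusted_lock_until, store.untrusted_failures
    if locks.get(key, 0) > now:
        return "locked", None
    if password_ok:
        fails.pop(key, None)
        return "ok", issue_device_cookie(login)   # fresh cookie after every successful login
    fails[key] = fails.get(key, 0) + 1
    if fails[key] >= MAX_FAILURES:
        locks[key] = now + LOCKOUT_SECONDS
        fails.pop(key, None)
    return "bad-password", None


if __name__ == "__main__":
    store = LockoutStore()
    for _ in range(MAX_FAILURES):                      # guesses from an unknown client
        attempt_login(store, "alice", False, None, now=0.0)
    print(attempt_login(store, "alice", True, None, now=1.0)[0])        # locked
    known = issue_device_cookie("alice")
    status, fresh = attempt_login(store, "alice", True, known, now=1.0)
    print(status)                                                       # ok
    print(set_cookie_header("alice", fresh))
```

The lockout for unknown clients is deliberately keyed only by login, which is the "lock out all unknown devices at once" branch; the per-device branch is keyed by the verified nonce, so a lockout there hits one stolen or misused cookie rather than the account. Mitigating the remaining gap from the threats table (an attack spread across many users) is out of scope for this scheme and would need the other rate-limiting controls listed earlier.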
References
• OWASP: Slow Down Online Guessing Attacks with Device Cookies
• PasswordsCon, and specific talks from PasswordsCon 14:
  • Marc Heuse: Online Password Attacks
  • Alec Muffett: Facebook Password Hashing & Authentication
• An Administrator's Guide to Internet Password Research