cracking-resistant password vaults using natural language encoders rahul chatterjee uw-madison &...
TRANSCRIPT
Cracking-Resistant Password Vaults using Natural Language Encoders
Cracking-Resistant Password Vaults Using Natural Language EncodersRahul ChatterjeeUW-Madison& Cornell University (Fall 2015)Joseph BonneauStanford UniversityAri JuelsCornell Tech (Jacobs Inst.)Thomas RistenpartUW-Madison& Cornell Tech (next week)Hello Everyone. I am going to tell you how to create a password vault that can not be cracked offline.1Password Vaults(a.k.a Password Manager)
mypass4
Plaintext VaultEncrypted Vaultfamily00family01family.1qwertypoiuyt.12PKCS#5encryption0xe1f3f4a0x73bc52e0x4e5e3730x3c8b8ea0xe33188aCloud StorageMaster passwordA key security concern is what will happen if an attacker gets hold of an encrypted password vault; the attacker might either compromise the server or exfiltrate the vault from the users machine. In theory the encryption of the vault should protect the valuable user site credentials, but in practice 2
Password Vaults Increasing in Popularity
And many more.
Which attests to the demand for this kind of service.3Server CompromiseL. Whitney, LastPass CEO reveals details on security breach, CNet, May 2011.Exfiltration from Client MachineZ. Li et al., The emperors new password manager: Security analysis of web-based password managers, USENIX Security, 2014.Stealing Password Vaults
mypass4
Plaintext VaultEncrypted VaultCloud Storagefamily00family01family.1qwertypoiuyt.12PKCS#50xe1f3f4a0x73bc52e0x4e5e3730x3c8b8ea0xe33188a0xe1f3f4a0x73bc52e0x4e5e3730x3c8b8ea0xe33188aStealing Vault
A key security concern is what will happen if an attacker gets hold of an encrypted password vault; the attacker might either compromise the server or exfiltrate the vault from the users machine. In theory the encryption of the vault should protect the valuable user site credentials, but in practice 4Offline Brute Force Attack
0xe1f3f4a0x73bc52e0x4e5e3730x3c8b8ea0xe33188aDecryption(PKCS#5)?%?U? ? sU%aVault CiphertextOutput of Decryption123456passwordiloveyoumypass4abc123nicoleDaniel...Attackers guesses
Random Junkthe vault can be cracked using an offline Brute-force attack. Take the vault cipher text, and try to decrypt with master password guesses. When the wrong master password is used, decryption will fail, or output JUNK... 5Offline Brute Force Attack
0xe1f3f4a0x73bc52e0x4e5e3730x3c8b8ea0xe33188aDecryption(PKCS#5)?%?U? ?a sU%?%aVault CiphertextOutput of Decryption123456passwordiloveyoumypass4abc123nicoleDaniel...
Random JunkAttackers guessesOffline Brute Force Attack
0xe1f3f4a0x73bc52e0x4e5e3730x3c8b8ea0xe33188aDecryption(PKCS#5)770&c#a&a339019f*a?U%Vault CiphertextOutput of Decryption123456passwordiloveyoumypass4abc123nicoleDaniel...
Random JunkAttackers guessesOffline Brute Force Attack
0xe1f3f4a0x73bc52e0x4e5e3730x3c8b8ea0xe33188a123456passwordiloveyoumypass4abc123nicoleDaniel...Decryption(PKCS#5)family00family01family.1qwertypoiuyt.12Vault CiphertextOutput of Decryption[*] Hashing and salting slows down by small factor.
Yes, this is it.Runtime of the attack = # of decryption attemptsOffline Work*Attackers guessesbut when the real master password is used the easy-to-recognize legitimate plaintext will be recovered. The runtime of the attack is the number of decryption attempts he has to make. Standards for password-based encryption like PKCS#5 suggest using hash chains and salting, but this only slows down the attack by constant factor. We call the total attacker computational effort Offline Work as it requires no interaction with any servers. 8So What ?!?Lose Your VaultLose Your Passwords=70% of passwords can be cracked