Maintaining a Cache of Previously Queried Prefixes
“Telepathwords: Preventing weak passwords by reading users’ minds.”
Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter.
In 23rd USENIX Security Symposium (USENIX Security 14). San Diego, CA: USENIX Association, pp. 591-606. 2014.
Presented by: Nazish Khan
Summary
Requires efficient algorithms that model users’ behaviour and use the already-typed characters to predict the next ones
Real-time predictions drawn from several predictors:
Common character sequences
Keyboard movements
Repeated strings
Interleaved strings
Compared Telepathwords with composition rules
Feedback bar
Prediction display
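The four predictors named above are the core of the approach: each looks at the characters typed so far and proposes what comes next. The following is an added illustration, not code from the Telepathwords paper or its authors; the QWERTY rows, the tiny training word list and the prediction rules are this example's own simplifications, and each function returns the characters it would predict for a prefix (the real system weights predictions with a much larger language model).

```go
package main

import "strings"

// Simplified US QWERTY rows; the walk rule is this example's, not the paper's.
var qwertyRows = []string{"qwertyuiop", "asdfghjkl", "zxcvbnm"}

// Constructed training words for the common-sequence predictor; the real
// system uses a much larger language model.
var corpus = []string{"password", "letmein", "welcome", "iloveyou", "monkey"}

// CommonSequencePredictor returns the character that most often followed the
// last typed character in the corpus (a bigram model in miniature).
func CommonSequencePredictor(prefix string) []rune {
	p := []rune(prefix)
	if len(p) == 0 {
		return nil
	}
	counts := map[rune]int{}
	for _, w := range corpus {
		r := []rune(w)
		for i := 0; i+1 < len(r); i++ {
			if r[i] == p[len(p)-1] {
				counts[r[i+1]]++
			}
		}
	}
	best, bestN := rune(0), 0
	for c, n := range counts { // ties broken by lowest codepoint, for determinism
		if n > bestN || (n == bestN && c < best) {
			best, bestN = c, n
		}
	}
	if bestN == 0 {
		return nil
	}
	return []rune{best}
}

// KeyboardMovementPredictor: if the last two keys are horizontal neighbours on
// one row, predict that the walk continues ("asd" -> 'f', "poi" -> 'u').
func KeyboardMovementPredictor(prefix string) []rune {
	p := []rune(prefix)
	if len(p) < 2 {
		return nil
	}
	for _, row := range qwertyRows {
		i, j := strings.IndexRune(row, p[len(p)-2]), strings.IndexRune(row, p[len(p)-1])
		if i < 0 || j < 0 || (j-i != 1 && j-i != -1) {
			continue
		}
		if k := j + (j - i); k >= 0 && k < len(row) {
			return []rune{rune(row[k])}
		}
	}
	return nil
}

// RepeatedStringPredictor: if the prefix is periodic with period k ("abcab"
// has period 3), predict the character k positions back.
func RepeatedStringPredictor(prefix string) []rune {
	p := []rune(prefix)
	for k := 1; k < len(p) && (k == 1 || len(p)-k >= 2); k++ {
		periodic := true
		for i := 0; i+k < len(p); i++ {
			periodic = periodic && p[i] == p[i+k]
		}
		if periodic {
			return []rune{p[len(p)-k]}
		}
	}
	return nil
}

// InterleavedStringPredictor splits the prefix into the characters at even and
// odd positions ("a1b2c" -> "abc" and "12") and predicts the next character of
// the stream that is due, by repetition or by a +/-1 codepoint sequence.
func InterleavedStringPredictor(prefix string) []rune {
	p := []rune(prefix)
	if len(p) < 4 {
		return nil
	}
	var s []rune
	for i := len(p) % 2; i < len(p); i += 2 { // positions with the parity about to be typed
		s = append(s, p[i])
	}
	if r := RepeatedStringPredictor(string(s)); r != nil {
		return r
	}
	if d := s[len(s)-1] - s[len(s)-2]; d == 1 || d == -1 {
		return []rune{s[len(s)-1] + d}
	}
	return nil
}
```

A feedback UI in the style of the paper would run every predictor on each keystroke and show the union of their predictions; a character the user then types that matches a prediction contributes little strength, which is the signal the authors use to discourage weak choices.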
Storing Previous Queries
In an ideal situation, we would want no evidence of past requests
Authors take a security risk by maintaining a cache of previously queried prefixes on the server
Cache of past requests
Removal of past requests
Issues
Why is it a security risk?
Cache becomes a central point of storage for previous queries, and so an attractive target for attack
Is confidentiality guaranteed? No
Is integrity guaranteed? No
Protect the log but what about the cache?
Securing the Log
Requests one-time session key
Generates the session key, encrypts it with a public key and writes the encrypted session key to the log
Log
Sends the session key
XORs the traffic with a stream cipher keystream derived from symmetric encryption (AES)
Justification
Authors hardly justify their decision to go ahead with this risk.
Why did they take this risk?
Reuse queries
Faster processing
Route all client-server communications over HTTPS
Server is unable to read the contents of the online log
Conclusion
Cache is not protected
An attacker could gain access to the data
No confidentiality or integrity
While a user is typing, there is no protection mechanism for the data held in memory.
The log has only been encrypted, which caters for confidentiality alone
An attacker could modify its contents, a threat to integrity
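The "Securing the Log" steps and the integrity point in this conclusion can be checked concretely. The Go program below is an added example and not the paper's or the authors' code: it wraps a fresh session key with an RSA public key (the record written to the log), encrypts sample queries by XORing them with an AES-CTR keystream, and then shows that decryption of a log modified by a single bit still succeeds without any error, whereas the same session key used with an authenticated mode (AES-GCM) rejects the modified log. The key sizes, the use of OAEP and the sample query lines are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewSessionKey returns a fresh 256-bit AES key: the one-time session key.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapKey encrypts the session key with the log's RSA public key (OAEP with
// SHA-256): the record written to the log so only the offline private key can recover it.
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// UnwrapKey is the offline counterpart, run by the private-key holder.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// SealCTR XORs the records with an AES-CTR keystream: the "stream cipher built
// on AES" of the slide. It provides confidentiality only.
func SealCTR(key, records []byte) (nonce, body []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	body = make([]byte, len(records))
	cipher.NewCTR(block, nonce).XORKeyStream(body, records)
	return nonce, body, nil
}

// OpenCTR is the same XOR. It cannot fail on a modified body: a changed
// ciphertext byte silently becomes a changed plaintext byte.
func OpenCTR(key, nonce, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(body))
	cipher.NewCTR(block, nonce).XORKeyStream(out, body)
	return out, nil
}

// SealGCM uses the same session key with an authenticated mode (AES-GCM), so
// the stored log carries a tag and OpenGCM rejects any altered byte.
func SealGCM(key, records []byte) (nonce, body []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, records, nil), nil
}

func OpenGCM(key, nonce, body []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, body, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // log key pair; private half stays offline
	key, _ := NewSessionKey()
	wrapped, _ := WrapKey(&priv.PublicKey, key)
	nonce, body, _ := SealCTR(key, []byte("prefix=pass\nprefix=passw\n")) // constructed sample
	body[7] ^= 0x01 // the smallest possible modification of the stored log
	k, _ := UnwrapKey(priv, wrapped)
	plain, err := OpenCTR(k, nonce, body)
	fmt.Printf("CTR after a stored bit flip: %q err=%v\n", plain, err) // decrypts, no error
}
```

The design point is that the hybrid scheme on the slide addresses confidentiality of the log at rest, while integrity needs an authentication tag (an AEAD mode such as GCM, or a MAC over the CTR output) that the reader verifies before trusting a record; the cache in server memory, which the deck criticises, is covered by neither.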
Thank you
Questions?
My opinion
I have my doubts regarding the realistic use of this system
Some crucial thought needs to be given to the following questions:
Is security really important in such a system?
How to cater for the trade-off between security and usability? What’s more important? To whom?