Top

Published in:

2019 | OriginalPaper | Chapter

Practical Password Hardening Based on TLS

Authors : Constantinos Diomedous, Elias Athanasopoulos

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Text-based passwords are still the dominant form of user authentication in remote services. Beyond the many usability issues associated with handling several text-based passwords, security is also an important dimension. Through the years, a significant amount of on-line services has been compromised and their stored passwords have been leaked. Once the database is compromised, it takes little time for a program to crack the cryptographically hashed (weak) passwords, no matter the algorithm used.

In response to this problem, researchers have proposed cryptographic services for hardening all stored passwords. These services perform several sessions of cryptographic hashing combined with message authentication codes. The goal of these services is to coerce adversaries to use them while cracking the passwords. This essentially transforms off-line password cracking to on-line.

Although these services incorporate elaborate cryptographic schemes for password hardening, it is unclear how easily typical web sites can utilize them without outsourcing the functionality to large providers. In this paper, we take a systems approach for making any web site that is serviced through TLS capable of strongly hardening their passwords. We observe that any TLS-enabled web server is already equipped with strong cryptographic functions. We modify mod_ssl, the module that offers TLS to any Apache web server, to act as a password-hardening service. Our evaluation shows that with an overhead similar to adapting hash functions (such as scrypt and bcrypt), our proposal can protect even the weakest passwords, once they are leaked.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter DPX: Data-Plane eXtensions for SDN Security Service Instantiation

next chapter Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks

Available only for authorised users

But not unseen [6].

The term weak here is not associated necessarily with password entropy [15], but with guessing probability. Even high-entropy passwords can be cracked if they are based on known words [1].

Involving a secret key in the computation can be seen also as adding pepper [15] to the password.

Bible References Make Very Weak Passwords. https://boingboing.net/2017/01/07/bible-references-make-very-wea.html. Accessed Jan 2019

Drupal - Open Source CMS. https://www.drupal.org. Accessed Jan 2019

Hacker Posts 6.4 Million LinkedIn Passwords. http://www.technewsdaily.com/7839-linked-passwords-hack.html

\({\text{mod}}_{\text{ ssl }}\): The apache interface to OpenSSL. http://www.modssl.org. Accessed Jan 2019

Online Hash Crack. https://www.onlinehashcrack.com. Accessed Jan 2019

Plain Text Offenders. http://plaintextoffenders.com. Accessed Jan 2019

Protecting Basecamp from Breached Passwords. https://m.signalvnoise.com/protecting-basecamp-from-breached-passwords/. Accessed Feb 2019

Sony Hacked Again, 1 Million Passwords Exposed. http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111

Twitter Detects and Shuts Down Password Data Hack in Progress. http://arstechnica.com/security/2013/02/twitter-detects-and-shuts-down-password-data-hack-in-progress/

10.

WordPress - Create a Website in Minutes. https://wordpress.com. Accessed Jan 2019

11.

Muffet, A.: Facebook: password hashing and authentication. https://video.adm.ntnu.no/pres/54b660049af94. Accessed Jan 2019

12.

Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_2CrossRef

13.

Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11CrossRef

14.

Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84. IEEE (1992)

15.

Burr, W.E., Dodson, D.F., Polk, W.T., et al.: Electronic authentication guideline. Commonly known as: Draft NIST Special Publication 800-63-2 (2004)

16.

Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, 23–26 February 2014

17.

Dhamija, R., Tygar, J., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, SIGCHI (2006)

18.

Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.2. Technical report (2008)

19.

Everspaugh, A., Chaterjee, R., Scott, S., Juels, A., Ristenpart, T.: The Pythia PRF service. In: 24th USENIX Security Symposium (USENIX Security 2015), pp. 547–562. USENIX Association, Washington, D.C. (2015)

20.

Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings of the Symposium on Usable Privacy and Security, SOUPS (2006)

21.

Gelernter, N., Kalma, S., Magnezi, B., Porcilan, H.: The password reset MitM attack. In: IEEE Symposium on Security and Privacy (SP), vol. 00, pp. 251–267, May 2017

22.

Hill, K.: Google says not to worry about 5 million Gmail passwords leaked. http://www.forbes.com/sites/kashmirhill/2014/09/11/google-says-not-to-worry-about-5-million-gmail-passwords-leaked/

23.

Karapanos, N., Capkun, S.: On the effective prevention of TLS man-in-the-middle attacks in web applications. In: USENIX Security Symposium, vol. 23, pp. 671–686 (2014)

24.

Kontaxis, G., Athanasopoulos, E., Portokalidis, G., Keromytis, A.D.: SAuth: protecting user accounts from password database leaks. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 187–198. ACM, New York (2013)

25.

Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-hashing for message authentication. Technical report (1997)

26.

Lai, R.W.F., Egger, C., Reinert, M., Chow, S.S.M., Maffei, M., Schröder, D.: Simple password-hardened encryption services. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 1405–1421. USENIX Association, Baltimore (2018)

27.

Lai, R.W.F., Egger, C., Schröder, D., Chow, S.S.M.: Phoenix: rebirth of a cryptographic password-hardening service. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 899–916. USENIX Association, Vancouver (2017)

28.

U.S. Department of Commerce, National Institute of Standards, and Technology: Secure Hash Standard - SHS: Federal Information Processing Standards Publication 180-4. CreateSpace Independent Publishing Platform, USA (2012)

29.

Provos, N., Mazieres, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999)

30.

Rivest, R.: The MD5 message-digest algorithm. Technical report (1992)

31.

Schneider, J., Fleischhacker, N., Schröder, D., Backes, M.: Efficient cryptographic password hardening services from partially oblivious commitments. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1192–1203. ACM, New York (2016)

32.

Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 5. USENIX Association, Berkeley (2012)

33.

von Ahn, L., Maurer, B., McMillen, C., Abraham, D., Blum, M.: reCAPTCHA: human-based character recognition via web security measures. Science 321(5895), 1465–1468 (2008)MathSciNetCrossRef

34.

Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2CrossRef

35.

Wu, T.D., et al.: The secure remote password protocol. In: NDSS, vol. 98, pp. 97–111. Citeseer (1998)

Title: Practical Password Hardening Based on TLS
Authors: Constantinos Diomedous
Elias Athanasopoulos
Publisher: Springer International Publishing
Book: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_21

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner