Video: OWASP Russia Meetup #6 (https://www.meetup.com/OWASP-Russia/events/237926192/)

1. Slow Down
Online Guessing Attacks
with Device Cookies
Anton Dedov
OWASP Russia Meetup #6, 2017

2. Anton Dedov
Security Architect
Odin / Ingram Micro
adedov@gmail.com
@brutemorse

3. Intro: Online guessing attacks

4. App

5. App App
App
App
App
App
App
App
App

6. App
App
App
App
App

7. Attacker goals
Password for specific account
Password for any account in a system
Password for any account in any system

8. Threats for Authentication
Online attacks
Offline attacks
Password leaks

9. App
user : password1
Online guessing attacks
user : password2
user : password3
...

10. Authentication attacks: Mitigations
M-FA / M-Step UX!
Password policy Magic 106
Rate limiting ßßßßßßß
Authentication parameters e.g. time, location, etc.
Monitoring e.g. haveibeenpwned.com

11. © Cormac Herley et al. An Administrator’s Guide to Internet Password Research

12. Rate limiting
CAPTCHA
Account lockout
Exponential timeouts
Proof of work

13. Account lockout: simple math
5 attempts ⇒ 20 min. lockout
131400 attempts/year

14. Account lockout
Lock account Effective
Easy DoS
Lock (account, IP) Somewhat DoS mitigation
Botnets
Proxies
IPv6
DoS as a collateral damage

15. Device Cookie
Distinguish known clients from unknown ones

18. App
Lockout all unknown
devices at once
Lockout individual user
per device cookie
user : password
user : password
Device Cookie

19. Set-Cookie: KnownDevice=
LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

20. Set-Cookie: KnownDevice=JWT
{
"alg": "HS256",
"typ": "JWT”
} . {
"aud": "device-cookie",
"sub": "adedov@odin.com",
"jti": "40e2a97a2ab37406”
}

21. Threats & Mitigations
Threat Mitigation
Online attack against one user Password policy
Online attack using stolen device cookies Limited, prevent cookie leaks
Online attack against multiple users Not mitigated
Spoof device cookie Crypto
Tamper with existing device cookie Crypto
DoS for specific account OOB device cookie issue
DoS for specific account when client is used by
different accounts
Device cookies per account

22. Implementation recommendations
Use good crypto, like HMAC-SHA2 or signed JWT.
Prevent cookie leakage with Secure & HttpOnly flags.
Issue cookie for valid reset password link.
Issue new device cookie after each successful login.
Include user ID into cookie name (privacy concerns?).

23. References
OWASP: Slow Down Online Guessing Attacks with Device Cookies
PasswordsCon, and specific talks from PasswordsCon 14:
• Marc Hause talk Online Password Attacks
• Alec Muffet talk Facebook Password Hashigh & Authentication
An Administrator’s Guide to Internet Password Research