SlideShare a Scribd company logo

Presentation 3 1 1 1

Download as PPTX, PDF
Ashwin Kumar
Ashwin Kumar

Achieving Flatness:Selecting Honeywords From Existing User Passwords

Technology
1 of 28
S E L E C T I N G H O N E Y W O R D S F R O M E X I S T I N G U S E R P A S S W O R D S P R E S E N T E D B Y : R A S H W I N K U M A R - 2 4 5 1 - 1 2 - 7 3 3 - 3 2 2 A L L A D I M A H E S H - 2 4 5 1 - 1 2 - 7 3 3 - 3 2 4 I M E E N A K S H I - 2 4 5 1 - 1 2 - 7 3 3 - 3 1 6
INTRODUCTION • Recently, Juels and Rivest proposed honeywords (decoy passwords) to detect attacks against hashed password databases. • For each user account, the legitimate password is stored with several honeywords in order to sense impersonation. • If honeywords are selected properly, a cyber-attacker who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. • Moreover, entering with a honeyword to login will trigger an alarm notifying the administrator about a password file breach. • At the expense of increasing the storage requirement by 20 times, the authors introduce a simple and effective solution to the detection of password file disclosure events.
• Honeywords – enables detection of theft, prevents impersonation • Honeywords are ``decoy passwords’’ (many for each user) • Separate ``honeychecker’’ aids in password checking • Why Honeywords? 6+ millions passwords Hacked in june 2012 1.5 million passwords june 2012 450,000 passwords july 2012
PROBLEM DEFINITION • In this respect, there are two issues that should be considered to overcome these security problems: • First, passwords must be protected by taking appropriate precautions and storing with their hash values computed through salting or some other complex mechanisms. Hence, for an adversary it must be hard to invert hashes to acquire plaintext passwords. • The second point is that a secure system should detect whether a password file disclosure incident happened or not to take appropriate actions. In this study, we focus on the latter issue and deal with fake passwords or accounts as a simple and cost effective solution to detect compromise of passwords. • Honey pot is one of the methods to identify occurrence of a password database breach. In this approach, the administrator purposely creates deceit user accounts to lure adversaries and detects a password disclosure, if any one of the honey pot passwords get used.
PASSWORDS USUALLY STORED IN HASHED FORM • P = Alice’s password • System stores mapping “Alice” h(P) in database, for a suitable hash function h. • When someone (perhaps Alice) tries to log in as Alice, system computes h(P’) of submitted password P’ • and compares it to h(P). If equal, login is allowed. • Hash function h should be easy to compute, hard to invert. Such ``one- wayness’’ makes a stolen hash not so useful to adversary.
PASSWORD HASHING • To defeat precomputation attack, a per-user ``salt’’ value s is used: system stores mapping “Alice”(s,h(s,P)). Hash h(s,P’) computed for submitted password P’ and compared. • Hashing with salting forces adversary who steals hashes and salts to find passwords by brute-force offline search: adversary repeatedly guesses P’ until a P’ is found such that h(s,P’) = h(s,P) • Also, hashing can be hardened (slowed) in various ways (e.g. bcrypt) • This all seems good, but… • Real passwords are often weak and easily guessed. • Password-hash crackers now use models or sets of real passwords.
"Alice" , P • "Alice": s,h(s,P)• Adversary compromises system ephemerally, steals password hashes • Adversary cracks hash, finding P • Impersonate user(s) and logs in. • Adversary almost always succeeds, and is often undetected. • ADVERSARY
TERMINOLOGY True Password P1 P2 …. Pi=P …. Pn Alice:
TERMINOLOGY Alice: P1 P2 …. Pi=P …. Pn Honey Words (Decoys)
TERMINOLOGY Alice: P1 P2 …. Pi …. Pn Sweet Words Wi
Honey Words Design Two questions: 1. HoneyWords Verification 2. HoneyWords Generation HoneyWords Verification: • The authentication system stores a mapping from Alice to his set of passwords • A “honeychecker” stores the index of the correct password for Alice Alice: P1 P2 …. Pi …. Pn Computer System Alice: (Ci) i Honey Checker
• Alice authenticates by submitting her password P • The computer system checks her password against all those it stores • If a match is found, the index of that match is sent to the honeychecker for verification • If the index is correct, Alice is authenticated. What is i ? • With ideal honeywords, adversary guesses correctly ( j = i ), with probability only 1/n • HoneyWords Verification Alice: P1 P2 …. Pi …. Pn Computer System Alice: i Honey Checker True i
• An attacker will submit a sweetword • The computer system checks the password against all those it stores • If a match is found, the index of that match is sent to the honeychecker for verification • If the index is incorrect, an alarm is raised HoneyWords Verification Alice: Pj = P1 P2 …. Pi …. Pn Computer System Alice: 2=i Honey Checker False 2
HONEYWORD S GENERATION
• Generation procedures of Honeywords are required to produce a ‘flat’ list denoted by ‘W’ • Legacy-UI procedures: - 1) Chaffing-by-tweaking 2) Chaffing-with-a-password-model • Modified-UI procedure: - Take-a-tail HoneyWords Generation Chaffing-by-tweeking: • the user password seeds the generator algorithm which tweaks selected character positions of the real password to produce the honeywords. • For instance,each character of a user password in predetermined positions is replaced by a randomly chosen character of the same type: digits are replaced by digits, letters by letters, and special characters by special characters. • Number of positions to be tweaked, denoted as t should depend on system policy.
• The generator algorithm takes the password from the user and relying on a probabilistic model of real passwords it produces the Honeywords. • May not depend on user-chosen password • However, attacker might have access to the list of passwords • The password is splitted into character sets. For instance, "mice3blind" is decomposed as 4-letters + 1-digit + 5-letters L4+D1+L5 and replaced with the same composition like "gold5rings". Chaffing-with-a-password model:
MD5 ALGORITHM • The MD5 message-digest algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32- digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. • Steps: • A message digest algorithm is a hash function that takes a bit sequence of any length and produces a bit sequence of a fixed small length. • The output of a message digest is considered as a digital signature of the input data. • MD5 is a message digest algorithm producing 128 bits of data. • It uses constants derived to trigonometric Sine function. • It loops through the original message in blocks of 512 bits, with 4 rounds of operations for each block, and 16 operations in each round. • Most modern programming languages provides MD5 algorithm as built-in functions.
SIMPLE MODEL ALGORITHM FOR HONEYWORDS GENERATION • 1: procedure SIMPLEMODEL(L) • 2: w <--random(L) . // randomly returns a word from L • 3: d <--length(w) . //returns length of word w • 4: honeyword(1) <-- w(1) . //The first character is the just first character of w • 5: for j <-- 2 to d do . //Probabilities of mod1, mod2 and else are 0.1, 0.4 and 0.5 • 6: if mod1 then • 7: w <-- random(L), honeyword(j) <-- w(j) . // Add character in same position of new random word • 8: else if mod2 then • 9: w <--random(L), honeyword(j) <-- w(j) . //Select a random word s.t. w(j-1) = honeyword(j-1) • 10: else • 11: honeyword(j) <-- w(j) . //Proceed with the same word • 12: end if • 13: end for • 14: end procedure
DESIGN APPROACH : 1) Implementation: Firstly, T fake user accounts (honeypots) are created with their passwords. also an index value between [1;N], but not used previously is assigned to each honeypot randomly. 2) Registration: After the initialization process, system is ready for user registration. In this phase, a legacy-UI is preferred, i.e. a username and password are required from the user as ui; pi to register the system. 3) HoneyWord: Incorporate an auxiliary secure server called a “honeychecker” . The role and primary processes of the honeychecker: It executes two commands sent by the main server: i) Set: Ci,Ui ii) Check: Ui; 4) Login: If entered password g is correct then login succesful,, else it will go to fake server which is honeypot account and Alaram is raised.
MODULES: • Client Module • Admin Module Types Of Attacks:
SCREEN SHOTS
SCREEN SHOTS
SCREEN SHOTS
SCREENSHOTS
SCREENSHOTS
FUTURE ENHANCEMENTS • In the future, we would like to refine our model by involving hybrid generation algorithms to also make the total hash inversion process harder for an adversary in getting the passwords in plaintext form from a leaked password hash file. • In our approach, the auxiliary service honey checker is employed to store correct indexes for each account and we assume that it communicates with the main server through a secure channel in an authenticated manner. • Indeed, it can be assumed that security enhancements for honey checker and the main server presented in are applied, but it is out scope of this study. • The role and primary processes of the honey checker are the same as described in the original study.
CONCLUSION • Eventually, passwords should be supplemented with stronger and more convenient authentication methods • A simple and powerful new line of defense in the security of hashed passwords • Decreases the value of the stolen password hash files • Makes password cracking detectable.
THANK YOU

Recommended

Storing passwords-honey words
Storing passwords-honey wordsStoring passwords-honey words
Storing passwords-honey wordskandulasindhu
 
Honeywords - BSides London 2014
Honeywords - BSides London 2014Honeywords - BSides London 2014
Honeywords - BSides London 2014Gavin Holt
 
Achieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsAchieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsKamal Spring
 
Honeywords
HoneywordsHoneywords
HoneywordsPratiksha Kale
 
Honeywords
HoneywordsHoneywords
HoneywordsSreya Sridhar PP
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rdsWill Alexander
 
Hacknbeers sqli and cryptography
Hacknbeers sqli and cryptographyHacknbeers sqli and cryptography
Hacknbeers sqli and cryptographyMiguel Ibarra
 

Recommended

Storing passwords-honey words
Storing passwords-honey wordsStoring passwords-honey words
Storing passwords-honey wordskandulasindhu
 
Honeywords - BSides London 2014
Honeywords - BSides London 2014Honeywords - BSides London 2014
Honeywords - BSides London 2014Gavin Holt
 
Achieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsAchieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsKamal Spring
 
Honeywords
HoneywordsHoneywords
HoneywordsPratiksha Kale
 
Honeywords
HoneywordsHoneywords
HoneywordsSreya Sridhar PP
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rdsWill Alexander
 
Hacknbeers sqli and cryptography
Hacknbeers sqli and cryptographyHacknbeers sqli and cryptography
Hacknbeers sqli and cryptographyMiguel Ibarra
 
PASSWORD SECURITY BASED ON HONEYWORD
PASSWORD SECURITY BASED ON HONEYWORDPASSWORD SECURITY BASED ON HONEYWORD
PASSWORD SECURITY BASED ON HONEYWORDDevyani Chaudhari
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
Flaws of password-based authentication
Flaws of password-based authenticationFlaws of password-based authentication
Flaws of password-based authenticationsluge
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Dr. P. Mohana Priya
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
authentication.ppt
authentication.pptauthentication.ppt
authentication.pptAchinikeWinifred
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2Iftach Ian Amit
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebCliff Smith
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done righttladesignz
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Honey Encryption
Honey EncryptionHoney Encryption
Honey Encryptionshiriskumar
 
Password Storage Sucks!
Password Storage Sucks!Password Storage Sucks!
Password Storage Sucks!nerdybeardo
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication rightAndre N. Klingsheim
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
PHISHING URL - Review 1.pptx
PHISHING URL - Review 1.pptxPHISHING URL - Review 1.pptx
PHISHING URL - Review 1.pptxArulvincent3
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
Authetication ppt
Authetication pptAuthetication ppt
Authetication pptPranav Doshi
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

More Related Content

Similar to Presentation 3 1 1 1

PASSWORD SECURITY BASED ON HONEYWORD
PASSWORD SECURITY BASED ON HONEYWORDPASSWORD SECURITY BASED ON HONEYWORD
PASSWORD SECURITY BASED ON HONEYWORDDevyani Chaudhari
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
Flaws of password-based authentication
Flaws of password-based authenticationFlaws of password-based authentication
Flaws of password-based authenticationsluge
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Dr. P. Mohana Priya
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2Iftach Ian Amit
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebCliff Smith
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done righttladesignz
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Honey Encryption
Honey EncryptionHoney Encryption
Honey Encryptionshiriskumar
 
Password Storage Sucks!
Password Storage Sucks!Password Storage Sucks!
Password Storage Sucks!nerdybeardo
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
PHISHING URL - Review 1.pptx
PHISHING URL - Review 1.pptxPHISHING URL - Review 1.pptx
PHISHING URL - Review 1.pptxArulvincent3
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 

Similar to Presentation 3 1 1 1 (20)

PASSWORD SECURITY BASED ON HONEYWORD
PASSWORD SECURITY BASED ON HONEYWORDPASSWORD SECURITY BASED ON HONEYWORD
PASSWORD SECURITY BASED ON HONEYWORD
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
 
Flaws of password-based authentication
Flaws of password-based authenticationFlaws of password-based authentication
Flaws of password-based authentication
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
authentication.ppt
authentication.pptauthentication.ppt
authentication.ppt
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern Web
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Honey Encryption
Honey EncryptionHoney Encryption
Honey Encryption
 
Password Storage Sucks!
Password Storage Sucks!Password Storage Sucks!
Password Storage Sucks!
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication right
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
PHISHING URL - Review 1.pptx
PHISHING URL - Review 1.pptxPHISHING URL - Review 1.pptx
PHISHING URL - Review 1.pptx
 
Open source security
Open source securityOpen source security
Open source security
 
Authetication ppt
Authetication pptAuthetication ppt
Authetication ppt
 

Recently uploaded

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Presentation 3 1 1 1

  • 1. S E L E C T I N G H O N E Y W O R D S F R O M E X I S T I N G U S E R P A S S W O R D S P R E S E N T E D B Y : R A S H W I N K U M A R - 2 4 5 1 - 1 2 - 7 3 3 - 3 2 2 A L L A D I M A H E S H - 2 4 5 1 - 1 2 - 7 3 3 - 3 2 4 I M E E N A K S H I - 2 4 5 1 - 1 2 - 7 3 3 - 3 1 6
  • 2. INTRODUCTION • Recently, Juels and Rivest proposed honeywords (decoy passwords) to detect attacks against hashed password databases. • For each user account, the legitimate password is stored with several honeywords in order to sense impersonation. • If honeywords are selected properly, a cyber-attacker who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. • Moreover, entering with a honeyword to login will trigger an alarm notifying the administrator about a password file breach. • At the expense of increasing the storage requirement by 20 times, the authors introduce a simple and effective solution to the detection of password file disclosure events.
  • 3. • Honeywords – enables detection of theft, prevents impersonation • Honeywords are ``decoy passwords’’ (many for each user) • Separate ``honeychecker’’ aids in password checking • Why Honeywords? 6+ millions passwords Hacked in june 2012 1.5 million passwords june 2012 450,000 passwords july 2012
  • 4. PROBLEM DEFINITION • In this respect, there are two issues that should be considered to overcome these security problems: • First, passwords must be protected by taking appropriate precautions and storing with their hash values computed through salting or some other complex mechanisms. Hence, for an adversary it must be hard to invert hashes to acquire plaintext passwords. • The second point is that a secure system should detect whether a password file disclosure incident happened or not to take appropriate actions. In this study, we focus on the latter issue and deal with fake passwords or accounts as a simple and cost effective solution to detect compromise of passwords. • Honey pot is one of the methods to identify occurrence of a password database breach. In this approach, the administrator purposely creates deceit user accounts to lure adversaries and detects a password disclosure, if any one of the honey pot passwords get used.
  • 5. PASSWORDS USUALLY STORED IN HASHED FORM • P = Alice’s password • System stores mapping “Alice” h(P) in database, for a suitable hash function h. • When someone (perhaps Alice) tries to log in as Alice, system computes h(P’) of submitted password P’ • and compares it to h(P). If equal, login is allowed. • Hash function h should be easy to compute, hard to invert. Such ``one- wayness’’ makes a stolen hash not so useful to adversary.
  • 6. PASSWORD HASHING • To defeat precomputation attack, a per-user ``salt’’ value s is used: system stores mapping “Alice”(s,h(s,P)). Hash h(s,P’) computed for submitted password P’ and compared. • Hashing with salting forces adversary who steals hashes and salts to find passwords by brute-force offline search: adversary repeatedly guesses P’ until a P’ is found such that h(s,P’) = h(s,P) • Also, hashing can be hardened (slowed) in various ways (e.g. bcrypt) • This all seems good, but… • Real passwords are often weak and easily guessed. • Password-hash crackers now use models or sets of real passwords.
  • 7. "Alice" , P • "Alice": s,h(s,P)• Adversary compromises system ephemerally, steals password hashes • Adversary cracks hash, finding P • Impersonate user(s) and logs in. • Adversary almost always succeeds, and is often undetected. • ADVERSARY
  • 11. Honey Words Design Two questions: 1. HoneyWords Verification 2. HoneyWords Generation HoneyWords Verification: • The authentication system stores a mapping from Alice to his set of passwords • A “honeychecker” stores the index of the correct password for Alice Alice: P1 P2 …. Pi …. Pn Computer System Alice: (Ci) i Honey Checker
  • 12. • Alice authenticates by submitting her password P • The computer system checks her password against all those it stores • If a match is found, the index of that match is sent to the honeychecker for verification • If the index is correct, Alice is authenticated. What is i ? • With ideal honeywords, adversary guesses correctly ( j = i ), with probability only 1/n • HoneyWords Verification Alice: P1 P2 …. Pi …. Pn Computer System Alice: i Honey Checker True i
  • 13. • An attacker will submit a sweetword • The computer system checks the password against all those it stores • If a match is found, the index of that match is sent to the honeychecker for verification • If the index is incorrect, an alarm is raised HoneyWords Verification Alice: Pj = P1 P2 …. Pi …. Pn Computer System Alice: 2=i Honey Checker False 2
  • 15. • Generation procedures of Honeywords are required to produce a ‘flat’ list denoted by ‘W’ • Legacy-UI procedures: - 1) Chaffing-by-tweaking 2) Chaffing-with-a-password-model • Modified-UI procedure: - Take-a-tail HoneyWords Generation Chaffing-by-tweeking: • the user password seeds the generator algorithm which tweaks selected character positions of the real password to produce the honeywords. • For instance,each character of a user password in predetermined positions is replaced by a randomly chosen character of the same type: digits are replaced by digits, letters by letters, and special characters by special characters. • Number of positions to be tweaked, denoted as t should depend on system policy.
  • 16. • The generator algorithm takes the password from the user and relying on a probabilistic model of real passwords it produces the Honeywords. • May not depend on user-chosen password • However, attacker might have access to the list of passwords • The password is splitted into character sets. For instance, "mice3blind" is decomposed as 4-letters + 1-digit + 5-letters L4+D1+L5 and replaced with the same composition like "gold5rings". Chaffing-with-a-password model:
  • 17. MD5 ALGORITHM • The MD5 message-digest algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32- digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. • Steps: • A message digest algorithm is a hash function that takes a bit sequence of any length and produces a bit sequence of a fixed small length. • The output of a message digest is considered as a digital signature of the input data. • MD5 is a message digest algorithm producing 128 bits of data. • It uses constants derived to trigonometric Sine function. • It loops through the original message in blocks of 512 bits, with 4 rounds of operations for each block, and 16 operations in each round. • Most modern programming languages provides MD5 algorithm as built-in functions.
  • 18. SIMPLE MODEL ALGORITHM FOR HONEYWORDS GENERATION • 1: procedure SIMPLEMODEL(L) • 2: w <--random(L) . // randomly returns a word from L • 3: d <--length(w) . //returns length of word w • 4: honeyword(1) <-- w(1) . //The first character is the just first character of w • 5: for j <-- 2 to d do . //Probabilities of mod1, mod2 and else are 0.1, 0.4 and 0.5 • 6: if mod1 then • 7: w <-- random(L), honeyword(j) <-- w(j) . // Add character in same position of new random word • 8: else if mod2 then • 9: w <--random(L), honeyword(j) <-- w(j) . //Select a random word s.t. w(j-1) = honeyword(j-1) • 10: else • 11: honeyword(j) <-- w(j) . //Proceed with the same word • 12: end if • 13: end for • 14: end procedure
  • 19. DESIGN APPROACH : 1) Implementation: Firstly, T fake user accounts (honeypots) are created with their passwords. also an index value between [1;N], but not used previously is assigned to each honeypot randomly. 2) Registration: After the initialization process, system is ready for user registration. In this phase, a legacy-UI is preferred, i.e. a username and password are required from the user as ui; pi to register the system. 3) HoneyWord: Incorporate an auxiliary secure server called a “honeychecker” . The role and primary processes of the honeychecker: It executes two commands sent by the main server: i) Set: Ci,Ui ii) Check: Ui; 4) Login: If entered password g is correct then login succesful,, else it will go to fake server which is honeypot account and Alaram is raised.
  • 20. MODULES: • Client Module • Admin Module Types Of Attacks:
  • 26. FUTURE ENHANCEMENTS • In the future, we would like to refine our model by involving hybrid generation algorithms to also make the total hash inversion process harder for an adversary in getting the passwords in plaintext form from a leaked password hash file. • In our approach, the auxiliary service honey checker is employed to store correct indexes for each account and we assume that it communicates with the main server through a secure channel in an authenticated manner. • Indeed, it can be assumed that security enhancements for honey checker and the main server presented in are applied, but it is out scope of this study. • The role and primary processes of the honey checker are the same as described in the original study.
  • 27. CONCLUSION • Eventually, passwords should be supplemented with stronger and more convenient authentication methods • A simple and powerful new line of defense in the security of hashed passwords • Decreases the value of the stolen password hash files • Makes password cracking detectable.