Towards more Secure and Efficient Password Databases

Password databases form one of the backbones of nowadays web applications. Every web application needs to store its users’ credentials (email and password) in an efficient way, and in popular applications (Google, Facebook, Twitter, etc.) these databases can grow to store millions of user credentials simultaneously. However, despite their critical nature and susceptibility to targeted attacks, the techniques used for securing password databases are still very rudimentary, opening the way to devastating attacks. Just in the year of 2016, and as far as publicly disclosed, there were more than 500 million passwords stolen in internet hacking attacks. To solve this problem we commit to study several schemes like property-preserving encryption schemes (e.g. deterministic encryption), encrypted data-structures that support operations (e.g. searchable encryption), partially homomorphic encryption schemes, and commodity trusted hardware (e.g. TPM and Intel SGX). In this thesis we propose to make a summary of the most efficient and secure techniques for password database management systems that exist today and recreating them to accommodate a new and simple universal API. We also propose SSPM(Simple Secure Password Management), a new password database scheme that simultaneously improves efficiency and security of current solutions existing in literature. SSPM is based on Searchable Symmetric Encryption techniques, more specifically ciphered data structures, that allow efficient queries with the minimum leak of access patterns. SSPM adapts these structures to work with the necessary operation of password database schemes preserving the security guarantees. Furthermore, SSPM explores the use of trusted hardware to minimize the revelation of access patterns during the execution of operations and protecting the storage of cryptographic keys. Experimental results with real password databases shows us that SSPM has a similar performance compared with the solutions used today in the industry, while simultaneous increasing the offered security conditions

Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems

PALPAS - PAsswordLess PAssword Synchronization

Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server but not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to only memorize a single password and the setup of PALPAS on a further device demands only a one-time transfer of few static data.Comment: An extended abstract of this work appears in the proceedings of ARES 201

Dictionary Attacks and Password Selection

Passwords, particularly text-based, are the most common authentication mechanisms across all platforms and services like computers, mobiles, web and network services. Existing password strength evaluators and online service providers (Gmail, Yahoo, Paypal, Twitter, etc) password strength estimators determine the effectiveness of passwords chosen by user based on entropy techniques or a similar function of the parameters: length, complexity and predictability. Such implementations often ignore passwords part of publicly available password dictionaries and password leaks which are often the primary choice for malicious adversaries and particularly script kiddies. This paper presents an application that would help in preventing the use of such passwords thereby reducing the impact of dictionary based password attacks significantly. The application maintains a database of unique passwords by gathering publicly available password dictionaries and passwords leaked over the Internet. The application provides users with an interface to query the database and verify if their passwords are already available on the Internet thereby preventing them from the use of such passwords

Data management in cloud environments: NoSQL and NewSQL data stores

: Advances in Web technology and the proliferation of mobile devices and sensors connected to the Internet have resulted in immense processing and storage requirements. Cloud computing has emerged as a paradigm that promises to meet these requirements. This work focuses on the storage aspect of cloud computing, specifically on data management in cloud environments. Traditional relational databases were designed in a different hardware and software era and are facing challenges in meeting the performance and scale requirements of Big Data. NoSQL and NewSQL data stores present themselves as alternatives that can handle huge volume of data. Because of the large number and diversity of existing NoSQL and NewSQL solutions, it is difficult to comprehend the domain and even more challenging to choose an appropriate solution for a specific task. Therefore, this paper reviews NoSQL and NewSQL solutions with the objective of: (1) providing a perspective in the field, (2) providing guidance to practitioners and researchers to choose the appropriate data store, and (3) identifying challenges and opportunities in the field. Specifically, the most prominent solutions are compared focusing on data models, querying, scaling, and security related capabilities. Features driving the ability to scale read requests and write requests, or scaling data storage are investigated, in particular partitioning, replication, consistency, and concurrency control. Furthermore, use cases and scenarios in which NoSQL and NewSQL data stores have been used are discussed and the suitability of various solutions for different sets of applications is examined. Consequently, this study has identified challenges in the field, including the immense diversity and inconsistency of terminologies, limited documentation, sparse comparison and benchmarking criteria, and nonexistence of standardized query languages

Sähköisen identiteetin toteuttaminen TPM 2.0 -laitteistolla

Most of the financial, healthcare, and governmental services are available on Internet, where traditional identification methods used on face-to-face identification are not possible. Identification with username and password is a mediocre solution and therefore some services require strong authentication. Finland has three approved strong authentication methods: smart cards, bank credentials, and mobile ID. Out of the three authentication methods, only the government issued smart card is available to everyone who police can identify reliably. Bank credentials require identification with an identity document from Finland or other European Economic Area (EEA) country. Mobile ID explicitly require identification with Finnish identity document. The problem with smart cards is the requirement for a reader, slow functioning, and requirement for custom driver. A TPM could function as a replacement for a smart card with accompanying software library. In this thesis, I created a PKCS #11 software library that allows TPM to be used for browser based authentication according to draft specification by Finnish population registry. The keys used for authentication are created, stored and used securely inside the TPM. TPMs are deemed viable replacement for smart cards. The implemented system is faster to use than smart cards and has similar security properties as smart cards have. The created library contains implementations for 30% of all TPM 2.0 functions and could be used as a base for further TPM 2.0 based software.Pankki-, terveys- ja julkiset palvelut ovat suureksi osin saatavilla internetin välityksellä. Tunnistautuminen käyttäjätunnuksella ja salasanalla ei takaa riittävää luotettavuutta, vaan joissain palveluissa on käytettävä vahvaa tunnistautumista. Suomessa on tällä hetkellä käytössä kolme vahvaa tunnistautumisvälinettä: pankkien käyttämät verkkopankkitunnukset, Väestörekisterikeskuksen kansalaisvarmenne ja teleyritysten mobiilivarmenteet. Näistä kolmesta kansalaisvarmenne on ainoa, joka ei vaadi asiakkuutta ja on täten kaikille saatavilla, jotka poliisi voi luotettavasti tunnistaa. Verkkopankkitunnukset vaativat tunnistautumisen suomalaisella tai Euroopan talousalueen (ETA) valtion myöntämällä henkilötodistus. Mobiilivarmenne myönnetään vain henkilölle, joka voidaan tunnistaa suomalaisella henkilötodistuksella. Kansalaisvarmenne on kuitenkin älykortti kaikkine älykortin ongelmineen: sen käyttämiseen tarvitaan erillinen lukija, sen toiminta on hidasta ja se vaatii erillisen laiteajurin. Tämän työn tavoitteena on luoda ratkaisu, jolla älykorttipohjainen tunnistautuminen voidaan toteuttaa tietokoneissa olevan TPM-piirin avulla. Tässä diplomityössä luotiin PKCS #11 -rajapinnan täyttävä ohjelmistokirjasto, joka mahdollistaa TPM-piirin käyttämisen tunnistautumiseen selaimessa Väestörekisterikeskuksen laatiman määritelmän luonnoksen mukaan. Tunnistautumisavaimet luodaan, tallennetaan ja niitä käytetään TPM:ssa, mikä varmistaa avainten luottamuksellisuuden. Älykortin toiminnallisuudet todettiin mahdolliseksi toteuttaa TPM-piirillä. Toteutettu järjestelmä on nopeampi käyttää kuin älykortti ja se takaa älykortteja vastaavan tietoturvatason. Työn tuloksena tehty kirjasto toteuttaa 30 % kaikista TPM 2.0 -ohjelmistorajapinnoista, ja kirjastoa voidaan käyttää osana tulevia TPM 2.0 -ohjelmistoja

Energy-efficient distributed password hash computation on heterogeneous embedded system

This paper presents the improved version of our cool Cracker cluster (cCc), a heterogeneous distributed system for parallel and energy-efficient bcrypt password hash computation. The cluster consists of up to 8 computational units (nodes) with different performances measured in bcrypt hash computations per second [H/s]. In the cluster, nodes are low-power heterogeneous embedded systems with programmable logic containing specialized hash computation accelerators. In the experiments, we used a combination of Xilinx Zynq-series SoC boards and ZTEX 1.15y board which was initially used as a bitcoin miner. Zynq based nodes use the improved version of our custom bcrypt accelerator, which executes the most costly parts of the bcrypt hash computation in programmable logic. The cluster was formed around the famous open-source password cracking software package John the Ripper (abbr. JtR). On the communication layer, we used Message Passing Interface (MPI)library with a standard Ethernet network connecting the nodes. To mitigate the different performances among the cluster nodes and to balance the load, we developed and implemented password candidate distribution scheme based on the passwords\u27 probability distribution, i.e. the order of appearance in the dictionary. We tested individual nodes and the cluster as a whole, trying different combinations of nodes and evaluating our distribution scheme for password candidates. We also compared our cluster with various GPU implementations in terms of performance, energy-efficiency, and price-efficiency. We show that our solution outperforms other platforms such as high-end GPUs, by a factor of at least 3 in terms of energy-efficiency and thus producing less overall cost of password attack than other platforms. In terms of the total operational costs, our cluster pays off after 4500 cracked passwords for a bcrypt hash with cost parameter 12, which makes it more appealing for real-world password-based system attacks. We also demonstrate the scalability of our cCc cluster