"Slow down online guessing attack with Device Cookies", Anton Dedov

Slow Down Online Guessing Attacks with Device Cookies Anton Dedov
OWASP Russia Meetup #6, 2017

Anton Dedov Security Architect Odin / Ingram Micro [email protected] @brutemorse

Intro: Online guessing attacks

App App App App App App App App App

App App App App App

Attacker goals Password for specific account Password for any account
in a system Password for any account in any system

Threats for Authentication Online attacks Offline attacks Password leaks

App user : password1 Online guessing attacks user : password2
user : password3 ...

Authentication attacks: Mitigations M-FA / M-Step UX! Password policy Magic
106 Rate limiting ßßßßßßß Authentication parameters e.g. time, location, etc. Monitoring e.g. haveibeenpwned.com

© Cormac Herley et al. An Administrator’s Guide to Internet
Password Research

Rate limiting CAPTCHA Account lockout Exponential timeouts Proof of work

Account lockout: simple math 5 attempts ⇒ 20 min. lockout
131400 attempts/year

Account lockout Lock account Effective Easy DoS Lock (account, IP)
Somewhat DoS mitigation Botnets Proxies IPv6 DoS as a collateral damage

Device Cookie Distinguish known clients from unknown ones

App Lockout all unknown devices at once Lockout individual user
per device cookie user : password user : password Device Cookie

Set-Cookie: KnownDevice= LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

Set-Cookie: KnownDevice=JWT { "alg": "HS256", "typ": "JWT” } . {
"aud": "device-cookie", "sub": "[email protected]", "jti": "40e2a97a2ab37406” }

Threats & Mitigations Threat Mitigation Online attack against one user
Password policy Online attack using stolen device cookies Limited, prevent cookie leaks Online attack against multiple users Not mitigated Spoof device cookie Crypto Tamper with existing device cookie Crypto DoS for specific account OOB device cookie issue DoS for specific account when client is used by different accounts Device cookies per account

Implementation recommendations Use good crypto, like HMAC-SHA2 or signed JWT.
Prevent cookie leakage with Secure & HttpOnly flags. Issue cookie for valid reset password link. Issue new device cookie after each successful login. Include user ID into cookie name (privacy concerns?).

References OWASP: Slow Down Online Guessing Attacks with Device Cookies
PasswordsCon, and specific talks from PasswordsCon 14: • Marc Hause talk Online Password Attacks • Alec Muffet talk Facebook Password Hashigh & Authentication An Administrator’s Guide to Internet Password Research

"Slow down online guessing attack with Device C...

"Slow down online guessing attack with Device Cookies", Anton Dedov

OWASP Moscow

More Decks by OWASP Moscow

Other Decks in Technology

Featured

Transcript

Slow Down Online Guessing Attacks with Device Cookies Anton Dedov

Anton Dedov Security Architect Odin / Ingram Micro [email protected] @brutemorse

Intro: Online guessing attacks

App

App App App App App App App App App

App App App App App

Attacker goals Password for specific account Password for any account

Threats for Authentication Online attacks Offline attacks Password leaks

App user : password1 Online guessing attacks user : password2

Authentication attacks: Mitigations M-FA / M-Step UX! Password policy Magic

© Cormac Herley et al. An Administrator’s Guide to Internet

Rate limiting CAPTCHA Account lockout Exponential timeouts Proof of work

Account lockout: simple math 5 attempts ⇒ 20 min. lockout

Account lockout Lock account Effective Easy DoS Lock (account, IP)

Device Cookie Distinguish known clients from unknown ones

App Lockout all unknown devices at once Lockout individual user

Set-Cookie: KnownDevice= LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

Set-Cookie: KnownDevice=JWT { "alg": "HS256", "typ": "JWT” } . {

Threats & Mitigations Threat Mitigation Online attack against one user

Implementation recommendations Use good crypto, like HMAC-SHA2 or signed JWT.

References OWASP: Slow Down Online Guessing Attacks with Device Cookies