"Slow down online guessing attack with Device Cookies", Anton Dedov

Transcript

1. Slow Down Online Guessing Attacks with Device Cookies Anton Dedov

   OWASP Russia Meetup #6, 2017

2. Anton Dedov Security Architect Odin / Ingram Micro adedov@gmail.com @brutemorse

3. Intro: Online guessing attacks

4. App

5. App App App App App App App App App

6. App App App App App

7. Attacker goals Password for specific account Password for any account

   in a system Password for any account in any system

8. Threats for Authentication Online attacks Offline attacks Password leaks

9. App user : password1 Online guessing attacks user : password2

   user : password3 ...

10. Authentication attacks: Mitigations M-FA / M-Step UX! Password policy Magic

    106 Rate limiting ßßßßßßß Authentication parameters e.g. time, location, etc. Monitoring e.g. haveibeenpwned.com

11. © Cormac Herley et al. An Administrator’s Guide to Internet

    Password Research

12. Rate limiting CAPTCHA Account lockout Exponential timeouts Proof of work

13. Account lockout: simple math 5 attempts ⇒ 20 min. lockout

    131400 attempts/year

14. Account lockout Lock account Effective Easy DoS Lock (account, IP)

    Somewhat DoS mitigation Botnets Proxies IPv6 DoS as a collateral damage

15. Device Cookie Distinguish known clients from unknown ones

16. None
17. None

18. App Lockout all unknown devices at once Lockout individual user

    per device cookie user : password user : password Device Cookie

19. Set-Cookie: KnownDevice= LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

20. Set-Cookie: KnownDevice=JWT { "alg": "HS256", "typ": "JWT” } . {

    "aud": "device-cookie", "sub": "adedov@odin.com", "jti": "40e2a97a2ab37406” }

21. Threats & Mitigations Threat Mitigation Online attack against one user

    Password policy Online attack using stolen device cookies Limited, prevent cookie leaks Online attack against multiple users Not mitigated Spoof device cookie Crypto Tamper with existing device cookie Crypto DoS for specific account OOB device cookie issue DoS for specific account when client is used by different accounts Device cookies per account

22. Implementation recommendations Use good crypto, like HMAC-SHA2 or signed JWT.

    Prevent cookie leakage with Secure & HttpOnly flags. Issue cookie for valid reset password link. Issue new device cookie after each successful login. Include user ID into cookie name (privacy concerns?).

23. References OWASP: Slow Down Online Guessing Attacks with Device Cookies

    PasswordsCon, and specific talks from PasswordsCon 14: • Marc Hause talk Online Password Attacks • Alec Muffet talk Facebook Password Hashigh & Authentication An Administrator’s Guide to Internet Password Research