
"Slow down online guessing attack with Device Cookies", Anton Dedov

OWASP Russia Meetup #6

OWASP Moscow

December 04, 2017

Transcript

  1. Slow Down Online Guessing Attacks with Device Cookies Anton Dedov

    OWASP Russia Meetup #6, 2017
  2. Anton Dedov Security Architect Odin / Ingram Micro adedov@gmail.com @brutemorse

  3. Intro: Online guessing attacks

  4. App

  5. App App App App App App App App App

  6. App App App App App

  7. Attacker goals Password for specific account Password for any account

    in a system Password for any account in any system
  8. Threats for Authentication Online attacks Offline attacks Password leaks

  9. App user : password1 Online guessing attacks user : password2

    user : password3 ...
  10. Authentication attacks: Mitigations

    • M-FA / M-Step (UX!) • Password policy • Magic • Rate limiting • Authentication parameters, e.g. time, location, etc. • Monitoring, e.g. haveibeenpwned.com
  11. © Cormac Herley et al. An Administrator’s Guide to Internet

    Password Research
  12. Rate limiting CAPTCHA Account lockout Exponential timeouts Proof of work

  13. Account lockout: simple math 5 attempts ⇒ 20 min. lockout

    131400 attempts/year
  14. Account lockout

    Lock account: Effective; Easy DoS
    Lock (account, IP): Somewhat DoS mitigation; Botnets, Proxies, IPv6; DoS as a collateral damage
  15. Device Cookie Distinguish known clients from unknown ones

  16. None
  17. None
  18. Lockout all unknown devices at once; lockout individual user per device cookie

    (Diagram: App receiving "user : password" requests, one with a Device Cookie and one without)
  19. Set-Cookie: KnownDevice= LOGIN|NONCE|HMAC(secret-key,LOGIN|NONCE)

  20. Set-Cookie: KnownDevice=JWT

    { "alg": "HS256", "typ": "JWT" } . { "aud": "device-cookie", "sub": "adedov@odin.com", "jti": "40e2a97a2ab37406" }
  21. Threats & Mitigations

    Threat → Mitigation
    • Online attack against one user → Password policy
    • Online attack using stolen device cookies → Limited; prevent cookie leaks
    • Online attack against multiple users → Not mitigated
    • Spoof device cookie → Crypto
    • Tamper with existing device cookie → Crypto
    • DoS for specific account → OOB device cookie issue
    • DoS for specific account when client is used by different accounts → Device cookies per account
  22. Implementation recommendations

    • Use good crypto, like HMAC-SHA2 or signed JWT.
    • Prevent cookie leakage with Secure & HttpOnly flags.
    • Issue cookie for valid reset password link.
    • Issue new device cookie after each successful login.
    • Include user ID into cookie name (privacy concerns?).
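The following is a worked implementation of the device-cookie scheme from slides 18 to 22, added here as an example; it is not code from the talk, from OWASP, or from Odin. It uses the HMAC format of slide 19 (LOGIN|NONCE|HMAC(secret-key, LOGIN|NONCE)) rather than the JWT variant, the deck's "5 attempts ⇒ 20 min. lockout" numbers, and a constructed in-memory user store and secret key. Requests carrying a valid cookie for the same login are throttled per device cookie; all other requests for that login share one "untrusted" lockout counter, so an attacker without the cookie cannot lock a legitimate device out.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example; a real deployment holds this key server-side only.
SECRET_KEY = b"example-server-secret-do-not-reuse"

FAILED_AUTH_THRESHOLD = 5     # "5 attempts" from the deck
LOCKOUT_SECONDS = 20 * 60     # "20 min. lockout" from the deck


def issue_device_cookie(login: str, key: bytes = SECRET_KEY) -> str:
    """Build LOGIN|NONCE|HMAC-SHA256(key, LOGIN|NONCE) (slide 19 format)."""
    nonce = secrets.token_hex(16)
    payload = f"{login}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_device_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return (login, nonce) for an authentic cookie, None for a missing,
    malformed, spoofed or tampered one."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    login, nonce, tag = parts
    expected = hmac.new(key, f"{login}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return login, nonce


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie header with the leakage-limiting flags from slide 22."""
    return f"Set-Cookie: KnownDevice={cookie}; Secure; HttpOnly; SameSite=Strict"


class AuthGuard:
    """Login endpoint with device-cookie based lockout state (in memory)."""

    def __init__(self, users: dict, now=time.time):
        self.users = users            # login -> password (constructed; store hashes in reality)
        self.now = now                # injectable clock, so lockout expiry is testable
        self.device_failures = {}     # nonce -> failed attempts from that known device
        self.device_locks = {}        # nonce -> unlock timestamp
        self.untrusted_failures = {}  # login -> failed attempts without a valid cookie
        self.untrusted_locks = {}     # login -> unlock timestamp

    def login(self, login: str, password: str, cookie: str = None):
        """Return (status, new_cookie); status is 'ok', 'bad_credentials' or 'locked'."""
        device = validate_device_cookie(cookie) if cookie else None
        if device is not None and device[0] == login:
            # Known device: its own counter, cannot be exhausted by strangers.
            key, fails, locks = device[1], self.device_failures, self.device_locks
        else:
            # Unknown device (no cookie, bad cookie, or cookie for another user):
            # slide 18's "lockout all unknown devices at once".
            key, fails, locks = login, self.untrusted_failures, self.untrusted_locks

        if locks.get(key, 0) > self.now():
            return "locked", None

        if self.users.get(login) == password:
            fails.pop(key, None)
            # Slide 22: fresh device cookie after every successful login.
            return "ok", issue_device_cookie(login)

        fails[key] = fails.get(key, 0) + 1
        if fails[key] >= FAILED_AUTH_THRESHOLD:
            locks[key] = self.now() + LOCKOUT_SECONDS
            fails.pop(key, None)
        return "bad_credentials", None
```

Because the cookie is bound to the login inside the MAC, a cookie stolen from one account gives no trusted path into another, and flipping any byte of it drops the request back onto the shared untrusted counter. The "DoS for specific account" row of slide 21 is what the per-device path addresses: while the untrusted counter is locked, a user presenting a valid cookie still authenticates normally.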
  23. References

    • OWASP: Slow Down Online Guessing Attacks with Device Cookies
    • PasswordsCon, and specific talks from PasswordsCon 14: Marc Hause talk "Online Password Attacks"; Alec Muffet talk "Facebook Password Hashing & Authentication"
    • An Administrator’s Guide to Internet Password Research