Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary...
66
Course Business • I am traveling April 25-May 3 rd • Will still be available by e-mail to answer questions • Final Exam Review on Monday, April 24 th • Guest Lectures on April 26 and 28 (TBD) • Final Exam on Monday, May 1 st (in this classroom) • Adib will proctor • Practice Final Exam released soon 1
As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash value The adversary can execute an offline attack against the password by comparing the hash value with the hashes of likely password guesses The adversary is limited only by the resources that he is willing to invest cracking the passwords
bull Password breaches at major companies have affected millions of users
Offline Attacks A Common Problem
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times
Offline Attacks A Common Problem
bull Password breaches at major companies have affected millions of users
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash value The adversary can execute an offline attack against the password by comparing the hash value with the hashes of likely password guesses The adversary is limited only by the resources that he is willing to invest cracking the passwords
bull Password breaches at major companies have affected millions of users
Offline Attacks A Common Problem
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times
Offline Attacks A Common Problem
bull Password breaches at major companies have affected millions of users
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash value The adversary can execute an offline attack against the password by comparing the hash value with the hashes of likely password guesses The adversary is limited only by the resources that he is willing to invest cracking the passwords
bull Password breaches at major companies have affected millions of users
Offline Attacks A Common Problem
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times
Offline Attacks A Common Problem
bull Password breaches at major companies have affected millions of users
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
bull Password breaches at major companies have affected millions of users
Offline Attacks A Common Problem
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times
Offline Attacks A Common Problem
bull Password breaches at major companies have affected millions of users
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Offline Attacks A Common Problem
bull Password breaches at major companies have affected millions of users
Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
A Dangerous Problem
$2400 onAmazon
Can we increase guessing costs for the attacker
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Attempt 1 Hash Iteration
bull BCRYPT
bull PBKDF2 100000 SHA256 computations(iterative)
Estimated Cost on ASIC $1 per billion password guesses [BS14]
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
The Challenge
User Patience
Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously
Time
Uni
ts o
f Pat
ienc
e
USD
$
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Goal Moderately Expensive Hash Function
Fast on PC and Expensive on ASIC
Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Memory Costs Equitable Across Architectures
Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)
bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Memory Hard Function (MHF)
bull Intuition computation costs dominated by memory costsvs
bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input
Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
iMHF Candidates
bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly
bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing
bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)
Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Evaluating an iMHF (pebbling)
Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example
1 2 3 4 51 3 4 5
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example
1 2 3 4 5
P1 = 1
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example
1 2 3 4 5
P1 = 1P2 = 12
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Measuring Cost
bull Cumulative Complexity (CC)
CC 119866119866 = min119875119875
119894119894=1
119905119905119875119875
119875119875119894119894
bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Example (CC)
P1 = 1P2 = 12P3 = 3
1 2 3 4 5
P4 = 34P5 = 5
CC 119866119866 le119894119894=1
5
119875119875119894119894
= 1 + 2 + 1 + 2 + 1= 7
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Pebbling Equivalence
119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH
Implication Structure of the graph G is key to iMHFsecurity
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Desiderata
Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)
2 CC(G) ge 1198991198992
120591120591for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Naiumlve Pebbling Algorithms
bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm
bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Amortized Attack Quality
Quality119877119877 119860119860 =ER(Naiumlve)
ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)
Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40
Quality119877119877 119860119860 =40
100times 5 = 2
Presenter
Presentation Notes
Use Example
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Memory costs should dominate
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Desiderata
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for some small value 120591120591
Maximize costs for fixed n(Users are impatient)
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)
2 QualityR(A) le 119888119888 for every adversary A (c small)
3 ER(Naive) ge 1198991198992
120591120591+ R119894119894 for 120591120591 = 119874119874(1)
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks
bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist
bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Depth-Robustness The Key Property
Necessary [AB16] and sufficient[ABP16] for secure iMHFs
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Depth Robustness
Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d
Otherwise we say that G is (ed)-depth robust
1 2 3 4 5
Example (12)-reducible
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Attacking (ed)-reducible DAGs
bull Input |S| lee such that depth(G-S) = d g gt d
bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time
bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)
Depth Robustness is Necessary
Are existing iMHF candidates based on depth-robust DAGs
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Answer No
bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Argon2i [BDK]
bull Argon2 Winner of the password hashing competition[2015]
bull Authors recommend Argon2i variant (data-independent) for password hashing
Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Argon2i
1 2 3 4 ihellip n
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Argon2i
1 2 3 4 ihellip n
random predecessor r(i) lt i
Indegree 120575120575 = 2
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894helliphelliphellip
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Argon2i Reducing depth to 119894119894
1 2 3 11989411989434
helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path
Argon2i is a layered DAG (almost)
1 2 3 11989411989434
+2 +3 helliphellip
211989411989434
hellip 4 119894119894
n
Layer 0Layer 1
Layer 4 119894119894
Let S = S1+S2
helliphelliphellip
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Attack Simulation [AB16b]
Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)
Pessimistic Argon 2i-B parameter
Parameter setting could easily be chosen when following Argon2i-B guidelines
hellip
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Ideal iMHFs Donrsquot Exist
Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible
Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality
QualityR 119860119860 =Ωlog(119894119894)
log log(119894119894)
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
But we cannot rule them out in practice
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Outline
bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)
bull Depth-Robustness is sufficient
bull Conclusions and Open Questions
Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Depth-Robustness is Sufficient [ABP16]
Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯
one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)
because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Depth-Robustness is Sufficient [ABP16]
Implications There exists a constant indegree graph G with
CC G ge Ω1198941198942
log119894119894
Previous Best [AS15] Ω 1198991198992
log10 119899119899
[AB16] We cannot do better (in an asymptotic sense)
119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Summary
bull BCRYPT and PBKDF2 are no longer sufficient for password hashing
bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]
bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i
bull Look for improvements in the near future using depth-robust graphs [ABP17]
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Conclusions
bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]
bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Thanks for Listening
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Passwords vs time Look how far wersquove come
Netscape IPO Dotcom crash
Source Cormacrsquos estimate
ldquoThe password is deadrdquo
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Chart1
3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Sheet1
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
DATE
DATE
NUMBER OF USERS
WORLD
WORLD
INFORMATION
DATE
DATE
NUMBER OF USERS
DATE
DATE
acctsyr
POPULATION
POPULATION
SOURCE
December-90
0
3
15
020
00261
000
1
December-90
3
1
December-90
3
1
December-90
3
3
December-90
3
1
3
December-95
December-95
0
16
040
80
040
IDC
100
00522
180
12
December-95
192
December-95
16
1778
December-95
48
28448
December-95
48
3
48
December-96
December-96
0
36
090
180
090
IDC
200
00783
188
13132
December-96
472752
December-96
36
1994916
December-96
126
71816976
December-96
1368
38
126
December-97
December-97
0
70
170
350
170
IDC
300
01043
209
16263
December-97
113841
December-97
70
2238295752
December-97
280
15668070264
December-97
322
46
280
December-98
December-98
0
147
360
735
360
CI Almanac
400
01303
230
19391
December-98
2850477
December-98
147
25113678337
December-98
6615
3691710715604
December-98
7791
53
6615
December-99
December-99
0
248
410
1240
410
Nua Ltd
500
01563
251
22517
December-99
5584216
December-99
248
28177547095
December-99
1240
6988031679463
December-99
15376
62
1240
March-00
March-00
0
304
500
1520
500
Nua Ltd
600
01822
272
25638
March-00
7793952
December-00
361
3161520784
December-00
19855
11413090030294
December-00
2527
7
19855
July-00
July-00
0
359
590
1795
590
Nua Ltd
700
02081
293
28754
July-00
10322686
December-01
543
35472263197
December-01
3258
1926143891578
December-01
39639
73
3258
December-00
December-00
0
361
580
1805
580
Internet World Stats
800
02338
313
31864
December-00
11502904
December-02
607
39799879307
December-02
39455
2415852673913
December-02
47953
79
39455
March-01
March-01
0
458
760
2290
760
Nua Ltd
900
02852
334
34967
March-01
16014886
December-03
719
44655464582
December-03
5033
32107279034493
December-03
61115
85
5033
June-01
June-01
0
479
790
2395
790
Nua Ltd
1000
03107
355
38061
June-01
18231219
December-04
817
50103431261
December-04
61275
40934503340285
December-04
7353
9
61275
August-01
August-01
0
513
860
2565
860
Nua Ltd
1100
03361
396
44221
August-01
22685373
December-05
1018
56216049875
December-05
8144
57227938772657
December-05
9467
93
8144
April-02
April-02
0
558
860
2790
860
Internet World Stats
1200
03614
417
47284
April-02
26384472
December-06
1093
6307440796
December-06
9291
68940327899894
December-06
10602
97
9291
July-02
July-02
0
569
910
2845
910
Internet World Stats
1300
03866
437
50334
July-02
28640046
December-07
1319
70769485731
December-07
11871
93344951678825
December-07
13454
102
11871
September-02
September-02
0
587
940
2935
940
Internet World Stats
1400
04117
458
53371
September-02
31328777
December-08
1574
7940336299
December-08
14953
124980893346059
December-08
16527
105
14953
March-03
March-03
0
608
970
3040
970
Internet World Stats
1500
04366
478
56394
March-03
34287552
December-09
1802
89090573275
December-09
18020
160541213040896
December-09
19462
108
18020
September-03
September-03
0
677
1060
3385
1060
Internet World Stats
1600
04614
498
59401
September-03
40214477
December-10
1971
99959623214
December-10
20696
197020417355075
December-10
21681
11
20696
October-03
October-03
0
682
1070
3410
1070
Internet World Stats
1700
0486
518
62392
October-03
42551344
December-03
December-03
0
719
1110
3595
1110
Internet World Stats
1800
02852
538
65365
December-03
46997435
February-04
February-04
0
745
1150
3725
1150
Internet World Stats
1900
03107
558
6832
February-04
508984
May-04
May-04
0
757
1170
3785
1170
Internet World Stats
2000
03361
597
7417
May-04
5614669
October-04
October-04
0
812
1270
4060
1270
Internet World Stats
2100
03614
616
77064
October-04
62575968
December-04
December-04
0
817
1270
4085
1270
Internet World Stats
2200
03866
636
79935
December-04
65306895
March-05
March-05
0
888
1390
4440
1390
Internet World Stats
2300
04117
655
82782
March-05
73510416
June-05
June-05
0
938
1460
4690
1460
Internet World Stats
2400
04366
674
85606
June-05
80298428
September-05
September-05
0
957
1490
4785
1490
Internet World Stats
2500
04614
692
88404
September-05
84602628
November-05
November-05
0
972
1520
4860
1520
Internet World Stats
2600
0486
711
91176
November-05
88623072
December-05
December-05
0
1018
1570
5090
1570
Internet World Stats
2700
05348
729
93921
December-05
95611578
March-06
March-06
0
1023
1570
5115
1570
Internet World Stats
2800
05589
747
96638
March-06
98860674
June-06
June-06
0
1043
1600
5215
1600
Internet World Stats
2900
05828
783
101984
June-06
106369312
September-06
September-06
0
1086
1670
5430
1670
Internet World Stats
3000
06065
801
104611
September-06
113607546
December-06
December-06
0
1093
1670
5465
1670
Internet World Stats
3100
063
818
107207
December-06
117177251
March-07
March-07
0
1129
1720
5645
1720
Internet World Stats
3200
06534
835
109771
March-07
123931459
June-07
June-07
0
1173
1780
5865
1780
Internet World Stats
3300
06765
852
112301
June-07
131729073
September-07
September-07
0
1245
1890
6225
1890
Internet World Stats
3400
06993
869
114797
September-07
142922265
December-07
December-07
0
1319
2000
6595
2000
Internet World Stats
3500
0722
886
117258
December-07
154663302
March-08
March-08
0
1407
2110
7035
2110
Internet World Stats
3600
07665
902
119683
March-08
168393981
June-08
June-08
0
1463
2190
7315
2190
Internet World Stats
3700
07884
918
122071
June-08
178589873
September-08
September-08
0
1504
2250
7520
2250
Internet World Stats
3800
08101
949
126736
September-08
190610944
December-08
December-08
0
1574
2350
7870
2350
Internet World Stats
3900
08314
964
12901
December-08
20306174
March-09
March-09
0
1596
2380
7980
2380
Internet World Stats
4000
08525
971
13
March-09
20748
June-09
June-09
0
1669
2470
8345
2470
Internet World Stats
4100
08733
998
134
June-09
223646
September-09
September-09
0
1734
2560
8670
2560
Internet World Stats
4200
08938
1018
137
September-09
237558
December-09
December-09
0
1802
2660
9010
2660
Internet World Stats
4300
0914
1051
142
December-09
255884
June-10
June-10
0
1966
2870
9830
2870
Internet World Stats
4400
09339
1078
146
June-10
287036
September-10
September-10
0
1971
2880
9855
2880
Internet World Stats
4500
09728
1112
151
September-10
297621
09917
000
155333333333
159833333333
Sheet1
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
Sheet2
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
Sheet3
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Everybody
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Biometrics
59
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy
60
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Hardware Tokens
61
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around
62
Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Graphical Passwords
bull Examplesbull Passfaces Cued Click Points Windows 8
63
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Graphical Passwords
bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8
Challenge Multiple Passwords
64
Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Graphical Passwords Hotspots
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Password Managers
bull Password Management Software
67
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
Related Work
bull Password Management SoftwareChallenge Single point of failure
68
Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]
Course Business
CryptographyCS 555
Password Storage
Offline Attacks A Common Problem
Offline Attacks A Common Problem
A Dangerous Problem
Attempt 1 Hash Iteration
The Challenge
Goal Moderately Expensive Hash Function
Memory Costs Equitable Across Architectures
Outline
Memory Hard Function (MHF)
iMHF Candidates
iMHF (fGH)
Evaluating an iMHF (pebbling)
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example
Pebbling Example (CC)
Measuring Cost
Pebbling Example (CC)
Pebbling Equivalence
Desiderata
Depth-Robustness The Key Property
Naiumlve Pebbling Algorithms
Amortized Attack Quality
Desiderata
Desiderata
c-Ideal iMHF
Outline
Depth-Robustness The Key Property
Depth Robustness
Depth Robustness
Attacking (ed)-reducible DAGs
Depth Robustness is Necessary
Answer No
Argon2i [BDK]
Argon2i
Argon2i
Argon2i Reducing depth to 119899
Argon2i Reducing depth to 119899
Argon2i is a layered DAG (almost)
Attack Simulation [AB16b]
Ideal iMHFs Donrsquot Exist
But we cannot rule them out in practice
Outline
Depth-Robustness is Sufficient [ABP16]
Depth-Robustness is Sufficient [ABP16]
Summary
Conclusions
Thanks for Listening
Passwords vs time Look how far wersquove come
Biometrics
Biometrics
Hardware Tokens
Hardware Tokens
Graphical Passwords
Graphical Passwords
Graphical Passwords Hotspots
Graphical Passwords Hotspots
Password Managers
Related Work
References
References
bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]
bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]
bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]
bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]