Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary...

66
Course Business I am traveling April 25-May 3 rd Will still be available by e-mail to answer questions Final Exam Review on Monday, April 24 th Guest Lectures on April 26 and 28 (TBD) Final Exam on Monday, May 1 st (in this classroom) Adib will proctor Practice Final Exam released soon 1

Transcript of Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary...

Page 1: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Course Business

bull I am traveling April 25-May 3rd

bull Will still be available by e-mail to answer questions

bull Final Exam Review on Monday April 24th

bull Guest Lectures on April 26 and 28 (TBD)

bull Final Exam on Monday May 1st (in this classroom)bull Adib will proctor

bull Practice Final Exam released soon

1

CryptographyCS 555

Topic 39 Password Hashing

2

Password Storage

3

Username

jblocki

+

jblocki 123456

SHA1(12345689d978034a3f6)=85e23cfe0021f584e3db87aa72630a9a2345c062

Hash

85e23cfe0021f584e3db87aa72630a9a2345c062

Salt

89d978034a3f6

Presenter
Presentation Notes
As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash value The adversary can execute an offline attack against the password by comparing the hash value with the hashes of likely password guesses The adversary is limited only by the resources that he is willing to invest cracking the passwords

bull Password breaches at major companies have affected millions of users

Offline Attacks A Common Problem

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times

Offline Attacks A Common Problem

bull Password breaches at major companies have affected millions of users

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users

A Dangerous Problem

$2400 onAmazon

Can we increase guessing costs for the attacker

Attempt 1 Hash Iteration

bull BCRYPT

bull PBKDF2 100000 SHA256 computations(iterative)

Estimated Cost on ASIC $1 per billion password guesses [BS14]

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 2: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

CryptographyCS 555

Topic 39 Password Hashing

2

Password Storage

3

Username

jblocki

+

jblocki 123456

SHA1(12345689d978034a3f6)=85e23cfe0021f584e3db87aa72630a9a2345c062

Hash

85e23cfe0021f584e3db87aa72630a9a2345c062

Salt

89d978034a3f6

Presenter
Presentation Notes
As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash value The adversary can execute an offline attack against the password by comparing the hash value with the hashes of likely password guesses The adversary is limited only by the resources that he is willing to invest cracking the passwords

bull Password breaches at major companies have affected millions of users

Offline Attacks A Common Problem

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times

Offline Attacks A Common Problem

bull Password breaches at major companies have affected millions of users

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users

A Dangerous Problem

$2400 onAmazon

Can we increase guessing costs for the attacker

Attempt 1 Hash Iteration

bull BCRYPT

bull PBKDF2 100000 SHA256 computations(iterative)

Estimated Cost on ASIC $1 per billion password guesses [BS14]

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 3: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Password Storage

3

Username

jblocki

+

jblocki 123456

SHA1(12345689d978034a3f6)=85e23cfe0021f584e3db87aa72630a9a2345c062

Hash

85e23cfe0021f584e3db87aa72630a9a2345c062

Salt

89d978034a3f6

Presenter
Presentation Notes
As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash value The adversary can execute an offline attack against the password by comparing the hash value with the hashes of likely password guesses The adversary is limited only by the resources that he is willing to invest cracking the passwords

bull Password breaches at major companies have affected millions of users

Offline Attacks A Common Problem

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times

Offline Attacks A Common Problem

bull Password breaches at major companies have affected millions of users

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users

A Dangerous Problem

$2400 onAmazon

Can we increase guessing costs for the attacker

Attempt 1 Hash Iteration

bull BCRYPT

bull PBKDF2 100000 SHA256 computations(iterative)

Estimated Cost on ASIC $1 per billion password guesses [BS14]

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 4: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

bull Password breaches at major companies have affected millions of users

Offline Attacks A Common Problem

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users In the past few years I have had to update the slide several times

Offline Attacks A Common Problem

bull Password breaches at major companies have affected millions of users

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users

A Dangerous Problem

$2400 onAmazon

Can we increase guessing costs for the attacker

Attempt 1 Hash Iteration

bull BCRYPT

bull PBKDF2 100000 SHA256 computations(iterative)

Estimated Cost on ASIC $1 per billion password guesses [BS14]

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 5: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Offline Attacks A Common Problem

bull Password breaches at major companies have affected millions of users

Presenter
Presentation Notes
Unfortunately offline dictionary attacks are quite common Password breaches at major companies have affected millions of users

A Dangerous Problem

$2400 onAmazon

Can we increase guessing costs for the attacker

Attempt 1 Hash Iteration

bull BCRYPT

bull PBKDF2 100000 SHA256 computations(iterative)

Estimated Cost on ASIC $1 per billion password guesses [BS14]

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 6: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

A Dangerous Problem

$2400 onAmazon

Can we increase guessing costs for the attacker

Attempt 1 Hash Iteration

bull BCRYPT

bull PBKDF2 100000 SHA256 computations(iterative)

Estimated Cost on ASIC $1 per billion password guesses [BS14]

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 7: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Attempt 1 Hash Iteration

bull BCRYPT

bull PBKDF2 100000 SHA256 computations(iterative)

Estimated Cost on ASIC $1 per billion password guesses [BS14]

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 8: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

The Challenge

User Patience

Disclaimer This slide is entirely for humorous effect Donrsquot take it too seriously

Time

Uni

ts o

f Pat

ienc

e

USD

$

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 9: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Goal Moderately Expensive Hash Function

Fast on PC and Expensive on ASIC

Presenter
Presentation Notes
This motivates the need for moderately hard functions The basic idea is to build a password hash function that is moderately expensive to compute to limit the number of guesses that an adversary would be willing to try An honest server only needs to compute the function once during a typical authentication session However the adversary potentially has an advantage in this game While the honest server must typically evaluate the function on standard hardware the adversary could use potentially reduce the cost per password guess by developing customized hardware (GPUs FPGAs ASICs) to evaluate the password hash function Thus we want to ensure that the cost to evaluate this function is equitable across platforms13

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 10: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Memory Costs Equitable Across Architectures

Presenter
Presentation Notes
By contrast memory costs tends to be much more equitable across different architectures

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 11: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)

bull Graph Pebblingbull Measuring Pebbling Costsbull Desiderata

bull Attacks on iMHF Constructionsbull Constructing iMHFsbull Open Questions

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 12: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Memory Hard Function (MHF)

bull Intuition computation costs dominated by memory costsvs

bull Data Independent Memory Hard Function (iMHF)bull Memory access pattern should not depend on input

Presenter
Presentation Notes
In this work we study a special type of memory hard function called data-independent memory hard functions As the name suggests the memory access pattern will not depend on the input making the functions resistant to side-channel attacks

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 13: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

iMHF Candidates

bull Catena [FLW15]bull Special Recognition at Password Hashing Competitionbull Two Variants Dragonfly and Double-Butterfly

bull Argon2 [BDK15]bull Winner of the Password Hashing Competitionbull Argon2i (data-independent mode) is recommended for Password Hashing

bull Balloon Hashing [BCS16]bull Newer proposal (three variants in original proposal)

Presenter
Presentation Notes
In terms of depth-robustness two of these variants were similar to Catena and one variant was similar to Argon

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 14: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

iMHF (fGH)

12

3

4Output fGH (pwdsalt)= L4

Input pwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

Defined by bull H 01 2119896119896 rarr 01 119896119896 (Random Oracle)bull DAG G (encodes data-dependencies)

bull Maximum indegree 120575120575 = O 1

1

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 15: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Evaluating an iMHF (pebbling)

Pebbling Rules 119875119875=P1hellipPtsub 119881119881 stbull Pi+1sub Pi cup 119909119909 isin 119881119881 parents 119909119909 sub Pi+1 (need dependent values)bull nisin Pt (must finish and output Ln)

12

3

4 Output L4Inputpwd salt

1198711198713 = 119867119867(1198711198712 1198711198711)1198711198711 = 119867119867(119901119901119901119901119901119901 119904119904119904119904119904119904119904119904)

1

Presenter
Presentation Notes
We will describe our algorithms for evaluating an iMHF using the language of graph pebbling Placing a pebble on a node corresponds to computing the corresponding label and keeping a pebble on the graph corresponds to storing that label in memory Of course we can only compute a label if we have all of the dependent labels Thus in a legal pebbling we cannot place a pebble on a node until we have pebbles on the parents of that node If the adversary is parallel then we are allowed to place multiple pebbles on the graph in each round We can remove pebbles from the graph at any point in time

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 16: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example

1 2 3 4 51 3 4 5

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 17: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example

1 2 3 4 5

P1 = 1

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 18: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example

1 2 3 4 5

P1 = 1P2 = 12

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 19: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 20: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 21: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 22: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 23: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Measuring Cost

bull Cumulative Complexity (CC)

CC 119866119866 = min119875119875

119894119894=1

119905119905119875119875

119875119875119894119894

bull Amortization [AS15]CC 119866119866119866119866 = 2 times CC(119866119866)

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 24: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Example (CC)

P1 = 1P2 = 12P3 = 3

1 2 3 4 5

P4 = 34P5 = 5

CC 119866119866 le119894119894=1

5

119875119875119894119894

= 1 + 2 + 1 + 2 + 1= 7

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 25: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Pebbling Equivalence

119827119827119827119827119827119827119827119827119827119827119827119827119827119827 119808119808119808119808119808119808119808119808 (119816119816119816119816119816119816119827119827119827119827119827119827119816119816119816119816) High pebbling complexity of G implies high amortized memory complexity for the iMHF fGH

Implication Structure of the graph G is key to iMHFsecurity

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 26: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Desiderata

Find a DAG G on n nodes such that1 Constant Indegree (120575120575 = 2)

2 CC(G) ge 1198991198992

120591120591for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 27: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 28: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Naiumlve Pebbling Algorithms

bull Sequential Algorithm (Naiumlve)bull Constraint One new pebble per roundbull Every iMHF is defined via its Naiumlve algorithm

bull Example Naiumlve (Pebble in Topological Order)bull Never discard pebblesbull Time nbull Average pebbles n2bull ER(Naiumlve) = θ Rn + n2

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 29: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Amortized Attack Quality

Quality119877119877 119860119860 =ER(Naiumlve)

ER 119860119860times 119894119894119894119894119904119904119904119904(119860119860)

Example Algorithm A evaluates 5 iMHF instances with total cost ER 119860119860 = 100 and ER Naiumlve = 40

Quality119877119877 119860119860 =40

100times 5 = 2

Presenter
Presentation Notes
Use Example

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 30: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Memory costs should dominate

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 31: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Desiderata

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for some small value 120591120591

Maximize costs for fixed n(Users are impatient)

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 32: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

c-Ideal iMHF

Find a DAG G and a sequential pebbling algorithm N with1 Constant Indegree (120575120575 = 2)

2 QualityR(A) le 119888119888 for every adversary A (c small)

3 ER(Naive) ge 1198991198992

120591120591+ R119894119894 for 120591120591 = 119874119874(1)

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 33: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Our Attacks

bull General Attack on Non Depth Robust DAGsbull Existing iMHFs are not Depth Robustbull Ideal iMHFs donrsquot exist

bull Subsequent Results (Depth-Robustness is Sufficient)bull Open Questions

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 34: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Depth-Robustness The Key Property

Necessary [AB16] and sufficient[ABP16] for secure iMHFs

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 35: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 36: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Depth Robustness

Definition A DAG G=(VE) is (ed)-reducible if there exists 119878119878 sube 119881119881st 119878119878 le 119890119890 and depth(G-S) le d

Otherwise we say that G is (ed)-depth robust

1 2 3 4 5

Example (12)-reducible

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 37: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Attacking (ed)-reducible DAGs

bull Input |S| lee such that depth(G-S) = d g gt d

bull Light Phase (g rounds) Discard most pebblesbull Goal Pebble the next g nodes in g (sequential) stepsbull Low Memory (only keep pebbles on S and on parents of new nodes)bull Lasts a ``longrdquo time

bull Balloon Phase (d rounds) Greedily Recover Missing Pebblesbull Goal Recover needed pebbles for upcoming light phasebull Expensive but quick (at most d steps in parallel)

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 38: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Theorem (Depth-Robustness is a necessary condition) If G is not (ed)-node robust then CC 119866119866 = O 119890119890119894119894 + 1198941198943119901119901 In particular CC 119866119866 = o 1198941198942 for ed=o(n)

Depth Robustness is Necessary

Are existing iMHF candidates based on depth-robust DAGs

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 39: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Answer No

bull Catena [FLW15] is 119890119890 119874119874 119899119899119890119890

-reducible

119862119862119862119862 = 119874119874 119894119894162

bull Balloon Hashing and Argon2i (old version) are 119890119890 119874119874 1198991198992

1198901198902-reducible

119862119862119862119862 = 119874119874 119894119894171

bull Argon2i (latest version) is 119890119890 119874119874 1198991198993

1198901198903-reducible

119862119862119862119862 = 119874119874 119894119894177

bull Similar picture for most other iMHF candidates [AGKKOPRRR16]

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 40: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Argon2i [BDK]

bull Argon2 Winner of the password hashing competition[2015]

bull Authors recommend Argon2i variant (data-independent) for password hashing

Presenter
Presentation Notes
Alex Biryukov Daniel Dinu and Dmitry Khovratovich from University of Luxembourg

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 41: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Argon2i

1 2 3 4 ihellip n

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 42: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Argon2i

1 2 3 4 ihellip n

random predecessor r(i) lt i

Indegree 120575120575 = 2

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 43: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894helliphelliphellip

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 44: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Argon2i Reducing depth to 119894119894

1 2 3 11989411989434

helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Definition 1198781198782 = 119907119907119894119894 119907119907119903119903(119894119894)and v119894119894 in same layer

119810119810119816119816119816119816119810119810119827119827 1198781198782119810119810119842119842 119842119842119827119827119816119816119816119816119816119816

helliphelliphellip

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 45: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

119813119813119816119816119813119813119813119813 Easy to reduce the depth of a path

Argon2i is a layered DAG (almost)

1 2 3 11989411989434

+2 +3 helliphellip

211989411989434

hellip 4 119894119894

n

Layer 0Layer 1

Layer 4 119894119894

Let S = S1+S2

helliphelliphellip

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 46: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Attack Simulation [AB16b]

Attack on Argon 2i-B is practical even for pessimistic parameter ranges (brown line)

Pessimistic Argon 2i-B parameter

Parameter setting could easily be chosen when following Argon2i-B guidelines

hellip

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 47: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Ideal iMHFs Donrsquot Exist

Thm[AB16] Any graph G (with constant in-degree) is at least somewhat depth-reducible

Implication If CC(G)= Ω 1198941198942 there is an attack A with high quality

QualityR 119860119860 =Ωlog(119894119894)

log log(119894119894)

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 48: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

But we cannot rule them out in practice

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 49: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Outline

bull Motivationbull Data Independent Memory Hard Functions (iMHFs)bull Attacksbull Constructing iMHFs (New)

bull Depth-Robustness is sufficient

bull Conclusions and Open Questions

Presenter
Presentation Notes
Joint work with Joel Alwen and Krzysztof Pietrzak

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 50: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Depth-Robustness is Sufficient [ABP16]

Proof Let P1hellipPt denote an (optimal) pebbling of G For 0lt i lt d defineSi = 119875119875119894119894 cup 119875119875119889119889+119894119894 cup 1198751198752119889119889+119894119894 cup ⋯

one of the sets Si has size at most CC(G)d Now we claim that d ge depth(G-Si)

because any path in G-Si must have been completely pebbled at some point Thus it must have been pebbled entirely during some interval of length d Thus G (CC(G)dd)-reducible It follows that CC(G)ge 119890119890119901119901

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 51: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Depth-Robustness is Sufficient [ABP16]

Implications There exists a constant indegree graph G with

CC G ge Ω1198941198942

log119894119894

Previous Best [AS15] Ω 1198991198992

log10 119899119899

[AB16] We cannot do better (in an asymptotic sense)

119818119818119827119827119818119818 119827119827119827119827119827119827119827119827119827119827119827119827119827119827 Let G=(VE) be (ed)-depth robust then CC(G)ge 119890119890119901119901

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 52: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Summary

bull BCRYPT and PBKDF2 are no longer sufficient for password hashing

bull Argon2i is an improvement over BCRYPT and PBKDF2bull But still has its flaws [AB16AB17]

bull Current Recommendation Argon2idbull No side channel attacks Resists known attacksbull Side channel attacks reduce security to Argon2i

bull Look for improvements in the near future using depth-robust graphs [ABP17]

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 53: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Conclusions

bull Depth-robustness is a necessary and sufficient for secure iMHFsbull [AB16] [ABP16]

bull Big Challenge Improved Constructions of Depth-Robust Graphsbull We already have constructions in theory [EGS77 PR80 hellip]bull But constants matter

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 54: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Thanks for Listening

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 55: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Passwords vs time Look how far wersquove come

Netscape IPO Dotcom crash

Source Cormacrsquos estimate

ldquoThe password is deadrdquo

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 56: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Chart1

3
48
1368
322
7791
15376
2527
39639
47953
61115
7353
94674
106021
134538
16527
194616
21681

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
33208
35034
35400
35765
36130
36495
36861
37226
37591
37956
38322
38687
39052
39417
39783
40148
40513
Page 57: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Sheet1

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
DATE DATE NUMBER OF USERS WORLD WORLD INFORMATION DATE DATE NUMBER OF USERS DATE DATE acctsyr
POPULATION POPULATION SOURCE
December-90 0 3 15 020 00261 000 1 December-90 3 1 December-90 3 1 December-90 3 3 December-90 3 1 3
December-95 December-95 0 16 040 80 040 IDC 100 00522 180 12 December-95 192 December-95 16 1778 December-95 48 28448 December-95 48 3 48
December-96 December-96 0 36 090 180 090 IDC 200 00783 188 13132 December-96 472752 December-96 36 1994916 December-96 126 71816976 December-96 1368 38 126
December-97 December-97 0 70 170 350 170 IDC 300 01043 209 16263 December-97 113841 December-97 70 2238295752 December-97 280 15668070264 December-97 322 46 280
December-98 December-98 0 147 360 735 360 CI Almanac 400 01303 230 19391 December-98 2850477 December-98 147 25113678337 December-98 6615 3691710715604 December-98 7791 53 6615
December-99 December-99 0 248 410 1240 410 Nua Ltd 500 01563 251 22517 December-99 5584216 December-99 248 28177547095 December-99 1240 6988031679463 December-99 15376 62 1240
March-00 March-00 0 304 500 1520 500 Nua Ltd 600 01822 272 25638 March-00 7793952 December-00 361 3161520784 December-00 19855 11413090030294 December-00 2527 7 19855
July-00 July-00 0 359 590 1795 590 Nua Ltd 700 02081 293 28754 July-00 10322686 December-01 543 35472263197 December-01 3258 1926143891578 December-01 39639 73 3258
December-00 December-00 0 361 580 1805 580 Internet World Stats 800 02338 313 31864 December-00 11502904 December-02 607 39799879307 December-02 39455 2415852673913 December-02 47953 79 39455
March-01 March-01 0 458 760 2290 760 Nua Ltd 900 02852 334 34967 March-01 16014886 December-03 719 44655464582 December-03 5033 32107279034493 December-03 61115 85 5033
June-01 June-01 0 479 790 2395 790 Nua Ltd 1000 03107 355 38061 June-01 18231219 December-04 817 50103431261 December-04 61275 40934503340285 December-04 7353 9 61275
August-01 August-01 0 513 860 2565 860 Nua Ltd 1100 03361 396 44221 August-01 22685373 December-05 1018 56216049875 December-05 8144 57227938772657 December-05 9467 93 8144
April-02 April-02 0 558 860 2790 860 Internet World Stats 1200 03614 417 47284 April-02 26384472 December-06 1093 6307440796 December-06 9291 68940327899894 December-06 10602 97 9291
July-02 July-02 0 569 910 2845 910 Internet World Stats 1300 03866 437 50334 July-02 28640046 December-07 1319 70769485731 December-07 11871 93344951678825 December-07 13454 102 11871
September-02 September-02 0 587 940 2935 940 Internet World Stats 1400 04117 458 53371 September-02 31328777 December-08 1574 7940336299 December-08 14953 124980893346059 December-08 16527 105 14953
March-03 March-03 0 608 970 3040 970 Internet World Stats 1500 04366 478 56394 March-03 34287552 December-09 1802 89090573275 December-09 18020 160541213040896 December-09 19462 108 18020
September-03 September-03 0 677 1060 3385 1060 Internet World Stats 1600 04614 498 59401 September-03 40214477 December-10 1971 99959623214 December-10 20696 197020417355075 December-10 21681 11 20696
October-03 October-03 0 682 1070 3410 1070 Internet World Stats 1700 0486 518 62392 October-03 42551344
December-03 December-03 0 719 1110 3595 1110 Internet World Stats 1800 02852 538 65365 December-03 46997435
February-04 February-04 0 745 1150 3725 1150 Internet World Stats 1900 03107 558 6832 February-04 508984
May-04 May-04 0 757 1170 3785 1170 Internet World Stats 2000 03361 597 7417 May-04 5614669
October-04 October-04 0 812 1270 4060 1270 Internet World Stats 2100 03614 616 77064 October-04 62575968
December-04 December-04 0 817 1270 4085 1270 Internet World Stats 2200 03866 636 79935 December-04 65306895
March-05 March-05 0 888 1390 4440 1390 Internet World Stats 2300 04117 655 82782 March-05 73510416
June-05 June-05 0 938 1460 4690 1460 Internet World Stats 2400 04366 674 85606 June-05 80298428
September-05 September-05 0 957 1490 4785 1490 Internet World Stats 2500 04614 692 88404 September-05 84602628
November-05 November-05 0 972 1520 4860 1520 Internet World Stats 2600 0486 711 91176 November-05 88623072
December-05 December-05 0 1018 1570 5090 1570 Internet World Stats 2700 05348 729 93921 December-05 95611578
March-06 March-06 0 1023 1570 5115 1570 Internet World Stats 2800 05589 747 96638 March-06 98860674
June-06 June-06 0 1043 1600 5215 1600 Internet World Stats 2900 05828 783 101984 June-06 106369312
September-06 September-06 0 1086 1670 5430 1670 Internet World Stats 3000 06065 801 104611 September-06 113607546
December-06 December-06 0 1093 1670 5465 1670 Internet World Stats 3100 063 818 107207 December-06 117177251
March-07 March-07 0 1129 1720 5645 1720 Internet World Stats 3200 06534 835 109771 March-07 123931459
June-07 June-07 0 1173 1780 5865 1780 Internet World Stats 3300 06765 852 112301 June-07 131729073
September-07 September-07 0 1245 1890 6225 1890 Internet World Stats 3400 06993 869 114797 September-07 142922265
December-07 December-07 0 1319 2000 6595 2000 Internet World Stats 3500 0722 886 117258 December-07 154663302
March-08 March-08 0 1407 2110 7035 2110 Internet World Stats 3600 07665 902 119683 March-08 168393981
June-08 June-08 0 1463 2190 7315 2190 Internet World Stats 3700 07884 918 122071 June-08 178589873
September-08 September-08 0 1504 2250 7520 2250 Internet World Stats 3800 08101 949 126736 September-08 190610944
December-08 December-08 0 1574 2350 7870 2350 Internet World Stats 3900 08314 964 12901 December-08 20306174
March-09 March-09 0 1596 2380 7980 2380 Internet World Stats 4000 08525 971 13 March-09 20748
June-09 June-09 0 1669 2470 8345 2470 Internet World Stats 4100 08733 998 134 June-09 223646
September-09 September-09 0 1734 2560 8670 2560 Internet World Stats 4200 08938 1018 137 September-09 237558
December-09 December-09 0 1802 2660 9010 2660 Internet World Stats 4300 0914 1051 142 December-09 255884
June-10 June-10 0 1966 2870 9830 2870 Internet World Stats 4400 09339 1078 146 June-10 287036
September-10 September-10 0 1971 2880 9855 2880 Internet World Stats 4500 09728 1112 151 September-10 297621
09917 000 155333333333
159833333333
Page 58: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Sheet1

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
Page 59: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Sheet2

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
Page 60: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Sheet3

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
Page 61: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
Page 62: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
Page 63: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
Page 64: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Everybody
Page 65: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 66: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Biometrics

59

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 67: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Biometricsbull Alternatives to PasswordsChallenges Revoke Secrecy

60

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 68: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Hardware Tokens

61

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 69: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Hardware Tokensbull Alternatives to PasswordsChallenge $$$ + more stuff to carry around

62

Presenter
Presentation Notes
Another line of research has sought to eliminate text passwords One might ask whether or not password research will be relevant in the future Bonneau et al considered each of these alternatives to text passwords in 2012 and concluded that there was no silver bullet to replace text passwords While every proposed replacement has desirable properties every replacement scheme they evaluated also had its disadvantages For example biometrics signals like fingerprints cannot be changed if they are compromised131313Quest to Replace Passwords13Bonneau J Univ of Cambridge Cambridge UK Herley C van Oorschot PC Stajano F13

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 70: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Graphical Passwords

bull Examplesbull Passfaces Cued Click Points Windows 8

63

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 71: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Graphical Passwords

bull Graphical Passwordsbull Passfaces Cued Click Points Windows 8

Challenge Multiple Passwords

64

Presenter
Presentation Notes
Graphical passwords have been an active area of research over the past 2 decades Graphical password schemes aim to make passwords easier to remember by taking advantage of the natural human capacity for visual memory and cued recall We will seek to exploit visual and associative memory with Person-Action-Object stories The key difference is that we are focused on strategies for creating and remembering multiple passwords 131313Graphical password authentication using cued click points13S Chiasson PC van Oorschot R Biddle - Computer SecurityndashESORICS13

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 72: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Graphical Passwords Hotspots

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 73: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Graphical Passwords Hotspots

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 74: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Password Managers

bull Password Management Software

67

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 75: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

Related Work

bull Password Management SoftwareChallenge Single point of failure

68

Presenter
Presentation Notes
LastPass13KeePass131Password1313A Usability Study and Critique of Two Password Managers lowast13by S Chiasson PC van Oorschot R Biddle 1313PwdHash13Blake Ross Collin Jackson Nicholas Miyake Dan Boneh and John C Mitchell1313

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References
Page 76: Attacking Data Independent Memory Hard Functions · As a motivating example consider an adversary who breaks into an authentication server and steals a users crptographic hash va\൬ue.

References

bull Depth-Robust Graphs and Their Cumulative Memory Complexity with Joel Alwen and Krzysztof Pietrzak EUROCRYPT 2017 (to appear) [ePrint]

bull On the Computational Complexity of Minimal Cumulative Cost Graph Pebbling with Samson Zhou (Working Paper) [arXiv]

bull Towards Practical Attacks on Argon2i and Balloon Hashing with Joel Alwen EuroSampP 2017 (to appear) [ePrint]

bull Efficiently Computing Data Independent Memory Hard Functions with Joel Alwen CRYPTO 2016 [Full Version]

  • Course Business
  • CryptographyCS 555
  • Password Storage
  • Offline Attacks A Common Problem
  • Offline Attacks A Common Problem
  • A Dangerous Problem
  • Attempt 1 Hash Iteration
  • The Challenge
  • Goal Moderately Expensive Hash Function
  • Memory Costs Equitable Across Architectures
  • Outline
  • Memory Hard Function (MHF)
  • iMHF Candidates
  • iMHF (fGH)
  • Evaluating an iMHF (pebbling)
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example
  • Pebbling Example (CC)
  • Measuring Cost
  • Pebbling Example (CC)
  • Pebbling Equivalence
  • Desiderata
  • Depth-Robustness The Key Property
  • Naiumlve Pebbling Algorithms
  • Amortized Attack Quality
  • Desiderata
  • Desiderata
  • c-Ideal iMHF
  • Outline
  • Depth-Robustness The Key Property
  • Depth Robustness
  • Depth Robustness
  • Attacking (ed)-reducible DAGs
  • Depth Robustness is Necessary
  • Answer No
  • Argon2i [BDK]
  • Argon2i
  • Argon2i
  • Argon2i Reducing depth to 119899
  • Argon2i Reducing depth to 119899
  • Argon2i is a layered DAG (almost)
  • Attack Simulation [AB16b]
  • Ideal iMHFs Donrsquot Exist
  • But we cannot rule them out in practice
  • Outline
  • Depth-Robustness is Sufficient [ABP16]
  • Depth-Robustness is Sufficient [ABP16]
  • Summary
  • Conclusions
  • Thanks for Listening
  • Passwords vs time Look how far wersquove come
  • Biometrics
  • Biometrics
  • Hardware Tokens
  • Hardware Tokens
  • Graphical Passwords
  • Graphical Passwords
  • Graphical Passwords Hotspots
  • Graphical Passwords Hotspots
  • Password Managers
  • Related Work
  • References

Side Channel Attacks - courses.cs.washington.edu...–Adversary can run code, in the same process. –Adversary can control the value x. –Adversary has access to array2. –Adversary

Side Channel Attacks - courses.cs.washington.edu...–Adversary can run code, in the same process. –Adversary can control the value x. –Adversary has access to array2. –Adversary

The Secret Adversary...The Secret Adversary Author Agatha Christie, Agatha Miller Christie ...

The Secret Adversary...The Secret Adversary Author Agatha Christie, Agatha Miller Christie ...

Our Constitutionalized Adversary System...Our Constitutionalized Adversary System effective ideas for breaking the adversary mold. .". ."" Thus, the adversary system has become a battleground

Our Constitutionalized Adversary System...Our Constitutionalized Adversary System effective ideas for breaking the adversary mold. .". ."" Thus, the adversary system has become a battleground

AMAZING STEALS LIVE AUCTION 2001

AMAZING STEALS LIVE AUCTION 2001

Loyal Pup Steals From

Loyal Pup Steals From

Steals & Deals Central Edition 6-2-16

Steals & Deals Central Edition 6-2-16

Steals & Deals Southeastern Edition 6-16-16

Steals & Deals Southeastern Edition 6-16-16

Attacking & Defending Two versus two each player attacking ...

Attacking & Defending Two versus two each player attacking ...

Adversary TEXT

Adversary TEXT

Identifying the COG - Army War College of Gravity Article... · on an adversary by attacking or otherwise seeking to affect his capabilities and intentions. ... by the strength of

Identifying the COG - Army War College of Gravity Article... · on an adversary by attacking or otherwise seeking to affect his capabilities and intentions. ... by the strength of

The Voir Dire Examination, Juror Challenges, and Adversary ... · Juror Challenges, and Adversary Advocacy ~ ... THE VOIR DIRE EXAMINATION, JUROR CHALLENGES, AND ADVERSARY ... relative

The Voir Dire Examination, Juror Challenges, and Adversary ... · Juror Challenges, and Adversary Advocacy ~ ... THE VOIR DIRE EXAMINATION, JUROR CHALLENGES, AND ADVERSARY ... relative

Secret adversary

Secret adversary

Ally or adversary?

Ally or adversary?

adversary oracle

adversary oracle

2006 Lethal Adversary

2006 Lethal Adversary

Temple of the Adversary by the Adversary of God _SMY

Temple of the Adversary by the Adversary of God _SMY

McConnell, Oma, Adversary

McConnell, Oma, Adversary

Satan Our Adversary

Satan Our Adversary

Adversary Cards

Adversary Cards

COMPLAINT - ADVERSARY PROCEEDING

COMPLAINT - ADVERSARY PROCEEDING