All Your Browser-saved Passwords Could Belong to Us - A Security Analysis and a Cloud- based New Design By Rui Zhao, Chuan Yue ACM Conference on Data and Applications Security (CODASPY), 2013

Dec 17, 2015

Page 1

All Your Browser-saved Passwords Could Belong to Us

- A Security Analysis and a Cloud-based New Design

By Rui Zhao, Chuan Yue
ACM Conference on Data and Applications Security (CODASPY), 2013

Page 2

Text Passwords: the Dominant Position in Online User Authentication [1]

[1] J. Bonneau et al., The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proc. of IEEE S&P Symposium, 2012

Page 3

Password Security

• The “something you know” authentication factor
• Expectations: strong, protected from being stolen

Page 4

Problems of Passwords

• The Dilemma
  – Weak passwords suffer from brute-force and dictionary attacks
  – Strong passwords are difficult to remember
• Vulnerable to harvesting attacks such as phishing
• Web users have more online accounts than before
• The reality: use weak passwords, share passwords, write down passwords, etc. [2,3]

[2] D. Florêncio and C. Herley. A large-scale study of web password habits. In Proc. of WWW, 2007.
[3] S. Komanduri et al. Of passwords and people: Measuring the effect of password-composition policies. In Proc. of CHI, 2011.

Page 5

Some Popular Solutions

• Graphical passwords
  – security and usability concerns
• Password hashing systems
  – security and usability concerns
• Single sign-on systems
  – security concerns, business model limitations
• Browser-based password managers
  – save and autofill, users don’t need to remember
  – potentially protect against phishing attacks [4]

[4] C. Yue. Preventing the Revealing of Online Passwords to Inappropriate Websites with LoginInspector. In Proc. of LISA, 2012.

Page 6

Browser-based Password Managers (BPMs)

Browser               Enabled by Default   Master Password   Password Sync.
IE (9.0)              Yes                  No                No
Firefox (15.0)        Yes                  Yes               Yes
Google Chrome (21.0)  Yes                  No                Yes
Safari (5.1)          No                   No                No
Opera (12.02)         Yes                  Yes               Yes

Page 7

Outline

• Introduction and Background

• Vulnerability Analysis

• Design of Cloud-based Storage-Free BPM (CSF-BPM)

• Implementation, Evaluation, Security Analysis

• Conclusion, Current and Future Work

Page 8

Are those passwords saved by BPMs secure?

Page 9

Threat Model - Basic

• “Where a threat intersects with a vulnerability, risk is present.” – NIST Information Security Handbook: A Guide for Managers.

• Threat sources - attackers who want to steal the sensitive login information stored in BPMs

• Basic threat model:
  – Attackers can temporarily install malware on a user’s computer using very popular attacks such as drive-by downloads [5,6]
  – The installed malware can then steal the data

[5] N. Provos et al., All your iframes point to us. In Proc. of USENIX Security Symposium, 2008.
[6] Y.-M. Wang et al., Automated web patrol with strider honeymonkeys: Finding websites that exploit browser vulnerabilities. In Proc. of NDSS, 2006.

Page 10

Threat Model - Assumptions

• The installed malware can be removed from the system in a timely manner
  – Anti-malware software, such as Microsoft Forefront Endpoint Protection
  – Solutions such as the Back to the Future framework [7]
  – Same assumption as in Google’s 2-step verification [8]

• Hard to identify cryptographic keys from memory [9]

• DNS systems are secure and reliable

[7] F. Hsu et al., Back to the future: A framework for automatic malware removal and system repair. In Proc. of ACSAC, 2006.
[8] E. Grosse and M. Upadhyay, Authentication at Scale. IEEE S&P Magazine, 2012.
[9] J. A. Halderman et al., Lest we remember: Cold boot attacks on encryption keys. In Proc. of USENIX Security Symposium, 2008.

Page 11

The Essential Problem of Existing BPMs

• Computer → Home
• A BPM → The Safe
• A Master Password → The Combination
• Google Chrome, Internet Explorer and Safari:
  – No combination at all
• Firefox and Opera:
  – No mandatory combination
  – Brute-force attacks and phishing attacks against the master password

The encrypted passwords stored by BPMs of the five browsers are very weakly protected!

Page 12

More Details on Attacks - 1

• Firefox without master password
  – steal signons.sqlite and key3.db, decrypt on any computer
• Opera without master password
  – steal wand.dat, decrypt on any computer
• Firefox and Opera with master password
  – the computation time for verifying a master password is very small
  – phishing attacks against the master password

Page 13

The (a) genuine and (b) fake master password entry dialog box in Firefox.

• Created by the JavaScript prompt() function on any regular page
• More sophisticated ones can be created by JavaScript and CSS (Cascading Style Sheets)

Page 14

More Details on Attacks - 2

• Internet Explorer, Google Chrome, and Safari
  – use the Windows API functions CryptProtectData and CryptUnprotectData
  – typically, only a user with the same Windows logon credential can decrypt the data
  – attackers steal the ciphertext, decrypt it on the victim’s computer, send back plaintext

Page 15

Overall Security Analysis Results

• All your browser-saved passwords could belong to us!
• We have developed tools and verified these security risks!

Page 16

Responses to our Responsible Vulnerability Disclosure

• Firefox: asked for a development proposal
• IE: forwarded to their development team
• Safari: it is the limitation of Windows APIs
• Opera: “a convenience feature, not a security feature”, do not assume drive-by download, will improve usability
• Google Chrome: engineers quoted Law #1 from Microsoft: “If a bad guy can persuade you to run his program on your computer, it's not your computer anymore”; upper-level researchers have different views

Page 17

Cloud-based Storage-Free BPM (CSF-BPM) Design
High-level Architecture

Page 18

CSF-BPM Design Details

[Design diagram; labels recovered from the slide: Proactive password checker; Single Strong Master Password (SSMP); mainKey; aeKey; recordKey; Encryption; Authenticated Encryption; ELIR, ELIR, … (protected ELIRs); Website credentials; per-record fields: siteURL, siteUsername, encryptedSitePassword, recordSalt; Header fields: mainSalt, aeSalt, PBKDF-id, PBKDF-params, E-id, E-params, AE-id, AE-params]

Password-based Key Derivation Function 2 (PBKDF-2) – RFC 2898

Page 19

Security Analysis

• Reduces the opportunities for attackers to steal and further crack regular users’ saved passwords

• Makes it computationally infeasible for attackers to decrypt the stolen data

• Accurately detects any invalid SSMP try and any modification to a saved PUPE data object

• Requires a user to remember SSMP
• Offers better security than Firefox and Opera with master password
  – They save encrypted data locally
  – They do not have strong key derivation
  – They do not detect any modification to the saved data
  – They need specific storage service
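A worked sketch of the record-level protection described on pages 18 and 19, added here as an example and not the authors' CSF-BPM code: mainKey is derived from the SSMP and mainSalt with PBKDF2-HMAC-SHA256 (RFC 2898), a per-record key is derived with recordSalt, and each record is protected encrypt-then-MAC so that a wrong SSMP or any modified field is rejected before decryption. Assumed (not fixed by the slides): the iteration count, the per-record key derivation, the field names taken from the diagram, and an HMAC counter-mode keystream standing in for the block cipher the E-id field would name, since Python's standard library has no AES.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 200_000  # assumed iteration count; the slides only call for a strong PBKDF


def derive_key(secret: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    # PBKDF2-HMAC-SHA256 (RFC 2898), the PBKDF that PBKDF-id/PBKDF-params would select
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=length)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the block cipher E-id would name
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), "sha256").digest()
                    for i in range(blocks))[:length]


def seal_record(ssmp: str, main_salt: bytes, site_url: str, site_username: str,
                site_password: str) -> dict:
    # mainKey from SSMP + mainSalt; per-record key (assumed: one PBKDF2 round over
    # mainKey with recordSalt) is split into an encryption half and a MAC half
    main_key = derive_key(ssmp.encode(), main_salt, ITERATIONS)
    record_salt = os.urandom(16)
    record_key = derive_key(main_key, record_salt, 1, 64)
    enc_key, mac_key = record_key[:32], record_key[32:]
    nonce = os.urandom(16)
    pw = site_password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, keystream(enc_key, nonce, len(pw))))
    # encrypt-then-MAC; the tag also covers siteURL and siteUsername so they cannot be swapped
    assoc = site_url.encode() + b"\0" + site_username.encode()
    tag = hmac.new(mac_key, assoc + nonce + ct, "sha256").digest()
    return {"siteURL": site_url, "siteUsername": site_username,
            "recordSalt": record_salt, "encryptedSitePassword": nonce + ct + tag}


def open_record(ssmp: str, main_salt: bytes, rec: dict) -> str:
    # Returns the site password; raises ValueError on a wrong SSMP or any modified field
    main_key = derive_key(ssmp.encode(), main_salt, ITERATIONS)
    record_key = derive_key(main_key, rec["recordSalt"], 1, 64)
    enc_key, mac_key = record_key[:32], record_key[32:]
    blob = rec["encryptedSitePassword"]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    assoc = rec["siteURL"].encode() + b"\0" + rec["siteUsername"].encode()
    expected = hmac.new(mac_key, assoc + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # verify before touching the ciphertext
        raise ValueError("invalid SSMP or modified record")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))).decode()
```

Because the PBKDF2 cost is paid per SSMP guess and the tag check is the only way to learn whether a guess was right, a stolen record gives an attacker no cheaper test than the full derivation, which is the property page 12 says Firefox and Opera lack.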