Duress Detection for Authentication Attacks Against Multiple Administrators

Emil Stefanov, UC Berkeley, emil@cs.berkeley.edu
Mikhail Atallah, Purdue University, mja@cs.purdue.edu

Remedies for Authentication Attacks

• Guessing passwords
  o Require strong passwords.
• Eavesdropping
  o Encrypt traffic (e.g., TLS/SSH).
• Man in the middle
  o Pre-shared secrets, certificate-based authentication.
• Spyware
  o Intrusion detection systems / antivirus
• Phishing
  o TLS, web filters.
• Shoulder surfing
  o Common sense.
• Physical Coercion
  o Duress Detection

Physical Coercion

• Alice has an account on a server.
• To use the server she must log in with her password.
• One day, Oscar threatens Alice and demands to know her password.

Duress Signaling

• What should Alice do?
  o Provide the correct password?
    • Oscar wins.
  o Refuse to cooperate?
    • Oscar carries out his threat.
  o Provide an invalid password?
    • Oscar tries the password and determines that Alice refused to cooperate.
  o Provide a duress password?
    • The attacker logs in but unknowingly signals a silent alarm.

Duress Password

• What should it look like?
  o Let’s review a few possibilities.

Two-Password Schemes

• Alice has two passwords:
  o A correct password
    • She always uses this one to log in when she is not under duress.
  o A duress password
    • She gives this one to Oscar during duress.
• Advantages?
  o Simple to explain and implement.
• Problems?
  o Oscar can ask for both passwords Succeeds with probability .
  o Alice will likely forget her duress password because she never uses it.

N-Password Schemes

• Alice has N passwords:
  o One correct password
    • She always uses this one to log in when she is not under duress.
  o N-1 duress passwords
    • She gives this one to Oscar during duress.
• Advantages?
  o Oscar’s probability of success is smaller: .
• Problems?
  o Alice has to remember passwords, and she never uses of them! This is not practical.

PIN Schemes

• Alice has:
  o A strong password (e.g., “VHz3xK*bL8”)
    • This must be correct during normal and duress authentications.
  o A PIN (e.g., “8394”)
    • Alice uses her PIN for a normal authentication.
    • She gives Oscar any other PIN during duress.
• Advantages?
  o Less for Alice to remember.
  o Oscar’s probability of success is low.
• Problems?
  o Recall attack – Oscar can ask her to repeat the PIN later.
    • Alice might forget the PIN she gave Oscar.
  o Typos – Easy to mistype a PIN and cause a false alarm.

Our Approach

• We split the authentication secret into two:
  o A strong password – just like usual.
  o A keyword from a dictionary.
• Carefully choose a keyword dictionary.
  o Specify requirements.
  o Give an example.
• Allows for Alice to be an administrator.
  o Has access to the password/keyword store.
  o Can intercept network traffic.
• Allows multiple users/administrators.
  o Alice, Bob, etc.

Login Screen

Single Administrator Scheme

• A single administrator (Alice) is being attacked.

• Server stores passwords and keywords (hashed & salted).

• Incorrect keyword → server notifies authorities.

Single Administrator Scheme

• Problem:
  o Oscar gains administrator access.
  o Oscar can verify the keyword.
• Solution:
  1. The server notifies the authorities.
  2. The server overwrites the correct keyword.
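
An added example, not code from the slides or their authors: the single administrator scheme above, where a correct password with a wrong keyword still logs in while the server records a silent alarm and replaces the stored keyword. The names `DuressAuthServer`, `kdf`, `enroll` and `login`, the use of PBKDF2 as the salted hash, and overwriting with the keyword just supplied are assumptions.

```python
import hashlib
import hmac
import os


def kdf(secret: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash used for both password and keyword.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class DuressAuthServer:
    def __init__(self):
        self.accounts = {}  # user -> salts and hashes
        self.alarms = []    # stand-in for "notify the authorities"

    def enroll(self, user: str, password: str, keyword: str) -> None:
        ps, ks = os.urandom(16), os.urandom(16)
        self.accounts[user] = {"ps": ps, "ph": kdf(password, ps),
                               "ks": ks, "kh": kdf(keyword, ks)}

    def login(self, user: str, password: str, keyword: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        if not hmac.compare_digest(acct["ph"], kdf(password, acct["ps"])):
            return False  # wrong password: an ordinary failed login
        if not hmac.compare_digest(acct["kh"], kdf(keyword, acct["ks"])):
            # 1. Silent alarm: the client sees nothing different.
            self.alarms.append(user)
            # 2. Overwrite the stored keyword (assumption: with the one
            #    just supplied) so that an attacker holding administrator
            #    access can no longer test it against the original.
            acct["ks"] = os.urandom(16)
            acct["kh"] = kdf(keyword, acct["ks"])
        return True  # the session is granted in both cases


if __name__ == "__main__":
    srv = DuressAuthServer()
    srv.enroll("alice", "VHz3xK*bL8", "kansas")  # constructed sample values
    print(srv.login("alice", "VHz3xK*bL8", "kansas"), srv.alarms)
    print(srv.login("alice", "VHz3xK*bL8", "texas"), srv.alarms)
```
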

Single Administrator Scheme

• Not secure for multiple administrators!

• Attack:
  o Alice and Bob are administrators.
  o Oscar attacks both of them.
  o Oscar authenticates as one of them and checks the keyword of the other one.
• Solution?
  o Our multiple administrator scheme.

Multiple Administrator Scheme

• Oscar attacks Alice.
• Alice provides a correct password and an incorrect keyword.
• The server receives the credentials.

Multiple Administrator Scheme

• Authentication server:
  o Has purposely “forgotten” the correct keyword.
  o Creates a privacy-preserving record.
  o Sends it to the monitoring server.

Multiple Administrator Scheme

• Monitoring server:
  o Checks the authentication record.
  o If duress → notifies monitoring personnel.

Multiple Administrator Scheme

• Monitoring personnel:
  o Notify the authorities.
• Similar to existing alarm system companies.
• Key ideas:
  o The authentication server never knows the correct keyword.
  o The monitoring server can only decrypt duress authentication records.
  o Keywords are picked from a carefully selected dictionary (more on this later).

Multiple Administrator Scheme

Keyword Dictionary Requirements

• Well defined
  o Implicitly defined by a topic.
  o Alice can randomly pick a keyword by only memorizing the topic.
• Hard to make a typo
  o Large edit distance between keywords.

Keyword Dictionary Example: U.S. States

#    Keyword          Closest Keyword   Edit Distance
1    arkansas         kansas            2
2    kansas           arkansas          2
3    northcarolina    southcarolina     2
4    northdakota      southdakota       2
5    southcarolina    northcarolina     2
6    southdakota      northdakota       2
7    alabama          alaska            3
…
45   rhodeisland      louisiana         6
46   washington       michigan          6
47   newhampshire     newmexico         7
48   connecticut      kentucky          8
49   pennsylvania     indiana           8
50   massachusetts    arkansas          9

Performance

                 Authentication Time   Monitoring Time
1024-bit Keys    0.203 ms              0.125 ms
2048-bit Keys    0.250 ms              0.671 ms
3072-bit Keys    0.343 ms              2.075 ms
4096-bit Keys    0.468 ms              6.318 ms
