CASH: A Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection

An adversary who has obtained the cryptographic hash of a user's password can mount an offline attack to crack the password by comparing this hash value with the cryptographic hashes of likely password guesses. This offline attacker is limited only by the resources he is willing to invest to crack the password. Key-stretching techniques like hash iteration and memory hard functions have been proposed to mitigate the threat of offline attacks by making each password guess more expensive for the adversary to verify. However, these techniques also increase costs for a legitimate authentication server. We introduce a novel Stackelberg game model which captures the essential elements of this interaction between a defender and an offline attacker. In the game the defender first commits to a key-stretching mechanism, and the offline attacker responds in a manner that optimizes his utility (expected reward minus expected guessing costs). We then introduce Cost Asymmetric Secure Hash (CASH), a randomized key-stretching mechanism that minimizes the fraction of passwords that would be cracked by a rational offline attacker without increasing amortized authentication costs for the legitimate authentication server. CASH is motivated by the observation that the legitimate authentication server will typically run the authentication procedure to verify a correct password, while an offline adversary will typically use incorrect password guesses. By using randomization we can ensure that the amortized cost of running CASH to verify a correct password guess is significantly smaller than the cost of rejecting an incorrect password. Using our Stackelberg game framework we can quantify the quality of the underlying CASH running time distribution in terms of the fraction of passwords that a rational offline adversary would crack. We provide an efficient algorithm to compute high quality CASH distributions for the defender. 
Finally, we analyze CASH using empirical data from two large-scale password frequency datasets. Our analysis shows that CASH can significantly reduce (up to 50%) the fraction of passwords cracked by a rational offline adversary.
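
The cost asymmetry described above, shown as an added example that is not the paper's own code or its exact algorithm. It assumes a construction in which the server hides a randomly sampled round count and checks after every round; `K`, `DIST` and all function names are hypothetical, and `DIST` is an arbitrary distribution, not one computed by the paper's optimization.

```python
import hashlib
import hmac
import os
import random

K = 1000                   # hash iterations per round (assumed value)
DIST = [0.5, 0.3, 0.2]     # Pr[t = 1], Pr[t = 2], Pr[t = 3] (assumed, not optimized)

def _round(state: bytes, salt: bytes) -> bytes:
    """One round = K chained salted SHA-256 invocations."""
    for _ in range(K):
        state = hashlib.sha256(salt + state).digest()
    return state

def enroll(password: str, dist=DIST, rng=None):
    """Sample a hidden round count t from dist; keep only the salt and final digest."""
    rng = rng or random.SystemRandom()
    salt = os.urandom(16)
    t = rng.choices(range(1, len(dist) + 1), weights=dist)[0]
    state = password.encode()
    for _ in range(t):
        state = _round(state, salt)
    return salt, state         # t itself is never stored

def verify(password: str, salt: bytes, stored: bytes, n=len(DIST)):
    """Return (accepted, rounds_spent): compare after every round, give up after n."""
    state = password.encode()
    for i in range(1, n + 1):
        state = _round(state, salt)
        if hmac.compare_digest(state, stored):
            return True, i     # a correct password stops at the hidden t
    return False, n            # an incorrect guess always pays all n rounds

def expected_rounds_correct(dist=DIST) -> float:
    """Amortized rounds spent on a correct password: sum of i * Pr[t = i]."""
    return sum(i * p for i, p in enumerate(dist, start=1))

if __name__ == "__main__":
    salt, stored = enroll("correct horse")
    print(verify("correct horse", salt, stored))   # accepted after t rounds
    print(verify("wrong guess", salt, stored))     # rejected after all n rounds
    print(expected_rounds_correct(), "rounds on average vs", len(DIST), "to reject")
```

With this assumed distribution the server spends 1.7 rounds on average per correct login, while every rejected guess costs the full 3 rounds.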
