All Your Browser-saved Passwords Could Belong to Us - A Security Analysis and a Cloud-based New Design By Rui Zhao, Chuan Yue ACM Conference on Data and Applications Security (CODASPY), 2013
Text Passwords: the Dominant Position in Online User Authentication   J. Bonneau et al., The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proc. of IEEE S&P Symposium, 2012
Password Security • The something you know authentication factor • Expectations: strong, protected from beingstolen
Problems of Passwords • The Dilemma • Weak passwords suffer from brute-force and dictionary attacks • Strong passwords are difficult to remember • Vulnerable to harvesting attacks such as phishing • Web users have more online accounts than before • The reality: use weak passwords, share passwords, write down passwords, etc. [2,3]  D. Florˆencio and C. Herley. A large-scale study of web password habits. In Proc. of WWW, 2007  S. Komanduri et al. Of passwords and people: Measuring the effect of password-composition policies. In Proc. of CHI, 2011.
Some Popular Solutions • Graphical passwords • security and usability concerns • Password hashing systems • security and usability concerns • Single sign-on systems • security concerns, business model limitations • Browser-based password managers • save and autofill, users don’t need to remember • potentially protect against phishing attacks  C. Yue. Preventing the Revealing of Online Passwords to Inappropriate Websites with LoginInspector. In Proc. of LISA, 2012.
Outline • Introduction and Background • Vulnerability Analysis • Design of Cloud-based Storage-Free BPM (CSF-BPM) • Implementation , Evaluation, Security Analysis • Conclusion, Current and Future Work
Threat Model - Basic • “Where a threat intersects with a vulnerability, risk is present.” – NIST Information Security Handbook: A Guide for Managers. • Threat sources - attackers who want to steal the sensitive login information stored in BPMs • Basic threat model: • Attackers can temporarily install malware on a user’s computer using very popular attacks such as drive-by downloads [5,6] • The installed malware can then steal the data  N. Provos et al., All your iframes point to us. In Proc. of USENIX Security Symposium, 2008.  Y.-M. Wang et al., Automated web patrol with strider honeymonkeys: Finding websites that exploit browser vulnerabilities. In Proc. of NDSS, 2006
Threat Model - Assumptions • The installed malware can be removed from the system in a timely manner • Anti-malware software, such as Microsoft Forefront Endpoint Protection • Solutions such as Back to the Future framework  • Same assumption as in Google’s 2-step-verification  • Hard to identify cryptographic keys from memory  • DNS systems are secure and reliable  F. Hsu et al., Back to the future: A framework for automatic malware removal and system repair. In Proc. of ACSAC, 2006.  Eric Grosse, MayankUpadhyay, Authentication at Scale, IEEE S&P Magazine, 2012  J. A. Halderman et al., Lest we remember: Cold boot attacks on encryption keys. In Proc. of USENIX Security Symposium, 2008.
The Essential Problem of Existing BPMs • Computer Home • A BPM The Safe • A Master Password The Combination • Google Chrome, Internet Explorer and Safari: • No combination at all • Firefox and Opera: • No mandatory combination • Brute-force attacks and phishing attacks to the master password The encrypted passwords stored by BPMs of the five browsers are very weakly protected!
More Details on Attacks - 1 • Firefox without master password • steal signons.sqliteand key3.db, decrypt on any computer • Opera without master password • steal wand.dat, decrypt on any computer • Firefox and Opera with master password • the computation time for verifying a master password is very small • phishing attacks against the master password
More Details on Attacks - 2 • Internet Explorer, Google Chrome, and Safari • use the Windows API functions CryptProtectData and CryptUnprotectData • typically, only a user with the same Windows logon credential can decrypt the data • attackers steal the ciphertext, decrypt it on the victim’s computer, send back plaintext
Overall Security Analysis Results • All your browser-saved passwords could belong to us! • We have developed tools and verified these security risks!
Responses to our Responsible Vulnerability Disclosure • Firefox: asked for a development proposal • IE: forwarded to their development team • Safari: it is the limitation of Windows APIs • Opera: “a convenience feature, not a security feature”, do not assume drive-by download, will improve usability • Google Chrome: engineers quoted Law #1 from Microsoft “If a bad guy can persuade you to run his program on your computer, it's not your computer anymore”; upper-level researchers have different views
CSF-BPM Design Details Proactive password checker Password-based Key Derivation Function 2 (PBKDF-2) – RFC 2898 Single Strong Master Password (SSMP) mainKey mainSalt aeSalt PBKDF-params PBKDF-id E-id E-params recordKey AE-id AE-params recordKey recordKey aeKey Websites Credentials Encryption Header ELIR ELIR … Authenticated Encryption protectedELIRs siteURl siteUsername encryptedSitePassword recordSalt
Security Analysis • Reduces the opportunities for attackers to steal and further crack regular users’ saved passwords • Makes it computationally infeasible for attackers to decrypt the stolen data • Accurately detects any invalid SSMP try and any modification to a saved PUPE data object • Requires a user to remember SSMP • Offers better security than Firefox and Opera with master password • They save encrypted data locally • They do not have strong key derivation • They do not detect any modification to the saved data • They need specific storage service