TY - GEN
T1 - Cracking-resistant password vaults using natural language encoders
AU - Chatterjee, Rahul
AU - Bonneau, Joseph
AU - Juels, Ari
AU - Ristenpart, Thomas
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/7/17
Y1 - 2015/7/17
N2 - Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password that the user memorizes. A password vault can greatly reduce the burden on a user of remembering passwords, but introduces a single point of failure. An attacker that obtains a user's encrypted vault can mount offline brute-force attacks and, if successful, compromise all of the passwords in the vault. In this paper, we investigate the construction of encrypted vaults that resist such offline cracking attacks and force attackers instead to mount online attacks. Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults - the only one of which we are aware - actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called No Crack.
AB - Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password that the user memorizes. A password vault can greatly reduce the burden on a user of remembering passwords, but introduces a single point of failure. An attacker that obtains a user's encrypted vault can mount offline brute-force attacks and, if successful, compromise all of the passwords in the vault. In this paper, we investigate the construction of encrypted vaults that resist such offline cracking attacks and force attackers instead to mount online attacks. Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults - the only one of which we are aware - actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called No Crack.
KW - Honey Encryption
KW - Language Model
KW - PCFG
KW - Password Model
KW - Password Vault
UR - http://www.scopus.com/inward/record.url?scp=84945183162&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84945183162&partnerID=8YFLogxK
U2 - 10.1109/SP.2015.36
DO - 10.1109/SP.2015.36
M3 - Conference contribution
AN - SCOPUS:84945183162
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 481
EP - 498
BT - Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 36th IEEE Symposium on Security and Privacy, SP 2015
Y2 - 18 May 2015 through 20 May 2015
ER -