Cracking-resistant password vaults using natural language encoders

Rahul Chatterjee, Joseph Bonneau, Ari Juels, Thomas Ristenpart

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password that the user memorizes. A password vault can greatly reduce the burden on a user of remembering passwords, but introduces a single point of failure. An attacker that obtains a user's encrypted vault can mount offline brute-force attacks and, if successful, compromise all of the passwords in the vault. In this paper, we investigate the construction of encrypted vaults that resist such offline cracking attacks and force attackers instead to mount online attacks. Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults - the only one of which we are aware - actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called NoCrack.
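The mechanism the abstract describes can be seen in a small toy. The block below is an added illustration written for this page; it is not code from the paper and is not NoCrack. It builds a character-bigram model from a constructed password list and turns it into a distribution-transforming encoder: encode() maps a password to a seed of uniform-looking 32-bit slots (one per character, each drawn uniformly from the interval the model assigns to that character), and decode() maps any seed back to a password by inverting the cumulative distribution. Wrapped in a stream cipher keyed from the master password, decrypting under a wrong master yields a random seed, which decode() turns into a sample from the bigram model, i.e. a plausible decoy. The corpus, the sample master passwords, the bigram/add-one smoothing choice and PBKDF2 as the key derivation are all assumptions of this example; the paper's system encodes whole vaults and uses richer models (n-gram and PCFG).

```python
import hashlib
import secrets
from bisect import bisect_right
from collections import Counter, defaultdict

# Constructed toy corpus standing in for a leaked-password list (not real data).
TRAINING_PASSWORDS = [
    "password", "password1", "iloveyou", "letmein", "monkey12", "dragon",
    "sunshine", "football", "princess", "qwerty123", "baseball", "shadow1",
    "abc123", "master", "michael", "jessica", "superman", "trustno1",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
START, END = "^", "$"              # sentinels; deliberately outside ALPHABET
SYMBOLS = list(ALPHABET) + [END]   # decoder output vocabulary, fixed order
MAXLEN = 16                        # seed has one 32-bit slot per character
SCALE = 1 << 32


class BigramNLE:
    """Toy natural language encoder: character bigram model, add-one smoothing.

    For every context the next-symbol distribution is laid out as adjacent integer
    intervals partitioning [0, SCALE). encode() picks a uniform point inside the
    interval of the actual next character; decode() finds the interval containing
    a slot value. Decoding a uniformly random seed therefore samples the model.
    """

    def __init__(self, corpus):
        counts = defaultdict(Counter)
        for pw in corpus:
            prev = START
            for ch in pw + END:
                counts[prev][ch] += 1
                prev = ch
        self.tables = {}
        for ctx in [START] + list(ALPHABET):
            weights = [counts[ctx][s] + 1 for s in SYMBOLS]  # +1: every symbol encodable
            total = sum(weights)
            bounds, acc = [], 0
            for w in weights:
                bounds.append(acc * SCALE // total)           # lower edge of each symbol
                acc += w
            self.tables[ctx] = bounds

    def _interval(self, ctx, sym):
        bounds = self.tables[ctx]
        i = SYMBOLS.index(sym)
        hi = bounds[i + 1] if i + 1 < len(bounds) else SCALE
        return bounds[i], hi

    def encode(self, password):
        if len(password) >= MAXLEN or any(ch not in ALPHABET for ch in password):
            raise ValueError("password must use ALPHABET and be shorter than MAXLEN")
        seed, prev = [], START
        for ch in password + END:
            lo, hi = self._interval(prev, ch)
            seed.append(lo + secrets.randbelow(hi - lo))      # uniform within the interval
            prev = ch
        while len(seed) < MAXLEN:                             # slots after END carry nothing
            seed.append(secrets.randbelow(SCALE))
        return seed

    def decode(self, seed):
        out, prev = [], START
        for r in seed:
            sym = SYMBOLS[bisect_right(self.tables[prev], r) - 1]
            if sym == END:
                break
            out.append(sym)
            prev = sym
        return "".join(out)


def _keystream(master, salt, nbytes):
    # PBKDF2 is assumed here for brevity; a real vault would use a memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=nbytes)


def seed_to_bytes(seed):
    return b"".join(r.to_bytes(4, "big") for r in seed)


def bytes_to_seed(data):
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


def honey_encrypt(nle, master, password):
    """Encode, then XOR the seed with a keystream derived from the master password."""
    salt = secrets.token_bytes(16)
    plaintext = seed_to_bytes(nle.encode(password))
    ks = _keystream(master, salt, len(plaintext))
    return salt, bytes(a ^ b for a, b in zip(plaintext, ks))


def honey_decrypt(nle, master, salt, ciphertext):
    """Any master password decrypts to a well-formed password; only the right one is real."""
    ks = _keystream(master, salt, len(ciphertext))
    return nle.decode(bytes_to_seed(bytes(a ^ b for a, b in zip(ciphertext, ks))))


if __name__ == "__main__":
    nle = BigramNLE(TRAINING_PASSWORDS)
    salt, ct = honey_encrypt(nle, "correct master", "hunter2")   # hypothetical values
    print("right master :", honey_decrypt(nle, "correct master", salt, ct))
    print("wrong master :", honey_decrypt(nle, "wrong guess", salt, ct))
```

The caveat a practitioner should take from the abstract's first contribution: the decoys are only as convincing as the model. If the encoder's distribution is a poor match for real passwords, an attacker who decrypts under every candidate master password can rank the outputs by plausibility and pick out the genuine one, which is why the paper evaluates decoy quality rather than assuming it.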

Original language: English (US)
Title of host publication: Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 481-498
Number of pages: 18
Volume: 2015-July
ISBN (Electronic): 9781467369497
DOIs: 10.1109/SP.2015.36
State: Published - Jul 17 2015
Event: 36th IEEE Symposium on Security and Privacy, SP 2015 - San Jose, United States
Duration: May 18 2015 to May 20 2015

Other

Other: 36th IEEE Symposium on Security and Privacy, SP 2015
Country: United States
City: San Jose
Period: 5/18/15 to 5/20/15

Keywords

  • Honey Encryption
  • Language Model
  • Password Model
  • Password Vault
  • PCFG

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this

Chatterjee, R., Bonneau, J., Juels, A., & Ristenpart, T. (2015). Cracking-resistant password vaults using natural language encoders. In Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015 (Vol. 2015-July, pp. 481-498). [7163043] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP.2015.36

@inproceedings{86e4e832a34b467a80cbb29b7bee189c,
title = "Cracking-resistant password vaults using natural language encoders",
abstract = "Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password that the user memorizes. A password vault can greatly reduce the burden on a user of remembering passwords, but introduces a single point of failure. An attacker that obtains a user's encrypted vault can mount offline brute-force attacks and, if successful, compromise all of the passwords in the vault. In this paper, we investigate the construction of encrypted vaults that resist such offline cracking attacks and force attackers instead to mount online attacks. Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults - the only one of which we are aware - actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called NoCrack.",
keywords = "Honey Encryption, Language Model, Password Model, Password Vault, PCFG",
author = "Rahul Chatterjee and Joseph Bonneau and Ari Juels and Thomas Ristenpart",
year = "2015",
month = "7",
day = "17",
doi = "10.1109/SP.2015.36",
language = "English (US)",
volume = "2015-July",
pages = "481--498",
booktitle = "Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
address = "United States",

}
