A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System

Ziya Alper Genç, Gabriele Lenzini, Peter Y. A. Ryan, Itzel Vazquez Sandoval

2018

Abstract

In 2013 Juels and Rivest introduced the Honeywords System, a password-based authentication system designed to detect when a password file has been stolen. A Honeywords System stores passwords together with indistinguishable decoy words so when an intruder steals the file, retrieves the words, and tries to log-in, he does not know which one is the password. By guessing one from the decoy words, he may not be lucky and reveal the leak. Juels and Rivest left a problem open: how to make the system secure even when the intruder corrupted the login server’s code. In this paper we study and solve the problem. However, since “code corruption” is a powerful attack, we first define rigorously the threat and set a few assumptions under which the problem is still solvable, before showing meaningful attacks against the original Honeywords System. Then we elicit a fundamental security requirement, implementing which, we are able to restore the Honeywords System’s security despite a corrupted login service. We verify the new protocol’s security formally, using ProVerif for this task. We also implement the protocol and test its performance. Finally, at the light of our findings, we discuss whether it is still worth using a fixed honeywords-based system against such a powerful threat, or whether it is better, in order to be resilient against code corruption attacks, to design afresh a completely different password-based authentication solution.

Download


Paper Citation


in Harvard Style

Genç Z., Lenzini G., Ryan P. and Sandoval I. (2018). A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System.In Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-282-0, pages 83-95. DOI: 10.5220/0006609100830095


in Bibtex Style

@conference{icissp18,
author={Ziya Alper Genç and Gabriele Lenzini and Peter Y. A. Ryan and Itzel Vazquez Sandoval},
title={A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System},
booktitle={Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2018},
pages={83-95},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006609100830095},
isbn={978-989-758-282-0},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System
SN - 978-989-758-282-0
AU - Genç Z.
AU - Lenzini G.
AU - Ryan P.
AU - Sandoval I.
PY - 2018
SP - 83
EP - 95
DO - 10.5220/0006609100830095