A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System

Interdisciplinary Research Group in Socio-technical Cybersecurity

A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System

Genç Ziya Alper, Lenzini Gabriele, Ryan Peter
Abstract:
In 2013 Juels and Rivest introduced the Honeywords System, a password-based authentication system designed to detect when a password file has been stolen. A Honeywords System stores passwords together with indistinguishable decoy words so when an intruder steals the file, retrieves the words, and tries to log-in, he does not know which one is the password. By guessing one from the decoy words, he may not be lucky and reveal the leak. Juels and Rivest left a problem open: how to make the system secure even when the intruder corrupted the login server’s code. In this paper we study and solve the problem. However, since “code corruption” is a powerful attack, we first define rigorously the threat and set a few assumptions under which the problem is still solvable, before showing meaningful attacks against the original Honeywords System. Then we elicit a fundamental security requirement, implementing which, we are able to restore the honeywords System’s security despite a corrupted login service. We verify the new protocol’s security formally, using ProVerif for this task. We also implement the protocol and test its performance. Finally, at the light of our findings, we discuss whether it is still worth using a fixed honeywords-based system against such a powerful threat, or whether it is better, in order to be resilient against code corruption attacks, to design afresh a completely different password-based authentication solution.
Authors:
Genç Ziya Alper, Lenzini Gabriele, Ryan Peter
Publication date:
2018
Published in:
Proceedings of the 4th International Conference on Information Systems Security and Privacy
Reference:
Genç, Z. A., Lenzini, G., Ryan, P., & Vazquez Sandoval, I. (2018). A security analysis, and a fix, of a code-corrupted honeywords system. In Proceedings of the 4th International Conference on Information Systems Security and Privacy.

Get in touch with us

SnT – Interdisciplinary Centre for Security, Reliability and Trust
29, Avenue J.F Kennedy L-1855 Luxembourg
info-irisc-lab@uni.lu