Embed Size (px)
Citation preview
AuthenticationChapter 11Modified (heavily) by Dan Fleck
Coming up: Basics
1111
Basics• Authentication: binding of identity to subject• Identity is that of external entity (my identity, Matt, etc.)• Subject is computer entity (process, etc.)
• After login your identity is bound to everything you do!
Coming up: Establishing Identity
2222
Establishing Identity
• One or more of the following• What entity knows (eg. password)• What entity has (eg. badge, smart card)• What entity is (eg. fingerprints, retinal characteristics)• Where entity is (eg. In front of a particular terminal)
Coming up: Passwords
3333
Passwords• Passwords are ubiquitous because they are simple and clear.• Standard tradeoff between usability and security:• Password must be 27 characters and use no words (huh??)
• A typical ruleset (from Chase bank):• Must contain 7-32 characters• Must include at least one number and one letter• Cannot include special characters (&, %, *, etc.)• Cannot be the same as your User ID• Cannot be the same as any of the last five Passwords you’ve used
• Goal: Make it hard for computers to guess by making it random. Reality: its very hard to have a short password that a computer cannot guess
Coming up: Possible Passwords
4444
Possible Passwords• Possible options:• Length of password (L)• Possible characters (N) (letter = 26, upper/lower = 52, digits=+10,
symbols=+33 (ASCII printable)) = 95
8 char password: 95^8 = 6,634,204,312,890,625 = 6.6342e15
Entropy is 6.6342e15 assuming all symbols equally likely!
Coming up: Entropy in bits
5555
Entropy in bits• H(x) is entropy in bits (how many bits it would take to represent that
number of options)
• Example: 2X=6.6342e15• X = 52.5588 bits
• Another way to think about it: • Each symbol adds log2(95) bits• We have 8 symbols, thus our entropy is:• H = L (Log2 N) = 8 ( Log2 95 ) = 52.5 bits• Research1 has shown, lower bound on expected guesses E(G) is:
• Example:• E(G) ≥ (1/4)*6.6342e15 + 1 = 1.6586e15
Coming up: Password Guessing 1: http://www.isiweb.ee.ethz.ch/archive/massey_pub/pdf/BI633.pdf
6666
Password Guessing• Recent password guessers can guess 2,800,000,000 passwords
a second.
• Strength of our example:• 1.6586e15 / 2,800,000,000 = 592,340 seconds = 6.85 days
• How true is that?• Entropy of a letter in English is –log2(1/26) letter is 4.7bits
• Are all letters equally probable? No! • Computed entropy of the English language ranges from 2.77 bits
to 1.3 bits because letters aren’t random. • Is your password random?
Coming up: Cracking
7777
Cracking• Password tools use many methods to guess smarter• Dictionaries• Rulesets
• Is it more likely that the 1st or 2nd letter is capitalized?• Where are numbers generally?• Substituting numbers for letters is c0mm0n!
• Brute force – all possible guesses as a last resort
• How do passwords work? Lets see!
Coming up: Simple Passwords
8888
Simple Passwords• Most passwords today use secure one-way hashing
• Hash function F(P) Q• F – hash function• P – plain text password• Q – hashed password
• One way• Q is stored on the computer• P is provided by the user, hashed and compared to Q
• Secure Hash Functions goal is to NOT be reversible (MD5, SHA1, SHA3, etc…)
• Are they still subject to a guessing attack?
Coming up: Recent Events
9999
Recent Events• Yahoo's password leak: What you need to know (FAQ) (Mar
2012) – Plaintext leaked! (ouch!)
• Millions of LinkedIn passwords reportedly leaked online (June 6, 2012) – hashed passwords (still hurts)
• Nasdaq forum site hacked, passwords compromised (July 2013) – Unclear if hashed or not
• Ubuntu forums hacked, 1.8 million passwords and emails compromised – Unclear if hashed or not
Coming up: How hard is it to crack?
10101010
How hard is it to crack?• Dec 2009 RockYou’s 18million passwords stolen in plaintext
• This started a revolution of password hacking because people could use real world passwords
• Password Cracking program + RockYou DB + some rulesets… lets try it:• Take a password, hash it• Crack it
• Src: http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
Coming up: Demo of password cracking
11111111
Demo of password cracking
Coming up: What can we do?
12121212
What can we do?• Increase the time to check• Not good at the algorithmic level -- when doing stream decryption
want it to be fast• Key stretching can be used
• User’s password is run through a stretching algorithm that makes it longer. The algorithm MUST take a long time ~1 second
• If we have an uncompromised server key stretching is simple and effective against guessing attacks! Only a problem when attacker has the hashed password
• Systems using this:• PGP, GPG• WPA, WPA2 in personal mode• OpenSSL ‘passwd’, Apache .htpasswd
• One example algorithm: https://en.wikipedia.org/wiki/PBKDF2
Coming up: What can we do?Ref: http://en.wikipedia.org/wiki/Key_stretching#Some_systems_that_use_key_stretching
13131313
What can we do?• Add some Salt• Append a random value to the password before hashing• Store that random value (in plain text) with the password• This does NOT make cracking a single password harder, but when
cracking a group of passwords, it does. • For example, the attacker typically computes the hash and checks
for it anywhere in the list of hashed passwords. This fails with salt.
• Another form of salt is picking a different hashing algorithm per password and storing that choice with the hashed password
Coming up: Other Authentication TypesRef: https://en.wikipedia.org/wiki/Salt_(cryptography)
14141414
Other Authentication Types
Coming up: Challenge-Response
15151515
Challenge-Response
Coming up: Pass Algorithms
• User, system share a secret function f (in practice, f is aknown function with unknown parameters, such as acryptographic key)
user systemrequest to authenticate
user systemrandom message r(the challenge)
user systemf(r)(the response)
1616
1616
Pass Algorithms
• Challenge-response with the function f itself a secret• Example:• Challenge is a random string of characters such as “abcdefg”, “ageksido”
• Response is some function of that string such as “bdf”, “gkip”• Can alter algorithm based on ancillary information• Network connection is as above, dial-up might require “aceg”, “aesd”
• Usually used in conjunction with fixed, reusable password
Coming up: One-Time Passwords
17171717
One-Time Passwords
• Password that can be used exactly once• After use, it is immediately invalidated
• Challenge-response mechanism• Challenge is number of authentications; response is password for
that particular number
• Problems• Synchronization of user, system• Generation of good random passwords• Password distribution problem
Coming up: S/Key
18181818
S/Key
• One-time password scheme based on idea of Lamport• h one-way hash function (MD5 or SHA-1, for
example)• User chooses initial seed k – k must remain
secret!• System calculates:
h(k) = k1, h(k1) = k2, …, h(kn–1) = kn
• Passwords are reverse order:p1 = kn, p2 = kn–1, …, pn–1 = k2, pn = k1
Coming up: S/Key Protocol
19191919
S/Key Protocol
Coming up: S/Key Protocol
user system{ name }
user system{ i }
user system{ pi }
System stores maximum number of authentications n, numberof next authentication i, last correctly supplied password pi–1.
System computes h(pi) = h(kn–i) = kn–i+1 = pi–1. If match withwhat is stored, system replaces pi–1 with pi and increments i.
20202020
S/Key Protocol
Coming up: Hardware Support
System computes h(pi) = h(kn–i) = kn–i+1 = pi–1. If match withwhat is stored, system replaces pi–1 with pi and increments i.
1 2 3 4
H(x) h(k) h(k1) h(k2) h(k3)
K k1 k2 k3 k4
P p4 p3 p2 p1
Concretely for table and i=2 (all values in col X are equal):
h(p2)=h(k3)=k4=p1
21212121
Hardware Support
• Token-based• Used to compute response to challenge• May encipher or hash challenge• May require PIN from user
• Temporally-based• Every minute (or so) different number shown• Computer knows what number to expect when
• User enters number and fixed password
Coming up: C-R and Dictionary Attacks
22222222
C-R and Dictionary Attacks
• Same as for fixed passwords• Attacker knows challenge r and response f(r); if
f encryption function, can try different keys• May only need to know form of response; attacker
can tell if guess correct by looking to see if deciphered object is of right form• Example: Kerberos Version 4 used DES, but keys had
20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations
Coming up: Encrypted Key Exchange
23232323
Encrypted Key Exchange
• Defeats off-line dictionary attacks• Idea: random challenges enciphered, so attacker
cannot verify correct decipherment of challenge• Assume Alice, Bob share secret password s• In what follows, Alice needs to generate a
random public key p and a corresponding private key q• Also, k is a randomly generated session key, and
RA and RB are random challenges
Coming up: EKE Protocol
24242424
EKE Protocol
Coming up: Biometrics
Alice BobAlice,Es(p)
Alice BobEs(Ep(k))
Now Alice, Bob share a randomly generatedsecret session key k
Alice BobEk(RA)
Alice BobEk(RARB)
Alice BobEk(RB)St
eps
used
to
stop
repl
ay
attac
ks
Step
s us
ed to
st
op re
play
att
acks
Step
s us
ed to
ge
nera
te s
essi
on
key
Step
s us
ed to
ge
nera
te s
essi
on
key
25252525
Biometrics
• Automated measurement of biological, behavioral features that identify a person• Fingerprints: optical or electrical techniques• Maps fingerprint into a graph, then compares with database• Measurements imprecise, so approximate matching
algorithms used• Voices: speaker verification or recognition• Verification: uses statistical techniques to test hypothesis that
speaker is who is claimed (speaker dependent)• Recognition: checks content of answers (speaker
independent)
Coming up: Other Characteristics
26262626
Other Characteristics
• Can use several other characteristics• Eyes: patterns in irises unique• Measure patterns, determine if differences are random; or
correlate images using statistical tests• Faces: image, or specific characteristics like distance
from nose to chin• Lighting, view of face, other noise can hinder this
• Keystroke dynamics: believed to be unique• Keystroke intervals, pressure, duration of stroke, where key is
struck• Statistical tests used
Coming up: Cautions
27272727
Cautions
• These can be fooled!• Assumes biometric device accurate in the environment
it is being used in!• Transmission of data to validator is tamperproof,
correct
Coming up: Multifactor Authentication
28282828
Multifactor Authentication• Many systems now use multi-factor authentication• User must present multiple things typically from different
categories:• What you know• What you have• What you are
• Examples?
Coming up: Pluggable Authentication Modules (PAM)
29292929
Pluggable Authentication Modules (PAM)
• Idea: when program needs to authenticate, it checks central repository for methods to use• Library call: pam_authenticate• Accesses file with name of program in /etc/pam.d/
• Modules do authentication checking• binding (new): succeed immediately upon success, otherwise
continue down the chain, but ultimately fail• sufficient: succeed immediately if module succeeds• required: fail if module fails, but all required modules executed
before reporting failure• requisite: like required, but don’t check all modules upon failure• optional: invoke only, but result is ignored
Coming up: Example PAM File
30303030
Example PAM Fileauth sufficient /usr/lib/pam_ftp.soauth required /usr/lib/pam_unix_auth.so use_first_passauth required /usr/lib/pam_listfile.so onerr=succeed \
item=user sense=deny file=/etc/ftpusers
For ftp:1. If user “anonymous”, return okay; if not, set
PAM_AUTHTOK to password, PAM_RUSER to name, and fail
2. Now check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, fail
3. Now see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed
Coming up: PAM Facilities
31313131
PAM Facilities
PAM provides four facilities each with a chain for different things. Each is typically present in the /etc/pam.d/xyz file:
•auth – does the actual authentication of an applicant•account – checks if authentication is allowed ( account not expired, time of day, server’s workload, etc…)•session - after authentication runs chain for session setup / tear down•password – chain used to change passwords
Ref: http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html
Coming up: PAM Test - Explain these
3232
PAM Test - Explain theseauth required serviceAauth sufficient serviceBauth required serviceC
• versus
auth sufficient serviceBauth required serviceAauth required serviceC
Coming up: Key Points
3333
Key Points
• Authentication is not cryptography• You have to consider system components
• Passwords are here to stay• They provide a basis for most forms of authentication
• Authentication methods can be combined• Example: PAM
End of presentation
32323434
