
Authentication Chapter 11



  1. Authentication Chapter 11
     Modified (heavily) by Dan Fleck

  2. Basics
     • Authentication: binding of identity to subject
     • Identity is that of external entity (my identity, Matt, etc.)
     • Subject is computer entity (process, etc.)
     • After login your identity is bound to everything you do!

  3. Establishing Identity
     • One or more of the following:
       • What entity knows (e.g. password)
       • What entity has (e.g. badge, smart card)
       • What entity is (e.g. fingerprints, retinal characteristics)
       • Where entity is (e.g. in front of a particular terminal)

  4. Passwords
     • Passwords are ubiquitous because they are simple and clear.
     • Standard tradeoff between usability and security:
       • Password must be 27 characters and use no words (huh??)
     • A typical ruleset (from Chase bank):
       • Must contain 7-32 characters
       • Must include at least one number and one letter
       • Cannot include special characters (&, %, *, etc.)
       • Cannot be the same as your User ID
       • Cannot be the same as any of the last five Passwords you’ve used
     • Goal: Make it hard for computers to guess by making it random.
     • Reality: it's very hard to have a short password that a computer cannot guess

  5. Possible Passwords
     • Possible options:
       • Length of password (L)
       • Possible characters (N): letter = 26, upper/lower = 52, digits = +10, symbols = +33 (ASCII printable), total = 95
     • 8 char password: 95^8 = 6,634,204,312,890,625 = 6.6342e15
     • Entropy is 6.6342e15 assuming all symbols equally likely!

  6. Entropy in bits
     • H(x) is entropy in bits (how many bits it would take to represent that number of options)
     • Example: 2^X = 6.6342e15
       • X = 52.5588 bits
     • Another way to think about it:
       • Each symbol adds log2(95) bits
       • We have 8 symbols, thus our entropy is:
       • H = L (log2 N) = 8 (log2 95) = 52.5 bits
     • Research [1] has shown, lower bound on expected guesses E(G) is:
     • Example:
       • E(G) ≥ (1/4)*6.6342e15 + 1 = 1.6586e15
     [1]: http://www.isiweb.ee.ethz.ch/archive/massey_pub/pdf/BI633.pdf

  7. Password Guessing
     • Recent password guessers can guess 2,800,000,000 passwords a second.
     • Strength of our example:
       • 1.6586e15 / 2,800,000,000 = 592,340 seconds = 6.85 days
     • How true is that?
       • Entropy of a letter in English is –log2(1/26) = 4.7 bits per letter
       • Are all letters equally probable? No!
       • Computed entropy of the English language ranges from 2.77 bits to 1.3 bits because letters aren’t random.
     • Is your password random?

  8. Cracking
     • Password tools use many methods to guess smarter
       • Dictionaries
       • Rulesets
         • Is it more likely that the 1st or 2nd letter is capitalized?
         • Where are numbers generally?
         • Substituting numbers for letters is c0mm0n!
       • Brute force – all possible guesses as a last resort
     • How do passwords work? Let's see!

  9. Simple Passwords
     • Most passwords today use secure one-way hashing
     • Hash function F(P) → Q
       • F – hash function
       • P – plain text password
       • Q – hashed password
       • One way
     • Q is stored on the computer
     • P is provided by the user, hashed and compared to Q
     • The goal of a secure hash function is to NOT be reversible (MD5, SHA1, SHA3, etc…)
     • Are they still subject to a guessing attack?

  10. Recent Events
      • Yahoo's password leak: What you need to know (FAQ) (Mar 2012) – Plaintext leaked! (ouch!)
      • Millions of LinkedIn passwords reportedly leaked online (June 6, 2012) – hashed passwords (still hurts)
      • Nasdaq forum site hacked, passwords compromised (July 2013) – Unclear if hashed or not
      • Ubuntu forums hacked, 1.8 million passwords and emails compromised – Unclear if hashed or not

  11. How hard is it to crack?
      • Dec 2009: RockYou’s 18 million passwords stolen in plaintext
      • This started a revolution of password hacking because people could use real world passwords
      • Password cracking program + RockYou DB + some rulesets… let's try it:
        • Take a password, hash it
        • Crack it
      • Src: http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

  12. Demo of password cracking

  13. What can we do?
      • Increase the time to check
        • Not good at the algorithmic level -- when doing stream decryption we want it to be fast
      • Key stretching can be used
        • User’s password is run through a stretching algorithm that makes it longer. The algorithm MUST take a long time (~1 second)
        • If we have an uncompromised server, key stretching is simple and effective against guessing attacks! Only a problem when attacker has the hashed password
      • Systems using this:
        • PGP, GPG
        • WPA, WPA2 in personal mode
        • OpenSSL ‘passwd’, Apache .htpasswd
      • One example algorithm: https://en.wikipedia.org/wiki/PBKDF2
      • Ref: http://en.wikipedia.org/wiki/Key_stretching#Some_systems_that_use_key_stretching

  14. What can we do?
      • Add some Salt
        • Append a random value to the password before hashing
        • Store that random value (in plain text) with the password
      • This does NOT make cracking a single password harder, but when cracking a group of passwords, it does.
        • For example, the attacker typically computes the hash and checks for it anywhere in the list of hashed passwords. This fails with salt.
      • Another form of salt is picking a different hashing algorithm per password and storing that choice with the hashed password
      • Ref: https://en.wikipedia.org/wiki/Salt_(cryptography)
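
Key stretching and salting from slides 13 and 14 combined, as an added example that is not part of the original slides. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, record layout and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # assumed work factor; raise until one check costs what you can afford

def unsalted_hash(password: str) -> str:
    """Weak form: one fast hash, no salt. Equal passwords give equal records."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted and stretched. The salt is stored in plain text beside the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))

def records_shared(records: list) -> int:
    """How many stored records are identical to some other record in the list."""
    counts = Counter(records)
    return sum(c for c in counts.values() if c > 1)

if __name__ == "__main__":
    # Constructed sample: two of three accounts chose the same password.
    passwords = ["letmein", "letmein", "x9!Tq-blue"]
    weak = [unsalted_hash(p) for p in passwords]
    strong = [hash_password(p) for p in passwords]
    print("unsalted records that collide:", records_shared(weak))
    print("salted records that collide:  ", records_shared(strong))
    print("login still works:", verify_password("letmein", strong[0]))
```

With unsalted hashes one computation per guess can be compared against the whole list; with per-record salts each guess has to be recomputed for every record, and the iteration count multiplies the cost of each of those computations.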

  15. Other Authentication Types

  16. Challenge-Response
      • User, system share a secret function f (in practice, f is a known function with unknown parameters, such as a cryptographic key)
      • user → system: request to authenticate
      • system → user: random message r (the challenge)
      • user → system: f(r) (the response)

  17. Pass Algorithms
      • Challenge-response with the function f itself a secret
      • Example:
        • Challenge is a random string of characters such as “abcdefg”, “ageksido”
        • Response is some function of that string such as “bdf”, “gkip”
      • Can alter algorithm based on ancillary information
        • Network connection is as above, dial-up might require “aceg”, “aesd”
      • Usually used in conjunction with fixed, reusable password

  18. One-Time Passwords
      • Password that can be used exactly once
        • After use, it is immediately invalidated
      • Challenge-response mechanism
        • Challenge is number of authentications; response is password for that particular number
      • Problems
        • Synchronization of user, system
        • Generation of good random passwords
        • Password distribution problem

  19. S/Key
      • One-time password scheme based on idea of Lamport
      • $h$ one-way hash function (MD5 or SHA-1, for example)
      • User chooses initial seed $k$ – $k$ must remain secret!
      • System calculates: $h(k) = k_1$, $h(k_1) = k_2$, …, $h(k_{n-1}) = k_n$
      • Passwords are reverse order: $p_1 = k_n$, $p_2 = k_{n-1}$, …, $p_{n-1} = k_2$, $p_n = k_1$

  20. S/Key Protocol
      System stores maximum number of authentications $n$, number of next authentication $i$, last correctly supplied password $p_{i-1}$.
      • user → system: { name }
      • system → user: { $i$ }
      • user → system: { $p_i$ }
      System computes $h(p_i) = h(k_{n-i+1}) = k_{n-i+2} = p_{i-1}$. If match with what is stored, system replaces $p_{i-1}$ with $p_i$ and increments $i$.

  21. S/Key Protocol
      System computes $h(p_i) = h(k_{n-i+1}) = k_{n-i+2} = p_{i-1}$. If match with what is stored, system replaces $p_{i-1}$ with $p_i$ and increments $i$.
      Concretely for table and $i = 2$ (all values in col X are equal): $h(p_2) = h(k_3) = k_4 = p_1$
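
The hash chain and the server-side check from slides 19 to 21, as an added example that is not part of the original slides. SHA-256 stands in for the MD5/SHA-1 named on the slide, and seeding the server with $p_0 = h(k_n)$ so that the first login can be checked is an assumption of this sketch; the function and class names are hypothetical.

```python
import hashlib
import hmac

def h(value: bytes) -> bytes:
    # SHA-256 substituted here for the MD5 / SHA-1 mentioned on the slide.
    return hashlib.sha256(value).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [k_1, ..., k_n] with k_1 = h(seed) and k_{j+1} = h(k_j)."""
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain

def one_time_password(chain: list, i: int) -> bytes:
    """p_i = k_{n-i+1}; the chain list is 0-based, so that is index n - i."""
    return chain[len(chain) - i]

class SKeyServer:
    """Stores n, the next index i, and the last accepted password p_{i-1}."""
    def __init__(self, n: int, p0: bytes):
        self.n, self.i, self.last = n, 1, p0  # p0 = h(k_n): assumed bootstrap value

    def authenticate(self, candidate: bytes) -> bool:
        if self.i > self.n:
            return False                      # chain used up, a new seed is needed
        if not hmac.compare_digest(h(candidate), self.last):
            return False                      # h(p_i) must equal stored p_{i-1}
        self.last, self.i = candidate, self.i + 1
        return True

if __name__ == "__main__":
    chain = make_chain(b"constructed secret seed", 4)   # n = 4, as in the slide's example
    server = SKeyServer(4, h(chain[-1]))
    p1, p2 = one_time_password(chain, 1), one_time_password(chain, 2)
    print("p1 accepted:", server.authenticate(p1))
    print("p1 replayed:", server.authenticate(p1))      # rejected: h(p1) != p1
    print("p2 accepted:", server.authenticate(p2))
    print("h(p2) == p1:", h(p2) == p1)
```

The server never holds the seed or any unused password: a captured $p_i$ only reveals passwords that have already been invalidated, because going forward requires inverting $h$.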

  22. Hardware Support
      • Token-based
        • Used to compute response to challenge
        • May encipher or hash challenge
        • May require PIN from user
      • Temporally-based
        • Every minute (or so) different number shown
        • Computer knows what number to expect when
        • User enters number and fixed password

  23. C-R and Dictionary Attacks
      • Same as for fixed passwords
        • Attacker knows challenge r and response f(r); if f encryption function, can try different keys
        • May only need to know form of response; attacker can tell if guess correct by looking to see if deciphered object is of right form
      • Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations

  24. Encrypted Key Exchange
      • Defeats off-line dictionary attacks
      • Idea: random challenges enciphered, so attacker cannot verify correct decipherment of challenge
      • Assume Alice, Bob share secret password $s$
      • In what follows, Alice needs to generate a random public key $p$ and a corresponding private key $q$
      • Also, $k$ is a randomly generated session key, and $R_A$ and $R_B$ are random challenges

  25. EKE Protocol
      Steps used to generate session key:
      • Alice → Bob: Alice, $E_s(p)$
      • Bob → Alice: $E_s(E_p(k))$
      Now Alice, Bob share a randomly generated secret session key $k$.
      Steps used to stop replay attacks:
      • Alice → Bob: $E_k(R_A)$
      • Bob → Alice: $E_k(R_A R_B)$
      • Alice → Bob: $E_k(R_B)$

  26. Biometrics
      • Automated measurement of biological, behavioral features that identify a person
      • Fingerprints: optical or electrical techniques
        • Maps fingerprint into a graph, then compares with database
        • Measurements imprecise, so approximate matching algorithms used
      • Voices: speaker verification or recognition
        • Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent)
        • Recognition: checks content of answers (speaker independent)

  27. Other Characteristics
      • Can use several other characteristics
      • Eyes: patterns in irises unique
        • Measure patterns, determine if differences are random; or correlate images using statistical tests
      • Faces: image, or specific characteristics like distance from nose to chin
        • Lighting, view of face, other noise can hinder this
      • Keystroke dynamics: believed to be unique
        • Keystroke intervals, pressure, duration of stroke, where key is struck
        • Statistical tests used

  28. Cautions
      • These can be fooled!
      • Assumes biometric device accurate in the environment it is being used in!
      • Transmission of data to validator is tamperproof, correct

  29. Multifactor Authentication
      • Many systems now use multi-factor authentication
      • User must present multiple things, typically from different categories:
        • What you know
        • What you have
        • What you are
      • Examples?

  30. Pluggable Authentication Modules (PAM)
      • Idea: when program needs to authenticate, it checks central repository for methods to use
      • Library call: pam_authenticate
        • Accesses file with name of program in /etc/pam.d/
      • Modules do authentication checking
        • binding (new): succeed immediately upon success, otherwise continue down the chain, but ultimately fail
        • sufficient: succeed immediately if module succeeds
        • required: fail if module fails, but all required modules executed before reporting failure
        • requisite: like required, but don’t check all modules upon failure
        • optional: invoke only, but result is ignored

  31. Example PAM File

          auth sufficient /usr/lib/pam_ftp.so
          auth required /usr/lib/pam_unix_auth.so use_first_pass
          auth required /usr/lib/pam_listfile.so onerr=succeed \
               item=user sense=deny file=/etc/ftpusers

      For ftp:
      • If user “anonymous”, return okay; if not, set PAM_AUTHTOK to password, PAM_RUSER to name, and fail
      • Now check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, fail
      • Now see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed

  32. PAM Facilities
      PAM provides four facilities, each with a chain for different things. Each is typically present in the /etc/pam.d/xyz file:
      • auth – does the actual authentication of an applicant
      • account – checks if authentication is allowed (account not expired, time of day, server’s workload, etc…)
      • session – after authentication runs chain for session setup / tear down
      • password – chain used to change passwords
      Ref: http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html

  33. PAM Test - Explain these

          auth required serviceA
          auth sufficient serviceB
          auth required serviceC

      versus

          auth sufficient serviceB
          auth required serviceA
          auth required serviceC
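
A simplified model of the control flags listed on slide 30, run over the two chains from the PAM test, as an added example that is not part of the original slides and is not PAM's own code. `evaluate_chain` is a hypothetical helper, and the pass/fail result of each service is a constructed input.

```python
def evaluate_chain(chain, results):
    """Walk an auth chain of (control, module) pairs.

    results maps module name -> True (module succeeded) or False (module failed).
    Returns (authenticated, modules_actually_run).
    """
    failed = False      # some required/binding module has already failed
    succeeded = False   # some non-optional module has succeeded
    ran = []
    for control, module in chain:
        ok = results[module]
        ran.append(module)
        if control == "optional":
            continue                          # invoked, result ignored
        if ok:
            succeeded = True
            # sufficient/binding end the chain early, but only if nothing
            # required has failed before them
            if control in ("sufficient", "binding") and not failed:
                return True, ran
        elif control == "requisite":
            return False, ran                 # fail at once, skip the rest
        elif control in ("required", "binding"):
            failed = True                     # remember, keep running the chain
        # a failed "sufficient" module is simply ignored
    return succeeded and not failed, ran

# The two orderings from the PAM test slide.
CHAIN_1 = [("required", "serviceA"), ("sufficient", "serviceB"), ("required", "serviceC")]
CHAIN_2 = [("sufficient", "serviceB"), ("required", "serviceA"), ("required", "serviceC")]

if __name__ == "__main__":
    # Constructed case: serviceA rejects the user, serviceB and serviceC accept.
    outcome = {"serviceA": False, "serviceB": True, "serviceC": True}
    print("chain 1:", evaluate_chain(CHAIN_1, outcome))
    print("chain 2:", evaluate_chain(CHAIN_2, outcome))
```

In the first ordering a failure in serviceA always denies access; in the second, a success in serviceB grants access before serviceA and serviceC are consulted at all, so the position of a `sufficient` line decides whether the `required` checks can be bypassed.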

  34. Key Points
      • Authentication is not cryptography
        • You have to consider system components
      • Passwords are here to stay
        • They provide a basis for most forms of authentication
      • Authentication methods can be combined
        • Example: PAM
