Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004
Outline • Authentication mechanisms • Dictionary attacks • Passwords • Defense against attacks
Authentication • Authentication is the binding of an identity to a subject • How? • what the subject knows (e.g. a password) • what the subject has (e.g. a badge or smart card) • what the subject is (e.g. a fingerprint or retinal pattern) • where the subject is (e.g. at a particular terminal)
Authentication Mechanisms (1/2) • Set A of authentication information: specific information used to prove identity (belongs to the subject, e.g. the password) • Set C of complementation information: what the system stores in order to validate a claim (e.g. the password hash) • Set F of complementation functions: generate complementation information from authentication information, f ∈ F, f: A → C
Authentication Mechanisms (2/2) • Set L of authentication functions: verify identity, l ∈ L, l: A × C → { true, false } • Set S of selection functions: enable a subject to create or alter the authentication and complementation information
Passwords • A password is information associated with a user that confirms the user's identity • Passwords may be generated by a system and given to users or selected by the users
Dictionary Attack • Guess a password by repeated trial and error using a list of words (the dictionary) • Type 1 (offline): the complementation information C and the complementation function f are known, e.g. from a copy of the password file • compute f(g) for each guess g • look for a match in C • Type 2 (online): the attacker can only use the authentication function l • submit each guess g to l(g, c) and see whether the system accepts it • Type 2 is what backoff and disabling defend against; Type 1 is limited only by the attacker's computing power and by salting
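As an added illustration, not part of the original slides, the A/C/F/L/S model and both dictionary-attack types in Python. The complementation function f is an assumed stand-in (unsalted SHA-256, which is exactly what makes the type 1 attack cheap); the accounts and the guess list are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def f_unsalted(a: str) -> str:
    """Stand-in complementation function f: A -> C (assumption: unsalted SHA-256)."""
    return hashlib.sha256(a.encode("utf-8")).hexdigest()


class PasswordStore:
    """Holds the complementation information C: one entry c = f(a) per user."""

    def __init__(self, f: Callable[[str], str]) -> None:
        self.f = f
        self.c: Dict[str, str] = {}

    def select(self, user: str, a: str) -> None:
        """Selection function s in S: the subject picks its authentication
        information a; the system keeps only the complement f(a)."""
        self.c[user] = self.f(a)

    def authenticate(self, user: str, a: str) -> bool:
        """Authentication function l in L: l(a, c) -> {true, false}."""
        c = self.c.get(user)
        return c is not None and hmac.compare_digest(self.f(a), c)


def dictionary_attack_type1(c_known: Dict[str, str], f: Callable[[str], str],
                            dictionary: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Type 1: the attacker holds a copy of C and knows f (offline).
    Returns {user: password} for every cracked user and the number of
    evaluations of f. Without a salt, f(g) is computed once per guess and
    compared against every user's c at the same time."""
    by_complement: Dict[str, List[str]] = {}
    for user, c in c_known.items():
        by_complement.setdefault(c, []).append(user)
    cracked: Dict[str, str] = {}
    evaluations = 0
    for g in dictionary:
        evaluations += 1
        for user in by_complement.get(f(g), []):
            cracked[user] = g
    return cracked, evaluations


def dictionary_attack_type2(store: PasswordStore, user: str,
                            dictionary: Iterable[str]) -> Tuple[Optional[str], int]:
    """Type 2: the attacker never sees C or f and can only call l (online guessing).
    Returns (password or None, number of login attempts made)."""
    attempts = 0
    for g in dictionary:
        attempts += 1
        if store.authenticate(user, g):
            return g, attempts
    return None, attempts


# Constructed sample data: four accounts and a small attacker dictionary.
GUESSES = ["password", "letmein", "sunshine", "qwerty"]


def build_sample_store() -> PasswordStore:
    store = PasswordStore(f_unsalted)
    store.select("alice", "sunshine")
    store.select("bob", "letmein")
    store.select("carol", "sunshine")
    store.select("dave", "x7$Qpz!4vL")   # not in the dictionary
    return store


if __name__ == "__main__":
    store = build_sample_store()
    # Three of four accounts fall with only 4 evaluations of f:
    print(dictionary_attack_type1(store.c, f_unsalted, GUESSES))
    print(dictionary_attack_type2(store, "bob", GUESSES))    # ('letmein', 2)
    print(dictionary_attack_type2(store, "dave", GUESSES))   # (None, 4)
```

Note that alice and carol, who chose the same password, end up with the same c, so one evaluation of f("sunshine") exposes both; that is the weakness salting removes.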
Bad Passwords (1/6) • Many user-selected passwords are easy to guess via dictionary attack • Passwords based on account names • Passwords based on user names • Passwords based on computer names • Dictionary words • Reversed dictionary words • Dictionary words with some or all letters capitalized
Bad Passwords (2/6) • Reversed dictionary words with some or all letters capitalized • Dictionary words with arbitrary letters turned into control characters
Bad Passwords (3/6) • Dictionary words with any of the following changes: • a -> 2 or 4 • e -> 3 • h -> 4 • i -> 1 • l -> 1 • o -> 0 • s -> 5 or $ • z -> 5
Bad Passwords (4/6) • Conjugations or declensions of dictionary words • Patterns from the keyboard • Passwords shorter than 6 characters • Passwords containing only digits • Passwords containing only uppercase or lowercase letters, or letters and numbers, or letters and punctuation • Passwords that look like license plate numbers
Bad Passwords (5/6) • Acronyms or abbreviations • Passwords used in the past • Concatenations of dictionary words • Dictionary words preceded or followed by digits, punctuation marks, or spaces • Dictionary words with all vowels deleted • Dictionary words with white spaces deleted
Bad Passwords (6/6) • Passwords with too many characters in common with the previous (current) password
Good Passwords (1/2) • at least one digit • at least one letter • at least one punctuation symbol
Good Passwords (2/2) • Take a verse and select from it "Where were you when we were getting high?" -> wwywwwgh? • Change repetition to count wwywwwgh? -> w2yw3gh?
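As an added example, not part of the original slides, a checker that applies the rules from the Bad Passwords and Good Passwords slides to a candidate password. The word list, the keyboard rows, the 4-character threshold for a keyboard pattern and the 50% similarity threshold for "too many characters in common" are all assumptions made for the example; the leet table is the inverse of the one on the slide, with the ambiguous digits mapped back to every letter they could stand for.

```python
import itertools
import string
from difflib import SequenceMatcher
from typing import Iterable, List, Optional, Sequence

# Constructed mini-dictionary; a real checker would load a full word list.
DICTIONARY = {"password", "sunshine", "letmein", "dragon", "monkey", "welcome", "secret"}
NO_VOWELS = {"".join(ch for ch in w if ch not in "aeiou") for w in DICTIONARY}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Inverse of the substitution table on the "Bad Passwords (3/6)" slide.
UNLEET = {"2": "a", "4": "ah", "3": "e", "1": "il", "0": "o", "5": "sz", "$": "s"}


def unleet_variants(s: str) -> Iterable[str]:
    """Every string obtainable by undoing the letter -> digit substitutions."""
    choices = [UNLEET.get(ch, ch) for ch in s]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def is_dictionary_variant(pw: str) -> bool:
    """Dictionary word, reversed, re-capitalised, leet-substituted, with vowels
    deleted, wrapped in digits/punctuation/spaces, or two words glued together."""
    core = pw.lower().strip(string.digits + string.punctuation + " ")
    for v in unleet_variants(core):
        for cand in (v, v[::-1]):
            if cand in DICTIONARY or cand in NO_VOWELS:
                return True
            if any(cand[:i] in DICTIONARY and cand[i:] in DICTIONARY
                   for i in range(1, len(cand))):
                return True
    return False


def has_keyboard_pattern(pw: str, min_len: int = 4) -> bool:
    """True if min_len consecutive characters run along a keyboard row."""
    s = pw.lower()
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw: str, names: Sequence[str] = (), history: Sequence[str] = (),
                   previous: Optional[str] = None) -> List[str]:
    """Returns the slide rules that pw violates (empty list = acceptable).
    names: account name, user names and computer name; history: past passwords."""
    reasons: List[str] = []
    if len(pw) < 6:
        reasons.append("shorter than 6 characters")
    if pw.isdigit():
        reasons.append("digits only")
    has_letter = any(ch.isalpha() for ch in pw)
    has_digit = any(ch.isdigit() for ch in pw)
    has_punct = any(ch in string.punctuation for ch in pw)
    if not (has_letter and has_digit and has_punct):
        reasons.append("needs at least one letter, one digit and one punctuation symbol")
    low = pw.lower()
    if any(n and n.lower() in low for n in names):
        reasons.append("based on an account, user or computer name")
    if is_dictionary_variant(pw):
        reasons.append("dictionary word or a simple variant of one")
    if has_keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    if pw in history:
        reasons.append("used in the past")
    if previous and SequenceMatcher(None, pw, previous).ratio() > 0.5:
        reasons.append("too many characters in common with the previous password")
    return reasons


if __name__ == "__main__":
    for candidate in ("w2yw3gh?", "p4ssw0rd", "Drowssap1", "123456", "Qwerty!7"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The verse-derived "w2yw3gh?" from the slide passes every rule, while "p4ssw0rd" is caught as soon as the substitutions are undone. Note that the `unleet_variants` expansion grows as 2^k in the number of ambiguous digits, which is acceptable for a password-length input but is why real checkers usually normalise each digit to a single letter instead.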
Defensive Strategies • Salting: change the complementation function based on the user, by hashing a per-user random value together with the password; the same guess must then be hashed separately for every user, and nothing can be precomputed • Backoff: wait longer after each failed attempt (e.g. double the delay each time) • Disconnection: drop the connection after some number of failed attempts • Disabling: lock the account after some number of failed attempts until an administrator re-enables it
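As an added example, not part of the original slides, a store that applies three of these strategies: a per-user salt inside f, exponential backoff enforced by refusing attempts before a deadline, and disabling after a fixed number of failures. The hash (SHA-256), the salt length, the doubling schedule and the failure limit are assumptions for the example; the accounts, guess list and fake clock are constructed so it runs offline.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


def f_salted(salt: bytes, a: str) -> str:
    """Complementation function that depends on a per-user salt, so the
    effective f differs for every user (SHA-256 is an assumed stand-in)."""
    return hashlib.sha256(salt + a.encode("utf-8")).hexdigest()


class GuardedStore:
    """Password store with salting, exponential backoff and disabling."""

    def __init__(self, clock: Callable[[], float], max_failures: int = 4) -> None:
        self.clock = clock                            # injected so time can be faked
        self.c: Dict[str, Tuple[bytes, str]] = {}     # user -> (salt, f_salt(a))
        self.failures: Dict[str, int] = {}
        self.not_before: Dict[str, float] = {}
        self.disabled: Set[str] = set()
        self.max_failures = max_failures

    def select(self, user: str, a: str, salt: Optional[bytes] = None) -> None:
        salt = os.urandom(16) if salt is None else salt   # fresh random salt per user
        self.c[user] = (salt, f_salted(salt, a))
        self.failures[user] = 0
        self.not_before[user] = 0.0

    def authenticate(self, user: str, a: str) -> str:
        """Returns 'ok', 'bad', 'wait' (refused during backoff) or 'disabled'."""
        if user not in self.c:
            return "bad"
        if user in self.disabled:
            return "disabled"
        now = self.clock()
        if now < self.not_before[user]:
            return "wait"          # backoff: the guess is not even evaluated
        salt, c = self.c[user]
        if hmac.compare_digest(f_salted(salt, a), c):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.disabled.add(user)    # disabling: locked until re-enabled by an admin
            return "disabled"
        # backoff: 1, 2, 4, ... seconds before the next attempt is accepted
        self.not_before[user] = now + 2.0 ** (self.failures[user] - 1)
        return "bad"


def type1_attack_salted(store: GuardedStore, dictionary: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Type 1 attack on a leaked salted C. The salt sits beside c, so it does
    not stop the attack, but every guess is hashed once per user and no
    table can be computed ahead of time."""
    words = list(dictionary)
    cracked: Dict[str, str] = {}
    evaluations = 0
    for user, (salt, c) in store.c.items():
        for g in words:
            evaluations += 1
            if f_salted(salt, g) == c:
                cracked[user] = g
                break
    return cracked, evaluations


class FakeClock:
    """Constructed clock for the demonstration; set .t by hand."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


GUESSES = ["password", "letmein", "sunshine", "qwerty"]


def build_sample_store(clock: Callable[[], float]) -> GuardedStore:
    store = GuardedStore(clock, max_failures=4)
    for user, pw in [("alice", "sunshine"), ("bob", "letmein"),
                     ("carol", "sunshine"), ("dave", "x7$Qpz!4vL")]:
        store.select(user, pw)
    return store


def online_guessing_trace(store: GuardedStore, clock: FakeClock) -> List[str]:
    """Type 2 guessing against bob under backoff; returns the verdicts seen."""
    trace = [store.authenticate("bob", "password")]    # bad, next attempt at t=1
    trace.append(store.authenticate("bob", "letmein"))  # wait: correct, but refused
    clock.t = 1.0
    trace.append(store.authenticate("bob", "qwerty"))   # bad, next attempt at t=3
    clock.t = 3.0
    trace.append(store.authenticate("bob", "sunshine")) # bad, next attempt at t=7
    clock.t = 7.0
    trace.append(store.authenticate("bob", "dragon"))   # 4th failure: disabled
    trace.append(store.authenticate("bob", "letmein"))  # stays disabled
    return trace
```

Against the unsalted store four evaluations of f cracked three accounts; here the same dictionary costs twelve, and alice and carol no longer share a c even though they share a password. The backoff check runs before f is evaluated, so a guesser pays in wall-clock time rather than the server paying in hashing.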
Password Aging • Require new password every N days • Need to prevent "changing" to same password • Could prevent reuse of a password for a fixed time period • Need to give users notice before requiring a new password
Challenge Response • System and user share a secret function f • System sends random message m [challenge] • User replies with f(m) [response] • The secret itself never crosses the channel; an eavesdropper sees only m and f(m)
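As an added example, not part of the original slides, the exchange with both sides in Python. The slide leaves f abstract; here it is assumed to be HMAC-SHA256 keyed with the shared secret, the challenge is 16 random bytes, and each challenge can be answered only once, so a recorded response cannot be replayed. The enrolled user and secret are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def f_shared(secret: bytes, m: bytes) -> bytes:
    """The shared secret function f (assumption: HMAC-SHA256 keyed with the secret)."""
    return hmac.new(secret, m, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}
        self.pending: Dict[str, bytes] = {}    # user -> challenge not yet answered

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def challenge(self, user: str) -> bytes:
        """Issue a fresh random m; it replaces any earlier outstanding challenge."""
        m = os.urandom(16)
        self.pending[user] = m
        return m

    def verify(self, user: str, response: bytes) -> bool:
        """Accept iff response == f(m) for the outstanding m. The challenge is
        consumed here, so the same response is never accepted twice."""
        m = self.pending.pop(user, None)
        secret = self.secrets.get(user)
        if m is None or secret is None:
            return False
        return hmac.compare_digest(f_shared(secret, m), response)


class Client:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret

    def respond(self, m: bytes) -> bytes:
        return f_shared(self.secret, m)


def login(server: Server, client: Client) -> bool:
    m = server.challenge(client.name)          # system -> user: m
    r = client.respond(m)                      # user -> system: f(m)
    return server.verify(client.name, r)


def replay_captured_response(server: Server, client: Client) -> bool:
    """An eavesdropper records one (m, f(m)) exchange and replays f(m) later."""
    m = server.challenge(client.name)
    captured = client.respond(m)
    server.verify(client.name, captured)       # the genuine login succeeds
    server.challenge(client.name)              # the next login gets a new m'
    return server.verify(client.name, captured)   # f(m) != f(m'): rejected


def make_pair() -> Tuple[Server, Client]:
    """Constructed enrolment: the server and alice share a 32-byte secret."""
    secret = os.urandom(32)
    server = Server()
    server.enroll("alice", secret)
    return server, Client("alice", secret)


if __name__ == "__main__":
    server, alice = make_pair()
    print("login:", login(server, alice))                        # True
    print("replay:", replay_captured_response(server, alice))   # False
    print("impostor:", login(server, Client("alice", os.urandom(32))))   # False
```

One caveat for practice: if the shared secret is derived from a user-chosen password, an eavesdropper who records (m, f(m)) holds exactly what a Type 1 dictionary attack needs, and can test guesses offline against it. Challenge-response removes the secret from the wire; it does not remove the need for a strong secret.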