1 / 13

Time Passes, Security Changes…

Time Passes, Security Changes…. Christian Huitema Monday, August 1, 2005 IETF, Application Area Meeting. 1 μ s. It takes less than 1 μs to compute an MD5 checksum on this presenter’s laptop. How many guesses before the observer can crack the challenge? 1,000,000 ? 10,000,000?

jhinkson
Download Presentation

Time Passes, Security Changes…

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Time Passes, Security Changes… Christian Huitema Monday, August 1, 2005 IETF, Application Area Meeting

  2. 1 μs It takes less than 1 μs to compute an MD5 checksum on this presenter’s laptop

  3. How many guesses before the observer can crack the challenge? 1,000,000 ? 10,000,000? Do you trust users to generate “good enough” passwords? Dictionary attacks challenge Client Server Response = name + hash (challenge, password) Observer ? Dictionary +

  4. $0.10 A “zombie” PC is rumored to rent for $0.10 per week on the underground market

  5. How much does a crack cost?

  6. Are passwords obsolete? • Basic rules: • If it is generated by the user, it can certainly be cracked • If it can be remembered by the user, it can probably be cracked • Exception: • If the password is exchanged over a protected connection (SSL, TLS, IPSEC) • If the challenge/response mechanism is designed to resist dictionary attacks

  7. Free Internet! The average user will happily connect to a “free Internet” hotspot

  8. Intercept DNS requests Insert a proxy Listen to the data Names, Addresses, Passwords, Challenges Hijack connections SPAM, Ads, Buffer overflows Man in the middle attacks Client Mock DNS AP Proxy DNS Server

  9. Hidden SSID? The practice of “hiding the SSID” facilitates the “evil twin” attack against Wi-Fi

  10. The “evil twin” attack For user convenience, systems try to automatically connect to the “hidden home network” Beacon: No Name Probe: example.net ? Client “Rogue” AP Answer: yes indeed ! Let’s get connected

  11. Evil twin reaps interesting rewards • Exploit automatic connection • Upon a connectivity indication, many systems will automatically “fetch mail”, “empty the outbox”, “synchronize”… • Automatic “man in the middle” attack • Register names, passwords • Store challenge for off-line crack • Quick and silent • Disconnect after a few seconds • Hardly any notification to the user

  12. 2005 Times have changed, old security practices must be revised

  13. Recommendations • Don’t rely on challenge-response • Hardly better than clear-text password! • Identify the server • Prevent man-in-the-middle attacks • Beware of PKI tricks! • Encrypt the session • Protect the identity exchange • Prevent session hijacking • Use secure framework • IPSEC, SSL, secure RPC, Web Services…

More Related