1 / 8

Passwords and Encryption

Passwords and Encryption. CSIS 5857: Encoding and Encryption. Passwords. Universal method for claimant to prove identity Attacks on passwords: Adversary may hack into password file Adversary may try large number of common passwords. Hashing the Passwords.

judson
Download Presentation

Passwords and Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Passwords and Encryption CSIS 5857: Encoding and Encryption

  2. Passwords • Universal method for claimant to prove identity • Attacks on passwords: • Adversary may hack into password file • Adversary may try large number of common passwords

  3. Hashing the Passwords • Store hash of passwords instead of passwords • Canverify given password hashes to same value in file • Cannot recover user’s password from its hash(or even create one with same hash) “Even if I know h(PA), I still can’t figure out PA”

  4. Salting the Passwords • If passwords short, can use “possible message” attack • Hashing list of commonpasswords • Search table for matching hash value • Tables of common passwords hashed with common algorithms (SHA-2) widely available! “I can just search for these to find someone’s password”

  5. Salting the Passwords • Solution: “Lengthen” passwords (done by Unix) • “Salt” = random bits added to end, indexed to claimant • Digest = h(password + salt) • More difficult for adversary to generate all possible combinations of salts, passwords for large password files

  6. One Time Password • Claimant, verifier have initial password P0 • After each access, both change password using some common scheme • Even if adversary captures current password, cannot use it for future access P0 P0 Pi PiPi+1 Pi Pi+1 “I know Pibut I needPi+1”

  7. Lamport One Time Password • Initial password P0 • Counter n • Initially large value n0 • Decremented by claimant/verifier each access • Current password = initial password with hash function applied n times (one fewer each access) • Pi = hn0 - i(P0) • Adversary intercepts current password hn(P0) • Cannot compute hn-1(P0) since can’t reverse hash function

  8. Passwords and Keys • Problem: How can a user memorize a key if necessary? • Solution: Use hash algorithm to convert a passphrase into a key • Convert passphrase into binary ASCII/Unicode string • Apply hash algorithm (possibly truncating to desired key size) • Has good avalanche effect (2 similar passphrases have very different hashes) Help! 1001010101010100101101010100110010101000011…

More Related