80 likes | 267 Views
Passwords and Encryption. CSIS 5857: Encoding and Encryption. Passwords. Universal method for claimant to prove identity Attacks on passwords: Adversary may hack into password file Adversary may try large number of common passwords. Hashing the Passwords.
E N D
Passwords and Encryption CSIS 5857: Encoding and Encryption
Passwords • Universal method for claimant to prove identity • Attacks on passwords: • Adversary may hack into password file • Adversary may try large number of common passwords
Hashing the Passwords • Store hash of passwords instead of passwords • Canverify given password hashes to same value in file • Cannot recover user’s password from its hash(or even create one with same hash) “Even if I know h(PA), I still can’t figure out PA”
Salting the Passwords • If passwords short, can use “possible message” attack • Hashing list of commonpasswords • Search table for matching hash value • Tables of common passwords hashed with common algorithms (SHA-2) widely available! “I can just search for these to find someone’s password”
Salting the Passwords • Solution: “Lengthen” passwords (done by Unix) • “Salt” = random bits added to end, indexed to claimant • Digest = h(password + salt) • More difficult for adversary to generate all possible combinations of salts, passwords for large password files
One Time Password • Claimant, verifier have initial password P0 • After each access, both change password using some common scheme • Even if adversary captures current password, cannot use it for future access P0 P0 Pi PiPi+1 Pi Pi+1 “I know Pibut I needPi+1”
Lamport One Time Password • Initial password P0 • Counter n • Initially large value n0 • Decremented by claimant/verifier each access • Current password = initial password with hash function applied n times (one fewer each access) • Pi = hn0 - i(P0) • Adversary intercepts current password hn(P0) • Cannot compute hn-1(P0) since can’t reverse hash function
Passwords and Keys • Problem: How can a user memorize a key if necessary? • Solution: Use hash algorithm to convert a passphrase into a key • Convert passphrase into binary ASCII/Unicode string • Apply hash algorithm (possibly truncating to desired key size) • Has good avalanche effect (2 similar passphrases have very different hashes) Help! 1001010101010100101101010100110010101000011…