210 likes | 300 Views
CS 99j. Authentication. John C. Mitchell Stanford University. Computer security. Computer security is concerned with the detection and prevention of unauthorized actions by users of a computer system. Authentication. Verify identity Only allow authorized access
E N D
CS 99j Authentication John C. Mitchell Stanford University
Computer security Computer security is concerned with the detection and prevention of unauthorized actions by users of a computer system.
Authentication • Verify identity • Only allow authorized access • Message authentication (different concept) • Confirm source and integrity of message • Message received is the same as message sent
Fundamental limitation I am talking to Joe I am talking to someone who has Joe’s • Password • Private key • Thumbprint
Outline • Password authentication • Unix password scheme • Dictionary attack • Challenge-response mechanisms • Authentication protocols • Protocol analysis methods
Password authentication • Basic idea • User has a secret password • System checks password to authenticate user • Issues • How is password stored? • How does system check password? • How easy is it to guess a password?
Basic password scheme Password file User kiwifruit exrygbzyf kgnosfix ggjoklbsz … … hash function
Basic password scheme • Hash function h : strings strings • Given h(password), hard to find password • No known algorithm better than trial and error • User password stored as h(password) • When user enters password • System computes h(password) • Compares with entry in password file • No passwords stored on disk
Unix password system • Hash function is 25xDES • Number 25 was meant to make search slow • Password file is publicly readable • Other information in password file … • Any user can try “dictionary attack” • User looks at password file • Computes hash(word) for every word in dictionary • “Salt” makes dictionary attack harder • Otherwise, compare hash(word) to all passwords
Salt [Belgers] • Password line account:crypted-passwd:uid:gid:user-name:homedir:shell walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh • Checking with salt
Another password vulnerability void check_passwd(char *name, passwd) { char buffer1[2]; char buffer2[2]; /* place password for name in buffer 1 */ strcpy(buffer2,passwd) if (buffer1[1]==buffer2[1] && buffer1[1]==buffer2[1]) { /* allow login */ }; else { /* disallow login */ }; }
Extra Reading • Find Phrack archives .oO Phrack 49 Oo. Volume Seven, Issue Forty-Nine • Look for this article XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Smashing The Stack For Fun And Profit XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX by Aleph One aleph1@underground.org
Challenge-response Challenge User Secret key string f(key,string) Response
Challenge-response authentication • Challenge • System presents user with some string • Response • User computes f(key,string) • Authentication • Check property of f(key,string) • Secret data can stay secret: no password is sent What kind of function will work?
Authentication protocols • Many protocols to confirm identity • Clark-Jacob survey of 50 protocols • Common use • Client and server confirm identity and agree on secret encryption key
Network connection • TCP syncronize/acknowledgement Client SYN Server SYN-ACK ACK sequence numbers omitted ...
Needham-Schroeder Key Exchange { A, Na } Kb { Na, Nb } Ka { Nb} Kb A B Result: A and B share two private numbers not known to any observer without Ka-1, Kb -1
Anomaly in Needham-Schroeder [Lowe] { A, Na } Ke A E { Na, Nb } Ka { Nb } Ke { A, Na } { Na, Nb } Evil agent E tricks honest A into revealing private key Nb from B. Kb Ka B Evil E can then fool B.
Repaired Needham-Schroeder Protocol { A, Na } Kb { Na, B, Nb } Ka { Nb} Kb A B Result: A and B share two private numbers not known to any observer without Ka-1, Kb -1
How do we know this is correct? • Think a lot • Ask smart people • Systematic methods • Protocol logics • BAN, GNY, SvO, … • Model checking • Exhaustive testing of finite systems • Mathematical proof • Prove an abstract form of protocol is correct • Even with simplifications, requires computer assistance
Explicit Intruder Method Informal Protocol Description Formal Protocol Intruder Model Analysis Tool Gee whiz. Looks OK to me.