Authentication & Passwords
CS 665 Spring 07, 03/15/07
Lane Department of Computer Science and Electrical Engineering
Authentication
• Based on Chapter 2 of "Authentication: From Passwords to Public Keys" by Richard E. Smith, pp. 39-72.
• Authentication: a mechanism or process that associates a particular person's identity with a statement, action, or event. In a computer system it verifies that an internal user identification is correctly associated with its owner.
• Authentication factors:
  • What you know: passwords, DOB, SSN, etc.
  • What you have: driver's license, passport, smart card / token, etc.
  • What you are: fingerprint, iris print, DNA, height / weight, etc.
  • Where you are: physical location, GPS, RFID, etc.
Passwords (p.43)
• Base secret: a piece of secret information associated with a particular user. An authentication mechanism that uses a base secret cannot authenticate a user unless the user has access to the corresponding base secret.
• Password: a memorized base secret constructed from keystrokes. Traditionally passwords consisted of letters without special characters or embedded blanks, but many modern systems have relaxed these restrictions. Many systems restrict the length of passwords to 10 or 20 characters, or even less.
• Passphrase: a memorized base secret constructed of text that may include embedded blanks. Passphrases are typically allowed to be much longer than passwords and may extend for dozens of characters. It is usually assumed that a passphrase is a piece of readable text that the owner finds memorable.
• The base secret of a mechanical lock is the pattern of notch lengths on the key.
Passwords & Combination Locks (why they fail)
• Often shipped with a "factory default" that is intended to be reset. This step is often neglected, which effectively shrinks the space of possibilities to a list of defaults; such try-out lists are generally 100 entries or fewer. Routers are another example.
• People rarely use "secure" passwords (random, memorized secrets including arbitrary digits and special characters) and sometimes use personal information that can be easily obtained, which again effectively shrinks the space of possibilities.
• People write down hard-to-remember combinations and passwords.
Cultural Authentication vs. Random Secrets
• Biblical example: escaped Ephraimites trying to cross the fords of the Jordan had to pronounce "Shibboleth"; those who could only say "Sibboleth" were slain on the spot.
• WWII example: German soldiers dressed as Americans were challenged with questions about baseball and the World Series.
• Modern examples: SSN, mother's maiden name, business-associate knowledge.
• Cultural authentication often does not require an "explicit exchange" of the secret; the two parties may simply have participated in a similar event.
• Random secrets necessitate an explicit exchange, since there is no way to predict the value of the secret, e.g. transmitting new user credentials on a piece of paper.
UNIX Password System
• The first multiuser system with login capabilities, developed at Bell Labs in the early 1970s, stored passwords in a plaintext file, /etc/passwd, to which only the root user had access. Passwords were traditionally limited to 8 characters in length, drawn from the 95 printable ASCII characters.
• In 1973 UNIX incorporated password hashing.
• Hash function: a function that takes an arbitrary amount of input data and computes a fixed-size result (presumably in a format unrecognizable to humans). (p.49)
Attacking the UNIX Password File
• Typical attacks on the UNIX password file are off-line, because login delays and attempt limits thwart on-line guessing.
• An attacker with any login on the system copies the hashed password file, then guesses passwords off-line: each guess is hashed and the result is compared with the stored hashes.
M-209 Hash
• Plaintext + Secret Code → Ciphertext (the first UNIX crypt() was built on a software simulation of the M-209 cipher machine, with the password as the key)
• 1970s UNIX case study: ≤ 8 characters drawn from 95 symbols
  95^1 + 95^2 + 95^3 + 95^4 + 95^5 + 95^6 + 95^7 + 95^8
  = 95 + 9,025 + 857,375 + 81,450,625 + 7,737,809,375 + 735,091,890,625 + 69,833,729,609,375 + 6,634,204,312,890,625
  = 6,704,780,954,517,120 ≈ 6.7 quadrillion possibilities
• PDP-11 crypt() at 1.25 milliseconds per guess:
  8,380,976,193,146,400 ms = 8,380,976,193,146 s = 139,682,936,552 min = 2,328,048,942 hr = 97,002,039 days ≈ 265,759 years to exhaust the whole space
• ≈ 262,961 years for all 8-character passwords alone (95^8)
• ≈ 107 hours for all 6-letter passwords (the figure corresponds to lowercase letters only, 26^6)
• ≈ 10 min for all 4-letter passwords (lowercase letters only, 26^4)
DES Hash (pp. 55-56)
• The 2nd version of UNIX password hashing was a modified DES algorithm that included a 12-bit salt; because the salt alters the algorithm, off-the-shelf DES implementations (and hardware) could not be used to attack the stored hashes.
• By the end of the 1980s the DES crypt ran at 0.92 milliseconds per hash.
• The real threat comes from poor password selection habits and dictionary attacks.
Dictionary Attacks
• Taken literally, there are ≈ 150,000-200,000 entries in a typical dictionary.
• Compile 10 permutations of each word = 2,000,000 entries.
• At 11 bytes per hashed word that is a 22 MB file, and ≈ 30 min to compute at roughly 1 ms per hash.
• The salt adds another layer of complexity: any given password can have up to 4,096 different hash values, so a precomputed table cannot be shared across users with different salts.
• 4,096 × 2,000,000 words requires a dictionary of over 80 gigabytes.
• Current UNIX distributions accept passwords of up to 40 characters.
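The off-line dictionary attack of the previous two slides, and the effect of the salt on it, as an added worked example (my code, not from the slides or from Smith's book). It assumes SHA-256(salt || password) in place of the salted DES crypt the slides describe, a 12-bit salt like DES crypt's, and a constructed six-word word list, mangling rules, and leaked password file; the precompute_bytes helper reproduces the slide's 22 MB and "over 80 gigabytes" figures.

```python
import hashlib
import random

DIGITS = "0123456789"
# Constructed mini word list standing in for the 200,000-entry dictionary.
WORDS = ["password", "secret", "dragon", "letmein", "welcome", "monkey"]


def mangle(word):
    """Mangling rules: the 'permutations' the slide counts for each dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for d in DIGITS:
            yield base + d


def candidates(words):
    """Every guess the attacker will hash, deduplicated and in a fixed order."""
    return sorted({c for w in words for c in mangle(w)})


def hash_password(salt, password):
    # Assumption: SHA-256(salt || password) stands in for the salted DES crypt
    # of 1980s UNIX; the lesson is about the salt, not the hash function.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_salt(rng, bits):
    """12-bit salt as in DES crypt (4,096 values); bits=0 means no salt."""
    return format(rng.randrange(2 ** bits), "03x") if bits else ""


def build_leak(salt_bits=12):
    """Constructed /etc/passwd-style leak: user -> (salt, hash)."""
    rng = random.Random(1)
    plaintexts = {"alice": "Dragon7", "bob": "welcome", "carol": "x9#Qv!2L"}
    leak = {}
    for user, pw in plaintexts.items():
        salt = make_salt(rng, salt_bits)
        leak[user] = (salt, hash_password(salt, pw))
    return leak


def attack_unsalted(leak, words):
    """No salt: hash the dictionary once, then every victim is a free lookup.
    Returns (cracked users, number of hashes computed)."""
    table = {hash_password("", c): c for c in candidates(words)}
    cracked = {u: table[h] for u, (_, h) in leak.items() if h in table}
    return cracked, len(table)


def attack_salted(leak, words):
    """With salts the dictionary must be re-hashed under each victim's salt,
    so the work grows with the number of distinct salts attacked."""
    cands = candidates(words)
    cracked, work = {}, 0
    for user, (salt, h) in leak.items():
        for c in cands:
            work += 1
            if hash_password(salt, c) == h:
                cracked[user] = c
    return cracked, work


def precompute_bytes(n_words, rules_per_word, salt_bits=0, bytes_per_entry=11):
    """Size of a precomputed hash table covering every word, rule and salt."""
    return n_words * rules_per_word * (2 ** salt_bits) * bytes_per_entry


if __name__ == "__main__":
    print("unsalted:", attack_unsalted(build_leak(salt_bits=0), WORDS))
    print("salted:  ", attack_salted(build_leak(), WORDS))
    print("table, no salt :", precompute_bytes(200_000, 10) / 1e6, "MB")
    print("table, 12-bit salt:", precompute_bytes(200_000, 10, 12) / 2**30, "GiB")
```

Both attacks recover alice's and bob's passwords (a dictionary word with a mangling rule applied) and neither recovers carol's random one; the salted run costs three times as many hashes for three users, which is the slide's 4,096× table blow-up in miniature.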
Resisting Guessing Attacks (p.69)
• Increase the possible password space and ensure each password is equally likely to be selected.
• Given this, a guessing attack must, on average, try half of the possibilities in order to succeed.
• Entropy: a unit of measure reflecting the size of the password space; a 3-digit luggage lock has entropy 1,000.
• A 56-bit key: entropy 2^56 ≈ 72 quadrillion.
• Bit entropy = log2(entropy), e.g. log2(16,000,000) = 23.93 bits.
Resisting Guessing Attacks (cont.) (p.65)
• Biases in base secrets
• Placing limitations (imposed or self-imposed) on password selection reduces password entropy.
• E.g. 50% of customers choose dates as the combinations of their luggage locks.
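The keyspace, search-time and entropy arithmetic of the M-209 and "Resisting Guessing Attacks" slides carried through in code, as an added example (mine, not from the slides). It goes one step beyond the slides with expected_guesses_biased, which shows how much a bias like "half the users pick a date" cuts the attacker's expected work when the biased subset is tried first; the 366-value date subset and the assumption that choices are uniform within each group are mine.

```python
import math

PRINTABLE_ASCII = 95          # symbols available to an 8-character UNIX password
PDP11_CRYPT_MS = 1.25         # per-guess cost of the M-209 crypt() from the slides
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(symbols, max_len, min_len=1):
    """Number of distinct passwords of length min_len..max_len over `symbols` symbols."""
    return sum(symbols ** k for k in range(min_len, max_len + 1))


def exhaustive_seconds(space, ms_per_guess):
    """Wall-clock seconds to try every password in `space` at `ms_per_guess` each."""
    return space * ms_per_guess / 1000.0


def entropy_bits(space):
    """Bit entropy of a secret chosen uniformly from `space` values."""
    return math.log2(space)


def expected_guesses(space):
    """Average guesses against a uniformly chosen secret: half the space."""
    return (space + 1) / 2


def expected_guesses_biased(space, biased_size, biased_fraction):
    """Expected guesses when `biased_fraction` of users pick from a subset of
    `biased_size` values (dates, say) and the attacker tries that subset first.
    Assumption: choices are uniform within the subset and within the remainder."""
    inside = (biased_size + 1) / 2
    outside = biased_size + (space - biased_size + 1) / 2
    return biased_fraction * inside + (1 - biased_fraction) * outside


if __name__ == "__main__":
    space = keyspace(PRINTABLE_ASCII, 8)
    print("<= 8 chars of 95 :", space)
    print("years to exhaust :", exhaustive_seconds(space, PDP11_CRYPT_MS) / SECONDS_PER_YEAR)
    print("hours, 6 letters :", exhaustive_seconds(26 ** 6, PDP11_CRYPT_MS) / 3600)
    print("bits, 16,000,000 :", entropy_bits(16_000_000))
    print("luggage lock, uniform vs. 50% dates:",
          expected_guesses(1000), expected_guesses_biased(1000, 366, 0.5))
```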
Password Management
• From "Evaluating the Reliability of Credential Hardening through Keystroke Dynamics," Proc. of the 17th IEEE International Symposium on Software Reliability Engineering (ISSRE'06), Raleigh, NC, USA, November 2006. Published on 10.17.06.
• The problem of password management still exists.
• MANY still resort to highly vulnerable tactics.
• Others employ advanced tactics; these remain vulnerable to classic attacks.
Motivation / Introduction
• Credential sets I've used recently:
  • Horizons Credit Union
  • Huntington Banks
  • MBNA
  • Capital One
  • Turbo Tax
  • Federal Direct Loans
  • Adelphia PowerPay
  • Amazon
  • New Egg
  • Digg
  • ESPN
• Studies suggest active web users use on average 15 credential sets per day.
• High risks associated with compromise:
  • Once compromised (lost/stolen), 100% FAR (False Acceptance Rate)
  • Inability to recognize when compromised
• A potential solution: harden username / password credentials with a keystroke dynamics behavioral biometric ("the way you type").
Motivation / Introduction
• Keystroke dynamics defined:
  • The pattern associated with the way one types
  • "detailed timing information that describes exactly when each key was depressed and when it was released as a person is typing at a computer keyboard."
• Benefits of keystroke dynamics:
  • Ease of use
  • Ease of deployability
  • Transparency of use
  • Allows for template replaceability (in short-input schemes)
  • Cost-to-performance ratio
  • Perfect fit with already existing username & password authentication schemes
A Keystroke Dynamics Semantics Primer
• KeyDown: fires when a key is pressed down. Continues to fire until the depressed key is released.
• KeyUp: fires when a currently depressed key is subsequently released.
• Keystroke: the combination of an initial KeyDown event and the corresponding KeyUp event.
• Hold time: length of time between an initial KeyDown and the corresponding KeyUp.
• Delay (latency): time between two successive keystrokes. Can be positive or negative (overlapping strokes).
[Figure: two overlapping keystrokes; Hold Time = 500 ms, Delay = -500 ms]
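The primer's definitions turned into a feature extractor and a minimal template match, as an added example (my code, not the ISSRE'06 paper's system). Events are (kind, key, milliseconds) in driver order; the typed string "SAD", all timings, the z-score distance, the 10 ms standard-deviation floor and the 1.5 acceptance threshold are constructed assumptions. The impostor sample overlaps S and A so that the delay between them comes out negative, the case the figure illustrates.

```python
from statistics import mean, pstdev


def to_events(strokes):
    """Build a time-ordered KeyDown/KeyUp stream from (key, down_ms, up_ms) triples."""
    ev = [("down", k, d) for k, d, _ in strokes] + [("up", k, u) for k, _, u in strokes]
    return sorted(ev, key=lambda e: e[2])


# Constructed enrollment samples of the user typing "SAD" (timings invented).
ENROLLMENT = [
    to_events([("S", 0, 110), ("A", 150, 260), ("D", 300, 400)]),
    to_events([("S", 0, 120), ("A", 160, 270), ("D", 310, 415)]),
    to_events([("S", 0, 100), ("A", 140, 250), ("D", 290, 385)]),
]
GENUINE = to_events([("S", 0, 115), ("A", 150, 265), ("D", 305, 405)])
# Impostor who knows the password: long holds, and A pressed before S is released.
IMPOSTOR = to_events([("S", 0, 200), ("A", 150, 350), ("D", 400, 520)])


def keystrokes(events):
    """Pair each KeyDown with the KeyUp of the same key -> (key, down, up) in press order.
    A repeated KeyDown for a key that is already held (auto-repeat) is ignored."""
    held, strokes = {}, []
    for kind, key, t in events:
        if kind == "down" and key not in held:
            held[key] = t
        elif kind == "up" and key in held:
            strokes.append((key, held.pop(key), t))
    return sorted(strokes, key=lambda s: s[1])


def hold_times(strokes):
    return [up - down for _, down, up in strokes]


def latencies(strokes):
    """KeyDown of the next stroke minus KeyUp of the previous; negative when they overlap."""
    return [nxt[1] - prev[2] for prev, nxt in zip(strokes, strokes[1:])]


def features(events):
    s = keystrokes(events)
    return hold_times(s) + latencies(s)


def enroll(samples, floor_ms=10.0):
    """Per-feature (mean, std) template; the floor keeps one very steady feature
    from dominating the distance."""
    vecs = [features(e) for e in samples]
    template = []
    for i in range(len(vecs[0])):
        col = [v[i] for v in vecs]
        template.append((mean(col), max(pstdev(col), floor_ms)))
    return template


def score(template, events):
    """Mean absolute z-distance of an attempt from the template (lower is closer).
    A different number of keystrokes means the typed secret itself was wrong."""
    f = features(events)
    if len(f) != len(template):
        return float("inf")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(f, template))


def verify(template, events, threshold=1.5):
    return score(template, events) <= threshold


TEMPLATE = enroll(ENROLLMENT)

if __name__ == "__main__":
    print("genuine :", features(GENUINE), score(TEMPLATE, GENUINE))
    print("impostor:", features(IMPOSTOR), score(TEMPLATE, IMPOSTOR))
```

The password check still happens first; the timing template only decides whether someone who typed the right secret typed it the way its owner does, which is what lets it reject a stolen credential.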
Keystroke Dynamics Goals
• Harden authentication credentials with username & password keystroke dynamics.
• Provide a framework for a readily deployable biometric system that works in an unsupervised and remote fashion.
• Establish the difference in performance associated with two password types.
• Acquire a significantly large database to begin answering questions of scalability.
More to Come
• It turns out keystroke dynamics can increase the security level associated with traditional passwords.
• For more info see: "Evaluating the Reliability of Credential Hardening through Keystroke Dynamics."
Polyalphabetic Cipher Project
• 1. Determine the number of alphabets (the key period)
  • Index of Coincidence (I.C.): I.C. = c · Σ n_i (n_i − 1) / (N (N − 1)), where n_i = frequency of each character of the alphabet (a-z) in the sample, N = total number of letters in the sample, c = number of characters in the alphabet
  • Kasiski examination:
    Location:   01234 56789 01234 56789 01234 56789
    Keyword:    RELAT IONSR ELATI ONSRE LATIO NSREL
    Plaintext:  TOBEO RNOTT OBETH ATIST HEQUE STION
    Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY
    The Kasiski method would produce a list like the following:
    Repeated digraph   Location   Distance   Factors
    KS                 9          9          3, 9
    SM                 10         9          3, 9
    ME                 11         9          3, 9
• 2. Determine the substitutions for the individual alphabets
  • Frequency analysis
  • Genetic algorithm
  • Simulated annealing
  • Etc.
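Step 1 of the project worked on the slide's own example, as an added example (my code, not the course's solution): a Vigenère encryptor to regenerate the ciphertext, a Kasiski pass that produces the digraph table above, the I.C. in the slide's c-normalized form, and a per-column I.C. that should peak at the true period once the sample is long enough. It goes slightly beyond the slide by taking the factors of the gcd of all repeat distances as the candidate periods; the n-gram length parameter is mine.

```python
from collections import Counter
from functools import reduce
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere_encrypt(plaintext, keyword):
    """Shift each plaintext letter by the corresponding keyword letter (mod 26)."""
    letters = [ch for ch in plaintext.upper() if ch in ALPHABET]
    keyword = keyword.upper()
    out = []
    for i, p in enumerate(letters):
        k = ALPHABET.index(keyword[i % len(keyword)])
        out.append(ALPHABET[(ALPHABET.index(p) + k) % 26])
    return "".join(out)


def factors(n):
    return [d for d in range(2, n + 1) if n % d == 0]


def kasiski(ciphertext, n=2):
    """Repeated n-grams -> [(location, distance from first occurrence, factors)],
    i.e. the rows of the slide's table (n=2 gives digraphs)."""
    where = {}
    for i in range(len(ciphertext) - n + 1):
        where.setdefault(ciphertext[i:i + n], []).append(i)
    table = {}
    for gram, locs in where.items():
        if len(locs) > 1:
            first = locs[0]
            table[gram] = [(loc, loc - first, factors(loc - first)) for loc in locs[1:]]
    return table


def candidate_periods(ciphertext, n=2):
    """Key lengths consistent with every repeat distance: factors of their gcd."""
    distances = [d for rows in kasiski(ciphertext, n).values() for _, d, _ in rows]
    if not distances:
        return []
    return factors(reduce(gcd, distances))


def index_of_coincidence(text, c=26):
    """Slide's I.C. = c * sum(n_i (n_i - 1)) / (N (N - 1)).
    About 1.73 for English text, about 1.0 for uniformly random letters."""
    N = len(text)
    if N < 2:
        return 0.0
    counts = Counter(text)
    return c * sum(n * (n - 1) for n in counts.values()) / (N * (N - 1))


def period_ic(ciphertext, period):
    """Mean I.C. over the `period` columns; each column is a single-alphabet
    substitution when `period` is right, so its I.C. approaches English's."""
    cols = [ciphertext[i::period] for i in range(period)]
    return sum(index_of_coincidence(col) for col in cols) / period


if __name__ == "__main__":
    ct = vigenere_encrypt("TO BE OR NOT TO BE THAT IS THE QUESTION", "RELATIONS")
    print(ct)
    for gram, rows in kasiski(ct).items():
        for loc, dist, fac in rows:
            print(gram, loc, dist, fac)
    print("candidate periods:", candidate_periods(ct))
    for p in candidate_periods(ct):
        print(p, round(period_ic(ct, p), 3))
```

On a 30-letter sample the per-column I.C. is too noisy to separate period 3 from period 9 on its own, which is why the slide lists Kasiski and I.C. together: Kasiski narrows the candidates, and I.C. becomes decisive as the ciphertext grows.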