200 likes | 326 Views
CS 259. Password Authentication. J. Mitchell. Password file. User. kiwifruit. exrygbzyf kgnosfix ggjoklbsz … …. hash function. Basic password authentication. Setup User chooses password Hash of password stored in password file Authentication
E N D
CS 259 Password Authentication J. Mitchell
Password file User kiwifruit exrygbzyf kgnosfix ggjoklbsz … … hash function
Basic password authentication • Setup • User chooses password • Hash of password stored in password file • Authentication • User logs into system, supplies password • System computes hash, compares to file • Attacks • Online dictionary attack • Guess passwords and try to log in • Offline dictionary attack • Steal password file, try to find p with hash(p) in file
Dictionary Attack – some numbers • Typical password dictionary • 1,000,000 entries of common passwords • people's names, common pet names, and ordinary words. • Suppose you generate and analyze 10 guesses per second • This may be reasonable for a web site; offline is much faster • Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average • If passwords were random • Assume six-character password • Upper- and lowercase letters, digits, 32 punctuation characters • 689,869,781,056 password combinations. • Exhaustive search requires 1,093 years on average
Salt • Unix password line walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh Compare Salt Input Key Constant Ciphertext 25x DES Plaintext When password is set, salt is chosen randomly
Advantages of salt • Without salt • Same hash functions on all machines • Compute hash of all common strings once • Compare hash file with all known password files • With salt • One password hashed 212 different ways • Precompute hash file? • Need much larger file to cover all common strings • Dictionary attack on known password file • For each salt found in file, try all common strings
Web Authentication • Problems • Network sniffing • Malicious or weak-security website • Phishing • Common password problem • Pharming – DNS compromise • Malware on client machine • Spyware • Session hijacking, fabricated transactions Server password Browser cookie next few slides
Password Phishing Problem • User cannot reliably identify fake sites • Captured password can be used at target site Bank A pwdA pwdA Fake Site
pwdA = pwdB low security site Common Password Problem • Phishing attack or break-in at site B reveals pwd at A • Server-side solutions will not keep pwd safe • Solution: Strengthen with client-side support Bank A high security site pwdA Site B
pwdA = pwdB Defense: Password Hashing hash(pwdA, BankA) • Generate a unique password per site • HMACfido:123(banka.com) Q7a+0ekEXb • HMACfido:123(siteb.com) OzX2+ICiqc • Hashed password is not usable at any other site • Protects against password phishing • Protects against common password problem Bank A hash(pwdB, SiteB) Site B
Defense: SpyBlock Authentication agent communicates through browser agent Authentication agent communicates directly to web site
SpyBlock protection password in trusted client environment server support required better password-based authentication protocols trusted environment confirms site transactions
Goals for password protocol • Authentication relies on password • User can remember password, use anywhere • No additional client-side certificates, etc. • Protect against attacks • Network does not carry cleartext passwords • Malicious user cannot do offline dictionary attack • Malicious server (as in phishing) does not learn password from communication with honest user
Simple approach • Send hashed passwords • Does this “work”? • Good points? • Bad points? Server hash(pwd|0) Browser hash(pwd|1)
“Interlock” password protocols (Set-up Phase) Password p known to both parties (Key Exchange Phase) A B gx B A gy k = gxyor some function of gxy (Authentication Phase) A B mack(p, r) for random r B A mack(p, s), enck(s) for random s A B enck(r) [Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]
ESP-KE key exchange protocol Prime p and generators , β known Generate random a Generate random b A= a/ βPmod p B= b mod p A B If A=0 Abort k = Bamod p k = (A βP)bmod p Mb=H(0,k,P) Mb If H(0,k,P) ≠ MbAbort Ma= H(1,k,P) Ma If H(1,k,P) ≠ MaAbort [M Scott]
SRP protocol (Set-up Phase) Carol chooses password P Steve chooses s, computes x = H(s, P) and v = gx (Key Exchange Phase) C Bob looks up s, v x = H(s, P) s A = gaA B,u B = v + gb, random u S = (B - gx) (a+ux) S = (Avu)b M1 = H(A,B,S) M1 verify M1 verify M2M2 M2 = H(A,M1,S) Key = H(S) Key = H(S) [Wu]
password? CMU “Phoolproof” proposal • Eliminates reliance on perfect user behavior • Protects against keyloggers, spyware. • Uses a trusted mobile device to perform mutual authentication with the server