Lecture 19: Authentication
David Evans, http://www.cs.virginia.edu/evans
CS588: Cryptography, University of Virginia Computer Science
John Daugman, http://www.cl.cam.ac.uk/users/jgd1000/iriscollage


Page 1: David Evans cs.virginia/evans

David Evans
http://www.cs.virginia.edu/evans

CS588: Cryptography
University of Virginia
Computer Science

Lecture 19: Authentication

John Daugman, http://www.cl.cam.ac.uk/users/jgd1000/iriscollage.jpg


19 April 2005 University of Virginia CS 588 2

How do you authenticate?
• Something you know
  – Password
• Something you have
  – SecurID, physical key
• Something you are
  – Biometrics (voiceprint, fingerprint, etc.)
• Decent authentication requires combination of at least 2 of these


Early Password Schemes

UserID    Password
algore    internalcombustion
clinton   buddy
georgew   gorangers

Login: algore
Password: tipper
Failed login. Guess again.

Login does direct password lookup and comparison.


Login: algore
Password: internalcombustion

[Diagram labels: Terminal, Login Process, Trusted Subsystem, Eve]

login sends <“algore”, “internalcombustion”>


Authentication Problems
• Need to store the passwords somewhere – dangerous to rely on this being secure
  – Encrypt them? But then, need to hide key
• Need to transmit password from user to host
  – Use a secure line (i.e., no remote logins)
  – Encrypt the transmission (what key?)


Encrypted Passwords

UserID    Password
algore    E (“internalcombustion”, K)
clinton   E (“buddy”, K)
georgew   E (“gorangers”, K)

Hmmm.... D (E (“buddy”, K), K) = “buddy”


Hashed Passwords

UserID    Password
algore    H (“internalcombustion”)
clinton   H (“buddy”)
georgew   H (“gorangers”)


Encrypted Passwords Try 1

Login: algore
Password: internalcombustion

[Diagram labels: Terminal, Trusted Subsystem]

login sends <“algore”, H(“internalcombustion”)>

Trusted subsystem compares to stored value.


Encrypted Passwords Try 2

Login: algore
Password: internalcombustion

[Diagram labels: Terminal, Trusted Subsystem]

login sends <“algore”, “internalcombustion”>

Trusted subsystem computes H(“internalcombustion”) and compares to stored value.


First UNIX Password Scheme
• [Wilkes68] (recall DES was 1976)
• Encryption based on M-209 cipher machine (US Army WWII)
• Easy to invert unknown plaintext and known key, used password as key:
  – Instead of E_K(password) used hash function E_Password(0)
• PDP-11 could check all 5 or less letter lower-case passwords in 4 hours!


Making Brute Force Attacks Harder

• Use a slower encryption (hashing) algorithm
  – Switched to DES: H(p) = DES_p(0)
• Even slower: run DES lots of times
  – UNIX uses DES_p^25(0)
    … DES_p(DES_p(DES_p(DES_p(0))))
• Require longer passwords
  – DES key is only 56 bits: only uses first 7.5 characters (ASCII)
  – 95 printable characters, 95^8 = 6.6 * 10^15


Dictionary Attacks
• Try a list of common passwords
  – All 1-4 letter words
  – List of common (dog) names
  – Words from dictionary
  – Phone numbers, license plates
  – All of the above in reverse
• Simple dictionary attacks retrieve most user-selected passwords
• Precompute H(x) for all dictionary entries


At least 86% of users are dumb

Single ASCII character             0.5%
Two characters                     2%
Three characters                   14%
Four alphabetic letters            14%
Five same-case letters             21%
Six lowercase letters              18%
Words in dictionaries or names     15%
Other (possibly good passwords)    14%

(Morris/Thompson 79)


Making Dictionary Attacks Harder

• Force/convince users to pick better passwords
  – Test selected passwords against a known dictionary
  – Enforce rules on non-alphabet characters, length, etc.
• Don’t let attacker see the password file


Problems with User Rules

• Users get annoyed
• If you require hard to remember passwords, users write them down
• Attackers know the password selection rules too – reduces search space!


True Anecdote
• One installation: machines generated random 8-letter passwords
• Used PDP-11 pseudo-random number generator with 2^15 possible values
• Time to try all possible passwords on PDP-11: One minute!
• Good news: at least people don’t have to remember the 8 random letters


Everybody loves Buddy

UserID     Password
algore     DES_internalcombustion^25(0)
clinton    DES_buddy^25(0)
georgew    DES_gorangers^25(0)
hillaryc   DES_buddy^25(0)


Salt of the Earth

UserID     Salt   Password
algore     1125   DES+^25 (0, “internal”, 1125)
clinton    2437   DES+^25 (0, “buddy”, 2437)
georgew    932    DES+^25 (0, “goranger”, 932)
hillaryc   1536   DES+^25 (0, “buddy”, 1536)

How much harder is the off-line dictionary attack?

DES+ (m, key, salt) is DES except with salt-dependent E-tables.

Salt: 12 random bits

(This is the standard UNIX password scheme.)
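
The effect of the salt on the off-line dictionary attack can be measured directly. The following is an added example, not part of the original lecture: it uses 25 rounds of SHA-256 as a stand-in for DES+^25 (an assumption, not real crypt(3)), the user names and salts from the tables above, and a constructed guess list.

```python
import hashlib

SALT_BITS = 12  # salt size given on the slide
# Constructed sample data: users and salts taken from the slides' tables.
USERS = {"algore": ("internalcombustion", 1125), "clinton": ("buddy", 2437),
         "georgew": ("gorangers", 932), "hillaryc": ("buddy", 1536)}
DICTIONARY = ["buddy", "password", "gorangers", "tipper"]  # constructed guess list

def slow_hash(password, salt=None, rounds=25):
    """Stand-in for DES+^25 (assumption): 25 rounds of SHA-256."""
    data = password[:8].encode()          # the scheme keeps only 8 characters
    if salt is not None:
        data = salt.to_bytes(2, "big") + data
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return data.hex()

def password_file(salted):
    """Build the stored table: user -> (salt or None, hash)."""
    return {u: (s if salted else None, slow_hash(p, s if salted else None))
            for u, (p, s) in USERS.items()}

def dictionary_attack(table, words):
    """Return (recovered passwords, number of hash computations needed)."""
    cracked, computed, cache = {}, 0, {}
    for user, (salt, stored) in table.items():
        if salt not in cache:             # one lookup table per distinct salt
            cache[salt] = {slow_hash(w, salt): w for w in words}
            computed += len(words)
        if stored in cache[salt]:
            cracked[user] = cache[salt][stored]
    return cracked, computed

def precomputed_table_size(words, salted):
    """Entries needed to precompute H(x) before seeing the password file."""
    return len(words) * (2 ** SALT_BITS if salted else 1)

if __name__ == "__main__":
    for salted in (False, True):
        cracked, work = dictionary_attack(password_file(salted), DICTIONARY)
        print("salted" if salted else "unsalted", cracked, "hashes:", work,
              "precompute:", precomputed_table_size(DICTIONARY, salted))
```

The salt does not protect a weak password once the file is seen; it removes the shared entry for clinton and hillaryc and multiplies the precomputation by 2^12.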


Security of UNIX Passwords

• Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest)

• Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988)

• L0phtCrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT)


What about Eve?

Login: algore
Password: internalcombustion

[Diagram labels: Terminal, Trusted Subsystem, Eve]

login sends <“algore”, “internalcombustion”>

Trusted subsystem computes DES+^25 (0, “internal”, 12) and compares to stored value.

SSssssshhhh… Be very quiet so Eve can’t hear


Simplified SSH Protocol

Login: evans
Password: ******

[Diagram labels: Terminal, viper.cs.virginia.edu, Eve]

login sends E_{KU_viper} <“evans”, “memodn”>

Eve: Can’t decrypt without KR_viper


Actual SSH Protocol

Client / Server message sequence (in time order):

1. Client → Server: requests connection
2. Server → Client: KU_S, KU_t
   Client compares to stored KU_S
3. Client → Server: E_{KU_S} [E_{KU_t} [r]] || { AES | 3DES }

All traffic encrypted using r and selected algorithm.

KU_S – server’s public host key
KU_t – server’s public key, changes every hour
r – 256-bit random number generated by client


Comparing to stored KUS

• It better be stored securely
  – PuTTY stores it in Windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys)


Why Johnny Can’t Even Login

SecureCRT

Default choice!


ssh.com’s SSH


ssh Error


Jennifer Kahng’s 4th Year Thesis Project

31% clicked Continue

2% typed in “yes”

• People are stupid

• Getting people to pay attention is difficult unless you really want to make them angry. (Security vs. convenience)
• Only two people (of > 700) emailed webmaster about potential security vulnerability


Why Johnny (von Neumann) Can’t Even Login

• A smart attacker just replaces the stored key in registry
  – An ActiveX control can do this trivially
  – No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy)


Recap – Authentication Problems
• Need to store the passwords somewhere – dangerous to rely on this being secure
• Need to transmit password from user to host
• Remaining problems:
  – Users pick bad passwords
  – Even if everything is secure, can still watch victim type!
  – Only have to mess up once


GAO IRS Study

The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

"We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL


Solution – Don’t Reuse Passwords
• One-time passwords
• New users have to memorize a list of secure passwords and use one in turn for each login
• Host generates the list using cryptographic random numbers and stores it securely
• Users spend hours memorizing passwords...and better not forget one!


One-Time Use Passwords

• Can we create a sequence of passwords the host can check without storing anything useful to an attacker on the host?

Recall: Unix repeated use passwords
Host stores: H(p)
User provides: x

Password is valid if H(x) = H(p)


S-Key

• Alice picks random number R
• S-Key program generates H(R), H(H(R)), ... , H^99(R).
• Alice prints out these numbers and stores somewhere secure
• Host stores H^100(R).


S/Key Login
• Alice enters H^99(R).
• Host calculates H(H^99(R)).
• Compares to stored H^100(R).
• If they match, allows login
• And replaces old value with H^99(R).
• Alice crosses off H^99(R), enters H^98(R) next time.
• S/Key uses MD4 for H


S/Key

> keyinit
Adding evans:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password: test
Again secret password: test
ID evans s/key is 99 sh69506

H^100(test) = sh69506
What do I need to enter to log in?


S/Key

> key -n 100 99 sh69506
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: test
0: KEEL FLED SUDS BOHR DUD SUP
1: TOW JOBS HOFF GIVE CHUB LAUD
…
98: JEAN THEN WEAK ELAN SLOB GAS
99: MUG KNOB ACT ALOE REST TOO
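
The S/Key login steps above can be traced in a few lines. This is an added example, not part of the original lecture and not the S/Key tool's own code: SHA-256 stands in for MD4 (an assumption), and the secret R and the class and function names are hypothetical.

```python
import hashlib
import hmac

def H(value: bytes) -> bytes:
    """Stand-in for S/Key's MD4 (assumption: SHA-256)."""
    return hashlib.sha256(value).digest()

def chain(secret: bytes, n: int) -> bytes:
    """Return H^n(secret), i.e. H applied n times."""
    for _ in range(n):
        secret = H(secret)
    return secret

class SKeyHost:
    """Host side: stores only the last accepted chain value, never R."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial   # H^100(R) at enrolment
        self.count = count      # index of the next expected password (99)

    def login(self, otp: bytes) -> bool:
        # Alice's list ends at H(R); once it is used up she must re-enrol.
        if self.count < 1:
            return False
        # Valid only if one more application of H gives the stored value.
        if not hmac.compare_digest(H(otp), self.stored):
            return False
        self.stored = otp       # replace H^100(R) with H^99(R), and so on
        self.count -= 1
        return True

def demo():
    R = b"constructed-secret-R"              # constructed sample secret
    host = SKeyHost(chain(R, 100), 99)
    otp99, otp98 = chain(R, 99), chain(R, 98)
    return [host.login(otp99),               # first login succeeds
            host.login(otp99),               # replay of an overheard value fails
            host.login(otp98),               # next value in Alice's list succeeds
            host.count]

if __name__ == "__main__":
    print(demo())
```

An eavesdropper who records H^99(R) learns nothing useful for the next login, because producing H^98(R) would require inverting H.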


Challenge-Response

Login: evans
Challenge: 2357938523
Response: f(x)

[Diagram labels: Terminal; messages shown: E_{KU_mamba} [“evans”], Challenge x, f(x)]


Challenge-Response Systems
• Ask a question, see if the answer is right
• Hard to make up questions only host and user can answer
• Question: x? Answer: f(x).
• What’s a good choice for f?
  – E (x, key known to both)
  – Still have the problem of storing the key
• SecurID systems work like this
  – Challenge is current time (nothing to send)
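
Both variants on this slide, a host-chosen challenge x and the current time used as the challenge, fit in one short sketch. This is an added example, not part of the original lecture and not any vendor's algorithm: HMAC-SHA256 stands in for E(x, key), and the key, class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def f(key: bytes, challenge: bytes) -> str:
    """f(x): keyed function both sides can compute (assumption: HMAC-SHA256)."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:8]

class Host:
    def __init__(self, keys):
        self.keys = keys        # user -> shared key (still has to be stored)
        self.pending = {}       # user -> outstanding challenge

    def challenge(self, user):
        x = secrets.token_bytes(16)          # fresh, unpredictable x per login
        self.pending[user] = x
        return x

    def verify(self, user, response):
        x = self.pending.pop(user, None)     # single use: a replayed answer fails
        return x is not None and hmac.compare_digest(
            f(self.keys[user], x), response)

def time_code(key, now, step=60):
    """Time as the challenge (nothing to send): x is the current time step."""
    return f(key, (int(now) // step).to_bytes(8, "big"))

def verify_time_code(key, code, now, step=60, drift=1):
    """Accept codes from adjacent time steps to tolerate clock skew."""
    return any(hmac.compare_digest(time_code(key, now + d * step, step), code)
               for d in range(-drift, drift + 1))

def demo():
    key = b"constructed shared key"          # constructed sample key
    host = Host({"evans": key})
    x = host.challenge("evans")
    response = f(key, x)
    first = host.verify("evans", response)
    replay = host.verify("evans", response)  # same answer, no fresh challenge
    t = 1_113_900_000                        # constructed timestamp
    code = time_code(key, t)
    return (first, replay,
            verify_time_code(key, code, t + 30),
            verify_time_code(key, code, t + 600))

if __name__ == "__main__":
    print(demo())
```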


Biometrics: “Something you are”
• Unique(ish) properties of most humans:
• Fingerprint
  – FBI’s Integrated Automated Fingerprint ID system has 48 Million
• Iris
• Hand shape
• Voice
• Gait, etc.


UAE Iris Scanning

• Required of all entering foreigners, compares to database of ~.5M expelled people
  – IrisCodes: 4096 feature bits
    • Each bit is ½ probability to agree
  – Measure Hamming distance between 2 irises
  – 3.8B comparisons per day
  – 22K matches so far: no false positives

http://www.cl.cam.ac.uk/users/jgd1000/UAEdeployment.pdf
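
The Hamming-distance comparison and the role of the decision threshold can be worked through under the slide's own model. This is an added example, not part of the original lecture or of the deployed system: the 0.32 threshold, the 10% re-scan noise and the random codes are constructed assumptions, and bits are treated as independent with agreement probability ½ as the slide states.

```python
import math
import random

BITS = 4096  # IrisCode size given on the slide

def hamming_fraction(a: int, b: int) -> float:
    """Fraction of the 4096 feature bits on which two codes disagree."""
    return bin(a ^ b).count("1") / BITS

def noisy_copy(code: int, flip_rate: float, rng: random.Random) -> int:
    """Constructed re-scan of the same iris: each bit flips with flip_rate."""
    mask = sum(1 << i for i in range(BITS) if rng.random() < flip_rate)
    return code ^ mask

def false_match_probability(threshold: float) -> float:
    """P(two unrelated codes differ in <= threshold*BITS bits), assuming
    independent bits that each agree with probability 1/2."""
    k_max = math.floor(threshold * BITS)
    return sum(math.comb(BITS, k) for k in range(k_max + 1)) / 2 ** BITS

def demo(threshold=0.32, seed=588):
    rng = random.Random(seed)                # seeded so the run is repeatable
    enrolled = rng.getrandbits(BITS)         # constructed enrolled code
    same = hamming_fraction(enrolled, noisy_copy(enrolled, 0.10, rng))
    other = hamming_fraction(enrolled, rng.getrandbits(BITS))
    # A match is declared when the distance falls at or below the threshold.
    return same, other, same <= threshold, other <= threshold

if __name__ == "__main__":
    same, other, same_ok, other_ok = demo()
    print(f"same iris:  {same:.3f} match={same_ok}")
    print(f"other iris: {other:.3f} match={other_ok}")
    print(f"false match probability at 0.32: {false_match_probability(0.32):.3e}")
```

Unrelated codes cluster tightly around a distance of 0.5, so a threshold well below that keeps false matches rare across billions of comparisons while still tolerating scan noise.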



Problems with Biometrics

• Fuzzy measures: need to set thresholds to have some false positives and negatives

• Easily stolen: expert could obtain all of your fingerprints from this room after you leave
  – Non-expert can cut off your finger
  – Voiceprints can be stolen too (Sneakers)
• Hard/impossible to change
• Transmission link is still vulnerable


Charge

• Identity and authentication are hard problems
• Passwords don’t work
• Windows Longhorn may use two-factor authentication

I believe that the time of password-only authentication is gone. We need to go to two-factor authentication. This is the only way to bring the level of trust business needs.

Detlef Eckert, Microsoft’s Trustworthy Computing initiative