Lecture 19: Authentication
David Evans
http://www.cs.virginia.edu/evans
CS588: Cryptography
University of Virginia Computer Science
John Daugman, http://www.cl.cam.ac.uk/users/jgd1000/iriscollage.jpg
19 April 2005 University of Virginia CS 588 2
How do you authenticate?
• Something you know
  – Password
• Something you have
  – SecurID, physical key
• Something you are
  – Biometrics (voiceprint, fingerprint, etc.)
• Decent authentication requires combination of at least 2 of these

Early Password Schemes

UserID    Password
algore    internalcombustion
clinton   buddy
georgew   gorangers

Login: algore
Password: tipper
Failed login. Guess again.

Login does direct password lookup and comparison.

[Diagram: Terminal, Login Process, Trusted Subsystem, Eve]

Login: algore
Password: internalcombustion

login sends <“algore”, “internalcombustion”>

Authentication Problems
• Need to store the passwords somewhere – dangerous to rely on this being secure
  – Encrypt them? But then, need to hide key
• Need to transmit password from user to host
  – Use a secure line (i.e., no remote logins)
  – Encrypt the transmission (what key?)

Encrypted Passwords

UserID    Password
algore    E (“internalcombustion”, K)
clinton   E (“buddy”, K)
georgew   E (“gorangers”, K)

Hmmm.... D (E (“buddy”, K), K) = “buddy”

Hashed Passwords

UserID    Password
algore    H (“internalcombustion”)
clinton   H (“buddy”)
georgew   H (“gorangers”)

Encrypted Passwords Try 1

[Diagram: Terminal, Trusted Subsystem]

Login: algore
Password: internalcombustion

login sends <“algore”, H(“internalcombustion”)>

Trusted subsystem compares to stored value.

Encrypted Passwords Try 2

[Diagram: Terminal, Trusted Subsystem]

Login: algore
Password: internalcombustion

login sends <“algore”, “internalcombustion”>

Trusted subsystem computes H(“internalcombustion”) and compares to stored value.

First UNIX Password Scheme
• [Wilkes68] (recall DES was 1976)
• Encryption based on M-209 cipher machine (US Army WWII)
• Easy to invert unknown plaintext and known key, used password as key:
  – Instead of E_K (password) used hash function E_Password (0)
• PDP-11 could check all 5 or less letter lower-case passwords in 4 hours!

Making Brute Force Attacks Harder
• Use a slower encryption (hashing) algorithm
  – Switched to DES: H(p) = DES_p(0)
• Even slower: run DES lots of times
  – UNIX uses DES_p^25(0)
    … DES_p (DES_p (DES_p (DES_p (0))))
• Require longer passwords
  – DES key is only 56 bits: only uses first 7.5 characters (ASCII)
  – 95 printable characters, 95^8 = 6.6 * 10^15

Dictionary Attacks
• Try a list of common passwords
  – All 1-4 letter words
  – List of common (dog) names
  – Words from dictionary
  – Phone numbers, license plates
  – All of the above in reverse
• Simple dictionary attacks retrieve most user-selected passwords
• Precompute H(x) for all dictionary entries

At Least 86% of users are dumb

Single ASCII character            0.5%
Two characters                    2%
Three characters                  14%
Four alphabetic letters           14%
Five same-case letters            21%
Six lowercase letters             18%
Words in dictionaries or names    15%
Other (possibly good passwords)   14%

(Morris/Thompson 79)

Making Dictionary Attacks Harder
• Force/convince users to pick better passwords
  – Test selected passwords against a known dictionary
  – Enforce rules on non-alphabet characters, length, etc.
• Don’t let attacker see the password file

Problems with User Rules
• Users get annoyed
• If you require hard to remember passwords, users write them down
• Attackers know the password selection rules too – reduces search space!

True Anecdote
• One installation: machines generated random 8-letter passwords
• Used PDP-11 pseudo-random number generator with 2^15 possible values
• Time to try all possible passwords on PDP-11: One minute!
• Good news: at least people don’t have to remember the 8 random letters

Everybody loves Buddy

UserID     Password
algore     DES_internalcombustion^25 (0)
clinton    DES_buddy^25 (0)
georgew    DES_gorangers^25 (0)
hillaryc   DES_buddy^25 (0)

Salt of the Earth

UserID     Salt   Password
algore     1125   DES+^25 (0, “internal”, 1125)
clinton    2437   DES+^25 (0, “buddy”, 2437)
georgew    932    DES+^25 (0, “goranger”, 932)
hillaryc   1536   DES+^25 (0, “buddy”, 1536)

How much harder is the off-line dictionary attack?

DES+ (m, key, salt) is DES except with salt-dependent E-tables.

Salt: 12 random bits

(This is the standard UNIX password scheme.)
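
Added example (not part of the original slides): a password-file audit that counts the hash evaluations a dictionary check needs against the unsalted and the salted tables above, to put a number on the question. Iterated SHA-256 stands in for DES+^25; the function names and the word list are constructed for illustration.

```python
import hashlib

ROUNDS = 25  # the slides iterate DES 25 times; SHA-256 is a stand-in here

def H(password, salt=None):
    """Iterated hash of password, optionally mixed with a 12-bit salt."""
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    data = password.encode()
    for _ in range(ROUNDS):
        data = hashlib.sha256(prefix + data).digest()
    return data

# Users, salts and (truncated) passwords as listed in the slides' tables.
USERS = {"algore": (1125, "internal"), "clinton": (2437, "buddy"),
         "georgew": (932, "goranger"), "hillaryc": (1536, "buddy")}
DICTIONARY = ["rover", "buddy", "spot", "lassie"]  # constructed word list

def unsalted_file():
    return {u: H(pw) for u, (_, pw) in USERS.items()}

def salted_file():
    return {u: (salt, H(pw, salt)) for u, (salt, pw) in USERS.items()}

def audit_unsalted(pwfile):
    """One precomputed table serves every user (and every other host)."""
    table = {H(w): w for w in DICTIONARY}
    weak = {u: table[h] for u, h in pwfile.items() if h in table}
    return weak, len(DICTIONARY)          # (weak accounts, hashes computed)

def audit_salted(pwfile):
    """The dictionary has to be re-hashed for each distinct salt."""
    weak, tables, hashes = {}, {}, 0
    for user, (salt, h) in pwfile.items():
        if salt not in tables:
            tables[salt] = {H(w, salt): w for w in DICTIONARY}
            hashes += len(DICTIONARY)
        if h in tables[salt]:
            weak[user] = tables[salt][h]
    return weak, hashes

if __name__ == "__main__":
    print(audit_unsalted(unsalted_file()))   # two "buddy" users, 4 hashes
    print(audit_salted(salted_file()))       # same users, 16 hashes
    print("table covering all 2^12 salts:", len(DICTIONARY) * 2**12, "hashes")
```

Salt does not make any single weak password harder to guess; it removes the shared precomputed table and hides the fact that two users chose the same password.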

Security of UNIX Passwords
• Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest)
• Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988)
• L0phtCrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT)

What about Eve?

[Diagram: Terminal, Trusted Subsystem, Eve]

Login: algore
Password: internalcombustion

login sends <“algore”, “internalcombustion”>

Trusted subsystem computes DES+^25 (0, “internal”, 12) and compares to stored value.

SSssssshhhh… Be very quiet so Eve can’t hear

Simplified SSH Protocol

[Diagram: Terminal, viper.cs.virginia.edu, Eve]

Login: evans
Password: ******

login sends E_KUviper <“evans”, “memodn”>

Eve: Can’t decrypt without KR_viper

Actual SSH Protocol

Client and Server, messages in time order:
1. Client → Server: requests connection
2. Server → Client: KU_S, KU_t
   Client compares to stored KU_S
3. Client → Server: E_KUS [E_KUt [r]] || { AES | 3DES }

All traffic encrypted using r and selected algorithm.

KU_S – server’s public host key
KU_t – server’s public key, changes every hour
r – 256-bit random number generated by client

Comparing to stored KU_S
• It better be stored securely
  – PuTTY stores it in Windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys)

Why Johnny Can’t Even Login

[Screenshot: SecureCRT]
Default choice!

ssh.com’s SSH

ssh Error

Jennifer Kahng’s 4th Year Thesis Project

31% clicked Continue
2% typed in “yes”

• People are stupid
• Getting people to pay attention is difficult unless you really want to make them angry. (Security vs. convenience)
• Only two people (of > 700) emailed webmaster about potential security vulnerability

Why Johnny (von Neumann) Can’t Even Login
• A smart attacker just replaces the stored key in registry
  – An ActiveX control can do this trivially
  – No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy)

Recap – Authentication Problems
• Need to store the passwords somewhere – dangerous to rely on this being secure
• Need to transmit password from user to host
• Remaining problems:
  • Users pick bad passwords
  • Even if everything is secure, can still watch victim type!
  • Only have to mess up once

GAO IRS Study

The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

"We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL

Solution – Don’t Reuse Passwords
• One-time passwords
• New users have to memorize a list of secure passwords and use one in turn for each login
• Host generates the list using cryptographic random numbers and stores it securely
• Users spend hours memorizing passwords...and better not forget one!

One-Time Use Passwords
• Can we create a sequence of passwords the host can check without storing anything useful to an attacker on the host?

Recall: Unix repeated use passwords
Host stores: H(p)
User provides: x
Password is valid if H(x) = H(p)

S-Key
• Alice picks random number R
• S-Key program generates H(R), H(H(R)), ... , H^99(R).
• Alice prints out these numbers and stores somewhere secure
• Host stores H^100(R).

S/Key Login
• Alice enters H^99(R).
• Host calculates H (H^99(R)).
• Compares to stored H^100(R).
• If they match, allows login
• And replaces old value with H^99(R).
• Alice crosses off H^99(R), enters H^98(R) next time.
• S/Key uses MD4 for H
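
Added example (not part of the original slides, and not the S/Key program's own code): the host side of the setup and login steps above, showing that a replayed value and the value stored on the host are both rejected. SHA-256 stands in for MD4; the Host class, the H_n helper and the value of R are assumptions made for illustration.

```python
import hashlib
import hmac

def H(x):
    """One-way function; SHA-256 stands in for the MD4 that S/Key uses."""
    return hashlib.sha256(x).digest()

def H_n(r, n):
    """H^n(r): apply H to r n times."""
    for _ in range(n):
        r = H(r)
    return r

class Host:
    """Stores only the last accepted chain value, never R itself."""
    def __init__(self, top, logins):
        self.stored = top          # H^100(R) at setup
        self.remaining = logins    # entries on Alice's printed list

    def login(self, otp):
        if self.remaining == 0:
            return False           # list used up: Alice must set up a new R
        if not hmac.compare_digest(H(otp), self.stored):
            return False
        self.stored = otp          # replace H^k(R) with H^(k-1)(R)
        self.remaining -= 1
        return True

def demo():
    R = b"constructed random number R"     # constructed sample value
    host = Host(H_n(R, 100), 99)           # Alice holds H^1(R) .. H^99(R)
    return [
        host.login(H_n(R, 99)),    # first login: H(H^99) matches H^100
        host.login(H_n(R, 99)),    # Eve replays what she overheard
        host.login(H_n(R, 100)),   # value read from the host's file
        host.login(H_n(R, 98)),    # Alice's next entry
    ]

if __name__ == "__main__":
    print(demo())
```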

S/Key

> keyinit
Adding evans:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password: test
Again secret password: test
ID evans s/key is 99 sh69506

H^100(test) = sh69506
What do I need to enter to log in?

S/Key

> key -n 100 99 sh69506
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: test
 0: KEEL FLED SUDS BOHR DUD SUP
 1: TOW JOBS HOFF GIVE CHUB LAUD
…
98: JEAN THEN WEAK ELAN SLOB GAS
99: MUG KNOB ACT ALOE REST TOO

Challenge-Response

[Diagram: Terminal and host]

Terminal display:
Login: evans
Challenge: 2357938523
Response: f(x)

Messages exchanged, in order:
E_KUmamba [“evans”]
Challenge x
f(x)

Challenge-Response Systems
• Ask a question, see if the answer is right
• Hard to make up questions only host and user can answer
• Question: x? Answer: f(x).
• What’s a good choice for f?
  – E (x, key known to both)
  – Still have the problem of storing the key
• SecurID systems work like this
  – Challenge is current time (nothing to send)
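
Added example (not part of the original slides, and not how any particular token product is implemented): a challenge-response check with a keyed f, in both forms the slide mentions, a random challenge sent by the host and the current time as an implicit challenge. HMAC-SHA256 stands in for E(x, key); the key, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed shared key"   # constructed; held by host and token

def f(x, key=KEY):
    """Keyed response; HMAC-SHA256 stands in for the slide's E(x, key)."""
    return hmac.new(key, x, hashlib.sha256).hexdigest()[:8]  # short code

def token_code(now, step=60):
    """Token side of the time variant: the challenge is the time step."""
    return f(str(int(now) // step).encode())

class Host:
    def __init__(self):
        self.pending = {}      # user -> outstanding random challenge
        self.last_step = {}    # user -> last time step already accepted

    def challenge(self, user):
        x = secrets.token_bytes(8)
        self.pending[user] = x
        return x

    def verify(self, user, response):
        x = self.pending.pop(user, None)    # each challenge is usable once
        return x is not None and hmac.compare_digest(f(x), response)

    def verify_time(self, user, response, now, step=60):
        """Accept the current step or the previous one (clock skew)."""
        t = int(now) // step
        for cand in (t, t - 1):
            fresh = cand > self.last_step.get(user, -1)
            if fresh and hmac.compare_digest(token_code(cand * step), response):
                self.last_step[user] = cand  # an overheard code is dead
                return True
        return False

if __name__ == "__main__":
    host = Host()
    x = host.challenge("evans")
    print(host.verify("evans", f(x)), host.verify("evans", f(x)))
```

As the slide notes, the host still has to store KEY; this scheme protects the link, not the key store.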

Biometrics: “Something you are”
• Unique(ish) properties of most humans:
• Fingerprint
  – FBI’s Integrated Automated Fingerprint ID system has 48 Million
• Iris
• Hand shape
• Voice
• Gait, etc.

UAE Iris Scanning
• Required of all entering foreigners, compares to database of ~.5M expelled people
  – IrisCodes: 4096 feature bits
    • Each bit is ½ probability to agree
  – Measure hamming distance between 2 irises
  – 3.8B comparisons per day
  – 22K matches so far: no false positives

http://www.cl.cam.ac.uk/users/jgd1000/UAEdeployment.pdf

Problems with Biometrics
• Fuzzy measures: need to set thresholds to have some false positives and negatives
• Easily stolen: expert could obtain all of your fingerprints from this room after you leave
  – Non-expert can cut off your finger
  – Voiceprints can be stolen too (Sneakers)
• Hard/impossible to change
• Transmission link is still vulnerable

Charge
• Identity and authentication are hard problems
• Passwords don’t work
• Windows Longhorn may use two-factor authentication

“I believe that the time of password-only authentication is gone. We need to go to two-factor authentication. This is the only way to bring the level of trust business needs.”
Detlef Eckert, Microsoft’s Trustworthy Computing initiative