Class 35:
Cookie
Monsters and
Semi-Secure
Websites
(Today’s notes: on-line only.)
CS200: Computer Science
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Computability in Theory and
Practice
(Intellectual Computability
Discussion on TV Video)
14 April 2004
CS 200 Spring 2004
2
Ali G Multiplication Problem
• Input: a list of 2 numbers with up to d digits
each
• Output: the product of the 2 numbers
Is it decidable?
Yes – a straightforward algorithm
solves it.
Is it tractable? (how much work?)
Yes – it using elementary
multiplication techniques it is O(d2)
Can real computers solve it?
14 April 2004
CS 200 Spring 2004
3
What about C++?
int main (void)
{
int alig = 999999999;
}
printf ("Value: %d\n",
alig = alig * 99;
printf ("Value: %d\n",
alig = alig * 99;
printf ("Value: %d\n",
alig = alig * 99;
printf ("Value: %d\n",
14 April 2004
Results from SunOS 5.8:
alig);
alig);
alig);
Value:
Value:
Value:
Value:
999999999
215752093
-115379273
1462353861
alig);
CS 200 Spring 2004
6
Ali G was Right!
• Theory assumes ideal computers:
– Unlimited, perfect memory
– Unlimited (finite) time
• Real computers have:
– Limited memory, time, power outages, flaky
programming languages, etc.
– There are many decidable problems we cannot
solve with real computer: the numbers do matter
14 April 2004
CS 200 Spring 2004
7
Why Care about Security?
14 April 2004
CS 200 Spring 2004
8
Security
• Confidentiality – keeping secrets
– Most web sites don’t want this
• Integrity – making data reliable
– Preventing tampering
– Only authorized people can insert/modify data
• Availability
– Provide service (even when attacked)
– Can’t do much about this without resources
14 April 2004
CS 200 Spring 2004
9
How do you authenticate?
• Something you know
– Password
• Something you have
– Physical key (email account?, transparency?)
• Something you are
– Biometrics (voiceprint, fingerprint, etc.)
Serious authentication requires at least 2 kinds
14 April 2004
CS 200 Spring 2004
10
Early Password Schemes
Login does direct
password lookup
and comparison.
UserID
alyssa
ben
dave
Password
fido
schemer
Lx.Ly.x
Login: alyssa
Password: spot
Failed login. Guess again.
14 April 2004
CS 200 Spring 2004
11
Login Process
Terminal
Login: alyssa
Password: fido
Trusted Subsystem
login sends
<“alyssa”, “fido”>
Eve
14 April 2004
CS 200 Spring 2004
12
Password Problems
• Need to store the passwords
– Dangerous to rely on database being
secure
Solve this today
• Need to transmit password from user
to host
– Dangerous to rely on Internet being
unsniffed
Solve this Wednesday
14 April 2004
CS 200 Spring 2004
13
First Try: Encrypt Passwords
• Instead of storing password, store password
encrypted with secret K.
• When user logs in, encrypt entered password and
compare to stored encrypted password.
UserID
alyssa
ben
dave
Password
encryptK (“fido”)
encryptK (“schemer”)
encryptK (“Lx.Ly.x”)
Problem if K isn’t so secret: decryptK (encryptK (P)) = P
14 April 2004
CS 200 Spring 2004
14
Hashing
0
•
1
2
3
“dog”
“neanderthal”
4
5
•
6
7
“horse”
8
9
H (char s[]) = (s[0] – ‘a’) mod 10 •
14 April 2004
CS 200 Spring 2004
Many-to-one: maps a
large number of values
to a small number of
hash values
Even distribution: for
typical data sets,
probability of (H(x) = n)
= 1/N where N is the
number of hash values
and n = 0..N – 1.
Efficient: H(x) is easy
to compute.
15
Cryptographic Hash Functions
One-way
Given h, it is hard to find x
such that H(x) = h.
Collision resistance
Given x, it is hard to find y  x
such that H(y) = H(x).
14 April 2004
CS 200 Spring 2004
16
Example One-Way Function
Input: two 100 digit numbers, x and y
Output: the middle 100 digits of x * y
Given x and y, it is easy to calculate
f (x, y) = select middle 100 digits (x * y)
Given f (x, y) hard to find x and y.
14 April 2004
CS 200 Spring 2004
17
A Better Hash Function?
• H(x) = encryptx (0)
• Weak collision resistance?
– Given x, it should be hard to find y  x such
that H(y) = H(x).
– Yes – encryption is one-to-one. (There is
no such y.)
• A good hash function?
– No, its output is as big as the message!
14 April 2004
CS 200 Spring 2004
18
Actual Hashing Algorithms
• Based on cipher block chaining
– Start by encrypting 0 with the first block
– Use the next block to encrypt the previous
block
• SHA [NIST95] – 512 bit blocks, 160-bit
hash
• MD5 [Rivest92] – 512 bit blocks, produces
128-bit hash
– This is what we will use: built in to PHP
14 April 2004
CS 200 Spring 2004
19
Hashed Passwords
UserID
alyssa
ben
dave
14 April 2004
Password
md5 (“fido”)
md5 (“schemer”)
md5 (“Lx.Ly.x”)
CS 200 Spring 2004
20
Dictionary Attacks
• Try a list of common passwords
– All 1-4 letter words
– List of common (dog) names
– Words from dictionary
– Phone numbers, license plates
– All of the above in reverse
• Simple dictionary attacks retrieve most
user-selected passwords
• Precompute H(x) for all dictionary entries
14 April 2004
CS 200 Spring 2004
21
86% of users are dumb and dumber
Single ASCII character
Two characters
0.5%
2%
Three characters
14%
Four alphabetic letters
14%
Five same-case letters
21%
Six lowercase letters
18%
Words in dictionaries or names
15%
Other (possibly good passwords)
14%
(Morris/Thompson 79)
14 April 2004
CS 200 Spring 2004
22
Salt of the Earth
(This is the standard UNIX password scheme.)
Salt: 12 random bits
UserID
alyassa
ben
dave
Salt
Password
1125 DES+25 (0, “Lx.Ly.x”, 1125)
2437 DES+25 (0, “schemer”, 2437)
932 DES+25 (0, “Lx.Ly.x”, 932)
DES+ (m, key, salt) is an encryption algorithm that
encrypts in a way that depends on the salt.
How much harder is the off-line dictionary attack?
14 April 2004
CS 200 Spring 2004
23
PHP Code
// We use the username as a "salt" (since they must be unique)
$encryptedpass = md5 ($password . $username);
user
alyssa
password
9928ef0d7a0e4759ffefbadb8bc84228
evans
bafd72c60f450ed665a6eadc92b3647f
Not quite as secure as using a random value.
What is someone picks xdave as their username
and Lx.Ly. as their password?
14 April 2004
CS 200 Spring 2004
24
Authenticating Users
• User proves they are a worthwhile person
by having a legitimate email address
– Not everyone who has an email address is
worthwhile
– Its not too hard to snoop (or intercept)
someone’s email
• But, provides much better authenticating
than just the honor system
14 April 2004
CS 200 Spring 2004
25
Registering for Account
• User enters email address
• Account is marked as “Inactive”
$encryptedpass = md5 ($password . $username);
$query = "INSERT INTO users (username, password, email, activated)
VALUES ('$username', '$encryptedpass', '$email', 0)";
• Send an email with an unguessable URL
URL that activates the account
14 April 2004
CS 200 Spring 2004
26
PHP Code (register-process.php)
Why not just use
md5($username)?
A string only the server
should know. (Hard to
really keep this secret…)
$actcode = md5 ($username . $secret);
$url = "http://" . $_SERVER['HTTP_HOST']
. dirname ($_SERVER['PHP_SELF'])
. "/activate.php?user=$username&code=$actcode";
mail ($email, // User’s email address
"Account Activation", // Subject Line
"To activate your account visit $url", // Message body
"From: community-bot@virginia.edu"); // From address
14 April 2004
CS 200 Spring 2004
27
activate.php
$result = mysql_query ("SELECT activated FROM users WHERE username='$user'");
$rows = mysql_num_rows ($result);
if ($rows == 0) { error ("No account for username: $user");}
else {
$activated = mysql_result ($result, 0, 0);
if ($activated != 0) { error ("Account $username is already activated.");}
else {
$actcode = md5 ($user . $secret);
if ($code == $actcode) {
$result = mysql_query ("UPDATE users SET activated=1
WHERE username='$user'");
if ($result != 1) { error ("Database update failed: $result"); }
else { print "Your account is now activated!<br><p>"; }
} else {
print "Invalid account code!<br>";
}
}
}
14 April 2004
CS 200 Spring 2004
28
Cookies
• HTTP is stateless: every request is
independent
• Don’t want user to keep having to enter
password every time
• A cookie is data that is stored on the
browser’s machine, and sent to the web
server when a matching page is visited
14 April 2004
CS 200 Spring 2004
29
Using Cookies
• Look at the PS7 provided code
• Cookie must be sent before any HTML is
sent
• Be careful how you use cookies – anyone
can generate any data they want in a cookie
– Make sure they can’t be tampered with: use
md5 hash with secret to authenticate
– Don’t reuse cookies - easy to intercept them (or
steal them from disks): use a counter than
changes every time a cookie is used
14 April 2004
CS 200 Spring 2004
30
Problems Left
• The database password is visible in
plaintext in the PHP code
– No way around this (with UVa mysql server)
– Anyone who can read UVa filesystem can
access your database
• The password is transmitted unencrypted
over the Internet (next class)
• Proving you can read an email account is
not good enough to authenticate for
important applications
14 April 2004
CS 200 Spring 2004
31
Summary
• Mutual authentication
– Authentication of user to server
– Authentication of server to user
• Involves the human (as opposed to
machine)
14 April 2004
CS 200 Spring 2004
32