Authentication
Chapter 11
Modified (heavily) by Dan Fleck
1
Coming up: Basics
Basics
• Authentication: binding of identity to subject
• Identity is that of external entity (my identity, Matt, etc.)
• Subject is computer entity (process, etc.)
• After login your identity is bound to everything you do!
2
Coming up: Establishing Identity
Establishing Identity
• One or more of the following
• What entity knows (eg. password)
• What entity has (eg. badge, smart card)
• What entity is (eg. fingerprints, retinal characteristics)
• Where entity is (eg. In front of a particular terminal)
3
Coming up: Passwords
Passwords
• Passwords are ubiquitous because they are simple and clear.
• Standard tradeoff between usability and security:
• Password must be 27 characters and use no words (huh??)
• A typical ruleset (from Chase bank):
•
•
•
•
•
Must contain 7-32 characters
Must include at least one number and one letter
Cannot include special characters (&, %, *, etc.)
Cannot be the same as your User ID
Cannot be the same as any of the last five Passwords you’ve used
• Goal: Make it hard for computers to guess by making it
random. Reality: its very hard to have a short password that a
computer cannot guess
Coming up: Possible Passwords
4
Possible Passwords
• Possible options:
• Length of password (L)
• Possible characters (N) (letter = 26, upper/lower = 52, digits=+10,
symbols=+33 (ASCII printable)) = 95
8 char password: 95^8 = 6,634,204,312,890,625 = 6.6342e15
Entropy is 6.6342e15 assuming all symbols equally likely!
5
Coming up: Entropy in bits
Entropy in bits
• H(x) is entropy in bits (how many bits it would take to represent that
number of options)
• Example: 2X=6.6342e15
• X = 52.5588 bits
• Another way to think about it:
• Each symbol adds log2(95) bits
• We have 8 symbols, thus our entropy is:
• H = L (Log2 N) = 8 ( Log2 95 ) = 52.5 bits
• Research1 has shown, lower bound on expected guesses E(G) is:
E(G) ³ (1/ 4)2
H (X)
+1
• Example:
• E(G) ≥ (1/4)*6.6342e15 + 1 = 1.6586e15
Coming up: Password Guessing
6
1: http://www.isiweb.ee.ethz.ch/archive/massey_pub/pdf/BI633.pdf
Password Guessing
• Recent password guessers can guess 2,800,000,000 passwords
a second.
• Strength of our example:
• 1.6586e15 / 2,800,000,000 = 592,340 seconds = 6.85 days
• How true is that?
• Entropy of a letter in English is –log2(1/26) letter is 4.7bits
• Are all letters equally probable? No!
• Computed entropy of the English language ranges from 2.77 bits
to 1.3 bits because letters aren’t random.
• Is your password random?
Coming up: Cracking
7
Cracking
• Password tools use many methods to guess smarter
• Dictionaries
• Rulesets
• Is it more likely that the 1st or 2nd letter is capitalized?
• Where are numbers generally?
• Substituting numbers for letters is c0mm0n!
• Brute force – all possible guesses as a last resort
• How do passwords work? Lets see!
8
Coming up: Simple Passwords
Simple Passwords
• Most passwords today use secure one-way hashing
• Hash function F(P)  Q
• F – hash function
• P – plain text password
• Q – hashed password
• One way
• Q is stored on the computer
• P is provided by the user, hashed and compared to Q
• Secure Hash Functions goal is to NOT be reversible (MD5,
SHA1, SHA3, etc…)
• Are they still subject to a guessing attack?
Coming up: Recent Events
9
Recent Events
• Yahoo's password leak: What you need to know (FAQ) (Mar
2012) – Plaintext leaked! (ouch!)
• Millions of LinkedIn passwords reportedly leaked online (June
6, 2012) – hashed passwords (still hurts)
• Nasdaq forum site hacked, passwords compromised (July
2013) – Unclear if hashed or not
• Ubuntu forums hacked, 1.8 million passwords and emails
compromised – Unclear if hashed or not
10
Coming up: How hard is it to crack?
How hard is it to crack?
• Dec 2009 RockYou’s 18million passwords stolen in plaintext
• This started a revolution of password hacking because people
could use real world passwords
• Password Cracking program + RockYou DB + some rulesets…
lets try it:
• Take a password, hash it
• Crack it
• Src: http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
11
Coming up: Demo of password cracking
Demo of password cracking
12
Coming up: What can we do?
What can we do?
• Increase the time to check
• Not good at the algorithmic level -- when doing stream decryption
want it to be fast
• Key stretching can be used
• User’s password is run through a stretching algorithm that makes it
longer. The algorithm MUST take a long time ~1 second
• If we have an uncompromised server key stretching is simple and
effective against guessing attacks! Only a problem when attacker has the
hashed password
• Systems using this:
• PGP, GPG
• WPA, WPA2 in personal mode
• OpenSSL ‘passwd’, Apache .htpasswd
• One example algorithm: https://en.wikipedia.org/wiki/PBKDF2
13
Ref: http://en.wikipedia.org/wiki/Key_stretching#Some_systems_that_use_key_stretching
Coming up: What can we do?
What can we do?
• Add some Salt
• Append a random value to the password before hashing
• Store that random value (in plain text) with the password
• This does NOT make cracking a single password harder, but when
cracking a group of passwords, it does.
• For example, the attacker typically computes the hash and checks
for it anywhere in the list of hashed passwords. This fails with
salt.
• Another form of salt is picking a different hashing algorithm
per password and storing that choice with the hashed
password
14
Coming up: Other Authentication Types
Ref: https://en.wikipedia.org/wiki/Salt_(cryptography)
Other Authentication Types
15
Coming up: Challenge-Response
Challenge-Response
• User, system share a secret function f (in practice, f is a
known function with unknown parameters, such as a
cryptographic key)
request to authenticate
system
user
random message r
(the challenge)
system
user
f(r)
(the response)
system
user
Coming up: Pass Algorithms
16
Pass Algorithms
• Challenge-response with the function f itself a
secret
• Example:
• Challenge is a random string of characters such as
“abcdefg”, “ageksido”
• Response is some function of that string such as “bdf”,
“gkip”
• Can alter algorithm based on ancillary information
• Network connection is as above, dial-up might require
“aceg”, “aesd”
• Usually used in conjunction with fixed, reusable
password
Coming up: One-Time Passwords
17
One-Time Passwords
• Password that can be used exactly once
• After use, it is immediately invalidated
• Challenge-response mechanism
• Challenge is number of authentications; response is password for
that particular number
• Problems
• Synchronization of user, system
• Generation of good random passwords
• Password distribution problem
18
Coming up: S/Key
S/Key
• One-time password scheme based on idea of
Lamport
• h one-way hash function (MD5 or SHA-1, for
example)
• User chooses initial seed k – k must remain
secret!
• System calculates:
h(k) = k1, h(k1) = k2, …, h(kn–1) = kn
• Passwords are reverse order:
p1 = kn, p2 = kn–1, …, pn–1 = k2, pn = k1
Coming up: S/Key Protocol
19
S/Key Protocol
System stores maximum number of authentications n, number
of next authentication i, last correctly supplied password pi–1.
user
user
user
{ name }
{i}
{ pi }
system
system
system
System computes h(pi) = h(kn–i) = kn–i+1 = pi–1. If match with
what is stored, system replaces pi–1 with pi and increments i.
Coming up: S/Key Protocol
20
S/Key Protocol
System computes h(pi) = h(kn–i) = kn–i+1 = pi–1. If match with
what is stored, system replaces pi–1 with pi and increments i.
Concretely for table and i=2 (all values in col X are equal):
1
2
3
4
H(x)
h(k)
h(k1)
h(k2)
h(k3)
K
k1
k2
k3
k4
P
p4
p3
p2
p1
h(p2)=h(k3)=k4=p1
21
Coming up: Hardware Support
Hardware Support
• Token-based
• Used to compute response to challenge
• May encipher or hash challenge
• May require PIN from user
• Temporally-based
• Every minute (or so) different number shown
• Computer knows what number to expect when
• User enters number and fixed password
22
Coming up: C-R and Dictionary Attacks
C-R and Dictionary Attacks
• Same as for fixed passwords
• Attacker knows challenge r and response f(r); if
f encryption function, can try different keys
• May only need to know form of response; attacker
can tell if guess correct by looking to see if
deciphered object is of right form
• Example: Kerberos Version 4 used DES, but keys had
20 bits of randomness; Purdue attackers guessed
keys quickly because deciphered tickets had a fixed
set of bits in some locations
23
Coming up: Encrypted Key Exchange
Encrypted Key Exchange
• Defeats off-line dictionary attacks
• Idea: random challenges enciphered, so attacker
cannot verify correct decipherment of challenge
• Assume Alice, Bob share secret password s
• In what follows, Alice needs to generate a
random public key p and a corresponding private
key q
• Also, k is a randomly generated session key, and
RA and RB are random challenges
Coming up: EKE Protocol
24
Steps used to
stop replay
attacks
Steps used to
generate session
key
EKE Protocol
Alice
Alice
Alice,Es(p)
Es(Ep(k))
Bob
Bob
Now Alice, Bob share a randomly generated
secret session key k
Alice
Alice
Alice
Ek(RA)
Ek(RARB)
Ek(RB)
Coming up: Biometrics
Bob
Bob
Bob
25
Biometrics
• Automated measurement of biological,
behavioral features that identify a person
• Fingerprints: optical or electrical techniques
• Maps fingerprint into a graph, then compares with database
• Measurements imprecise, so approximate matching
algorithms used
• Voices: speaker verification or recognition
• Verification: uses statistical techniques to test hypothesis that
speaker is who is claimed (speaker dependent)
• Recognition: checks content of answers (speaker
independent)
26
Coming up: Other Characteristics
Other Characteristics
• Can use several other characteristics
• Eyes: patterns in irises unique
• Measure patterns, determine if differences are random; or
correlate images using statistical tests
• Faces: image, or specific characteristics like distance
from nose to chin
• Lighting, view of face, other noise can hinder this
• Keystroke dynamics: believed to be unique
• Keystroke intervals, pressure, duration of stroke, where key is
struck
• Statistical tests used
27
Coming up: Cautions
Cautions
• These can be fooled!
• Assumes biometric device accurate in the environment
it is being used in!
• Transmission of data to validator is tamperproof,
correct
28
Coming up: Multifactor Authentication
Multifactor Authentication
• Many systems now use multi-factor authentication
• User must present multiple things typically from different
categories:
• What you know
• What you have
• What you are
• Examples?
29
Coming up: Pluggable Authentication Modules (PAM)
Pluggable Authentication Modules (PAM)
• Idea: when program needs to authenticate, it checks
central repository for methods to use
• Library call: pam_authenticate
• Accesses file with name of program in /etc/pam.d/
• Modules do authentication checking
• binding (new): succeed immediately upon success, otherwise
continue down the chain, but ultimately fail
• sufficient: succeed immediately if module succeeds
• required: fail if module fails, but all required modules executed
before reporting failure
• requisite: like required, but don’t check all modules upon failure
• optional: invoke only, but result is ignored
30
Coming up: Example PAM File
Example PAM File
auth sufficient /usr/lib/pam_ftp.so
auth required
/usr/lib/pam_unix_auth.so use_first_pass
auth required
/usr/lib/pam_listfile.so onerr=succeed \
item=user sense=deny file=/etc/ftpusers
For ftp:
1. If user “anonymous”, return okay; if not, set
PAM_AUTHTOK to password, PAM_RUSER to name,
and fail
2. Now check that password in PAM_AUTHTOK belongs
to that of user in PAM_RUSER; if not, fail
3. Now see if user in PAM_RUSER named in /etc/ftpusers;
if so, fail; if error or not found, succeed
31
Coming up: PAM Facilities
PAM Facilities
PAM provides four facilities each with a chain for different
things. Each is typically present in the /etc/pam.d/xyz file:
•auth – does the actual authentication of an applicant
•account – checks if authentication is allowed ( account not
expired, time of day, server’s workload, etc…)
•session - after authentication runs chain for session setup /
tear down
•password – chain used to change passwords
Ref: http://www.freebsd.org/doc/en/articles/pam/pamessentials.html
Coming up: PAM Test - Explain these
32
PAM Test - Explain these
auth
auth
auth
required
sufficient
required
serviceA
serviceB
serviceC
• versus
auth
auth
auth
sufficient
required
required
serviceB
serviceA
serviceC
33
Coming up: Key Points
Key Points
• Authentication is not cryptography
• You have to consider system components
• Passwords are here to stay
• They provide a basis for most forms of authentication
• Authentication methods can be combined
• Example: PAM
34
32
End of presentation