Lecture 19: Authentication, David Evans

Lecture 19:
Authentication
John Daugman, http://www.cl.cam.ac.uk/users/jgd1000/iriscollage.jpg
CS588: Cryptography
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
How do you authenticate?
• Something you know
– Password
• Something you have
– SecurID, physical key
• Something you are
– Biometrics (voiceprint, fingerprint, etc.)
• Decent authentication requires
combination of at least 2 of these
19 April 2005
University of Virginia CS 588
2
Early Password Schemes
Login does direct
password lookup
and comparison.
UserID     Password
algore     internalcombustion
clinton    buddy
georgew    gorangers
Login: algore
Password: tipper
Failed login. Guess again.
Login Process
Terminal
Login: algore
Password: internalcombustion
Trusted Subsystem
login sends
<“algore”,
“internalcombustion”>
Eve
Authentication Problems
• Need to store the passwords
somewhere – dangerous to rely on this
being secure
– Encrypt them? But then, need to hide key
• Need to transmit password from user to
host
– Use a secure line (i.e., no remote logins)
– Encrypt the transmission (what key?)
Encrypted Passwords
UserID     Password
algore     E(“internalcombustion”, K)
clinton    E(“buddy”, K)
georgew    E(“gorangers”, K)
Hmmm.... D (E (“buddy”, K), K) = “buddy”
Hashed Passwords
UserID     Password
algore     H(“internalcombustion”)
clinton    H(“buddy”)
georgew    H(“gorangers”)
Encrypted Passwords Try 1
Terminal
Login: algore
Password: internalcombustion
Trusted Subsystem
login sends
<“algore”,
H(“internalcombustion”)>
Trusted subsystem
compares to stored value.
Encrypted Passwords Try 2
Terminal
Login: algore
Password: internalcombustion
login sends
<“algore”, “internalcombustion”>
Trusted Subsystem
Trusted subsystem computes
H(“internalcombustion”) and
compares to stored value.
First UNIX Password Scheme
• [Wilkes68] (recall DES was 1976)
• Encryption based on M-209 cipher
machine (US Army WWII)
• Easy to invert with unknown plaintext and
known key, so the password was used as the key:
– Instead of E_K(password) used hash
function E_{Password}(0)
• PDP-11 could check all lower-case passwords
of 5 or fewer letters in 4 hours!
Making Brute Force
Attacks Harder
• Use a slower encryption (hashing) algorithm
– Switched to DES: H(p) = DES_p(0)
• Even slower: run DES lots of times
– UNIX uses DES_p^{25}(0)
… DES_p(DES_p(DES_p(DES_p(0))))
• Require longer passwords
– DES key is only 56 bits: only uses first 7.5
characters (ASCII)
– 95 printable characters, 95^8 = 6.6 * 10^{15}
Dictionary Attacks
• Try a list of common passwords
– All 1-4 letter words
– List of common (dog) names
– Words from dictionary
– Phone numbers, license plates
– All of the above in reverse
• Simple dictionary attacks retrieve most
user-selected passwords
• Precompute H(x) for all dictionary entries
86% of users are dumb
Single ASCII character             0.5%
Two characters                     2%
Three characters                   14%
Four alphabetic letters            14%
Five same-case letters             21%
Six lowercase letters              18%
Words in dictionaries or names     15%
Other (possibly good passwords)    14%
(Morris/Thompson 79)
Making Dictionary Attacks Harder
• Force/convince users to pick better
passwords
– Test selected passwords against a known
dictionary
– Enforce rules on non-alphabet characters,
length, etc.
• Don’t let attacker see the password file
Problems with User Rules
• Users get annoyed
• If you require hard to remember
passwords, users write them down
• Attackers know the password selection
rules too – reduces search space!
True Anecdote
• One installation: machines generated
random 8-letter passwords
• Used PDP-11 pseudo-random number
generator with 2^{15} possible values
• Time to try all possible passwords on
PDP-11: One minute!
• Good news: at least people don’t have
to remember the 8 random letters
Everybody loves Buddy
UserID     Password
algore     DES_{internalcombustion}^{25}(0)
clinton    DES_{buddy}^{25}(0)
georgew    DES_{gorangers}^{25}(0)
hillaryc   DES_{buddy}^{25}(0)
Salt of the Earth
(This is the standard UNIX password scheme.)
Salt: 12 random bits
UserID     Salt   Password
algore     1125   DES+^{25}(0, “internal”, 1125)
clinton    2437   DES+^{25}(0, “buddy”, 2437)
georgew    932    DES+^{25}(0, “goranger”, 932)
hillaryc   1536   DES+^{25}(0, “buddy”, 1536)
DES+ (m, key, salt) is DES except with salt-dependent E-tables.
How much harder is the off-line dictionary attack?
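An added example (not from the lecture) that measures the answer on the slides' own table: it counts the hashes a dictionary run needs with and without the 12-bit salt. It assumes 25 chained SHA-256 rounds as a stand-in for DES+^{25}; the three-word dictionary and the helper names are constructed for illustration.

```python
import hashlib
import secrets

SALT_BITS = 12   # the slide's 12-bit salt: 4096 possible values
ROUNDS = 25      # mirrors the 25 iterations in DES+^{25}

def slow_hash(password: str, salt: int = 0) -> str:
    """Stand-in for DES+^{25}(0, password, salt): 25 chained SHA-256 rounds."""
    state = salt.to_bytes(2, "big") + password.encode()
    for _ in range(ROUNDS):
        state = hashlib.sha256(state).digest()
    return state.hex()

def new_entry(password: str) -> tuple:
    """What the host stores when a password is set: (salt, hash)."""
    salt = secrets.randbelow(1 << SALT_BITS)
    return salt, slow_hash(password, salt)

def verify(candidate: str, salt: int, stored: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return secrets.compare_digest(slow_hash(candidate, salt), stored)

def dictionary_cost(table: dict, words: list) -> tuple:
    """Run every word against every entry; count distinct hashes computed."""
    computed = {}    # (salt, word) -> hash, so repeated work is counted once
    recovered = {}
    for user, (salt, stored) in table.items():
        for word in words:
            if (salt, word) not in computed:
                computed[(salt, word)] = slow_hash(word, salt)
            if computed[(salt, word)] == stored:
                recovered[user] = word
    return recovered, len(computed)

# Constructed sample data: users, passwords and salts from the slides' tables.
PASSWORDS = {"algore": "internal", "clinton": "buddy",
             "georgew": "goranger", "hillaryc": "buddy"}
SALTS = {"algore": 1125, "clinton": 2437, "georgew": 932, "hillaryc": 1536}
WORDS = ["rover", "buddy", "tipper"]   # constructed three-word dictionary

UNSALTED = {u: (0, slow_hash(p)) for u, p in PASSWORDS.items()}
SALTED = {u: (SALTS[u], slow_hash(p, SALTS[u])) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print(dictionary_cost(UNSALTED, WORDS))   # 3 hashes cover every user
    print(dictionary_cost(SALTED, WORDS))     # 3 hashes per distinct salt
    print((1 << SALT_BITS) * len(WORDS), "entries to precompute for all salts")
```

The salt does not protect “buddy” itself: both users are still recovered. What changes is that one precomputed dictionary no longer serves every account, and identical passwords no longer show up as identical entries.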
Security of UNIX Passwords
• Paper by Robert Morris (Sr.) and Ken
Thompson, 1979 (link on manifest)
• Demonstration of guessability of Unix
passwords by Robert Morris, Jr.
(Internet Worm, 1988)
• L0phtCrack breaks ALL alphanumeric
passwords in under 24 hours on
Pentium II/450 (Windows NT)
What about Eve?
Terminal
Login: algore
Password: internalcombustion
login sends
<“algore”, “internalcombustion”>
SSssssshhhh…
Be very quiet so Eve
can’t hear
Trusted Subsystem
Eve
Trusted subsystem computes
DES+^{25}(0, “internal”, 12) and compares
to stored value.
Simplified SSH Protocol
Terminal
Login: evans
Password: ******
login sends
E_{KU_viper}<“evans”, “memodn”>
viper.cs.virginia.edu
Eve
Can’t decrypt without KR_viper
Actual SSH Protocol
Client                                   Server
1. Client requests connection
2. Server sends KU_S, KU_t
   Client compares to stored KU_S
3. Client sends E_{KU_S}[E_{KU_t}[r]] || { AES | 3DES }
All traffic encrypted using r and selected algorithm.
KU_S – server’s public host key
KU_t – server’s public key, changes every hour
r – 256-bit random number generated by client
Comparing to stored KUS
• It better be stored securely
– PuTTY stores it in the Windows registry
(HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys)
Why Johnny Can’t Even Login
SecureCRT
Default choice!
ssh.com’s SSH
ssh Error
Jennifer Kahng’s 4th Year Thesis Project
• People are stupid
• Getting people to pay
attention is difficult unless
you really want to make
them angry. (Security vs.
convenience)
• Only two people (of >
700) emailed webmaster
about potential security
vulnerability
Figure callouts: 31% clicked Continue; 2% typed in “yes”
Why Johnny (von Neumann)
Can’t Even Login
• A smart attacker just replaces the stored
key in registry
– An ActiveX control can do this trivially
– No warning from SSH when you now connect
to the host controlled by the attacker (have to
spoof DNS or intercept connection, but this is
easy)
Recap – Authentication Problems
• Need to store the passwords somewhere –
dangerous to rely on this being secure
• Need to transmit password from user to
host
• Remaining problems:
• Users pick bad passwords
• Even if everything is secure, can still watch
victim type!
• Only have to mess up once
GAO IRS Study
The auditors called 100 IRS employees and managers,
portraying themselves as personnel from the information
technology help desk trying to correct a network problem.
They asked the employees to provide their network logon
name and temporarily change their password to one they
suggested.
"We were able to convince 35 managers and employees to
provide us their username and change their password,"
the report said.
That was a 50 percent improvement when compared with
a similar test in 2001, when 71 employees cooperated and
changed their passwords.
http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL
Solution – Don’t Reuse Passwords
• One-time passwords
• New users have to memorize a list of
secure passwords and use one in turn
for each login
• Host generates the list using
cryptographic random numbers and
stores it securely
• Users spend hours memorizing
passwords...and better not forget one!
One-Time Use Passwords
• Can we create a sequence of
passwords the host can check without
storing anything useful to an attacker on
the host?
Recall: Unix repeated use passwords
Host stores: H(p)
User provides: x
Password is valid if H(x) = H(p)
S-Key
• Alice picks random number R
• S-Key program generates H(R),
H(H(R)), ... , H^{99}(R).
• Alice prints out these numbers and
stores somewhere secure
• Host stores H^{100}(R).
S/Key Login
• Alice enters H^{99}(R).
• Host calculates H(H^{99}(R)).
• Compares to stored H^{100}(R).
• If they match, allows login
• And replaces old value with H^{99}(R).
• Alice crosses off H^{99}(R), enters H^{98}(R)
next time.
• S/Key uses MD4 for H
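The enrollment and login steps above as an added example (not from the lecture and not the S/Key program's code): the host keeps only the last accepted chain value, so a replayed password fails. It assumes SHA-256 substituted for MD4; the class and function names are hypothetical.

```python
import hashlib
import secrets

def H(value: bytes) -> bytes:
    """One hash step. S/Key uses MD4; SHA-256 is substituted here."""
    return hashlib.sha256(value).digest()

def chain(secret: bytes, n: int) -> bytes:
    """H^n(secret): apply H n times."""
    for _ in range(n):
        secret = H(secret)
    return secret

class SKeyHost:
    """Host side: stores only the last accepted chain value."""
    def __init__(self, initial: bytes):
        self.stored = initial            # H^100(R) at enrollment

    def login(self, otp: bytes) -> bool:
        if secrets.compare_digest(H(otp), self.stored):
            self.stored = otp            # next login must present its preimage
            return True
        return False

class SKeyUser:
    """User side: the printed list H^99(R) ... H(R), crossed off in turn."""
    def __init__(self, R: bytes, n: int = 100):
        self.R, self.remaining = R, n - 1

    def next_password(self) -> bytes:
        if self.remaining < 1:
            raise RuntimeError("list exhausted: enroll again with a new R")
        otp = chain(self.R, self.remaining)
        self.remaining -= 1
        return otp

def demo() -> tuple:
    R = secrets.token_bytes(16)          # Alice's random number
    host, alice = SKeyHost(chain(R, 100)), SKeyUser(R)
    first = alice.next_password()        # H^99(R)
    ok_first = host.login(first)
    replay = host.login(first)           # Eve replays the captured value
    ok_second = host.login(alice.next_password())   # H^98(R)
    return ok_first, replay, ok_second

if __name__ == "__main__":
    print(demo())
```

A copy of the host's stored value is not a usable password either: logging in requires a value that hashes to it, which means inverting H.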
S/Key
> keyinit
Adding evans:
Reminder - Only use this method if you
are directly connected.
If you are using telnet or rlogin exit
with no password and use keyinit -s.
Enter secret password: test
Again secret password: test
ID evans s/key is 99 sh69506
H^{100}(test) = sh69506
What do I need to enter to log in?
S/Key
> key -n 100 99 sh69506
Reminder - Do not use this program
while logged in via telnet or
rlogin.
Enter secret password: test
0: KEEL FLED SUDS BOHR DUD SUP
1: TOW JOBS HOFF GIVE CHUB LAUD
…
98: JEAN THEN WEAK ELAN SLOB GAS
99: MUG KNOB ACT ALOE REST TOO
Challenge-Response
Terminal
Login: evans
E_{KU_mamba}[“evans”]
Challenge x
Challenge: 2357938523
Response: f(x)
f(x)
Challenge-Response Systems
• Ask a question, see if the answer is
right
• Hard to make up questions only host
and user can answer
• Question: x? Answer: f(x).
• What’s a good choice for f?
– E (x, key known to both)
– Still have the problem of storing the key
• SecurID systems work like this
– Challenge is current time (nothing to send)
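An added example (not from the lecture) of both variants: a random challenge that is valid once, and a time-window challenge that is never sent. It assumes HMAC-SHA256 as the keyed f in place of E(x, key) and a 60-second window; this shows the idea only and is not the SecurID algorithm. All names are hypothetical.

```python
import hashlib
import hmac
import secrets

def f(key: bytes, x: bytes) -> bytes:
    """Keyed response function; HMAC-SHA256 stands in for E(x, key)."""
    return hmac.new(key, x, hashlib.sha256).digest()

def window(now: float, step: int) -> bytes:
    """Encode the current time window as the implicit challenge."""
    return (int(now) // step).to_bytes(8, "big")

def time_token(key: bytes, now: float, step: int = 60) -> bytes:
    """What the token device displays: f(current time window)."""
    return f(key, window(now, step))

class Host:
    def __init__(self, keys: dict):
        self.keys = keys       # user -> shared key (the storage problem remains)
        self.pending = {}      # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        x = secrets.token_bytes(16)        # fresh and unpredictable
        self.pending[user] = x
        return x

    def check(self, user: str, response: bytes) -> bool:
        x = self.pending.pop(user, None)   # each challenge is usable once
        if x is None or user not in self.keys:
            return False
        return hmac.compare_digest(f(self.keys[user], x), response)

    def check_time_token(self, user: str, token: bytes,
                         now: float, step: int = 60) -> bool:
        if user not in self.keys:
            return False
        expected = f(self.keys[user], window(now, step))
        return hmac.compare_digest(expected, token)

def demo() -> tuple:
    key = secrets.token_bytes(32)          # constructed shared key
    host = Host({"evans": key})
    response = f(key, host.challenge("evans"))
    accepted = host.check("evans", response)
    host.challenge("evans")                # a new login gets a new challenge
    replayed = host.check("evans", response)   # captured response is stale
    return accepted, replayed

if __name__ == "__main__":
    print(demo())
```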
Biometrics: “Something you are”
• Unique(ish) properties of most humans:
• Fingerprint
– FBI’s Integrated Automated Fingerprint ID
system has 48 Million
• Iris
• Hand shape
• Voice
• Gait, etc.
UAE Iris Scanning
http://www.cl.cam.ac.uk/users/jgd1000/UAEdeployment.pdf
• Required of all entering
foreigners, compares to
database of ~.5M expelled
people
– IrisCodes: 4096 feature bits
• Each bit is ½ probability to agree
– Measure Hamming distance
between 2 irises
– 3.8B comparisons per day
– 22K matches so far: no false
positives
Problems with Biometrics
• Fuzzy measures: need to set thresholds to
have some false positives and negatives
• Easily stolen: expert could obtain all of your
fingerprints from this room after you leave
– Non-expert can cut off your finger
– Voiceprints can be stolen too (Sneakers)
• Hard/impossible to change
• Transmission link is still vulnerable
Charge
• Identity and authentication are hard
problems
• Passwords don’t work
• Windows Longhorn may use two-factor
authentication
I believe that the time of password-only authentication is gone.
We need to go to two-factor authentication. This is the only
way to bring the level of trust business needs.
Detlef Eckert, Microsoft’s Trustworthy Computing initiative