Lecture 12: Public-Key Protocols David Evans CS588: Security and Privacy
advertisement
Lecture 12: Public-Key Protocols CS588: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans Menu • Humilation-Free Matchmaking Protocol • Proof Carrying Code – Plug for Amy Felty’s talk: 3:30 Today • Authentication 8 Oct 2001 University of Virginia CS 588 2 Finding Problem Set Partners • Simple way: – Ask people in the class if they want to work with you • Problems: – You face rejection and ridicule if they say no • Can you find partners without revealing your wishes unless they are reciprocated? – Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them 8 Oct 2001 University of Virginia CS 588 3 Use a Universally Trusted Third Party MatchMaker.com Bob would like to work with: Ron Rivest Sandra Bullock Alice Alice: Thomas Jefferson Colleen Hacker Bob Alice is your best match Bob 8 Oct 2001 Alice University of Virginia CS 588 4 Use a Universally Trusted Third Party MatchMaker.com EKUM [EKRB [“Bob would like …”]] EKUB [EKRM [“Alice”]] Bob 8 Oct 2001 University of Virginia CS 588 5 HashMaker.com? • Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board. • No on else can tell Bob’s deepest darkest desires (H is one-way) • If someone else writes the same hash on the board, Bob has found his match • How well does this work? 8 Oct 2001 University of Virginia CS 588 6 Untrusted Third Party HashMatcher.com EH(W) [W] Bob 8 Oct 2001 Use the hash of the wish as the encryption key so some symmetric cipher: HashMatcher can’t determine the wish Someone with the same exact wish will match exactly University of Virginia CS 588 7 Untrusted Third Party HashMatcher.com EH(W) [W] Bob 8 Oct 2001 University of Virginia CS 588 8 How can we send a message to HashMaker without it knowing who sent it? To: To: HashMaker Router4 To:Router1 Router2 Router3 To: From: Anonymous From: Bob 8 Oct 2001 University of Virginia CS 588 9 Onion Routing R3 Bob R2 R4 R1 R5 Pick n random routers, Ri1…Rin Rik gets a message Mk: EKURik (To: Rik+1 || Mk+1) 8 Oct 2001 University of Virginia CS 588 HashMatcher.com 10 Onion Routing R3 HashMatcher.com Bob R2 R4 R1 R5 Pick 1 random router: R2 Send R2: EKUR2 (To: HashMatcher.com || M) 8 Oct 2001 University of Virginia CS 588 11 Onion Routing R3 HashMatcher.com Bob R2 R4 R1 R5 Pick 2 random routers: R2, R5 Send R2: EKUR2 [To: R5 || EKUR5 [To: HashMatcher.com || M] 8 Oct 2001 University of Virginia CS 588 12 Finding Problem Set Partners • If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order) • Using onion rounting, sends HashMaker: EH(W) [W] • Using onion rounting, queries HashMaker is there is a matching item – If so, Alice want to work with him 8 Oct 2001 University of Virginia CS 588 13 Problems with this Protocol • Cathy could send W = “Alice + Bob” • Anyone can query “x + Bob” for all students to find out who Bob wants to work with (or who wants to work with Bob, can’t tell the difference) • If Sandra B. wants to work with Bob too, how do matches reflect preferences without revealing them? • Challenge Problem #2: Design a good matchmaking protocol 8 Oct 2001 University of Virginia CS 588 14 Proof-Carrying Code Amy Felty, University of Ottawa Foundational Proof-Carrying Code for Software Safety Today at 3:30 (right here) 8 Oct 2001 University of Virginia CS 588 15 Proof-Carrying Code Certifying Compiler Program Native Code Proof Native Code Proof Code Producer Code Consumer Ok Proof Checker Policy CPU 8 Oct 2001 University of Virginia CS 588 16 Tamper with Code Certifying Compiler Program Native Code Proof Code Producer Wily Hacker Code Consumer Tampered Code No! Proof Proof Checker Policy CPU 8 Oct 2001 University of Virginia CS 588 17 Tamper with Both Certifying Compiler Program Native Code Proof Code Producer Wily P. Hacker Code Consumer But it means the desired property still holds! Tampered Code Ok No! Tampered Proof Proof Checker Policy CPU 8 Oct 2001 University of Virginia CS 588 18 How many PCC systems in active use? • • • • • • 2 100 1000 1 Million 10 Million > 20 Million 8 Oct 2001 Java byte code verifier is a limited implementation of PCC: • Bytecodes include extra information on typing, stack use, etc. • Bytecode verifier checks it to enforce low-level code safety properties Peter Lee claims most linkers are instances of PCC also. University of Virginia CS 588 19 Authentication 8 Oct 2001 University of Virginia CS 588 20 How do you authenticate? • Something you know – Password • Something you have – SecureID, physical key • Something you are – Biometrics (voiceprint, fingerprint, etc.) • Decent authentication requires combination of at least 2 of these 8 Oct 2001 University of Virginia CS 588 21 Early Password Schemes Login does direct password lookup and comparison. UserID algore clinton georgew Password internalcombustion buddy gorangers Login: algore Password: tipper Failed login. Guess again. 8 Oct 2001 University of Virginia CS 588 22 Login Process Terminal Login: algore Password: internalcombustion Trusted Subsystem login sends <“algore”, “internalcombustion”> Eve 8 Oct 2001 University of Virginia CS 588 23 Authentication Problems • Need to store the passwords somewhere – dangerous to rely on this being secure – Encrypt them? But then, need to hide key • Need to transmit password from user to host – Use a secure line (i.e., no remote logins) – Encrypt the transmission (what key?) 8 Oct 2001 University of Virginia CS 588 24 Encrypted Passwords UserID algore clinton georgew Password E (“internalcombustion”, K) E (“buddy”, K) E (“gorangers”, K) Hmmm.... D (E (“buddy”, K), K) = “buddy” 8 Oct 2001 University of Virginia CS 588 25 Hashed Passwords UserID algore clinton georgew 8 Oct 2001 Password H (“internalcombustion”) H (“buddy”) H (“gorangers”) University of Virginia CS 588 26 Encrypted Passwords Try 1 Terminal Login: algore Password: internalcombustion Trusted Subsystem login sends <“algore”, H(“internalcombustion”)> Trusted subsystem compares to stored value. 8 Oct 2001 University of Virginia CS 588 27 Encrypted Passwords Try 2 Terminal Login: algore Password: internalcombustion login sends <“algore”, “internalcombustion”> Trusted Subsystem Trusted subsystem computes H(“internalcombustion”) and compares to stored value. 8 Oct 2001 University of Virginia CS 588 28 First UNIX Password Scheme • [Wilkes68] (recall DES was 1976) • Encryption based on M-209 cipher machine (US Army WWII) • Easy to invert unknown plaintext and known key, used password as key: – Instead of EK (password) used hash function EPassword (0) • PDP-11 could check all 5 or less letter lower-case passwords in 4 hours! 8 Oct 2001 University of Virginia CS 588 29 Making Brute Force Attacks Harder • Use a slower encryption (hashing) algorithm – Switched to DES: H(p) = DESp(0) • Even slower: run DES lots of times – UNIX uses DESp25(0) … DESp (DESp (DESp (DESp (0)))) • Require longer passwords – DES key is only 56 bits: only uses first 7.5 characters (ASCII) – 95 printable characters, 958 = 6.6 * 1015 8 Oct 2001 University of Virginia CS 588 30 Dictionary Attacks • Try a list of common passwords – All 1-4 letter words – List of common (dog) names – Words from dictionary – Phone numbers, license plates – All of the above in reverse • Simple dictionary attacks retrieve most user-selected passwords • Precompute H(x) for all dictionary entries 8 Oct 2001 University of Virginia CS 588 31 86% of users are dumb Single ASCII character Two characters 0.5% 2% Three characters 14% Four alphabetic letters 14% Five same-case letters 21% Six lowercase letters 18% Words in dictionaries or names 15% Other (possibly good passwords) 14% (Morris/Thompson 79) 8 Oct 2001 University of Virginia CS 588 32 Making Dictionary Attacks Harder • Force/convince users to pick better passwords – Test selected passwords against a known dictionary – Enforce rules on non-alphabet characters, length, etc. • Don’t let attacker see the password file 8 Oct 2001 University of Virginia CS 588 33 Problems with User Rules • Users get annoyed • If you require hard to remember passwords, users write them down • Attackers know the password selection rules too – reduces search space! 8 Oct 2001 University of Virginia CS 588 34 True Anecdote • One installation: machines generated random 8-letter passwords • Used PDP-11 pseudo-random number generator with 215 possible values • Time to try all possible passwords on PDP-11: One minute! • Good news: at least people don’t have to remember the 8 random letters 8 Oct 2001 University of Virginia CS 588 35 Everybody loves Buddy UserID Password algore DES25 internal clinton DES25 buddy (0) georgew DES25gorangers(0) hillaryc DES25 buddy (0) 8 Oct 2001 combustion University of Virginia CS 588 (0) 36 Salt of the Earth (This is the standard UNIX password scheme.) Salt: 12 random bits UserID algore clinton georgew hillaryc Salt 1125 2437 932 1536 Password DES+25 (0, “internal”, 1125) DES+25 (0, “buddy”, 2437) DES+25 (0, “goranger”, 932) DES+25 (0, “buddy”, 1536) DES+ (m, key, salt) is DES except with salt-dependent E-tables. How much harder is the off-line dictionary attack? 8 Oct 2001 University of Virginia CS 588 37 Security of UNIX Passwords • Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest) • Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988) • L0ftcrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT) 8 Oct 2001 University of Virginia CS 588 38 What about Eve? Terminal Login: algore Password: internalcombustion login sends <“algore”, “internalcombustion”> Trusted Subsystem Eve Trusted subsystem computes DES+25 (0, “internal”, 12) and compares to stored value. 8 Oct 2001 University of Virginia CS 588 39 sshhhhh.... • Be very quiet so Eve can’t hear anything – Encrypt the communication between the terminal and the server – How? (Next class…) • Stay for Amy Felty’s Talk 8 Oct 2001 University of Virginia CS 588 40
