Lecture 11: Authenticating Authentic Authenticaters
CS551: Security and Privacy
University of Virginia Computer Science
David Evans
http://www.cs.virginia.edu/~evans

Menu
• Unix Passwords
• SSH
• S-Key
• Won’t cover in lecture: PGP, SSL
• Due before midnight: Project Proposals

27 July 2016 University of Virginia CS 551

Paco’s Talk
• There are real security companies that make money
  – VeriSign ($40B market cap, $200M revenues last year, lost $479M)
  – Check Point Software ($23B, $35M profit last quarter)
  – RSA Security ($2B)
  – (For reference: General Motors = $35B, Amazon.com = $12B)

Why look at specific systems?
• So I have lots of material for easy-to-grade multiple choice questions on your exams
• Because it’s important to know details of particular applications
• Because you want to attack someone maliciously

Why look at specific systems?
• To learn general principles of good and bad design
• To see issues that arise when mathematics is deployed in the real world
• To have ideas and knowledge to draw from when you design systems

Early Password Schemes
Login does direct password lookup and comparison.

UserID     Password
algore     internalcombustion
clinton    buddy
georgew    gorangers

Login: algore
Password: tipper
Failed login. Guess again.

Login Process
Terminal:
  Login: algore
  Password: internalcombustion
login sends <“algore”, “internalcombustion”> to the Trusted Subsystem
Eve (listening on the connection)

Authentication Problems
• Need to store the passwords somewhere
  – dangerous to rely on this being secure
  – Encrypt them?
    But then, need to hide key
• Need to transmit password from user to host
  – Use a secure line (i.e., no remote logins)
  – Encrypt the transmission

Encrypted Passwords

UserID     Password
algore     E (“internalcombustion”, 0)
clinton    E (“buddy”, 0)
georgew    E (“gorangers”, 0)

Hmmm.... D (E (“buddy”, 0), 0) = “buddy”

Encrypted Passwords

UserID     Password
algore     DES (0, “internalcombustion”)
clinton    DES (0, “buddy”)
georgew    DES (0, “gorangers”)

Can you invert DES (0, k) without knowing k?

Encrypted Passwords Try 1
Terminal:
  Login: algore
  Password: internalcombustion
login sends <“algore”, DES (0, “internalcombustion”)> to the Trusted Subsystem
Trusted subsystem compares to stored value.

Encrypted Passwords Try 2
Terminal:
  Login: algore
  Password: internalcombustion
login sends <“algore”, “internalcombustion”> to the Trusted Subsystem
Trusted subsystem computes DES (0, “internalcombustion”) and compares to stored value.

First UNIX Password Scheme
• [Wilkes68] (recall DES was 1976)
• Encryption based on M-209 cipher machine (US Army WWII)
• Easy to invert unknown plaintext and known key, used password as key:
  – Instead of E (password, 0) used E (0, password) (like with DES)
• PDP-11 could check all lower-case passwords of 5 or fewer letters in 4 hours!

Making Brute Force Attacks Harder
• Use a slower encryption algorithm
  – Switched to DES
• Even slower: run DES lots of times
  – UNIX uses DES^25 (0, password)
• Require longer passwords
• DES key is only 56 bits: only uses first 7.5 characters (ASCII)
• Brute force is unlikely to work with all possible 8-letter passwords and DES^25

Dictionary Attacks
• Try a list of common passwords
  – All 1-4 letter words
  – List of common (dog) names
  – Words from dictionary
  – Phone numbers, license plates
  – All of the above in reverse
• Simple dictionary attacks retrieve most user-selected passwords

86% of users are dumb

Single ASCII character               0.5%
Two characters                       2%
Three characters                     14%
Four alphabetic letters              14%
Five same-case letters               21%
Six lowercase letters                18%
Words in dictionaries or names       15%
Other (possibly good passwords)      14%
(Morris/Thompson 79)

Making Dictionary Attacks Harder
• Force/convince users to pick better passwords
  – Test selected passwords against a known dictionary
  – Enforce rules on non-alphabet characters, length, etc.

Problems with User Rules
• Users get annoyed
• If you require hard to remember passwords, users write them down
• Attackers know the password selection rules too – reduces search space!

True Anecdote
• One installation: machines generated random 8-letter passwords
• Used PDP-11 pseudo-random number generator with 2^15 possible values
• Time to try all possible passwords on PDP-11: One minute!
• Good news: at least people don’t have to remember the 8 random letters

Everybody loves Buddy

UserID     Password
algore     DES^25 (0, “internalcombustion”)
clinton    DES^25 (0, “buddy”)
georgew    DES^25 (0, “gorangers”)
hillaryc   DES^25 (0, “buddy”)

Salt of the Earth
(This is the standard UNIX password scheme.)
Salt: 12 random bits

UserID     Salt   Password
algore     12     DES+^25 (0, “internalcombustion”, 12)
clinton    37     DES+^25 (0, “buddy”, 37)
georgew    9      DES+^25 (0, “gorangers”, 9)
hillaryc   53     DES+^25 (0, “buddy”, 53)

DES+ is DES except with salt-dependent E-tables.
How much harder is the dictionary attack?

Security of UNIX Passwords
• Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest)
• Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988)
• L0phtCrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT)

What about Eve?
Terminal:
  Login: algore
  Password: internalcombustion
login sends <“algore”, “internalcombustion”> to the Trusted Subsystem
Eve (listening on the connection)
Trusted subsystem computes DES+^25 (0, “internalcombustion”, salt) and compares to stored value.

ssshhhhh....
• Be very quiet so Eve can’t hear anything
• Encrypt the communication between the terminal and the server
• How?

Simplified SSH Protocol
Terminal:
  Login: evans
  Password: ***********
login sends EKUmamba<“evans”, password> to mamba.cs.virginia.edu
Eve can’t decrypt without KRmamba

Actual SSH Protocol
(Client and Server; time runs down the page)
1. Client → Server: requests connection
2. Server → Client: KUS, KUt
   Client compares to stored KUS
3. Client → Server: EKUS [EKUt [r]] || { IDEA | 3DES }
All traffic encrypted using r and selected algorithm. Can do regular login (or something more complicated).
KUS – server’s public host key
KUt – server’s public key, changes every hour
r – 256-bit random number generated by client

Comparing to stored KUS
• It better be stored securely
  – PuTTY stores it in Windows registry (HKEY_CURRENT_USER\Software\Simon Tatham\PuTTY\SshHostKeys)

Why Johnny Can’t Even Login
SecureCRT
Default choice!

“Usability in normal environments has been a major design concern from the beginning, and SSH attempts to make things as easy for normal users as possible while still maintaining a sufficient level of security.”
Tatu Ylonen, SSH – Secure Login Connections over the Internet, June 1996.

ssh.com’s SSH

ssh Error

Why Johnny (von Neumann) Can’t Even Login
• A smart attacker just replaces the stored key in registry
  – An ActiveX control can do this trivially
  – No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy)
• Is there a solution?
  – Exercise for reader (maybe a good midterm question?)

Recap – Authentication Problems
• Need to store the passwords somewhere
  – dangerous to rely on this being secure
• Need to transmit password from user to host
• Remaining problems:
  – Users pick bad passwords
  – Even if everything is secure, can still watch victim type!
  – Only have to mess up once

Solution – Don’t Reuse Passwords
• One-time passwords
• New users have to memorize a list of secure passwords and use one in turn for each login
• Host generates the list using cryptographic random numbers and stores it securely
• Users spend hours memorizing passwords...and better not forget one!
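Added example, not part of the lecture: it works through the question on the salt slide ("How much harder is the dictionary attack?") and the recap's point that users pick bad passwords, using the four users from the slides. Iterated SHA-256 stands in for DES+^25 (an assumption of this sketch, not UNIX crypt), and the function names are made up here.

```python
import hashlib

ROUNDS = 25      # mirrors the slides' DES^25; SHA-256 is a stand-in, not UNIX crypt
SALT_BITS = 12   # "Salt: 12 random bits"

def slow_hash(password, salt=None):
    """Iterated one-way hash; the salt (if any) is mixed into every round."""
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    digest = password.encode()
    for _ in range(ROUNDS):
        digest = hashlib.sha256(prefix + digest).digest()
    return digest.hex()

# Constructed sample data: users, passwords and salts from the slide tables.
USERS = {"algore": ("internalcombustion", 12), "clinton": ("buddy", 37),
         "georgew": ("gorangers", 9), "hillaryc": ("buddy", 53)}
DICTIONARY = ["tipper", "buddy", "rover", "gorangers", "password"]

def build_files():
    """Return the unsalted and the salted password file for USERS."""
    unsalted = {u: slow_hash(pw) for u, (pw, _) in USERS.items()}
    salted = {u: (s, slow_hash(pw, s)) for u, (pw, s) in USERS.items()}
    return unsalted, salted

def crack_unsalted(unsalted):
    """One precomputed table (hash -> word) is reused against every user."""
    table = {slow_hash(w): w for w in DICTIONARY}
    return {u: table[h] for u, h in unsalted.items() if h in table}, len(table)

def crack_salted(salted):
    """The salt is stored in the clear, so weak passwords still fall, but
    every guess must be re-hashed under each user's own salt."""
    found, hashes = {}, 0
    for user, (salt, stored) in salted.items():
        for word in DICTIONARY:
            hashes += 1
            if slow_hash(word, salt) == stored:
                found[user] = word
                break
    return found, hashes

def precomputed_table_size(words):
    """Entries needed to precompute the dictionary for every possible salt."""
    return words * 2 ** SALT_BITS

if __name__ == "__main__":
    unsalted, salted = build_files()
    print("same unsalted entry:", unsalted["clinton"] == unsalted["hillaryc"])
    print("same salted entry:  ", salted["clinton"][1] == salted["hillaryc"][1])
    print(crack_unsalted(unsalted), crack_salted(salted))
```

The salt hides that clinton and hillaryc share a password and multiplies the size of any precomputed table by 4096, but it does not protect a password that is in the attacker's dictionary.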

Challenge-Response Systems
• Ask a question, see if the answer is right
• Hard to make up questions only host and user can answer
• Question: x? Answer: f(x).
• What’s a good choice for f?
  – E (x, key known to both)
• SecurID systems work like this

S-Key
• Alice picks random number R
• S-Key program generates f(R), f(f(R)), f(f(f(R))), ... , f^100(R).
• Alice prints out these numbers and stores somewhere secure
• Host stores f^101(R). (Doesn’t need to be secure)

S/Key Login
• Alice enters f^100(R).
• Host calculates f(f^100(R)).
• Compares to stored f^101(R). If they match, allows login and replaces old value with f^100(R).
• Alice crosses off f^100(R), enters f^99(R) next time.
• What is f?
  – One-way function: given f(x) hard to find x.
  – S/Key uses MD4 (not secure)

Authentication Strategies Summary
• Something you know
  – Password
• Something you have
  – SecurID
• Something you are
  – Biometrics (voiceprint, fingerprint, etc.)
  – Demonstration next Wednesday
• Decent authentication requires combination of at least 2 of these

Charge
• If you are in the 86% with dumb passwords, change it!
• Don’t get a warm fuzzy feeling just because you use SSH
• Next time: Randomness, Digital Cash
• Read randomness papers
• PS3 due next Weds
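Added example, not part of the lecture: the hash chain from the S-Key and S/Key Login slides, showing why a value Eve overhears is useless for the next login. SHA-256 is swapped in for MD4, and the names Host, Alice and demo are made up for this sketch.

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    """One-way function. S/Key used MD4; SHA-256 is swapped in here."""
    return hashlib.sha256(x).digest()

def f_n(x: bytes, n: int) -> bytes:
    """Apply f n times: f^n(x)."""
    for _ in range(n):
        x = f(x)
    return x

class Host:
    """Stores only the last accepted chain value, which need not be secret."""
    def __init__(self, top: bytes):
        self.stored = top                  # f^101(R) at enrolment

    def login(self, otp: bytes) -> bool:
        if hmac.compare_digest(f(otp), self.stored):
            self.stored = otp              # next login must present its preimage
            return True
        return False

class Alice:
    """Holds the printed sheet f(R) .. f^100(R), crossing off from the end."""
    def __init__(self, r: bytes, n: int = 100):
        self.sheet = [f_n(r, i) for i in range(1, n + 1)]

    def next_password(self) -> bytes:
        # IndexError once the sheet is used up: Alice must enrol a new R.
        return self.sheet.pop()            # f^100(R) first, then f^99(R), ...

def demo(r: bytes = b"constructed seed R"):
    """Run the slide's login sequence and return each outcome."""
    alice, host = Alice(r), Host(f_n(r, 101))
    first = alice.next_password()
    return {
        "first login": host.login(first),
        "replay of overheard value": host.login(first),   # Eve resends f^100(R)
        "value from further down the sheet": host.login(f_n(r, 98)),
        "second login": host.login(alice.next_password()),
        "passwords left": len(alice.sheet),
    }

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

To log in after overhearing f^100(R), Eve would have to produce f^99(R), which means inverting f; that is why the strength of the one-way function matters more than the secrecy of the host's stored value.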