Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Class 35 - University of Virginia

advertisement 
Class 35:
Cookie
Monsters and
Semi-Secure
Websites
CS200: Computer Science
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Why Care about Security?
http://www.cs.virginia.edu/cs200/problem-sets/ps8/example/query.php3
21 April 2003
CS 200 Spring 2003
2
Security
• Confidentiality – keeping secrets
– Most web sites don’t want this
• Integrity – making data reliable
– Preventing tampering
– Only authorized people can insert/modify data
• Availability
– Provide service (even when attacked)
– Can’t do much about this without resources
21 April 2003
CS 200 Spring 2003
3
How do you authenticate?
• Something you know
– Password
• Something you have
– Physical key (email account?, transparency?)
• Something you are
– Biometrics (voiceprint, fingerprint, etc.)
Serious authentication requires at least 2 kinds
21 April 2003
CS 200 Spring 2003
4
Early Password Schemes
Login does direct
password lookup
and comparison.
UserID
alyssa
ben
dave
Password
fido
schemer
Lx.Ly.x
Login: alyssa
Password: spot
Failed login. Guess again.
21 April 2003
CS 200 Spring 2003
5
Login Process
Terminal
Login: alyssa
Password: fido
Trusted Subsystem
login sends
<“alyssa”, “fido”>
Eve
21 April 2003
CS 200 Spring 2003
6
Password Problems
• Need to store the passwords
– Dangerous to rely on database being
secure
Solve this today
• Need to transmit password from user
to host
– Dangerous to rely on Internet being
unsniffed
Solve this Wednesday
21 April 2003
CS 200 Spring 2003
7
First Try: Encrypt Passwords
• Instead of storing password, store password
encrypted with secret K.
• When user logs in, encrypt entered password and
compare to stored encrypted password.
UserID
alyssa
ben
dave
Password
encryptK (“fido”)
encryptK (“schemer”)
encryptK (“Lx.Ly.x”)
Problem if K isn’t so secret: decryptK (encryptK (P)) = P
21 April 2003
CS 200 Spring 2003
8
Hashing
0
•
1
2
3
“dog”
“neanderthal”
4
5
•
6
7
“horse”
8
9
H (char s[]) = (s[0] – ‘a’) mod 10 •
21 April 2003
CS 200 Spring 2003
Many-to-one: maps a
large number of values
to a small number of
hash values
Even distribution: for
typical data sets,
probability of (H(x) = n)
= 1/N where N is the
number of hash values
and n = 0..N – 1.
Efficient: H(x) is easy
to compute.
9
Cryptographic Hash Functions
One-way
Given h, it is hard to find x
such that H(x) = h.
Collision resistance
Given x, it is hard to find y  x
such that H(y) = H(x).
21 April 2003
CS 200 Spring 2003
10
Example One-Way Function
Input: two 100 digit numbers, x and y
Output: the middle 100 digits of x * y
Given x and y, it is easy to calculate
f (x, y) = select middle 100 digits (x * y)
Given f (x, y) hard to find x and y.
21 April 2003
CS 200 Spring 2003
11
A Better Hash Function?
• H(x) = encryptx (0)
• Weak collision resistance?
– Given x, it should be hard to find y  x such
that H(y) = H(x).
– Yes – encryption is one-to-one. (There is
no such y.)
• A good hash function?
– No, its output is as big as the message!
21 April 2003
CS 200 Spring 2003
12
Actual Hashing Algorithms
• Based on cipher block chaining
– Start by encrypting 0 with the first block
– Use the next block to encrypt the previous
block
• SHA [NIST95] – 512 bit blocks, 160-bit
hash
• MD5 [Rivest92] – 512 bit blocks, produces
128-bit hash
– This is what we will use: built in to PHP
21 April 2003
CS 200 Spring 2003
13
Hashed Passwords
UserID
alyssa
ben
dave
21 April 2003
Password
md5 (“fido”)
md5 (“schemer”)
md5 (“Lx.Ly.x”)
CS 200 Spring 2003
14
Dictionary Attacks
• Try a list of common passwords
– All 1-4 letter words
– List of common (dog) names
– Words from dictionary
– Phone numbers, license plates
– All of the above in reverse
• Simple dictionary attacks retrieve most
user-selected passwords
• Precompute H(x) for all dictionary entries
21 April 2003
CS 200 Spring 2003
15
86% of users are dumb and dumber
Single ASCII character
Two characters
0.5%
2%
Three characters
14%
Four alphabetic letters
14%
Five same-case letters
21%
Six lowercase letters
18%
Words in dictionaries or names
15%
Other (possibly good passwords)
14%
(Morris/Thompson 79)
21 April 2003
CS 200 Spring 2003
16
Salt of the Earth
(This is the standard UNIX password scheme.)
Salt: 12 random bits
UserID
alyassa
ben
dave
Salt
Password
1125 DES+25 (0, “Lx.Ly.x”, 1125)
2437 DES+25 (0, “schemer”, 2437)
932 DES+25 (0, “Lx.Ly.x”, 932)
DES+ (m, key, salt) is an encryption algorithm that
encrypts in a way that depends on the salt.
How much harder is the off-line dictionary attack?
21 April 2003
CS 200 Spring 2003
17
PHP Code
// We use the username as a "salt" (since they must be unique)
$encryptedpass = md5 ($password . $username);
user
alyssa
password
9928ef0d7a0e4759ffefbadb8bc84228
evans
bafd72c60f450ed665a6eadc92b3647f
Not quite as secure as using a random value.
What is someone picks xdave as their username
and Lx.Ly. as their password?
21 April 2003
CS 200 Spring 2003
18
Authenticating Users
• User proves they are a worthwhile person
by having a legitimate email address
– Not everyone who has an email address is
worthwhile
– Its not too hard to snoop (or intercept)
someone’s email
• But, provides much better authenticating
than just the honor system
21 April 2003
CS 200 Spring 2003
19
Registering for Account
• User enters email address
• Account is marked as “Inactive”
$encryptedpass = md5 ($password . $username);
$query = "INSERT INTO users (username, password, email, activated)
VALUES ('$username', '$encryptedpass', '$email', 0)";
• Send an email with an unguessable URL
URL that activates the account
21 April 2003
CS 200 Spring 2003
20
PHP Code (register-process.php)
Why not just use
md5($username)?
A string only the server
should know. (Hard to
really keep this secret…)
$actcode = md5 ($username . $secret);
$url = "http://" . $_SERVER['HTTP_HOST']
. dirname ($_SERVER['PHP_SELF'])
. "/activate.php?user=$username&code=$actcode";
mail ($email, // User’s email address
"WahooChat Account Activation", // Subject Line
"To activate your account visit $url", // Message body
"From: wahoochat-bot@virginia.edu"); // From address
21 April 2003
CS 200 Spring 2003
21
activate.php
$result = mysql_query ("SELECT activated FROM users WHERE username='$user'");
$rows = mysql_num_rows ($result);
if ($rows == 0) { error ("No account for username: $user");}
else {
$activated = mysql_result ($result, 0, 0);
if ($activated != 0) { error ("Account $username is already activated.");}
else {
$actcode = md5 ($user . $secret);
if ($code == $actcode) {
$result = mysql_query ("UPDATE users SET activated=1
WHERE username='$user'");
if ($result != 1) { error ("Database update failed: $result"); }
else { print "Your account is now activated!<br><p>"; }
} else {
print "Invalid account code!<br>";
}
}
}
21 April 2003
CS 200 Spring 2003
22
Cookies
• HTTP is stateless: every request is
independent
• Don’t want user to keep having to enter
password every time
• A cookie is data that is stored on the
browser’s machine, and sent to the web
server when a matching page is visited
21 April 2003
CS 200 Spring 2003
23
Using Cookies
• Look at the example PHP code
• Cookie must be sent before any HTML is
sent
• Be careful how you use cookies – anyone
can generate any data they want in a cookie
– Make sure they can’t be tampered with: use
md5 hash with secret to authenticate
– Don’t reuse cookies - easy to intercept them (or
steal them from disks): use a counter than
changes every time a cookie is used
21 April 2003
CS 200 Spring 2003
24
Problems Left
• The database password is visible in
plaintext in the PHP code
– No way around this (with UVa mysql server)
– Anyone who can read UVa filesystem can
access your database
• The password is transmitted unencrypted
over the Internet (next class)
• Proving you can read an email account is
not good enough to authenticate for
important applications
21 April 2003
CS 200 Spring 2003
25
Authentication
for Remote Voting
Nathanael Paul
David Evans
University of Virginia
[nrpaul, evans]@cs.virginia.edu
Avi Rubin
Johns Hopkins University
rubin@jhu.edu
Dan Wallach
Rice University
dwallach@cs.rice.edu
Types of Authentication
• Something you know
– passwords
– Example: login to schedule of classes
• Something you are
– Biometrics
– Examples: iris scanner, fingerprint reader
• Something you have
– This: a transparency
21 April 2003
CS 200 Spring 2003
27
Authentication for remote voting
• Remote voting offers convenience
– 69% votes cast by mail in 2001 in state of
Washington
• Electronic voting is cheaper and faster
– More secure?
– New problems: virus, worm, spoofing, denial
of service
• Mutual authentication
– Voter authenticated to server
– Server authenticated to voter
21 April 2003
CS 200 Spring 2003
28
Doing Encryption without Computers
• Can’t trust voters to have trustworthy
computers
– Viruses can tamper with their software
• Need to do authentication in a way that
doesn’t depend on correctness of user’s
software
• Lorenz cipher: use XOR to encrypt
– Is there a way to do lots of XOR’s without a
computer?
21 April 2003
CS 200 Spring 2003
29
Visual cryptography
(Naor & Shamir, 1994)
Option 1
Transparency
Screen
Option 2
Transparency
Screen
Encodes a
clear (grey)
square
Encodes a
dark square
• Perfectly secure (one-time pad)
• Server can encode anything knowing voter’s layer
21 April 2003
CS 200 Spring 2003
30
Remote Voting System
STEP 1
Each voter is
sent a key, ki
keys
Ek (k1)
S
Ek(k2)
…
ki =
…
Ek(kn)
STEP 2
Key: AQEGSDFASDF
ki
STEP 3 – if ki valid…
STEP 4
ki =
“AQEGSDFASDF”
S
21 April 2003
client machine
CS 200 Spring 2003
client machine
31
Summary
• Mutual authentication
– Authentication of user to server
– Authentication of server to user
• Involves the human (as opposed to
machine)
• Anonymity by proper use of layered
images
• You will get a transparency on Wednesday
21 April 2003
CS 200 Spring 2003
32
Related documents
Registration Form - Request for Access to the Local Government
Registration Form - Request for Access to the Local Government
Instructions to access student textbooks online.
Instructions to access student textbooks online.
Paper Reference(s)
Paper Reference(s)
Download
advertisement