1 / 20

Password Authentication

CS 259. Password Authentication. J. Mitchell. Password file. User. kiwifruit. exrygbzyf kgnosfix ggjoklbsz … …. hash function. Basic password authentication. Setup User chooses password Hash of password stored in password file Authentication

Ava
Télécharger la présentation

Password Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 259 Password Authentication J. Mitchell

  2. Password file User kiwifruit exrygbzyf kgnosfix ggjoklbsz … … hash function

  3. Basic password authentication • Setup • User chooses password • Hash of password stored in password file • Authentication • User logs into system, supplies password • System computes hash, compares to file • Attacks • Online dictionary attack • Guess passwords and try to log in • Offline dictionary attack • Steal password file, try to find p with hash(p) in file

  4. Dictionary Attack – some numbers • Typical password dictionary • 1,000,000 entries of common passwords • people's names, common pet names, and ordinary words. • Suppose you generate and analyze 10 guesses per second • This may be reasonable for a web site; offline is much faster • Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average • If passwords were random • Assume six-character password • Upper- and lowercase letters, digits, 32 punctuation characters • 689,869,781,056 password combinations. • Exhaustive search requires 1,093 years on average

  5. Salt • Unix password line walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh Compare Salt Input Key Constant Ciphertext 25x DES Plaintext When password is set, salt is chosen randomly

  6. Advantages of salt • Without salt • Same hash functions on all machines • Compute hash of all common strings once • Compare hash file with all known password files • With salt • One password hashed 212 different ways • Precompute hash file? • Need much larger file to cover all common strings • Dictionary attack on known password file • For each salt found in file, try all common strings

  7. Web Authentication • Problems • Network sniffing • Malicious or weak-security website • Phishing • Common password problem • Pharming – DNS compromise • Malware on client machine • Spyware • Session hijacking, fabricated transactions Server password Browser cookie next few slides

  8. Password Phishing Problem • User cannot reliably identify fake sites • Captured password can be used at target site Bank A pwdA pwdA Fake Site

  9. pwdA = pwdB low security site Common Password Problem • Phishing attack or break-in at site B reveals pwd at A • Server-side solutions will not keep pwd safe • Solution: Strengthen with client-side support Bank A high security site pwdA Site B

  10. pwdA = pwdB Defense: Password Hashing hash(pwdA, BankA) • Generate a unique password per site • HMACfido:123(banka.com)  Q7a+0ekEXb • HMACfido:123(siteb.com)  OzX2+ICiqc • Hashed password is not usable at any other site • Protects against password phishing • Protects against common password problem Bank A hash(pwdB, SiteB) Site B

  11. Defense: SpyBlock

  12. Defense: SpyBlock Authentication agent communicates through browser agent Authentication agent communicates directly to web site

  13. SpyBlock protection password in trusted client environment server support required better password-based authentication protocols trusted environment confirms site transactions

  14. Goals for password protocol • Authentication relies on password • User can remember password, use anywhere • No additional client-side certificates, etc. • Protect against attacks • Network does not carry cleartext passwords • Malicious user cannot do offline dictionary attack • Malicious server (as in phishing) does not learn password from communication with honest user

  15. Simple approach • Send hashed passwords • Does this “work”? • Good points? • Bad points? Server hash(pwd|0) Browser hash(pwd|1)

  16. “Interlock” password protocols (Set-up Phase) Password p known to both parties (Key Exchange Phase) A  B gx B  A gy k = gxyor some function of gxy (Authentication Phase) A  B mack(p, r) for random r B  A mack(p, s), enck(s) for random s A  B enck(r) [Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]

  17. ESP-KE key exchange protocol Prime p and generators , β known Generate random a Generate random b A= a/ βPmod p B= b mod p A B If A=0 Abort k = Bamod p k = (A βP)bmod p Mb=H(0,k,P) Mb If H(0,k,P) ≠ MbAbort Ma= H(1,k,P) Ma If H(1,k,P) ≠ MaAbort [M Scott]

  18. SRP protocol (Set-up Phase) Carol chooses password P Steve chooses s, computes x = H(s, P) and v = gx (Key Exchange Phase) C Bob looks up s, v x = H(s, P) s A = gaA B,u B = v + gb, random u S = (B - gx) (a+ux) S = (Avu)b M1 = H(A,B,S) M1 verify M1 verify M2M2 M2 = H(A,M1,S) Key = H(S) Key = H(S) [Wu]

  19. password? CMU “Phoolproof” proposal • Eliminates reliance on perfect user behavior • Protects against keyloggers, spyware. • Uses a trusted mobile device to perform mutual authentication with the server

More Related