1 / 110

ISEC0514-LectureNotes01_Authen

ISEC0514-LectureNotes01

Suthep
Télécharger la présentation

ISEC0514-LectureNotes01_Authen

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ISEC0514Computer Systems Security and Privacy Lecture Notes #1 Authentication

  2. Overview • This class will focus on various topics in computer administration/security. • Account/password administration • Authentication • High Availability / Disaster recovery planning • File system security • Physical and hardware security • Computer system logs and monitoring • OS-specific security (UNIX/Linux, Windows) • Some content may be related to network security.

  3. Overview • Lab contents will focus on configuring security inside computer systems. • Account management • Authentication system • File system security • Shell scripts • Perl scripts

  4. Grading Policy • Midterm 20% • Quiz 10% • Final 40% • Lab 30% - 2 Lab tests

  5. Materials • This class will incorporate contents from various books and materials. • Focus mainly on the provided handout. • Use the handout as the skeleton of the class contents. • You are strongly advised to take notes during class. • Exam will cover the handout as well as the topics we discuss in class.

  6. Other Notes • Participation is vital for this class. • Do not be late. • This class will include a lot of contents. • Exams are usually not easy.

  7. Who is system administrator? • From Wikipedia: • A system administrator, or sysadmin, is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers. • The system administrator seeks to ensure that the uptime, performance, resources, and security of the computers meet the needs of the users, without exceeding the budget. • A system administrator may acquire, install, or upgrade computer components and software; automate routine tasks; write computer programs; troubleshoot; train and/or supervise staff; and provide technical support.

  8. System Administration Responsibility

  9. Related Job Roles • System administrator • Network administrator • Security administrator • Database administrator • Web administrator • Computer operator

  10. Authentication • Maintaining authentication system is a common task for a system administrator. • Authentication is the process to verify a user is who he or she claims to be. • In addition to authenticate a user, authentication system may also authenticate machines and programs.

  11. Authentication • Human authentication relies on at least one of the following factors: • What you know • Usernames/passwords • What you have • Security tokens, smartcards, etc. • What you are • Fingerprints, retina scans • Single or multiple factors may be used to authenticate a user.

  12. Password Authentication • Password authentication is the most widely used authentication system • Users need to provide a username along with the password to access resource on a computer system. • Password weakness is an important issue of system security. • Password cracking is one of the most common actions performed by hackers, both novice and experienced ones. • Only one weak password is needed for a hacker to enter your system. • An user-level entry may lead to a whole system compromise.

  13. Password Security Issues • Users are rarely educated to know good choices for passwords. • If a password is in the dictionary, it is extremely vulnerable to being cracked. • Many think that simply because their password is not in a dictionary, it is safe from detection. • Many users thinks if they do not have important data, they don’t have to be concerned with the security of their account. • An user-level entry point may cause damage to be done on the entire system.

  14. Password Security Issues • Passwords can be compromised in many ways: • Users may write them down or share them, so that they are no longer a secret. • Passwords can be guessed, either by a person or a program designed to try many possibilities in a rapid manner. This program is called password cracker. • Passwords may be transmitted over a network either in plaintext or encoded in a way which can be readily converted back to plaintext. • Passwords may be stored on a workstation, server or backup media in plaintext or encoded in a way which can be readily converted back to plaintext.

  15. Human Factors • It is hard for most people to remember: • Complicated passwords. • Many different passwords. • Passwords that change frequently. • Passwords for systems that are used infrequently.

  16. Human Factors • When people have trouble remembering their passwords, they usually: • Write down their passwords. This reduces the security of systems to the security of their physical building, desk, book or wallet. • Forget their passwords, and require frequent assistance from an IT help desk to reset it. • Use very simple, easy passwords. • Reuse old passwords as often as possible. • Do not overlook people’s inability to maintain good passwords!!

  17. Good Passwords • Long enough (depending on current technologies). • No common names (username, names, etc.) • Should come from variety set of characters (uppercase, lowercase, numeric, symbols, etc.). • Not listed in dictionaries, including dictionaries of non-English words represented in Latin character sets. • Avoid Unicode and other non-Latin passwords. • Change periodically. • Password strength and change period should be relative to importance of the system. • Utilize system features to ensure password strength and age, if possible.

  18. Password Management Tips • Train users to compose hard-to-guess passwords. • Implement intruder detection and lockout. • Encrypt passwords in storage and transit. • Synchronize passwords across systems. • Has IT help desk for forgotten passwords and locked out accounts. • Try password manager software if you have many passwords (admins usually do).

  19. Authentication Best Practices • Avoid using non-Latin usernames. • ALL accounts should have a password. • Change ALL default passwords. • Unused accounts should be disabled. • Utilize groups to grant privileges to users. • Use system features, if possible, to • Enforce users to change their password periodically. • Enforce password complexity. • Minimize reuse of passwords. • Expire temporary accounts. • Expire inactive accounts.

  20. Authentication Best Practices • Minimize number of admin accounts. • Do not share user accounts, both users and admins. • Admin account should be in user-level by default, and only elevated as admin-level when needed. • Admin password should be more complex. • Brute-force your users’ passwords once in a while to make sure you do not have weak passwords in your system. • Make sure your company policy allow this.

  21. Password Cracker • A password cracker is any program that can decrypt (or brute-force) passwords or otherwise circumvent password protection. • A password cracker need not decrypt anything. In fact, most of them don't. • Most encrypted passwords cannot be decrypted. They are usually generated by using cryptographic hash algorithms (one-way). • The result of such algorithm is called password hash. • Most modern, technical encryption processes are now one-way.

  22. Password Complexity vs. Length • Every single character added increases password complexity exponentially.

  23. Password Hash Generation Plaintext Hash Algorithm Password Hash Password Store

  24. How Password Crackers Work Guessed Password Hash Algorithm Password Hash Equals? Password Store

  25. Common Algorithms • Common algorithms used to generate encrypted passwords/hashes include • DES (cracked) • 3DES • MD5 (128 bits) (cracked) • SHA-1 (160 bits) (not for long) • SHA-2 (224, 256, 384, 512 bits) • LM hash (cracked) / NTLM hash

  26. Encoding • To store or transmit passwords in computer storage, encrypted passwords are encoded using different schemes. • Some basic encoding includes • Binary • Unprintable • Hex (100% overhead) • 1 byte => 2 characters • Ex: 3707344A4093822299F31D008 • BASE64 (33% overhead) • 3 bytes => 4 characters • Ex: TWFuIGlzIGRpc3Rpbmd1aXNoZWQs

  27. BASE64 • Most encryption and hashing algorithms results in binary data. • BASE64 is a encoding scheme which is often used to encode binary data into a base64 representation, which is printable. • BASE64 only uses A-Z, a-z, 0-9, +, / • BASE64 can be used in several cases, including password hashes, e-mail attachments. • Any data encoded in BASE64 will grow 33% in size.

  28. BASE64 Encoding/Padding • 6 bits are encoded into 1 character. • Thus, 3 bytes input become 4 output characters. • Padding character is '='. • The number of padded characters depends on the length of the input. • 2-byte input needs 1 padding character. • 1-byte input needs 2 padding characters. * Wikipedia

  29. BASE64 Encoding Example • Example of encoding the word ‘Man’. • Result of encoding is ‘TWFu’. * Wikipedia

  30. BASE64 Encoding Example * gemsres.com

  31. BASE64 Encoding Example * edipermadi.files.wordpress.com

  32. LM Hash / NT Hash • LM hash is used in old versions of Windows. • LM hash has weaknesses in its implementation, and is considered insecure. • You can crack LM hash very easily using on-line password cracker web site. • Passwords longer than 7 characters are divided into two pieces. Each piece is hashed separately. • All lowercase letters in the password are changed to upper case before the password is hashed. • Possible combinations if hashed all 14 characters is , while with only 7 characters is • Using only uppercase letter:

  33. LM Hash / NT Hash • NT hash is the successor of LM hash. • It fixes several weakness of LM, and is a better choice. • Note that Microsoft no longer recommends using NTLM. Use Active Directory (Kerberos) instead. • Normally, Windows will keep LM hash and NT hash along with each other. • You must disable LM hash and then change password again in order to permanently remove LM hash from the system. • Disabling LM hash will break compatibility with (very) old clients.

  34. DES and Crypt • In the past, all passwords under UNIX are stored in /etc/passwd. • Usernames are readable. • The password is stored in an encrypted form. • Later, all encrypted password hashes are stored in /etc/shadow.

  35. Traditional DES • User’s password is truncated to 8 characters. • Only 7 bits of each character are used. • Password becomes 56-bit DES key. • In UNIX, additional 12-bit salt is used.

  36. UNIX crypt(3) • The encryption process is performed using crypt(3), a program based on the data encryption standard (DES). • crypt(3) is the library function which is used to compute a password hash that can be used to be user account passwords. • The function result is a text string which also encodes the salt and identifies the hash algorithm used.

  37. UNIX crypt(3) • Depending on crypt version, different outputs are generated. • Example (traditional format): • VxuFAJXVARROc • Example (modern): • $1$iuC8rfaY$LDDmuoGrX7TDCxjiGfZRG2

  38. UNIX crypt(3) • If the password begins with the string $digit$ then the Modular Crypt Format (MCF) is used. • The digit represents which algorithm is used in encryption. • Different schemes include: • MD5-based scheme ($1$) • Blowfish-based scheme ($2$, $2a$) • SHA-based scheme ($5$, $6$) • The format of MCF is • $<algo>$<salt>$<hash>

  39. More Examples • MD5 in hex • Ae2b1fca515949e5d54fb22b8ed95575 • SHA1 in hex • a9993e364706816aba3e25717850c26c9cd0d89d

  40. Using Password Salts • To increase the strength of a password hash, a salt can be used. • A salt comprises of random bits that are used as additional input to a key derivation algorithm, such as cryptographic hash functions. • Salt also prevent same passwords used by different users to have the same hash value. • Each bit of salt used doubles the amount of storage/computation required.

  41. Using Password Salts • Salt can be used in any OS and can applied to several algorithms. • Salt is used as part of input into the algorithm. • Output hash will contain encrypted salt. Salt Plaintext Encrypt/hash Salt Cypher text

  42. Using Password Salts • Salt data complicates dictionary attacks that pre-compute the encryption of dictionary entries, such as rainbow table. • Early Unix systems used a 12-bit salt, but modern implementations use larger values. • It’s possible to separate salts from the password database. • This provides an advantage when a database is stolen, but the salt is not.

  43. Using Password Salts • The benefit provided by using a salted password is that a simple dictionary attack against the encrypted values becomes impractical if the salt is large enough. • That is, an attacker would not be able to create a rainbow table, a dictionary of encrypted values (password + salt), because it would either take too much time, or too much space. • If you develop a custom web application, you should consider this method of storing user passwords.

  44. Rainbow Table • A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. • A common application is to make attacks against hashed passwords feasible. • This reduces time to crack a password considerably. • RainbowCrack and ophcrack are examples of tools that utilize this technique.

  45. Performance Example • Example taken from using RainbowCrack * project-rainbowcrack.com

  46. Password Cracker Rules • Password crackers may do some simple modification in order to achieve higher hit rate. • Password cracker may accept certain rules, for example: • Add number to the beginning or end of each word. • Alternate lowercase and uppercase • Merge words together (hellohello) • Spell the word forward then backward (helloolleh) • etc.

  47. Features • A password cracker may • accept words from dictionary. • accept word customization rules. • optimized for systems with multi-core / multi-processor or utilize GPU. • support various password format using a single tool (DES, MD5, LM hashes, Zip, SQL server, Oracle, Cisco, Zip, PDF, etc.). • work off-line (file-based). • work on-line (sniffing, server interactive: POP3, FTP, SSH, etc.).

  48. Features • (continue) • issue a job, break and resume. • distribute jobs over several machines. • retrieve password from password store automatically. • pre-computed hashes from dictionary. • utilize rainbow table.

  49. Use of Password Crackers • Password crackers are not only used by attackers. • Password crackers may be used for administration tasks: • Finding accounts with weak or no passwords. • Enforcing password policy on user accounts • Taking actions on violations, e.g. locking accounts

  50. Password Crackers • John the ripper • Aircrack • L0phtcrack • ophcrack • RainbowCrack • Cain and Abel • THC Hydra • Brutus

More Related