ECE 454/CS594 Computer and Network Security. Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011. Overview of Authentication Systems. Password-based authentication Address-based authentication
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011
Overview of Authentication Systems Password-based authentication Address-based authentication Cryptography-based authentication Trusted intermediaries Session key establishment Authentication of people
Basic Problem • How do you prove to someone you are who you claim to be? • Any system with access control must solve this problem.
Authentication • Verify the identity of a person (or a machine) • Assume there is a secret that is only known by the person (machine). If a remote party can demonstrate the knowledge of the secret, it is authenticated.
Who Is Being Authenticated? • Authenticate a person to a server • Authenticate a machine to a machine • Authenticate both a person and a machine to a server • A machine stores high-quality secret; a person memorizes low-quality password • Cryptographic operations • - Use password directly in the cryptographic operation • - Use password to derive a high-quality secret first
Password as Cryptographic Key • Secret key: hash a password to get a DES key • Public key: • - Use a password to encrypt a private key • - Use a password as the seed for a random number generator to create a private/public key pair
Password-based Authentication • What you know: user has a secret password, system checks it to authenticate the user • Password is sent over in plaintext for authentication • Problems: • - eavesdropping • - database reading • - password guessing: online, offline (dictionary attack)
Storing User Password • Where to store: • Store passwords individually on each server • Store all passwords at authentication storage node: authentication done at server • Store all passwords at authentication facilitator node: authentication done at facilitator • In what format: • Store passwords in plaintext • Store password hashes: password-guessing • Store encrypted passwords: node compromise • Store encrypted password hashes
UNIX-Style Passwords [Figure: the user's password “cypherpunk” goes through a hash function; the system password file holds entries such as t4h97t4m43, fa6326b1c2, N53uhjr438, Hgg658n53, …]
UNIX Password System • Uses modified DES as if it were a hash function • - Encrypt NULL string using password as the key • - Truncates passwords to 8 characters! • Artificial slowdown: run DES 25 times • Can instruct modern UNIX to use MD5 hash function • Problem: passwords are not truly random • - With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords • - Humans like to use dictionary words, human and pet names • - 1 million common passwords
Dictionary Attack • Password file /etc/passwd is world-readable • Dictionary attack is possible because many passwords come from a small dictionary • - Attacker can compute H(word) for every word in the dictionary and see if the result is in the password file • - With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average (conservative estimate, offline attack is much faster!)
Salt [Figure: password-file entry fURxfg,4hLBX, made of the salt (chosen randomly when password is first set) and crypt(pwd, salt) computed from the password; basically, DES on NULL plaintext] • Users with the same password have different entries in the password file • Dictionary attack is still possible!
Advantage of Salting • Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries • With salt, attacker must compute hashes of all dictionary words once for each password entry • - With 12-bit random salt, same password can hash to 2^12 different hash values • - Attacker must try all dictionary words for each salt value in the password file
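The cost difference described on this slide, as an added example that is not part of the original lecture: a password audit over a constructed password file that counts how many hashes must be computed with and without salt. SHA-256 stands in for crypt(), and the user names, passwords and word list are made up for the example.

```python
import hashlib
import secrets

WORDS = ["password", "letmein", "cypherpunk", "dragon"]   # constructed dictionary
USERS = {"alice": "cypherpunk", "bob": "cypherpunk",      # constructed accounts
         "carol": "x7#Lq9!vTz"}

def H(pwd, salt=""):
    # SHA-256 stands in for crypt(pwd, salt); this is an assumption of the example.
    return hashlib.sha256((salt + pwd).encode()).hexdigest()

def make_file(users, salted):
    """Build a password file: user -> (salt, hash); salt is 12 random bits."""
    pwfile = {}
    for user, pwd in users.items():
        salt = format(secrets.randbelow(2**12), "03x") if salted else ""
        pwfile[user] = (salt, H(pwd, salt))
    return pwfile

def audit(pwfile, dictionary):
    """Return (users whose password is a dictionary word, hashes computed)."""
    tables, hashes, weak = {}, 0, {}
    for user, (salt, stored) in pwfile.items():
        if salt not in tables:            # one pass over the dictionary per salt
            tables[salt] = {H(w, salt): w for w in dictionary}
            hashes += len(dictionary)
        if stored in tables[salt]:
            weak[user] = tables[salt][stored]
    return weak, hashes

if __name__ == "__main__":
    for salted in (False, True):
        weak, hashes = audit(make_file(USERS, salted), WORDS)
        print("salted" if salted else "unsalted", sorted(weak), hashes, "hashes")
```

The weak accounts are found either way; salt only multiplies the hashing work by the number of distinct salts in the file.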
Address-based Authentication • Where you are • Each computer stores information which specifies accounts on other computers that should have access to its resources • UNIX, VMS • - File copy, log in, remote execution • Network address impersonation: • - forging a source address is easy, but the return packet might not come back to the forger (due to destination-based routing) • - same LAN, on the path, different LANs
Cryptography-based Authentication • Challenge-response • - secret key cryptography • - hashes • - public key cryptography
Eavesdropping and Database Reading • Public key cryptography is secure against both eavesdropping and server database reading. • Password or secret key cryptography is resilient to one (which one?) but not both.
Trusted Intermediaries • SKC solution: key distribution center (KDC) • - establishes shared secret key over network • - overcomes scalability problem of secret keys: for n machines to mutually authenticate with each other, O(n^2) keys are required. • PKC solution: certification authority (CA) • - when Alice obtains Bob’s public key from a web site, email, or disc, how does she know it’s not Trudy’s?
KDC • A trusted central node • Each node i shares a secret key Ki with KDC • Any two nodes must first communicate through KDC
Authentication with KDC (in Principle) • A and B do not authenticate directly • A first authenticates with KDC • KDC selects a temporary secret KAB, and sends KA{KAB} to A and KB{KAB} to B • Now A and B have a common secret KAB, and they can authenticate each other
Authentication with KDC (in Practice) • A and B do not authenticate directly • A first authenticates with KDC • KDC selects a temporary secret KAB, and sends KA{KAB} and KB{KAB} to A • A sends KB{KAB}, called a ticket, to B • Now A and B have a common secret KAB, and they can authenticate each other
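The ticket flow on this slide, as an added example that is not part of the original lecture. The seal/unseal pair is a toy stand-in for K{...} (SHA-256 keystream plus HMAC tag, not a real cipher), A's own authentication to the KDC is omitted, and all names are assumptions of the example.

```python
import hashlib
import hmac
import secrets

def seal(key, data):
    """Toy K{data} for data up to 32 bytes: SHA-256 keystream XOR plus HMAC tag."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(key + nonce).digest()
    body = bytes(d ^ s for d, s in zip(data, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(b ^ s for b, s in zip(body, stream))

class KDC:
    def __init__(self):
        self.keys = {}                      # node name -> long-term key K_i
    def register(self, name):
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]
    def session(self, a, b):
        k_ab = secrets.token_bytes(32)      # temporary secret K_AB
        # Both blobs go to A: K_A{K_AB} and the ticket K_B{K_AB}
        return seal(self.keys[a], k_ab), seal(self.keys[b], k_ab)

def run_exchange():
    kdc = KDC()
    k_a, k_b, k_t = kdc.register("A"), kdc.register("B"), kdc.register("Trudy")
    for_a, ticket = kdc.session("A", "B")
    k_ab_at_a = unseal(k_a, for_a)          # A recovers K_AB
    k_ab_at_b = unseal(k_b, ticket)         # A forwarded the ticket; B recovers K_AB
    challenge = secrets.token_bytes(16)     # B challenges A under K_AB
    response = hmac.new(k_ab_at_a, challenge, hashlib.sha256).digest()
    a_ok = hmac.compare_digest(
        response, hmac.new(k_ab_at_b, challenge, hashlib.sha256).digest())
    try:
        unseal(k_t, ticket)                 # a node without K_B cannot open the ticket
        trudy_opened = True
    except ValueError:
        trudy_opened = False
    return k_ab_at_a == k_ab_at_b, a_ok, trudy_opened
```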
KDC Performance • O(n) keys are needed • When a new user arrives or a user key is compromised, only one place (KDC) and one key needs to be re-configured • Disadvantages • - single point of vulnerability • - single point of failure • - performance bottleneck
CA • Public key equivalent of KDC • A trusted central node • - register (by phone or by …) the public key with CA • - CA signs each node’s public key with its private key; the result is called a certificate, which can be stored anywhere • - everyone is required to be pre-configured with CA’s public key
Certificate Generation and Verification [Figure] • Generation: Bob’s public key and Bob’s identifying information are signed (digital signature) with the CA private key, giving the certificate for Bob’s public key, signed by CA • Verification: the digital signature on the certificate is verified with the CA public key, giving Bob’s public key
Advantages of CA • The CA does not need to be on-line • It can be a simpler device • The failure of the CA would not disable the whole network • Certificates are not security-sensitive • A compromised CA cannot decrypt conversations between two parties.
Certificate Revocation • Certificate for A: • - CA.privateKey{A.name, A.publicKey, expiration time, serial number, …} • - Everyone in the group has a trust relationship with CA, with CA’s public key pre-configured • - CA can extend this trust relationship by issuing certificates • When A leaves the group, this trust extension should be terminated, but if A’s certificate is not expired, this extension still exists • Certificate Revocation List (CRL) is published periodically to revoke certificates • B accepts A’s certificate only when it has a valid CA signature, has not expired, and is not in the CA’s most recent CRL
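B's three-part acceptance rule from this slide, as an added example that is not part of the original lecture. Unpadded toy RSA over two small Mersenne primes stands in for the CA's signature algorithm and must not be used for real signatures; the field names, timestamps and serial numbers are constructed.

```python
import hashlib
import json

# Toy CA key pair (assumption of this example): far too small, no padding.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                   # CA public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))           # CA private exponent

def digest(fields):
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ca_sign(name, public_key, expires, serial):
    """CA.privateKey{name, publicKey, expiration time, serial number}."""
    fields = {"name": name, "public_key": public_key,
              "expires": expires, "serial": serial}
    return {**fields, "signature": pow(digest(fields), D, N)}

def accept(cert, now, crl):
    """Valid CA signature, not expired, not in the most recent CRL."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    if pow(cert["signature"], E, N) != digest(fields):
        return "reject: bad CA signature"
    if now >= cert["expires"]:
        return "reject: expired"
    if cert["serial"] in crl:
        return "reject: revoked"
    return "accept"

if __name__ == "__main__":
    cert = ca_sign("A", "A-public-key-placeholder", expires=2000, serial=7)
    print(accept(cert, now=1000, crl=set()))      # still in the group
    print(accept(cert, now=1000, crl={7}))        # A left; serial 7 is on the CRL
    print(accept(cert, now=3000, crl=set()))      # past expiration time
    print(accept({**cert, "public_key": "other"}, now=1000, crl=set()))
```

The second call is the case the slide highlights: the signature is valid and the certificate has not expired, so only the CRL lookup stops B from trusting A.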
Single KDC/CA • Problems: • - Single administration trusted by all principals • - Single point of vulnerability and failure • - Scalability • Solutions: break into multiple domains • Each domain has a trusted administration
Multiple CA Domains • All users of a domain have the public key of the domain’s CA • CAs of different domains hold each other’s public key, forming a mesh, a hierarchy, or a graph. CAs issue certificates for each other • The trust relationship extends along a CA chain
Session Key Establishment • Use long-term shared keys (public/private keys or secret keys) to authenticate • Authentication protocols negotiate session keys for subsequent data encryption • Why: • - Keys “wear out” if used a lot; a shared key requires external means to configure and should be used sparingly • - Shared key encryption is subject to replay attacks • - Once a long-term shared key is compromised, all old encrypted messages can be decrypted
Delegation • Alice logs onto a remote computer from a dumb terminal at home. She needs the computer to access various resources on her behalf • Give the shared secrets to the computer? • Set ACL dynamically on the resources? • Use her private key to sign the permissions (like a certificate), or ask KDC to encrypt the permissions in a ticket
Authentication of People • Main techniques: • What you know: password, SSN, DoB • What you have: physical keys, credit cards, smart card • What you are: biometrics
Authentication Token • A physical device used in authenticating • What you have • - generally coupled with one of the other two mechanisms • Examples: Keys, credit cards (magnetic strip) • Disadvantages: • - requires custom hardware on every access device • - subject to loss or theft • - no or little protection against communication eavesdropping
Smart Card • Smart card: keeps secret and possesses processing capability (CPU and memory) to carry out cryptographic authentication • PIN protected memory card • Cryptographic challenge/response cards • Cryptographic calculator • - keypad + display; no card reader • - time encryption protocols to encrypt the current time; no keypad, no card reader.
Biometrics • What you are: • Retinal scanner • Fingerprint reader • Face recognition • Iris scanner • Handprint reader • Voiceprint • Keystroke timing • Signatures
Reading Assignment • [Kaufman] Chapters 9, 10