
David Evans cs.virginia/evans



  1. Lecture 19: Authentication David Evans http://www.cs.virginia.edu/evans John Daugman, http://www.cl.cam.ac.uk/users/jgd1000/iriscollage.jpg CS588: Cryptography University of Virginia Computer Science

  2. How do you authenticate? • Something you know • Password • Something you have • SecurID, physical key • Something you are • Biometrics (voiceprint, fingerprint, etc.) • Decent authentication requires combination of at least 2 of these University of Virginia CS 588

  3. Early Password Schemes: Login does direct password lookup and comparison. • Login: algore • Password: tipper • Failed login. Guess again.

  4. Eve • Login Process • Terminal: Login: algore, Password: internalcombustion • Trusted Subsystem • login sends <“algore”, “internalcombustion”>

  5. Authentication Problems • Need to store the passwords somewhere – dangerous to rely on this being secure • Encrypt them? But then, need to hide key • Need to transmit password from user to host • Use a secure line (i.e., no remote logins) • Encrypt the transmission (what key?)

  6. Encrypted Passwords: Hmmm.... D(E(“buddy”, K), K) = “buddy”

  7. Hashed Passwords

  8. Encrypted Passwords Try 1 • Terminal: Login: algore, Password: internalcombustion • Trusted Subsystem • login sends <“algore”, H(“internalcombustion”)> • Trusted subsystem compares to stored value.

  9. Encrypted Passwords Try 2 • Terminal: Login: algore, Password: internalcombustion • Trusted Subsystem • login sends <“algore”, “internalcombustion”> • Trusted subsystem computes H(“internalcombustion”) and compares to stored value.

  10. First UNIX Password Scheme • [Wilkes68] (recall DES was 1976) • Encryption based on M-209 cipher machine (US Army WWII) • Easy to invert with unknown plaintext and known key, so the password was used as the key: • Instead of $E_K(\text{password})$, used hash function $E_{\text{password}}(0)$ • PDP-11 could check all lower-case passwords of 5 or fewer letters in 4 hours!

  11. Making Brute Force Attacks Harder • Use a slower encryption (hashing) algorithm • Switched to DES: $H(p) = \mathrm{DES}_p(0)$ • Even slower: run DES lots of times • UNIX uses $\mathrm{DES}_p^{25}(0)$ … $\mathrm{DES}_p(\mathrm{DES}_p(\mathrm{DES}_p(\mathrm{DES}_p(0))))$ • Require longer passwords • DES key is only 56 bits: only uses first 7.5 characters (ASCII) • 95 printable characters, $95^8 = 6.6 \times 10^{15}$

  12. Dictionary Attacks • Try a list of common passwords • All 1-4 letter words • List of common (dog) names • Words from dictionary • Phone numbers, license plates • All of the above in reverse • Simple dictionary attacks retrieve most user-selected passwords • Precompute H(x) for all dictionary entries

  13. At Least 86% of users are dumb (Morris/Thompson 79)

  14. Making Dictionary Attacks Harder • Force/convince users to pick better passwords • Test selected passwords against a known dictionary • Enforce rules on non-alphabet characters, length, etc. • Don’t let attacker see the password file

  15. Problems with User Rules • Users get annoyed • If you require hard to remember passwords, users write them down • Attackers know the password selection rules too – reduces search space!

  16. True Anecdote • One installation: machines generated random 8-letter passwords • Used PDP-11 pseudo-random number generator with $2^{15}$ possible values • Time to try all possible passwords on PDP-11: One minute! • Good news: at least people don’t have to remember the 8 random letters

  17. Everybody loves Buddy

  18. Salt of the Earth (This is the standard UNIX password scheme.) • Salt: 12 random bits • DES+ (m, key, salt) is DES except with salt-dependent E-tables. • How much harder is the off-line dictionary attack?

  19. Security of UNIX Passwords • Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest) • Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988) • L0phtCrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT)

  20. What about Eve? • Eve • Terminal: Login: algore, Password: internalcombustion • Trusted Subsystem • login sends <“algore”, “internalcombustion”> • SSssssshhhh… Be very quiet so Eve can’t hear • Trusted subsystem computes $\text{DES+}^{25}$ (0, “internal”, 12) and compares to stored value.

  21. Simplified SSH Protocol • Terminal: Login: evans, Password: ****** • viper.cs.virginia.edu • login sends $E_{KU_{viper}}$<“evans”, “memodn”> • Eve: Can’t decrypt without $KR_{viper}$

  22. Actual SSH Protocol (between Client and Server; time runs down the diagram) • 1: requests connection • 2: $KU_S$, $KU_t$ • Compares to stored $KU_S$ • 3: $E_{KU_S}[E_{KU_t}[r]]$ || { AES | 3DES } • All traffic encrypted using r and selected algorithm. • $KU_S$ - server’s public host key • $KU_t$ – server’s public key, changes every hour • r – 256-bit random number generated by client

  23. Comparing to stored $KU_S$ • It better be stored securely • PuTTY stores it in the Windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys)

  24. Why Johnny Can’t Even Login • SecureCRT • Default choice!

  25. ssh.com’s SSH

  26. ssh Error

  27. Jennifer Kahng’s 4th Year Thesis Project • People are stupid • Getting people to pay attention is difficult unless you really want to make them angry. (Security vs. convenience) • Only two people (of > 700) emailed webmaster about potential security vulnerability • 31% clicked Continue • 2% typed in “yes”

  28. Why Johnny (von Neumann) Can’t Even Login • A smart attacker just replaces the stored key in registry • An ActiveX control can do this trivially • No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy)

  29. Recap – Authentication Problems • Need to store the passwords somewhere – dangerous to rely on this being secure • Need to transmit password from user to host • Remaining problems: • Users pick bad passwords • Even if everything is secure, can still watch victim type! • Only have to mess up once


  31. GAO IRS Study: The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. "We were able to convince 35 managers and employees to provide us their username and change their password," the report said. That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords. http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL

  32. Solution – Don’t Reuse Passwords • One-time passwords • New users have to memorize a list of secure passwords and use one in turn for each login • Host generates the list using cryptographic random numbers and stores it securely • Users spend hours memorizing passwords...and better not forget one!

  33. One-Time Use Passwords • Can we create a sequence of passwords the host can check without storing anything useful to an attacker on the host? • Recall: Unix repeated use passwords • Host stores: H(p) • User provides: x • Password is valid if H(x) = H(p)

  34. S-Key • Alice picks random number R • S-Key program generates H(R), H(H(R)), ... , $H^{99}(R)$. • Alice prints out these numbers and stores somewhere secure • Host stores $H^{100}(R)$.

  35. S/Key Login • Alice enters $H^{99}(R)$. • Host calculates $H(H^{99}(R))$. • Compares to stored $H^{100}(R)$. • If they match, allows login • And replaces old value with $H^{99}(R)$. • Alice crosses off $H^{99}(R)$, enters $H^{98}(R)$ next time. • S/Key uses MD4 for H

  36. S/Key • > keyinit Adding evans: Reminder - Only use this method if you are directly connected. If you are using telnet or rlogin exit with no password and use keyinit -s. Enter secret password: test Again secret password: test ID evans s/key is 99 sh69506 • $H^{100}(\text{test})$ = sh69506 • What do I need to enter to log in?

  37. S/Key • > key -n 100 99 sh69506 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: test 0: KEEL FLED SUDS BOHR DUD SUP 1: TOW JOBS HOFF GIVE CHUB LAUD … 98: JEAN THEN WEAK ELAN SLOB GAS 99: MUG KNOB ACT ALOE REST TOO

  38. Challenge-Response • Terminal: Login: evans • $E_{KU_{mamba}}$[“evans”] • Challenge x • Challenge: 2357938523 • Response: f(x) • f(x)

  39. Challenge-Response Systems • Ask a question, see if the answer is right • Hard to make up questions only host and user can answer • Question: x? Answer: f(x). • What’s a good choice for f? • E (x, key known to both) • Still have the problem of storing the key • SecurID systems work like this • Challenge is current time (nothing to send)

  40. Biometrics: “Something you are” • Unique(ish) properties of most humans: • Fingerprint • FBI’s Integrated Automated Fingerprint ID system has 48 Million • Iris • Hand shape • Voice • Gait, etc.

  41. UAE Iris Scanning http://www.cl.cam.ac.uk/users/jgd1000/UAEdeployment.pdf • Required of all entering foreigners, compares to database of ~.5M expelled people • IrisCodes: 4096 feature bits • Each bit is ½ probability to agree • Measure hamming distance between 2 irises • 3.8B comparisons per day • 22K matches so far: no false positives

  42. http://www.cl.cam.ac.uk/users/jgd1000/UAEdeployment.pdf

  43. Problems with Biometrics • Fuzzy measures: need to set thresholds to have some false positives and negatives • Easily stolen: expert could obtain all of your fingerprints from this room after you leave • Non-expert can cut off your finger • Voiceprints can be stolen too (Sneakers) • Hard/impossible to change • Transmission link is still vulnerable

  44. Charge • Identity and authentication are hard problems • Passwords don’t work • Windows Longhorn may use two-factor authentication • “I believe that the time of password-only authentication is gone. We need to go to two-factor authentication. This is the only way to bring the level of trust business needs.” (Detlef Eckert, Microsoft’s Trustworthy Computing initiative)
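
Slide 18 asks how much harder the salt makes the off-line dictionary attack of slide 12. The following is an added example, not code from the lecture, that counts the work in both cases; SHA-256 stands in for the DES-based hash, and the word list, user names and salts are constructed.

```python
import hashlib

SALT_BITS = 12  # slide 18: 12 random salt bits, so 4096 possible salts
DICTIONARY = ["buddy", "tipper", "dog", "password"]  # constructed word list


def h(password, salt=None):
    """Stand-in for the DES-based hash (SHA-256 here); the salt is mixed into the input."""
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    return hashlib.sha256(prefix + password.encode()).hexdigest()


def unsalted_exposure(password_file, words):
    """One precomputed table H(x) -> x is looked up for every user."""
    table = {h(w): w for w in words}
    found = {u: table[d] for u, d in password_file.items() if d in table}
    return found, len(table)


def salted_exposure(password_file, words):
    """The dictionary has to be rehashed once per distinct salt in the file."""
    found, hashes, per_salt = {}, 0, {}
    for user, (salt, digest) in password_file.items():
        if salt not in per_salt:
            per_salt[salt] = {h(w, salt): w for w in words}
            hashes += len(words)
        if digest in per_salt[salt]:
            found[user] = per_salt[salt][digest]
    return found, hashes


def full_table_size(words):
    """Entries needed to precompute H(x) for every salt in advance."""
    return len(words) * 2 ** SALT_BITS


# Constructed password files; the salts are fixed here so the output is repeatable.
UNSALTED = {"algore": h("tipper"), "evans": h("buddy"), "alice": h("buddy")}
SALTED = {
    "algore": (7, h("tipper", 7)),
    "evans": (1033, h("buddy", 1033)),
    "alice": (2990, h("buddy", 2990)),
}

if __name__ == "__main__":
    print(unsalted_exposure(UNSALTED, DICTIONARY))
    print(salted_exposure(SALTED, DICTIONARY))
    print(full_table_size(DICTIONARY))
```

The dictionary words are still recovered in both files: the salt multiplies the precomputation by 4096 and hides that two users share a password, but it does not protect a password that is in the dictionary.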
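
Slides 33 to 35 describe the S/Key hash chain. The following is an added example, not code from the lecture or from the S/Key distribution, showing the host-side check and why a replayed password or a stolen host value does not log in; SHA-256 is swapped in for MD4, and `SKeyHost` and the secret `R` are hypothetical names and constructed values.

```python
import hashlib
import hmac


def H(value: bytes) -> bytes:
    """One-way function H. The slides say S/Key uses MD4; SHA-256 is swapped in here."""
    return hashlib.sha256(value).digest()


def chain(secret: bytes, n: int) -> bytes:
    """Return H^n(secret), i.e. H applied n times."""
    out = secret
    for _ in range(n):
        out = H(out)
    return out


class SKeyHost:
    """Host side (hypothetical class name): keeps only the last accepted chain value."""

    def __init__(self, top_of_chain: bytes):
        self.stored = top_of_chain  # H^100(R) at enrolment

    def login(self, otp: bytes) -> bool:
        if hmac.compare_digest(H(otp), self.stored):
            self.stored = otp  # the next login must present this value's preimage
            return True
        return False


def demo() -> list:
    R = b"constructed sample secret R"  # constructed value, not from the slides
    host = SKeyHost(chain(R, 100))
    results = [host.login(chain(R, 99))]       # Alice's first one-time password
    results.append(host.login(chain(R, 99)))   # Eve replays what she overheard
    results.append(host.login(chain(R, 98)))   # Alice's next password
    results.append(host.login(host.stored))    # stolen host state is not a password
    results.append(host.login(chain(R, 100)))  # an already-used chain value
    return results


if __name__ == "__main__":
    print(demo())
```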
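
Slide 39 proposes f(x) = E(x, key known to both) and notes that the challenge can be the current time. The following is an added example, not code from the lecture and not the SecurID algorithm, of both variants; HMAC-SHA256 is used in place of E, and the `Host` class, key and timestamps are hypothetical or constructed.

```python
import hashlib
import hmac
import secrets


def f(key: bytes, x: bytes) -> str:
    """Response function f(x). HMAC-SHA256 is used in place of E(x, key)."""
    return hmac.new(key, x, hashlib.sha256).hexdigest()


class Host:
    """Hypothetical host that holds one shared key per user."""

    def __init__(self, keys):
        self.keys = keys
        self.pending = {}

    def challenge(self, user: str) -> bytes:
        x = secrets.token_bytes(16)  # fresh, unpredictable challenge
        self.pending[user] = x
        return x

    def verify(self, user: str, response: str) -> bool:
        x = self.pending.pop(user, None)  # each challenge is answered at most once
        if x is None or user not in self.keys:
            return False
        return hmac.compare_digest(f(self.keys[user], x), response)


def time_code(key: bytes, now: int, step: int = 60) -> str:
    """Time-as-challenge variant: nothing is sent, both sides use the clock."""
    return f(key, str(now // step).encode())


def verify_time_code(key, code, now, step=60, skew=1):
    """Accept codes from the current step and `skew` steps either side."""
    t = now // step
    return any(hmac.compare_digest(f(key, str(t + d).encode()), code)
               for d in range(-skew, skew + 1))


def demo():
    key = b"constructed shared key"  # constructed value
    host = Host({"evans": key})
    response = f(key, host.challenge("evans"))
    first, replay = host.verify("evans", response), host.verify("evans", response)
    code = time_code(key, 1_000_000)
    return [first, replay, verify_time_code(key, code, 1_000_030),
            verify_time_code(key, code, 1_000_600)]
```

The host still has to store the shared key, which is the remaining problem the slide points out.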
