1 / 29

User authentication

User authentication. Aalto University , autumn 2012. Outline. Passwords Physical security tokens and two-method authentication Biometrics Common mantra: User authentication can be based on something you know something you have something you are. Passwords. Username and password.

sirius
Télécharger la présentation

User authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. User authentication Aalto University, autumn 2012

  2. Outline • Passwords • Physical security tokens and two-method authentication • Biometrics • Common mantra:User authentication can be based on • something you know • something you have • something you are

  3. Passwords

  4. Username and password • Passwords are used for entity authentication • Needed for access control and auditing:access control = authentication + authorization • Entity authentication vs. message authentication • Password is a shared secret between the user and computer system • Limitations arise from the reliance on of human memory and input • What attacks are there against passwords?

  5. Sniffing and key loggers • Password sniffing on the local network used to be a major problem; mostly solved by cryptographic authentication: • SSH, SSL, HTTP Digest Authentication, MS-CHAPv2 • Key logger: software or hardware that stores all key strokes typed on a computer • Used to be a problem in public-access computers e.g. at libraries and cafes • Now can be malwareon any computer • Why do some bank web sites ask you to use the mouse to enter the PIN code?

  6. Password recovery • Humans are prone to forget things  need a process for recovering from password loss • Recovery mechanisms often enable new attacks • What are the advantages and disadvantages of the following recovery mechanisms? • Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name • Emailing password to another user account • Physical visit to helpdesk • Yellow sticker on the back of the keyboard • USB memory stick with a password recovery file

  7. Password reuse • How many different user accounts and passwords do you have? Ever used the same password on two accounts? • Using the same or related passwords on multiple accounts means that one compromised system or account can lead to compromise of the other accounts • Administrative countermeasures: • Passwords chosen by the service, not set by users • Exotic password format requirements • Single sign-on to enable just one password • Personal countermeasures: • Generating service-specific passwords from one master password • Password wallet (e.g. on phone) encrypted with a master password

  8. Shoulder surfing • Keyboards and screens are highly visible  others may see what you are typing • Password and PIN prompts usually do not show the characters • Does this make sense for all secrets input? *******

  9. Password guessing • Dictionary attack and other intelligent guessing vs. brute-force trials • Countermeasures against guessing • Limit the number or rate of login attempts • Minimum password length and complexity, password quality check • Preventing reuse of old passwords • System-generated random passwords • Password aging i.e. mandatory periodic password changes (typically every three months)

  10. Measuring password strength • Many possible metrics: • Number of possible passwords • Entropy = amount of missing information • Average/median time to crack a specific password • Average/median time to crack any one password • Probability of success as a function of time or number of trials • etc. • Metrics are important to consider when designing new types of passwords • Graphical passwords • Requirements to use special characters

  11. Password entropy • Entropy = the amount of missing information Entropy H = - ∑ x ∈ passwords (P(x) ⋅ log2 P(x)) ≤ log2(number of possible passwords) • Examples: • Random 8-character alphanumeric passwords have H = 8 ⋅ log2(26+26+10) = 47.6 bits • Random 4-digit PIN codes have about H = 13.3 bits of entropy • For even probability distribution, one-bit increase in entropy doubles the cost of guessing attacks • Human-selected passwords have less entropy than random ones because some are chosen more often than other • Should banks allow the customer to choose the PIN? • Do password quality checks increase entropy? • Passwords rely on human memory password entropy cannot grow over time  human memory cannot compete with computer speed

  12. Online and offline guessing attacks • Offline attack: cracking the password from a know hash (or other function) of the password • E.g. MS-CHAPv2 or HTTP digest authentication without SSL • Unlimited number of guesses attacker can perform an exhaustive brute-force search • Online guessing: attacker tries to login many times • E.g. PIN code entry on a phone • E.g. network login to an authenticated server over SSH or SSL • System can limit the number or rate of guesses • Big difference in the required password strength: • Online guessing success probability ≈ number of allowed guesses / number of possible passwords • Offline attack requires cryptographic strength from the password, e.g. 128-bit entropy, to prevent exhaustive search

  13. Storing passwords on server • Assume that the password database becomes public • Unix /etc/password is traditionally world readable • Attackers often manage to read files or database tables on a web server e.g. with SQL injection • How to store passwords in a public file? • Store a hashi.e. one-way function of the password • When user enters a password, hash and compare • Use a slow hash (many iterations of a hash function) to make brute-force cracking more difficult • Include random account-specific “salt”: slow_hash( password | salt) to prevent simultaneous brute-force cracking of many passwords, pre-computation attacks, and equality comparison between passwords

  14. Password hashing • Password-based key derivation function PBKDF2 [PKCS#5,RFC2898]* • Good practical function; uses any standard hash function, at least 64-bit salt, any number of iterations • Unix crypt(3) [Morris and Thompson 1978]* • Historical function for storing passwords in /etc/passwd aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh • Password = eight 7-bit characters = 56-bit DES key • Encrypt a zero block 25 times with modified DES • 12-bit salt used to modify DES key schedule • Stored value includes the salt and encryption result • Too short salt enables e.g. rainbow table attacks • Replaced by more modern hash functions and encrypted, read-protectedshadow passwords

  15. DF2PBK Function for slowhashing of passwords Manyiterationsto make the computationslower Used in WPA2-Personal for derivingkeysfrompassword (makesofflinecrackingmoredifficult) Couldalsobeused for hashingstoredpasswords on a server • PBKDF2 (P, S, c, dkLen) P = passwordS = saltc = iteration countdkLen = length of the result PRF = keyed pseudorandom function F (P, S, c, i) = U1 xor U2 xor ... xor Uc U1 = PRF (P, S || i) U2 = PRF (P, U1)... Uc = PRF (P, Uc-1) Repeat for i=1,2,3... until dkLen output bytes produced

  16. Botnets and online guessing • 10 banks, each with 106 customer accounts • Public or easy-to-guess user ID • 4-digit PIN or one-time code required to log in • Client IP address blocked after 3 failed logins per day • Attacker has a botnet of 105 computers • Each bot makes one login attempt to one account in each bank every day  106login attempts in a day  ~100 successful break-ins in a day • Countermeasures: • Make user IDs hard to guess: long, randomly selected, and different from account numbers • Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN  increased entropy reduces attacker success rate

  17. One-time passwords • Use each password only once to thwart password sniffers and key loggers • Lamport hash chain: H1 = hash (secret seed); Hi+1= hash (Hi) • Server stores initially H100 and asks user to enter H99. Next, stores H99 and ask for H98, and so on • Unix S/KEY or OTP [RFC1760,RFC1938] 1: HOLM BONG VARY TIP JUT ROSY 2: LAIR MEMO BERG DARN ROWE RIG 3: FLEA BOP HAUL CLAD DARK ITS 4: MITT HUM FADE CREW SLOG HAST • Hash-based one-time passwords HOTP [RFC4226] HOTP(K,i) = HMAC-SHA-1(K,i) mod 10D • Produces a one-time PIN code of D decimal digits • Time-based one-time passwords • Many commercial products such as RSA SecurID • Which attacks do one-time passwords prevent and which not?

  18. Spoofing attacks • Attacker could spoof the login dialog; how do you know when it is safe to type in the password?

  20. Trusted path • Attacker could spoof the login dialog; how do you know when it is safe to type in the password? • Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system (with the TCB) • Crtl+Alt+Delin Windows opens a security screen that is difficult to spoof • Web browser shows the URL in the address bar in a way that cannot be spoofed by a web server • With malware and virtualization, it is increasingly hard to know what is real

  21. Other threats • No system is perfectly secure: system designers have a specific threat model in mind, but the attacker can break these rules • “The attacker does not agree with the threat model.” (Bruce Christianson) • Some other attacks against PINs and passwords: • Phishing and social engineering • User mistakes: using wrong password • Heat camera to detect pressed keys • Acoustic emanations from the keyboard

  22. Physical security tokens and two-method authentication

  23. Physical security tokens • Smart card is a typical physical security token • Holds cryptographic keys to prove its identity • Tamperproof: secret keys will stay inside • Used for door keys, computer login, ATM • Other security token implementations: smart button, USB dongle, mobile phone • Two-method authentication: require also PIN • Attacker needs to both steal the card and learn the PIN  clear qualitative increase in security

  24. Issues with security tokens • Physical tokens require distribution • Computers (or doors etc.) must have readers • It is not easy to integrate cryptographic tokens to all systems • E.g. how to use a physical token if the application requires cached credentials (password) on the client or on a proxy server • Process needed for recovering from the loss of tokens • Are smart card + PIN really two factors? • One alternative is two-channel authentication: • Confirmation via telephone: callback • Sending a second secret to a known address: text message, email, post

  25. Biometrics

  26. Biometric authentication • Biometric authentication means verifying some physical feature of the user • Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA • Behavioral characteristic: voice, typing, gait • Biometrics are not 100% reliable: • False acceptance rate FAR • False rejection rate FRR • Equal error rate EER FAR FRR 50% EER

  27. Issues with biometrics • Biometrics require enrollment and readers • Big difference in the security of unsupervised vs. supervised readers • E.g. fingerprint reader on computer vs. iris scanner at immigration • Suitability for security architectures: • Are biometric characteristics secrets? • Can they be copied? • How to revoke biometrics? • What if enrollment fails? • Some people have no fingerprints, or no fingers

  28. Reading material • Dieter Gollmann: Computer Security, 2nd ed., chapter 3; 3rd ed. chapter 4 • Matt Bishop: Introduction to computer security, chapter 11 • Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15 • Edward Amoroso: Fundamentals of Computer Security Technology, chapters 18-19

  29. Exercises • Why do you need both the username and password? Would not just one secret identifier (password) be sufficient for logging in? • What effect do strict guidelines for password format (e.g. 8 characters, at least 2 capitals, at least 2 digits, at least 1 special symbol) have on the password entropy? • What is the probability of guessing the code for a phone that allows 3 attempts to guess a 4-digit PIN code, then 10 attempts to guess an 8-digit PUK code? • In what respects is PBKDF2 better for password hashing than crypt(3)? • How do mandatory periodical password changes increase security? What is the optimal interval? • How to limit the number of login attempts without creating a DoS vulnerability? • Learn about graphical passwords and compare their entropy to different-length passwords and PIN codes. • Learn about HTTP Digest Authentication [RFC2617] and MS-Chap-V2 [RFC2759]. Explain how to perform an offline password guessing attack after sniffing a login. • In a social network, could authentication be based on who you know (or who knows you), or where you are? • What advantages and disadvantages might a fingerprint reader have in a car lock?

More Related