1 / 49

User(-to-Device) Authentication*

User(-to-Device) Authentication*. Nitesh Saxena Polytechnic Institute of NYU * Adopted from a previous lecture by Vitaly Shmatikov. Course Admin . Exam next Thursday: same room, 6-8:30pm Final study topics posted Basically covers most of the lecture materials

tave
Télécharger la présentation

User(-to-Device) Authentication*

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. User(-to-Device) Authentication* Nitesh Saxena Polytechnic Institute of NYU *Adopted from a previous lecture by Vitaly Shmatikov

  2. Course Admin • Exam next Thursday: same room, 6-8:30pm • Final study topics posted • Basically covers most of the lecture materials • A sample final exam will be given out soon • TA will do a short review on coming Monday (5-6pm) • HW6 demos on Dec 20 and Dec 21; please sign-up for your slots • HW5 being graded; solution will be provided very soon

  3. Recall: Basic Problem ? How do you prove to someone that you are who you claim to be? Any system with access control must solve this problem

  4. Recall: Many Ways to Authenticate • Something you know • Passwords/PINs • Something you have • Secure tokens • Something you are • Biometrics • What is the best method to authenticate: secure as well as usable and universal? Is there any?

  5. (Textual) Passwords • User has a secret password. System checks it to authenticate the user. • How is the password communicated? • Eavesdropping risk • How is the password stored? • In the clear? Encrypted? Hashed? • How does the system check the password? • How easy is it to guess the password? • Easy-to-remember passwords tend to be easy to guess • Password file is difficult to keep secret

  6. Passwords in the Real World [PasswordResearch.com] • From high school pranks… • Student in Tyler changes school attendance records • Students in California change grades • Different authentication for network login and grade system, but teachers were using the same password (very common) • …to serious cash • English accountant uses co-workers’ password to steal $17 million for gambling • …to identity theft • Helpdesk employee uses passwords of a credit card database to sell credit reports to Nigerian scammers

  7. Passwords and Computer Security • First step after any successful intrusion: install sniffer or keylogger to steal more passwords • Second step: run cracking tools on password files • Usually on other hijacked computers • In Mitnick’s “Art of Intrusion”, 8 out of 9 exploits involve password stealing and/or cracking • Excite@Home: usernames and passwords stored in the clear in troubleshooting tickets • “Dixie bank” hack: use default router password to change firewall rules to enable incoming connections

  8. UNIX-Style Passwords “cypherpunk” user system password file t4h97t4m43 fa6326b1c2 N53uhjr438 Hgg658n53 … hash function

  9. Password Hashing • Instead of user password, store H(password) • When user enters password, compute its hash and compare with entry in password file • System does not store actual passwords! • Difficult to go from hash from password! • Hash function H must have some properties • One-way: given H(password), hard to find password • No known algorithm better than trial and error • Is collision resistance needed?

  10. UNIX Password System • Uses DES encryption as if it were a hash function • Encrypt NULL string using password as the key • Truncates passwords to 8 characters! • Can instruct modern UNIXes to use MD5 hash function • Problem: passwords are not truly random • With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 948 6 quadrillion possible 8-character passwords • Humans like to use dictionary words, human and pet names  1 million common passwords

  11. Dictionary Attack • Password file /etc/passwd is world-readable • Contains user IDs and group IDs which are used by many system programs • Dictionary attack is possible because many passwords come from a small dictionary • Attacker can pre-compute H(word) for every word in the dictionary – this only needs to be done once!! • This is an offline attack • Once password file is obtained, cracking is instantaneous • With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average

  12. Salt • Users with the same password have different entries in the password file • Offline dictionary attack becomes much harder shmat:fURxfg,4hLBX:14510:30:Vitaly:/u/shmat:/bin/csh /etc/passwd entry salt (chosen randomly when password is first set) Password hash(salt,pwd)

  13. Advantages of Salting • Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries • Same hash function on all UNIX machines; identical passwords hash to identical values • One table of hash values works for all password files • With salt, attacker must compute hashes of all dictionary words once for each combination of salt value and password • With 12-bit random salt, same password can hash to 4096 different hash values

  14. Shadow Passwords • Store hashed passwords in /etc/shadow file which is only readable by system administrator (root) • Add expiration dates for passwords • Early Shadow implementations on Linux called the login program which had a buffer overflow! shmat:x:14510:30:Vitaly:/u/shmat:/bin/csh /etc/passwd entry Hashed password is not stored in a world-readable file

  15. Password Security Risks • Keystroke loggers • Hardware • KeyGhost, KeyShark, others • Software (spyware) • Observation attacks • See our recent work on keyboard acoustic emanations: http://eprint.iacr.org/2010/605.pdf • Online attacks • Offline attacks • These can be dealt with somewhat (how?), but…….

  16. User Issues!! • Make passwords easy to remember • “password”, “Longhorns”, “Kevin123” • Write them down • Use a single password at multiple sites • Do you use the same password for Amazon and your bank account? MyPoly? Do you remember them all? • Some services use “secret questions” to reset passwords • “What is your favorite pet’s name?” • Paris Hilton’s T-Mobile cellphone hack • Susceptible to Social Engineering • e.g., Phishing

  17. Social Engineering • Univ. of Sydney study (1996) • 336 CS students emailed asking for their passwords • Pretext: “validate” password database after suspected break-in • 138 returned their passwords; 30 returned invalid passwords; 200 reset passwords (not disjoint) • Treasury Dept. report (2005) • Auditors pose as IT personnel attempting to correct a “network problem” • 35 (of 100) IRS managers and employees provide their usernames and change passwords to a known value • Other examples: Mitnick’s “Art of Deception”

  18. A Recent Email… Images from Anti-Phishing Working Group’s Phishing Archive

  19. Images from Anti-Phishing Working Group’s Phishing Archive

  20. The next page requests: • Name • Address • Telephone • Credit Card Number, Expiration Date, Security Code • PIN • Account Number • Personal ID • Password

  21. Images from Anti-Phishing Working Group’s Phishing Archive

  22. But wait… WHOIS 210.104.211.21: Location: Korea, Republic Of Images from Anti-Phishing Working Group’s Phishing Archive

  23. Phishing: A Growing Problem • Over 16,000 unique phishing attacks reported in Nov. 2005, about double the number from 2004 • Estimates suggest phishing affected 1.2 million US citizens and cost businesses billions of dollars in 2004 • Additional losses due to consumer fears [Anti-Phishing Working Group, Phishing Activity Trends Report, Dec. 2005]

  24. Basic Phishing Attack • Victim receives email seemingly from an institution • Often reports a problem with victim’s account • Email demands immediate action • Victim led to a website that mimics that of the institution • Prompted to enter account information, passwords, personal information, etc. • Two variations: • Passive: Attacker collects victim’s information for later exploitation • Active: Attacker relays victim’s information to the real institution and plunders the account in real time

  25. Current Phishing Techniques • Employ visual elements from target site • DNS Tricks: • www.ebay.com.kr • www.ebay.com@192.168.0.5 • www.gooogle.com • Unicode attacks • JavaScript Attacks • Spoofed SSL lock • Certificates • Phishers can acquire certificates for domains they own • Certificate authorities make mistakes

  26. Advanced Phishing Attacks • Spear-phishing: Improved target selection • Socially aware attacks [Jakobsson 2005] • Mine social relationships from public data • Phishing email appears to arrive from someone known to the victim • Context-aware attacks [ibid] • “Your bid on eBay has won!” • “The books on your Amazon wishlist are on sale!”

  27. User Issues!! • Users are “task-focussed” • Security is a secondary objective • Users choose bad passwords and readily disclose them • Users cannot parse URLs, domain names or PKI certificates • Users are inundated with warnings and pop-ups

  28. Phishing Prevention Approaches • Heuristics • Spoofguard [Chou et al. 2004], TrustBar [HerzGbar 2004], eBay toolbar, SpoofStick • Recent studies indicate users ignore toolbar warnings [Wu et al. 2005]

  29. Spoofguard example

  30. Other Approaches • Origin/Server Authentication • Dynamic Security Skins [DhamTyga 2004], Passmark, and the Petname project; BankofAmerica SiteKey • All rely on user diligence – a single mistake will result in a compromised account (slow to load image!)

  31. Another approach • PwdHash • Instead of the password p, share the hash of the password (concatenated with domain name): H(p, domain) • User types in the password p, the browser computes H(p, domain) and send it to the server • Phishing site learns the hashed value for its own doman, which is of no “direct” use (except running a dictionary attack on the password)

  32. In summary • Lot of problems with the passwords • Especially due to user behavior • Can we help users pick strong(er) passwords • Use of mnemonics: Easy to remember but hard to guess phrases • Phrase to a password • “Jack and Jill went up the hill” (JaJwuth) (probably not good!) • “I’ve owned 4 Gateway computers so far” (Io4Gcsf ) • Other Directions…

  33. Graphical Passwords • Images are easy for humans to recall/recognize • Especially if you invent a memorable story to go along with the images • Images can not be “written down”

  34. Recognition Based Techniques Dhamija and Perrig Scheme Pick several pictures out of many choices, identify them later in authentication. http://www.random-art.org/ • Using Hash Visualization, which, given a seed, automatically generate a set of pictures • No need to store images, but take longer to create passwords password space: N!/K! (N-K)! ( N-total number of pictures; K-number of pictures selected as passwords)

  35. Recognition Based Techniques Sobrado and Birget Scheme System display a number of pass-objects (pre-selected by user) among many other objects, user click inside the convex hull bounded by pass-objects. • authors suggeated using 1000 objects, which makes the display very crowed and the objects almost indistinguishable. password space: N!/K! (N-K)! ( N-total number of picture objects; K-number of pre-registered objects)

  36. Recognition Based Techniques PassFaces Using human faces as password

  37. User Quotes • “I chose the images of the ladies which appealed the most” • “I simply picked the best lookin girl on each page” • “In order to remember all the pictures for my login (after forgetting my ‘password’ 4 times in a row) I needed to pick pictures I could EASILY remember... So I chose beautiful women. The other option I would have chosen was handsome men, but the women are much more pleasing to look at”

  38. More User Quotes • “I picked her because she was female and Asian and being female and Asian, I thought I could remember that” • “I started by deciding to choose faces of people in my own race…” • “… Plus he is African-American like me”

  39. Recall Based Techniques Draw-A-Secret (DAS) Scheme User draws a simple picture on a 2D grid, the coordinates of the grids occupied by the picture are stored in the order of drawing redrawing has to touch the same grids in the same sequence in authentication user studies showed the drawing sequences is hard to Remember

  40. Recall Based Techniques “PassPoint” Scheme User click on any place on an image to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, user must click within the tolerances in correct sequence. can be hard to remember the sequences Password Space: N^K ( N -the number of pixels or smallest units of a picture, K - the number of Point to be clicked on )

  41. Disadvantages • Graphical password schemes are perceived to be more vulnerable to “shoulder surfing” • A change in infrastructure is needed • Need to store, transmit images in many cases

  42. Biometric Authentication • Nothing to remember • Passive • Nothing to type, no devices to carry around • Can’t share (usually) • Can be fairly unique • … If measurements are sufficiently accurate

  43. Problems with Biometrics • Identification vs. authentication • Identification = associating an identity with an event or a piece of data • Example: fingerprint at a crime scene • Authentication = verifying a claimed identity • Example: fingerprint scanner to enter a building • How hard are biometric readings to forge? • Difficulty of forgery is routinely overestimated • Analysis often doesn’t take into account the possibility of computer-generated forgery • Revocation is difficult or impossible

  44. Fake Fingers [Schuckers] • Gelatin: gummy fingers • Play-Doh fingers fool 90% of fingerprint scanners • Clarkson University study • Suggested perspiration measurement to test “liveness” of the finger

  45. Face/off 

  46. Tokens • Generally used to improve security of passwords • Two-factor authentication: “Something you have” + “Something you know” • Use of “one time passwords” • Example: RSA SecurID (many different forms) • Problem: token might not be available, when needed; also each secure site needs a different token

  47. Playful Security: Security can be fun! • A direction we have been taking • Make security tasks fun and entertaining for the users; entice them • Hoping that users will better comply at them • Tom Sawyer Effect • Can be applied to many different problems • Currently, Google has shown interest in our research

  48. References • Use google • Some of these can be found here: • http://www.cs.utexas.edu/~shmat/courses/cs378_fall07/cs378_ref.html

More Related