# pptx

Ασφάλεια

30 Νοε 2013 (πριν από 4 χρόνια και 7 μήνες)

116 εμφανίσεις

slide
1

Authentication

slide
2

Topics today

Background: Hash Functions

Challenge
-
Response

Biometrics

HASH FUNCTIONS

slide
3

slide
4

Hash Functions: Main Idea

bit strings of any length

n
-
bit bit strings

.

.

.

.

.

x’

x’’

x

y’

y

hash function H

Hash function H is a
lossy

compression function

H(x) should look “random”

Every bit (almost) equally likely to be 0 or 1

“message

digest”

message

Collisions

Collision:

H(x)=H(x’) for some inputs
x≠x

Collisions
must

happen

Length of x unlimited, length of H(x) is n
-
bits !

Even if length of x is bounded |x| = b, and
b > n
,
there will be collisions

“Pigeonhole principle”
"
םינויה ךבוש ןורקע
"

A hash function
cannot be
1
-
to
-
1

Cryptographic hash function

must have certain
properties

slide
5

slide
6

Property 1: One
-
Way

Intuition: hash should be hard to invert

Preimage

resistance”

Given random y, it should be “hard” to find any x
such that h(x)=y

How hard?

Brute
-
force: try every possible x, see if h(x)=y

SHA
-
1 (common hash function) has 160
-
bit output

Suppose have hardware that’ll do 2
30

trials a pop

Assuming 2
34

trials per second, can do 2
89

trials per year

Will take 2
71

years to invert SHA
-
1 on a random image

How likely is it that some people have the same
birthday in a class of T students?

If there are T=366 people in class then

Prob
(not all different birthdays | T people) = 0

How big should T be so

Prob
(not all different birthdays | T people)
>= ½ ??

Let’s experiment !

How many possibilities that are all different?

(K)
T

= K(K
-
1
)…(K
-
T+
1
)
-

samples without replacement

Probability of no repetition?

𝑘

𝑘

1

𝑘

2

(
𝑘

𝑡
+
1
)
𝑘

𝑘

𝑘

𝑘
=

𝑘
𝑘

𝑘

1
𝑘

𝑘

𝑡
+
1
𝑘
=
1

1

1
𝑘

1

2
𝑘

1

𝑡

1
𝑘

𝑒

1
𝑘

𝑒

2
𝑘

𝑒

3
𝑘

𝑒

𝑡

1
𝑘

𝑒

𝑡
2
2
𝑘

𝑒

𝑡
2
2𝑘

1
2

𝑡
2
2𝑘

ln
2

𝑡
2

2
(
ln
2
)
𝑘
=
1
.
38𝑘

𝑡

1
.
38𝑘

Bottom line: For
k=365, t=23

suffices

In general
𝑡
=
𝛀
(
𝑘
)

suffices

slide
9

slide
10

Property 2: Collision Resistance

Hard to find
some

x≠x
’ such that h(x)=h(x’)

Brute
-
force collision search is O(2
n/2
),
not

O(2
n
)

n = number of bits in the output of hash function

For SHA
-
1, this means O(2
80
) vs. O(2
160
)

Let T be the number of values x1, x2, x3, … we need to
look at before finding the first pair
xi≠x
j

s.t.

h(xi)=h(
xj
)

Assuming h is random, how big should T be so the
probability of finding a repetition >= ½ ?

Total number of possible values?

Conclusion:

K=2
n

T

2
n/
2

slide
11

Property 3: Weak Collision Resistance

Given a randomly chosen x, hard to find x’
such that h(x)=h(x’)

Attacker must find collision for a
specific

x…

by contrast, to break collision resistance, enough
to find
any

collision

Brute
-
force attack requires O(2
n
) time

Weak collision resistance does
not

imply
collision resistance (why?)

slide
12

Hashing vs. Encryption

Hashing is one
-
way. There is no “uh
-
hashing”!

In contrast, encryption is two
-
way: can decrypt a
ciphertext

with the decryption key

Hashes have no equivalent of “decryption”

Hash(x) looks “random”… but can be compared
for equality with Hash(x’)

Hashes are also known as
“cryptographic
checksums”

slide
13

When user enters password, compute its hash
and compare with entry in password file

System does not store actual passwords!

Difficult to go from hash to password!

slide
14

Application: Software Integrity

goodFile

Software manufacturer wants to ensure that the executable file

is received by users without modification…

Sends out the file to users and publishes its hash in the NY Times

The goal is
integrity
, not secrecy

Idea: given goodFile and hash(goodFile),

BigFirm™

User

VIRUS

The Times

hash(goodFile)

slide
15

Which Property Do We Need?

One
-
wayness
: hard to recover entire password

Integrity of software distribution

Weak collision resistance

But software images are not really random… maybe
need full collision resistance

slide
16

Common Hash Functions

MD5

128
-
bit output

Still used very widely

Completely broken by now

RIPEMD
-
160

160
-
bit variant of MD
-
5

SHA
-
1 (Secure Hash Algorithm)

160
-
bit output

US government (NIST) standard as of 1993
-
95

Also the hash algorithm for Digital Signature Standard (DSS)

Overview of MD5

Designed in 1991 by Ron Rivest

Iterative design using compression function

M
1

M
2

M
3

M
4

IHV
0

Com
-

press

Com
-

press

Com
-

press

Com
-

press

IHV
4

slide
17

slide
18

History of MD5 Collisions

2004: first collision attack

Only difference between colliding messages is 128
random
-
looking bytes

2007: chosen
-
prefix collisions

For any prefix, can find colliding messages have this
prefix

and differ up to 716 random
-
looking bytes

2008: rogue certificates

End of MD5

slide
19

Basic Structure of SHA
-
1

Split message into
512
-
bit blocks

Compression function

Applied to each 512
-
bit block

and current 160
-
bit buffer

This is the heart of SHA
-
1

160
-
bit
buffer

(5 registers)

initialized with magic values

slide
20

How Strong Is SHA
-
1?

Every bit of output depends on every bit of input

Very important property for collision
-
resistance

Brute
-
force inversion requires 2
160

ops, birthday
attack on collision resistance requires 2
80

ops

Some recent weaknesses (2005)

Collisions can be found in 2
63

ops

AUTHENTICATION:

QUESTIONS

slide
21

slide
22

Basic Problem

?

How do you prove to someone that

you are who you claim to be?

Any system with access control must solve this problem

slide
23

Many Ways to Prove Who You Are

What you know

Answers to questions that only you know

Where you are

What you are

Biometrics

What you have

Secure tokens

slide
24

-
Based Authentication

System checks it to authenticate the user.

Eavesdropping risk

In the clear? Encrypted? Hashed?

How does the system check the password?

How easy is it to guess the password?

Easy
-
to
-
remember passwords tend to be easy to guess

Password file is difficult to keep secret

slide
25

Physical intrusion: install

sniffer

or
keylogger

Run cracking tools on password files

Cracking needed because modern systems usually do
not store passwords in the clear (how are they stored?)

In
Mitnick’s

“Art of Intrusion”, 8 out of 9 exploits

slide
26

Pennsylvania ice cream shop phone scam

Voicemail PIN defaults to last 4 digits of phone number;
criminals change message to “I accept collect call”,
make \$8600 on a 35
-
hour call to Saudi Arabia

Examples from Mitnick’s “Art of Intrusion”

U.S. District Courthouse server: “public” / “public”

NY Times employee database: pwd = last 4 SSN digits

“Dixie bank”: break into router (pwd=“administrator”),
then into IBM AS/400 server (pwd=“administrator”),
install keylogger to snarf other passwords

slide
27

t4h97t4m43

fa6326b1c2

N53uhjr438

Hgg658n53

user

“cypherpunk”

hash

function

slide
28

When user enters password, compute its hash
and compare with entry in password file

System does not store actual passwords!

Difficult to go from hash from password!

Hash function H must have some properties

Given H(password), hard to find string X such that
-

why?

slide
29

Uses DES encryption as if it were a hash function

Encrypt NULL string using password as the key

Artificial slowdown: run DES 25 times
(why?)

Can instruct modern UNIXes to use MD5 hash function

Problem:

With 52 upper
-

and lower
-
case letters, 10 digits and
32 punctuation symbols, there are 94
8

possible 8
-

Humans like to use dictionary words, human and pet
names

1 million

slide
30

Dictionary Attack

/etc/passwd

is world
-

Contains user IDs and group IDs which are used by
many system programs

Dictionary attack

is possible because many
passwords come from a small dictionary

Attacker can pre
-
compute H(word) for every word in
the dictionary

this only needs to be done once!!

This is an
offline

attack

Once password file is obtained, cracking is instantaneous

With
1
,
000
,
000
-
word dictionary and assuming
10
guesses per second, brute
-
force
online

attack takes
50
,
000
seconds (
14
hours) on average

slide
31

Klein (1990) and
Spafford

(1992)

2.7% guessed in 15 minutes, 21% in a week

Much more computing power is available now!

U. of Michigan: 5% of passwords were “
goblue

(cheer for their football team)

Zviran

and
Haga

(1999)

DoD

facility in California

-
7 characters in length, 80%
used alphabetic characters only, 80% of the users had

slide
32

Dictionary with words spelled backwards

First and last names, streets, cities

Same with upper
-
case initials

Room numbers, telephone numbers, etc.

Letter substitutions and other tricks

If you can think of it, attacker will, too

slide
33

shmat:
fURxfg,4hLBX
:14510:30:Vitaly:/u/shmat:/bin/csh

/etc/passwd entry

salt

(chosen randomly when

hash(salt,pwd)

Users with the same password have
different

entries

Offline dictionary attack becomes much harder

slide
34

Without salt, attacker can pre
-
compute hashes of
all dictionary words once for
all

Same hash function on all UNIX machines; identical

One table of hash values works for all password files

With salt, attacker must compute hashes of all
dictionary words once for
each

combination of

With 12
-
bit random salt, same password can hash to
4096 different hash values

slide
35

shmat:
x
:14510:30:Vitaly:/u/shmat:/bin/csh

file which is

Early Shadow implementations on Linux called the

not

stored in a world
-

/etc/passwd entry

slide
36

Write them down

Use a single password at multiple sites

Do you use the same password for Amazon and your
bank account? Do you remember them all?

Forget them… many services use “security

“What is your favorite pet’s name?”

Paris Hilton’s T
-
Mobile cellphone hack

slide
37

Problems with Security Questions

Inapplicable

What high school did your spouse attend?

Not memorable

Name of kindergarten teacher? Price of your first car?

Ambiguous

Name of college you applied to but did not attend?

Easily guessable

Age when you married? Year you met your spouse?
Favorite president? Favorite color?

Automatically attackable (using public records!)

[Rabkin, “Security questions in the era of Facebook”]

slide
38

Answers Are Easy to Find Out…

Until 1998, Ford had >25% of market

First name of your best friend?

10% of males: James/Jim, John, Robert/Bob/Rob

Name of your first / favorite pet?

Max, Jake, Buddy, Bear…

Top 500 (covers 65% of names) available online

Where you went to school, college athletic rivals,
favorite book/movie/pastime, high school mascot

slide
39

slide
40

Images are easy for humans to remember

Especially if you invent a memorable story to go
along with the images

Dictionary attacks on graphical passwords are
believed to be difficult

Images are very “random” (is this true?)

Still not a perfect solution

Need infrastructure for displaying and storing images

Shoulder surfing

How Passfaces Works

Users Are Assigned a Set of
5
* Passfaces

User Interface

Library of Faces

* Typical implementation

3 to 7 possible as standard

How Passfaces
Works

5 Passfaces are Associated with 40 associated decoys

Passfaces are presented in five 3 by 3 matrices each having 1
Passface and 8 decoys

slide
43

Empirical Results

Experimental study of 154 computer science
students at Johns Hopkins and Carnegie Mellon

Conclusions:

“… faces chosen by users are highly affected by the
race of the user… the gender and attractiveness of the
In the case of male users,
we found this bias so severe that we do not believe it
possible to make this scheme secure against an online
attack
…”

2 guesses enough for 10% of male users

8 guesses enough for 25% of male users

slide
44

User Quotes

“I chose the images of the ladies which appealed
the most”

“I simply picked the best looking girl on each
page”

“I picked her because she was female and Asian
and being female and Asian, I thought I could
remember that”

“I started by deciding to choose faces of people in
my own race…”

“… Plus he is African
-
American like me

CHALLENGE
-

RESPONSE

slide
45

slide
46

Security Against Eavesdropping

Idea: use a shared secret to derive a
one
-
time

If the attacker eavesdrops on the network, he’ll
learn this password but it will be useless for

slide
47

Challenge
-
Response

user

system

secret

challenge value

f(secret,challenge)

Why is this better than the password over a network?

secret

slide
48

Challenge
-
Response Authentication

User and system share a
secret

Challenge
: system presents user with some string

Response
: user computes response based on the
secret and the challenge

Secrecy:

difficult to recover key from response

One
-
way hashing or symmetric encryption work well

Freshness:

if challenge is fresh, attacker on the
network cannot replay an old response

For example, use a fresh random number for each challenge

Good for systems with pre
-
installed secret keys

Car keys; military friend
-
or
-
foe identification

slide
49

SecurID

Alice

Bob

KEY

v= F(KEY, 0)

KEY

Verifies v=F(KEY,
0
)

?

Time
-
based (60 seconds) or

every button press

Allow for skew in the counter value

RSA SecurID: 5
-
minute clock skew by default

Setup: generate random key

Counter:

Counter:

v= F(KEY, 1)

Verifies v=F(KEY,1)

?

0

1

0

1

RSA uses a custom function

Input:
64
-
bit key,
24
-
bit ctr

Output:
6
-
digit value

BIOMETRIC
AUTHENTICATION

slide
50

slide
51

Biometric Authentication

Nothing to remember

Passive

Nothing to type, no devices to carry around

Can’t share (usually)

Can be fairly unique

… if measurements are sufficiently accurate

slide
52

Problems with Biometrics

How hard are biometric readings to forge?

Difficulty of forgery is routinely overestimated

Analysis often doesn’t take into account the possibility
of computer
-
generated forgery

Revocation

is difficult or impossible

slide
53

Biometric Error Rates (Benign)

“Fraud rate” vs. “insult rate”

Fraud = system accepts a forgery (false accept)

Insult = system rejects valid user (false reject)

Increasing acceptance threshold increases fraud
rate, decreases insult rate

For biometrics, U.K. banks set target fraud rate of
1%, insult rate of 0.01%
[Ross Anderson]

Common signature recognition systems achieve equal
error rates around 1%
-

not good enough!

slide
54

Biometrics (1)

Face recognition (by a computer algorithm)

Error rates up to 20%, given reasonable variations in
lighting, viewpoint and expression

Fingerprints

1911: first US conviction on fingerprint evidence

-
point match

Probability of false match is 1 in 10 billion

No successful challenges until 2000

Fingerprint damage impairs recognition

Ross Anderson’s scar crashes FBI scanner

slide
55

Biometrics (2)

Iris scanning

Irises are very random, but stable through life

Different between the two eyes of the same individual

256
-
byte iris code based on concentric rings between
the pupil and the outside of the iris

Equal error rate better than 1 in a million

Best biometric mechanism currently known

Hand geometry

Used in nuclear premises entry control, INSPASS
(discontinued in 2002)

Voice, ear shape, vein pattern, face temperature

slide
56

Surgical Change

slide
57

Stealing Biometrics

slide
58

Involuntary Cloning

Clone a biometric without victim’s knowledge or assistance

“my voice is my

cloned retina

Fingerprints from

beer bottles

Eye laser scan

slide
59

Cloning a Finger

[Matsumoto]

slide
60

Molding

[Matsumoto]

slide
61

The Mold and the Gummy Finger

[Matsumoto]