pptx

minorbigarmΑσφάλεια

30 Νοε 2013 (πριν από 3 χρόνια και 10 μήνες)

97 εμφανίσεις

slide
1

Authentication

slide
2

Topics today


Background: Hash Functions


Password


Graphical passwords


Challenge
-
Response


Biometrics



HASH FUNCTIONS

slide
3

slide
4

Hash Functions: Main Idea

bit strings of any length

n
-
bit bit strings

.

.

.

.

.

x’

x’’

x

y’

y

hash function H


Hash function H is a
lossy

compression function


H(x) should look “random”


Every bit (almost) equally likely to be 0 or 1

“message

digest”

message

Collisions


Collision:

H(x)=H(x’) for some inputs
x≠x




Collisions
must

happen


Length of x unlimited, length of H(x) is n
-
bits !


Even if length of x is bounded |x| = b, and
b > n
,
there will be collisions


“Pigeonhole principle”
"
םינויה ךבוש ןורקע
"


A hash function
cannot be
1
-
to
-
1


Cryptographic hash function

must have certain
properties


slide
5

slide
6

Property 1: One
-
Way


Intuition: hash should be hard to invert



Preimage

resistance”


Given random y, it should be “hard” to find any x
such that h(x)=y


How hard?


Brute
-
force: try every possible x, see if h(x)=y


SHA
-
1 (common hash function) has 160
-
bit output


Suppose have hardware that’ll do 2
30

trials a pop


Assuming 2
34

trials per second, can do 2
89

trials per year


Will take 2
71

years to invert SHA
-
1 on a random image

Probability background: “Birthday Paradox”


How likely is it that some people have the same
birthday in a class of T students?



If there are T=366 people in class then


Prob
(not all different birthdays | T people) = 0



How big should T be so


Prob
(not all different birthdays | T people)
>= ½ ??



Let’s experiment !

“Birthday Paradox” analysis


How many possibilities that are all different?


(K)
T

= K(K
-
1
)…(K
-
T+
1
)
-

samples without replacement


Probability of no repetition?

𝑘

𝑘

1

𝑘

2


(
𝑘

𝑡
+
1
)
𝑘

𝑘

𝑘


𝑘
=


𝑘
𝑘

𝑘

1
𝑘




𝑘

𝑡
+
1
𝑘
=
1

1

1
𝑘

1

2
𝑘



1

𝑡

1
𝑘



𝑒

1
𝑘

𝑒

2
𝑘

𝑒

3
𝑘



𝑒

𝑡

1
𝑘


𝑒

𝑡
2
2
𝑘

Birthday Paradox continued

𝑒

𝑡
2
2𝑘

1
2







𝑡
2
2𝑘

ln
2






𝑡
2

2
(
ln
2
)
𝑘
=
1
.
38𝑘



𝑡

1
.
38𝑘



Bottom line: For
k=365, t=23

suffices


In general
𝑡
=
𝛀
(
𝑘
)

suffices

slide
9

slide
10

Property 2: Collision Resistance


Hard to find
some

x≠x
’ such that h(x)=h(x’)


Brute
-
force collision search is O(2
n/2
),
not

O(2
n
)


n = number of bits in the output of hash function


For SHA
-
1, this means O(2
80
) vs. O(2
160
)


Reason: birthday paradox


Let T be the number of values x1, x2, x3, … we need to
look at before finding the first pair
xi≠x
j

s.t.

h(xi)=h(
xj
)


Assuming h is random, how big should T be so the
probability of finding a repetition >= ½ ?


Total number of possible values?


Conclusion:

K=2
n

T


2
n/
2

slide
11

Property 3: Weak Collision Resistance


Given a randomly chosen x, hard to find x’
such that h(x)=h(x’)


Attacker must find collision for a
specific

x…


by contrast, to break collision resistance, enough
to find
any

collision


Brute
-
force attack requires O(2
n
) time


Weak collision resistance does
not

imply
collision resistance (why?)


slide
12

Hashing vs. Encryption


Hashing is one
-
way. There is no “uh
-
hashing”!


In contrast, encryption is two
-
way: can decrypt a
ciphertext

with the decryption key


Hashes have no equivalent of “decryption”


Hash(x) looks “random”… but can be compared
for equality with Hash(x’)



Hashes are also known as
“cryptographic
checksums”

slide
13

Application: Password Hashing


Instead of user password, store
H(password)


When user enters password, compute its hash
and compare with entry in password file


System does not store actual passwords!


Difficult to go from hash to password!



System cannot “restore” your password!

slide
14

Application: Software Integrity

goodFile

Software manufacturer wants to ensure that the executable file


is received by users without modification…

Sends out the file to users and publishes its hash in the NY Times

The goal is
integrity
, not secrecy

Idea: given goodFile and hash(goodFile),


very hard to find badFile such that hash(goodFile)=hash(badFile)

BigFirm™

User

VIRUS

badFile

The Times

hash(goodFile)

slide
15

Which Property Do We Need?


UNIX passwords stored as hash(password)


One
-
wayness
: hard to recover entire password


Are passwords random?


Integrity of software distribution


Weak collision resistance


But software images are not really random… maybe
need full collision resistance

slide
16

Common Hash Functions


MD5


128
-
bit output


Still used very widely


Completely broken by now


RIPEMD
-
160


160
-
bit variant of MD
-
5


SHA
-
1 (Secure Hash Algorithm)


160
-
bit output


US government (NIST) standard as of 1993
-
95


Also the hash algorithm for Digital Signature Standard (DSS)

Overview of MD5


Designed in 1991 by Ron Rivest


Iterative design using compression function









M
1

M
2

M
3

M
4

IHV
0

Com
-

press

Com
-

press

Com
-

press

Com
-

press

IHV
4

slide
17

slide
18

History of MD5 Collisions


2004: first collision attack


Only difference between colliding messages is 128
random
-
looking bytes


2007: chosen
-
prefix collisions


For any prefix, can find colliding messages have this
prefix

and differ up to 716 random
-
looking bytes


2008: rogue certificates


End of MD5


Talk about this in more detail when discussing PKI

slide
19

Basic Structure of SHA
-
1

Against padding attacks

Split message into
512
-
bit blocks

Compression function



Applied to each 512
-
bit block


and current 160
-
bit buffer



This is the heart of SHA
-
1

160
-
bit
buffer

(5 registers)

initialized with magic values

slide
20

How Strong Is SHA
-
1?


Every bit of output depends on every bit of input


Very important property for collision
-
resistance


Brute
-
force inversion requires 2
160

ops, birthday
attack on collision resistance requires 2
80

ops


Some recent weaknesses (2005)


Collisions can be found in 2
63

ops







AUTHENTICATION:

PASSWORDS AND SECURITY
QUESTIONS

slide
21

slide
22

Basic Problem

?

How do you prove to someone that

you are who you claim to be?

Any system with access control must solve this problem

slide
23

Many Ways to Prove Who You Are


What you know


Passwords


Answers to questions that only you know


Where you are


IP address


What you are


Biometrics


What you have


Secure tokens


slide
24

Password
-
Based Authentication

User has a secret password.

System checks it to authenticate the user.


How is the password communicated?


Eavesdropping risk


How is the password stored?


In the clear? Encrypted? Hashed?


How does the system check the password?


How easy is it to guess the password?


Easy
-
to
-
remember passwords tend to be easy to guess


Password file is difficult to keep secret

slide
25

Passwords and Computer Security


Physical intrusion: install


sniffer

or
keylogger

to steal passwords





Run cracking tools on password files


Cracking needed because modern systems usually do
not store passwords in the clear (how are they stored?)


In
Mitnick’s

“Art of Intrusion”, 8 out of 9 exploits
involve password stealing and/or cracking

slide
26

Default Passwords


Pennsylvania ice cream shop phone scam


Voicemail PIN defaults to last 4 digits of phone number;
criminals change message to “I accept collect call”,
make $8600 on a 35
-
hour call to Saudi Arabia


Examples from Mitnick’s “Art of Intrusion”


U.S. District Courthouse server: “public” / “public”


NY Times employee database: pwd = last 4 SSN digits


“Dixie bank”: break into router (pwd=“administrator”),
then into IBM AS/400 server (pwd=“administrator”),
install keylogger to snarf other passwords


“99% of people there used ‘password123’ as their password”

slide
27

Storing Passwords


t4h97t4m43


fa6326b1c2


N53uhjr438


Hgg658n53




user

system password file

“cypherpunk”

hash

function

slide
28

Password Hashing


Instead of user password, store
Hash(password)


When user enters password, compute its hash
and compare with entry in password file


System does not store actual passwords!


Difficult to go from hash from password!


Hash function H must have some properties


Given H(password), hard to find string X such that
H(X)=H(password)
-

why?

slide
29

UNIX Password System


Uses DES encryption as if it were a hash function


Encrypt NULL string using password as the key


Truncates passwords to 8 characters!


Artificial slowdown: run DES 25 times
(why?)


Can instruct modern UNIXes to use MD5 hash function


Problem:
passwords are not truly random


With 52 upper
-

and lower
-
case letters, 10 digits and
32 punctuation symbols, there are 94
8



6 quadrillion

possible 8
-
character passwords


Humans like to use dictionary words, human and pet
names


1 million

common passwords

slide
30

Dictionary Attack


Password file
/etc/passwd

is world
-
readable


Contains user IDs and group IDs which are used by
many system programs


Dictionary attack

is possible because many
passwords come from a small dictionary


Attacker can pre
-
compute H(word) for every word in
the dictionary


this only needs to be done once!!


This is an
offline

attack


Once password file is obtained, cracking is instantaneous


With
1
,
000
,
000
-
word dictionary and assuming
10
guesses per second, brute
-
force
online

attack takes
50
,
000
seconds (
14
hours) on average

slide
31

Old Password Surveys


Klein (1990) and
Spafford

(1992)


2.7% guessed in 15 minutes, 21% in a week


Much more computing power is available now!


U. of Michigan: 5% of passwords were “
goblue



(cheer for their football team)


Zviran

and
Haga

(1999)


Password usage at a
DoD

facility in California


80% of passwords were 4
-
7 characters in length, 80%
used alphabetic characters only, 80% of the users had
never changed their password

slide
32

Password Guessing Techniques


Dictionary with words spelled backwards


First and last names, streets, cities


Same with upper
-
case initials


All valid license plate numbers in your state


Room numbers, telephone numbers, etc.


Letter substitutions and other tricks


If you can think of it, attacker will, too

slide
33

Storing Passwords : Salt

shmat:
fURxfg,4hLBX
:14510:30:Vitaly:/u/shmat:/bin/csh

/etc/passwd entry

salt

(chosen randomly when

password is first set)

hash(salt,pwd)

Password


Users with the same password have
different

entries
in the password file


Offline dictionary attack becomes much harder

slide
34

Advantages of Salting


Without salt, attacker can pre
-
compute hashes of
all dictionary words once for
all

password entries


Same hash function on all UNIX machines; identical
passwords hash to identical values


One table of hash values works for all password files


With salt, attacker must compute hashes of all
dictionary words once for
each

combination of
salt value and password


With 12
-
bit random salt, same password can hash to
4096 different hash values

slide
35

Shadow Passwords

shmat:
x
:14510:30:Vitaly:/u/shmat:/bin/csh


Store hashed passwords in
/etc/shadow

file which is
only readable by system administrator (root)


Add expiration dates for passwords


Early Shadow implementations on Linux called the
login program which had a buffer overflow!

Hashed password is
not

stored in a world
-
readable file

/etc/passwd entry

slide
36

How People Use Passwords


Write them down


Use a single password at multiple sites


Do you use the same password for Amazon and your
bank account? Do you remember them all?


Forget them… many services use “security
questions” to reset passwords


“What is your favorite pet’s name?”


Paris Hilton’s T
-
Mobile cellphone hack

slide
37

Problems with Security Questions


Inapplicable


What high school did your spouse attend?


Not memorable


Name of kindergarten teacher? Price of your first car?


Ambiguous


Name of college you applied to but did not attend?


Easily guessable


Age when you married? Year you met your spouse?
Favorite president? Favorite color?


Automatically attackable (using public records!)

[Rabkin, “Security questions in the era of Facebook”]

slide
38

Answers Are Easy to Find Out…



Make of your first car?


Until 1998, Ford had >25% of market



First name of your best friend?


10% of males: James/Jim, John, Robert/Bob/Rob



Name of your first / favorite pet?


Max, Jake, Buddy, Bear…


Top 500 (covers 65% of names) available online


Information available from Facebook, etc.


Where you went to school, college athletic rivals,
favorite book/movie/pastime, high school mascot

GRAPHICAL PASSWORDS

slide
39

slide
40

Graphical Passwords


Images are easy for humans to remember


Especially if you invent a memorable story to go
along with the images


Dictionary attacks on graphical passwords are
believed to be difficult


Images are very “random” (is this true?)


Still not a perfect solution


Need infrastructure for displaying and storing images


Shoulder surfing

How Passfaces Works

Users Are Assigned a Set of
5
* Passfaces

User Interface

Library of Faces

* Typical implementation


3 to 7 possible as standard

How Passfaces
Works


5 Passfaces are Associated with 40 associated decoys


Passfaces are presented in five 3 by 3 matrices each having 1
Passface and 8 decoys

slide
43

Empirical Results


Experimental study of 154 computer science
students at Johns Hopkins and Carnegie Mellon


Conclusions:


“… faces chosen by users are highly affected by the
race of the user… the gender and attractiveness of the
faces bias password choice…
In the case of male users,
we found this bias so severe that we do not believe it
possible to make this scheme secure against an online
attack
…”


2 guesses enough for 10% of male users


8 guesses enough for 25% of male users

slide
44

User Quotes


“I chose the images of the ladies which appealed
the most”


“I simply picked the best looking girl on each
page”


“I picked her because she was female and Asian
and being female and Asian, I thought I could
remember that”


“I started by deciding to choose faces of people in
my own race…”


“… Plus he is African
-
American like me


CHALLENGE
-

RESPONSE

slide
45

slide
46

Security Against Eavesdropping


Idea: use a shared secret to derive a
one
-
time
password


If the attacker eavesdrops on the network, he’ll
learn this password but it will be useless for
future logins

slide
47

Challenge
-
Response

user

system

secret

challenge value

f(secret,challenge)

Why is this better than the password over a network?

secret

slide
48

Challenge
-
Response Authentication


User and system share a
secret
(key or password)


Challenge
: system presents user with some string


Response
: user computes response based on the
secret and the challenge


Secrecy:

difficult to recover key from response


One
-
way hashing or symmetric encryption work well


Freshness:

if challenge is fresh, attacker on the
network cannot replay an old response


For example, use a fresh random number for each challenge


Good for systems with pre
-
installed secret keys


Car keys; military friend
-
or
-
foe identification

slide
49

SecurID

Alice

Bob

KEY

v= F(KEY, 0)

KEY

Verifies v=F(KEY,
0
)

?


Advancing the counter


Time
-
based (60 seconds) or


every button press


Allow for skew in the counter value


RSA SecurID: 5
-
minute clock skew by default

Setup: generate random key

Counter:

Counter:

v= F(KEY, 1)

Verifies v=F(KEY,1)

?



0

1



0

1



RSA uses a custom function

Input:
64
-
bit key,
24
-
bit ctr

Output:
6
-
digit value

BIOMETRIC
AUTHENTICATION

slide
50

slide
51

Biometric Authentication


Nothing to remember


Passive


Nothing to type, no devices to carry around


Can’t share (usually)


Can be fairly unique


… if measurements are sufficiently accurate

slide
52

Problems with Biometrics



How hard are biometric readings to forge?


Difficulty of forgery is routinely overestimated


Analysis often doesn’t take into account the possibility
of computer
-
generated forgery


Revocation

is difficult or impossible

slide
53

Biometric Error Rates (Benign)


“Fraud rate” vs. “insult rate”


Fraud = system accepts a forgery (false accept)


Insult = system rejects valid user (false reject)


Increasing acceptance threshold increases fraud
rate, decreases insult rate


For biometrics, U.K. banks set target fraud rate of
1%, insult rate of 0.01%
[Ross Anderson]


Common signature recognition systems achieve equal
error rates around 1%
-

not good enough!

slide
54

Biometrics (1)


Face recognition (by a computer algorithm)


Error rates up to 20%, given reasonable variations in
lighting, viewpoint and expression


Fingerprints


Traditional method for identification


1911: first US conviction on fingerprint evidence


U.K. traditionally requires 16
-
point match


Probability of false match is 1 in 10 billion


No successful challenges until 2000


Fingerprint damage impairs recognition


Ross Anderson’s scar crashes FBI scanner

slide
55

Biometrics (2)


Iris scanning


Irises are very random, but stable through life


Different between the two eyes of the same individual


256
-
byte iris code based on concentric rings between
the pupil and the outside of the iris


Equal error rate better than 1 in a million


Best biometric mechanism currently known


Hand geometry


Used in nuclear premises entry control, INSPASS
(discontinued in 2002)


Voice, ear shape, vein pattern, face temperature

slide
56

Surgical Change

slide
57

Stealing Biometrics

slide
58

Involuntary Cloning

Clone a biometric without victim’s knowledge or assistance

“my voice is my

password”

cloned retina

Fingerprints from

beer bottles

Eye laser scan

Bad news: it works!

slide
59

Cloning a Finger

[Matsumoto]

slide
60

Molding

[Matsumoto]

slide
61

The Mold and the Gummy Finger

[Matsumoto]