Lecture 03


Nov 17, 2013 (3 years and 6 months ago)


Tuomas Aura

T-110.4206 Information security technology

User authentication

Aalto University, autumn 2011

Outline

1. Passwords
2. Physical security tokens and two-method authentication
3. Biometrics



Common mantra: User authentication can be based on
  something you know
  something you have
  something you are

PASSWORDS


Username and password


Passwords are used for entity authentication

Needed for access control and auditing:
  access control = authentication + authorization

Entity authentication vs. message authentication

Password is a shared secret between the user and computer system

Limitations arise from the reliance on human memory and input

What attacks are there against passwords?

Sniffing and key loggers


Password sniffing on the local network used to be a major problem; mostly solved by cryptographic authentication:
  SSH, SSL, HTTP Digest Authentication, MS-CHAPv2

Key logger: software or hardware that stores all key strokes (including passwords) typed on a computer
  Particular danger in public-access computers e.g. at libraries and cafes
  Why do some bank web sites ask you to use the mouse to enter the PIN code?

Password recovery


Humans are prone to forget things → need a process for recovering from password loss

What are the advantages and disadvantages of the following recovery mechanisms?
  Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name
  Emailing password to another user account
  Physical visit to helpdesk
  Yellow sticker on the back of the keyboard
  USB key or CD with a password recovery file

Password reuse


How many different user accounts and passwords do you have? Ever used the same password on two accounts?

Using the same or related passwords on multiple accounts means that one corrupt sysadmin or compromised account can lead to compromise of the other accounts

Administrative countermeasures:
  Passwords chosen by the service, not set by users
  Exotic password format requirements

Personal countermeasures:
  Generating service-specific passwords from one master password
  Password wallet (e.g. on phone) encrypted with a master password

Shoulder surfing


Keyboards and screens are highly visible → others may see what you are typing

Password and PIN prompts usually do not show the characters
  *******
  Does this make sense for all secrets?

Password guessing


Intelligent guessing vs. brute-force guessing
  dictionary attack

Countermeasures
  Limit the number or rate of login attempts
  Minimum password length and complexity, password quality check
  Preventing reuse of old passwords
  System-generated random passwords
  Password aging i.e. mandatory periodic password changes (typically every three months)

Password entropy


Entropy = the amount of information the attacker is missing about the password

$$\text{Entropy} = -\sum_{x \in \text{passwords}} P(x) \log_2 P(x) \le \log_2(\text{number of possible passwords})$$

Examples:
  Random 8-character 7-bit passwords have 56 bits of entropy
  Random 8-character alphanumeric passwords have at most 8 × log2(26+26+10) ≈ 48 bits
  4-digit PIN codes have about 13 bits of entropy

Human-chosen passwords have less entropy than random ones because some passwords are more common than others
  Do password quality checks increase entropy?

Passwords rely on human memory → entropy cannot grow over time → any system that relies on high password entropy to beat brute-force attacks will eventually fail

Online and offline guessing attacks


Offline attack: the attacker obtains a hash (or other function) of the password and tries to guess the password offline
  Attacker who has the hash values from the password database
  Older challenge-response network authentication, e.g. MS-CHAPv2 or HTTP digest authentication (without SSL)

Online guessing: attacker tries to log in with different passwords
  Login prompt at the console; PIN code on a phone
  Network login to an authenticated server over SSH or SSL
  Firewall blocks client IP address after some failed login attempts

In offline attack, the attacker can perform an exhaustive brute-force search; in online attack, target system can limit the number of guesses

Big difference in the required password entropy:
  Online guessing success probability ≈ number of allowed guesses / number of possible passwords
  Offline attack requires cryptographic strength, e.g. 128-bit entropy
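The entropy formula and the online-guessing estimate above, worked through for 4-digit PINs as an added Python example (not part of the lecture). The skewed distribution is constructed for illustration, not measured data, and the function names are this example's own.

```python
import math

def shannon_entropy(probs):
    """Entropy in bits: -sum P(x) log2 P(x) over all passwords x."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def online_success(probs, allowed_guesses):
    """Chance that an online attacker who tries the most likely
    passwords first hits the right one within the allowed guesses."""
    return sum(sorted(probs, reverse=True)[:allowed_guesses])

N = 10 ** 4                       # all 4-digit PIN codes
uniform = [1 / N] * N             # system-generated random PINs

# Constructed distribution (not measured data): 10% of users pick one
# favourite PIN, everyone else chooses uniformly among the other 9999.
skewed = [0.10] + [0.90 / (N - 1)] * (N - 1)

def report():
    """(name, entropy in bits, success probability with 3 guesses)."""
    rows = []
    for name, dist in (("uniform", uniform), ("skewed", skewed)):
        rows.append((name, round(shannon_entropy(dist), 2),
                     online_success(dist, 3)))
    return rows

if __name__ == "__main__":
    for name, bits, p3 in report():
        print(f"{name:8s} entropy = {bits:5.2f} bits, "
              f"P(success in 3 guesses) = {p3:.4f}")
```

The skew costs less than one bit of entropy (13.29 to 12.43 bits), yet the three-guess success probability rises from 0.03% to about 10%, because the guessing attacker only needs the most common values.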

Password database storage


Safer to assume that the database is public
  Unix /etc/passwd is traditionally world readable
  Attacks on web servers often manage to dump any file or database on the server; e.g. SQL injection

How to store passwords in a public file?
  Store a hash (i.e. one-way function) of the password
  When user enters a password, hash and compare
  Use a slow hash (many iterations of a hash function) to make brute-force cracking more difficult
  Include random account-specific “salt”: slow_hash( password | salt) to prevent simultaneous brute-force cracking of many passwords, precomputation attacks and equality comparison between passwords

Password hashing


Password-based key derivation function PBKDF2 [PKCS#5, RFC2898]*
  Good practical guide; uses any standard hash function, at least 64-bit salt, any number of iterations

Unix crypt(3) [Morris and Thompson 1978]*
  Historical function for storing passwords in /etc/passwd
    aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh
  Eight 7-bit characters = 56-bit DES key
  Encrypt a zero block 25 times with modified DES
  12-bit salt used to modify DES key schedule
  Stored value includes the salt and encryption result

Replaced by more modern hash functions and shadow passwords (stored in /etc/shadow, which is only readable to root)

PBKDF2

PBKDF2(P, S, c, dkLen)
  P = password
  S = salt
  c = iteration count
  dkLen = length of the result
  PRF = keyed pseudorandom function

F(P, S, c, i) = U_1 xor U_2 xor ... xor U_c
  U_1 = PRF(P, S || i)
  U_2 = PRF(P, U_1)
  ...
  U_c = PRF(P, U_{c-1})

Repeat for i=1,2,3... until dkLen output bytes produced

Function for slow hashing of passwords

Iterations to make the computation slower

Used in WPA2-Personal for deriving keys from password

Could also be used for storing password hashes
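The salted slow hash from the password storage slide and the F(P, S, c, i) construction above, as an added Python example (not from the lecture). HMAC-SHA-256 as the PRF, the 16-byte salt, the iteration count and the record layout are assumptions of this example; pbkdf2() follows the slide's definition and can be checked against the standard library's hashlib.pbkdf2_hmac.

```python
import hashlib
import hmac
import os
import struct

def prf(password: bytes, data: bytes) -> bytes:
    # PRF keyed with the password; HMAC-SHA-256 is this example's choice.
    return hmac.new(password, data, hashlib.sha256).digest()

def pbkdf2(password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """PBKDF2(P, S, c, dkLen) written directly from the definition above."""
    out, i = b"", 1
    while len(out) < dk_len:
        u = prf(password, salt + struct.pack(">I", i))  # U_1 = PRF(P, S || i)
        f = int.from_bytes(u, "big")
        for _ in range(c - 1):                           # U_2 ... U_c
            u = prf(password, u)
            f ^= int.from_bytes(u, "big")                # F = U_1 xor ... xor U_c
        out += f.to_bytes(len(u), "big")
        i += 1                                           # next output block
    return out[:dk_len]

ITERATIONS = 100_000  # assumed work factor; tune to the hardware in use

def new_record(password: str) -> dict:
    """What the password file stores: salt, iteration count, slow hash."""
    salt = os.urandom(16)  # random and account-specific
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)
    return {"salt": salt, "c": ITERATIONS, "hash": digest}

def verify(record: dict, attempt: str) -> bool:
    """Hash the entered password with the stored salt and compare."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["c"], len(record["hash"]))
    return hmac.compare_digest(digest, record["hash"])
```

Because each record carries its own salt, two accounts with the same password store different hashes, which is what defeats equality comparison and precomputed tables.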

Botnets and online guessing


10 banks, each with 10^6 customer accounts
  4-digit PIN or one-time code required to log in
  Client IP address blocked after 3 failed login attempts

Attacker has a botnet of 10^5 computers
  Each bot makes one login attempt to one account in each bank every day
  10^6 login attempts in a day → ~100 successful break-ins in a day

Countermeasures:
  Make user IDs hard to guess; long, different from account numbers, and not assigned sequentially
  Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN → increased entropy reduces attacker success rate

One-time passwords

Use each password only once to thwart password sniffers and key loggers

Lamport hash chain:
  H_1 = hash (secret seed); H_{i+1} = hash (H_i)
  Server stores initially H_100 and requires user to enter H_99. Next stores H_99 and requires H_98, and so on.

Unix S/KEY or OTP [RFC1760/1938]
  1: HOLM BONG VARY TIP JUT ROSY
  2: LAIR MEMO BERG DARN ROWE RIG
  3: FLEA BOP HAUL CLAD DARK ITS
  4: MITT HUM FADE CREW SLOG HAST

Hash-based one-time passwords HOTP [RFC4226]
  HOTP(K,C) = HMAC-SHA-1(K,C) mod 10^D
  Produces a one-time PIN code of D decimal digits

Time-based one-time passwords
  E.g. RSA SecurID: one of many commercial products

Which attacks are prevented by one-time passwords and which are not?

Spoofing attacks


Attacker could spoof the login dialog; how do you know when it is safe to type in the password?



Trusted path


Attacker could spoof the login dialog; how do you know when it is safe to type in the password?

Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system
  Ctrl+Alt+Del in Windows takes the user to a security screen that cannot be spoofed
  Web browser shows the URL in the address bar in a way that cannot be spoofed by the web server

With malware and virtualization, it is increasingly hard to know what is real

Other threats


No system is perfectly secure: system designers have a specific threat model in mind, but the attacker can break these rules
  “The attacker does not agree with the threat model.” (Bruce Christianson)

Other attacks against PINs and passwords:
  Phishing and social engineering
  Heat camera can detect recently pressed keys
  Acoustic emanations from the keyboard

PHYSICAL SECURITY TOKENS AND TWO-METHOD AUTHENTICATION

Physical security tokens


Smart card is a typical physical security token
  Holds cryptographic keys to prove its identity
  Tamperproof: secret keys will stay inside
  Used for door keys, computer login, ATM

PIN entry is often also required → two-method authentication
  Attacker needs to both steal the card and learn the PIN
  clear qualitative increase in security

Other security token implementations: smart button, USB stick, mobile phone

Issues with security tokens


Physical tokens require distribution

Computers (or doors etc.) must have readers

It is not easy to integrate cryptographic tokens into all systems
  E.g. applications that require a password cached on the client or on a proxy server

Process needed for recovering from the loss of tokens

Are smart card + PIN really two factors?

One alternative is two-channel authentication:
  Confirmation via telephone: callback
  Sending a second secret to a known address: text message, email, post

BIOMETRICS


Biometric authentication


Biometric authentication means verifying some physical feature of the user
  Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA
  Behavioral characteristic: voice, typing, gait

Biometrics are not 100% reliable:
  False acceptance rate FAR
  False rejection rate FRR
  Equal error rate EER

[Figure: FAR, FRR and EER; axis label 50%]

Issues with biometrics


Biometrics require enrollment and readers

Unsupervised vs. supervised readers have a big difference in security
  E.g. fingerprints, face recognition

Suitability for security architectures:
  Are biometric characteristics secrets?
  Can they be copied?
  How to revoke biometrics?

What if enrollment fails?
  Some people have no fingerprints, or no fingers

Reading material


Dieter Gollmann: Computer Security, 2nd ed., chapter 3

Matt Bishop: Introduction to computer security, chapter 11

Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15

Edward Amoroso: Fundamentals of Computer Security Technology, chapters 18-19

Exercises


Why do you need both the username and password? Would not just one secret identifier (password) be sufficient for logging in?

What effect do strict guidelines for password format (e.g. 8 characters, at least 2 capitals, 2 digits, 1 special symbol) have on the password entropy?

What is the probability of guessing the code for a phone that allows 3 attempts to guess a 4-digit PIN code, then 10 attempts to guess an 8-digit PUK code?

In what respects is PBKDF2 better for password hashing than crypt(3)?

Why may mandatory password changes increase security? What is the optimal interval?

How to limit the number of login attempts without creating a DoS vulnerability?

Learn about graphical passwords and compare their entropy to different length passwords and PIN codes.

Learn about HTTP Digest Authentication [RFC2617] and MS-Chap-V2 [RFC2759]. Explain how to perform an offline password guessing attack after sniffing a login.

In a social network, could authentication be based on who you know (or who knows you), or where you are?

What advantages and disadvantages might a fingerprint reader have in a car lock?