05 user authentication - Noppa

tackynonchalantSoftware and s/w Development

Dec 3, 2013 (3 years and 7 months ago)

190 views

Tuomas Aura

T
-
110.4206 Information security technology

User authentication

Aalto
University
,
autumn

2013

Outline

1.
Passwords

2.
Physical security tokens and

two
-
method authentication

3.
Biometrics



Common mantra:

User authentication can be based on



something you know


something you have


something you are

2

PASSWORDS

3

Username and password


Passwords are used for
entity authentication


Needed for access control and auditing:

access control =
authentication

+ authorization


Entity authentication vs. message authentication


Password is a shared secret between the user
and computer system


Limitations arise from the reliance on of
human
memory and input


What attacks are there against passwords?

4

Sniffing and key loggers


Password sniffing on the local network
used to
be a major problem; mostly solved by
cryptographic authentication:


SSH, SSL, HTTP Digest Authentication, MS
-
CHAPv2


Key logger
: software or hardware that stores
all key strokes typed on a computer


Used to be a problem in public
-
access

computers e.g. at libraries and cafes


Now can be
malware

on any computer


Why do some bank web sites ask you to use the
mouse to enter the PIN code?



5

Password recovery


Humans are prone to forget things


need a
process for recovering from password loss


Recovery mechanisms often enable new attacks


What are the advantages and disadvantages of
the following recovery mechanisms?


Security question or memorable secret, e.g. birth
place, mother’s maiden name, pet’s name


Emailing password to another user account


Physical visit to helpdesk


Yellow sticker on the back of the keyboard


USB memory stick with a password recovery file



6

Password reuse


How many different user accounts and passwords do you
have?
Ever used the same password on two accounts?


Using the same or related passwords on multiple accounts
means that one
compromised system or account

can lead to
compromise of the other accounts


Administrative countermeasures:


Passwords chosen by the service, not set by users


Exotic password format requirements


Single sign
-
on to enable just one password


Personal countermeasures:


Generating service
-
specific passwords from one master
password


Password wallet (e.g. on phone) encrypted with a master
password



7

Shoulder surfing


Keyboards and screens are highly visible



others may see what you are typing



Password and PIN prompts usually do not
show the characters


Does this make sense for all secrets input?


8

*******

Password guessing


Dictionary attack

and other
intelligent
guessing vs.
brute
-
force
trials


Countermeasures against guessing


Limit the number or rate of login attempts


Minimum password length and complexity,
password quality check


Preventing reuse of old passwords


System
-
generated random passwords


Password aging i.e. mandatory periodic password
changes (typically every three months)


9

Measuring password strength


Many possible metrics:


Number of possible passwords


Entropy

= amount of missing information


Average/median time
to crack a specific password


Average/median time to crack any one password


Probability of success
as a function of time or number
of trials


etc.


Metrics are important to consider when
designing new types of passwords


Graphical passwords


Requirements to use special characters




10

Password entropy


Entropy = the amount of missing information


Entropy H =
-



x


p慳aw潲ds

(
P(x)


log
2
P(x))


≤ log
2
(number of possible passwords)


Examples:


Random 8
-
character alphanumeric passwords have

H = 8


log
2
(26+26+10) = 47.6 bits


Random 4
-
digit PIN codes have about H = 13.3 bits of entropy


For even probability distribution, one
-
bit increase in entropy
doubles the cost of guessing attacks


Human
-
selected passwords have less entropy than random ones
because some are chosen more often than other


Should banks allow the customer to choose the PIN?


Do password quality checks increase entropy?


Passwords rely on human memory


password entropy cannot
grow over time



human memory cannot compete with computer
speed

11

Online and offline guessing attacks


Offline attack
: cracking the password from
a know hash
(or
other function) of
the
password


E.g. MS
-
CHAPv2 or HTTP digest authentication
without SSL


Unlimited number of guesses



attacker
can perform an
exhaustive brute
-
force search


Online guessing
:
attacker tries
to login many times


E.g. PIN
code
entry on
a
phone


E.g.

network
login to an authenticated server over SSH or
SSL


System can
limit the number or rate of guesses


Big difference in the required password strength:


Online guessing success probability

≈ number of allowed guesses / number of possible passwords


Offline attack requires cryptographic strength from the
password, e.g. 128
-
bit entropy, to prevent exhaustive search


Authentication
p
rotocols

that are vulnerable to network
sniffing and offline guessing are simply outdated



14

Storing passwords on server


Assume that the password database becomes public


Unix
/
etc
/password
is traditionally world readable


Attackers often manage to read files or database tables on
a web server e.g. with SQL injection


How to store passwords in a public file?


Store a
hash

i.e. one
-
way function of the password


When user enters a password, hash and compare


Use a slow hash (
many iterations
of a hash function) to
make brute
-
force cracking more difficult


Include random account
-
specific “
salt
”:



slow_hash
( password | salt)


to prevent
simultaneous brute
-
force cracking

of many
passwords,
pre
-
computation
attacks, and
equality
comparison

between passwords

15

Password hashing


Password
-
based key derivation function
PBKDF2

[PKCS#5,RFC2898]
*


Good practical
function
; uses any standard hash function, at
least 64
-
bit salt, any number of iterations


Unix
crypt(3)
[Morris and Thompson 1978]
*


Historical

function for storing passwords in
/
etc
/
passwd


aura:
lW90gEpaf4wuk
:19057:100:Tuomas
Aura:/home/aura:/bin/
zsh



Password = eight 7
-
bit characters = 56
-
bit DES key


Encrypt a zero block 25 times with modified DES


12
-
bit salt used to modify DES key schedule


Stored value includes the salt and encryption result


Too short salt enables e.g. rainbow table attacks


Replaced by more modern hash functions and encrypted, read
-
pro
tected

shadow passwords


16

DF2PBK


PBKDF2 (P, S, c, dkLen)

P

= password

S

= salt

c

= iteration count

dkLen = length of the result

PRF = keyed pseudorandom function


F (P, S, c, i) = U
1

xor U
2

xor ... xor U
c


U
1

= PRF (P, S || i)

U
2

= PRF (P, U
1
)

...

U
c

= PRF (P, U
c
-
1
)

Repeat for i=1,2,3... until dkLen output bytes produced

17

Function

for

slow

hashing

of
passwords


Many

iterations

to
make

the
computation

slower


Used

in WPA2
-
Personal
for
deriving

keys

from

password

(
makes

offline

cracking

more

difficult
)


Could

also

be

used

for
hashing

stored

passwords

on a
server

One
-
time passwords


Use each password only once to thwart password sniffers and key
loggers


Lamport

hash chain
:


H
1

= hash (secret seed); H
i+1
= hash (H
i
)


Server stores initially H
100

and asks user to enter H
99
. Next, stores H
99

and ask for H
98
, and so on


Unix
S/KEY

or
OTP

[RFC1760,RFC1938]

1: HOLM BONG VARY TIP JUT ROSY

2: LAIR MEMO BERG DARN ROWE RIG

3: FLEA BOP HAUL CLAD DARK ITS

4: MITT HUM FADE CREW SLOG HAST


Hash
-
based one
-
time passwords
HOTP

[RFC4226]

HOTP(
K,i
) = HMAC
-
SHA
-
1(
K,i
) mod 10
D


Produces a one
-
time PIN code of D decimal digits


Time
-
based one
-
time passwords


Many commercial products such as
RSA
SecurID


Which attacks do one
-
time passwords prevent and which not?


19



Trusted path


Attacker could
spoof the login dialog
; how do you
know when it is safe to type in the password?


Trusted path
is a mechanism that ensures direct
and secure communication between the user and
a specific part of the system (with the TCB)


Crtl+Alt+Del

in Windows opens a security screen that
is difficult to spoof


Web browser shows the URL in the
address bar

in a
way that cannot be spoofed by a web server


With malware and virtualization, it is increasingly
hard to know what is real



22

Other threats


No system is perfectly secure:

system designers have a specific threat
model in mind, but the attacker can break
these rules



The attacker does not agree with the
threat model.
” (Bruce Christianson)


Some other attacks against PINs

and passwords:


Phishing and social engineering


User mistakes: using wrong password


Camera to record key presses


Heat camera to detect pressed keys


Acoustic emanations from the keyboard


etc.






23

PHYSICAL SECURITY TOKENS AND
TWO
-
METHOD AUTHENTICATION

24

Physical security tokens


Smart card
is a typical physical security token


Holds
cryptographic keys
to prove its identity


Tamperproof
: secret keys will stay inside


Used for door keys, computer login, ATM


Other security token implementations:
smart
button, USB dongle, mobile phone


Two
-
method
authentication
: require also PIN


Attacker needs to both steal the card and learn
the PIN


clear qualitative increase in security

25

Issues with security tokens


Physical tokens require
distribution



Computers (or doors etc.) must have
readers


It is not easy to integrate cryptographic tokens
to all systems


E.g. how to use a physical token if the application
requires cached credentials (password) on the
client or on a proxy server


Process needed for
recovering from the loss of
tokens


Are smart card + PIN really two factors?








26

Authentication

with mobile
phone


Two
-
channel
authentication

used by major
online services:


Confirmation via telephone: callback


Sending a second secret to a known address: text
message, email, post


Secure

element

in the mobile
phone

can

be

used

as a
login

token


Also

SIM

could

act as the
secure

element

27

BIOMETRICS

28

Biometric authentication


Biometric authentication means verifying
some physical feature of the user


Physiological characteristic: photo, signature, face
geometry, fingerprint, iris scan, DNA


Behavioral characteristic: voice, typing, gait


Biometrics are not 100% reliable:


False acceptance rate FAR


False rejection rate FRR


Equal error rate EER



29

FAR

FRR

50%

EER

Issues with biometrics


Biometrics require
enrollment

and
readers


Big
difference in
the security of
unsupervised vs.
supervised readers


E.g. fingerprint reader on computer vs. iris scanner at
immigration


Suitability for security architectures:


Are biometric characteristics secrets?


Can they be copied?
E.g. iPhone


How to revoke biometrics?


What if enrollment fails?


Some people have no fingerprints, or no fingers


30

Reading material


Dieter Gollmann: Computer Security, 2nd ed.,
chapter 3; 3rd ed.
c
hapter 4


Matt Bishop: Introduction to computer
security, chapter 11


Ross Anderson: Security Engineering, 2nd ed.,
chapters 2, 15


Edward Amoroso: Fundamentals of Computer
Security Technology, chapters 18
-
19


31

Exercises


Why do you need both the username and password? Would not just one secret
identifier (password) be sufficient for logging in?


What effect do strict guidelines for password format (e.g. 8 characters, at least 2
capitals, at least 2 digits, at least 1 special symbol) have on the password entropy?


What is the probability of guessing the code for a phone that allows 3 attempts to
guess a 4
-
digit PIN code, then 10 attempts to guess an 8
-
digit PUK code?


In
what respects is
PBKDF2 better for password hashing than crypt(3)?


How many hash values van a brute
-
force attacker test in second with a new GPU?
Hint: Check the
BitCoin

mining speeds.


How do mandatory periodical password changes increase security? What is the
optimal interval?


How to limit the number of login attempts without creating a
DoS

vulnerability?


Learn about graphical passwords and compare their entropy to different
-
length
passwords and PIN codes.


Learn about HTTP Digest Authentication [RFC2617] and
MS
-
Chap
-
V2
[RFC2759].
Explain how to perform an offline password guessing attack after sniffing a login.


In a social network, could authentication be based on
who you know

(or who
knows you), or
where you are
?


What advantages and disadvantages might a fingerprint reader have in a car lock?


32