09.02.10.HashingPasswords Class.csci4621
7/30/2019 09.02.10.HashingPasswords Class.csci4621
Computer Security, CSCI 4621 Fall 20
Daniel Bilar, CS, UNO

Hash Functions, Birthday Paradox
CSCI 4621: Computer Security
Week 02, Lecture 04: Thursday, 09/02/2010
Daniel Bilar
University of New Orleans
Department of Computer Science
Fall 2010

Goals today
Review
Controls for Security properties
Confidentiality Control: (Symmetric) Cryptography
Integrity/Authenticity: Keyed Message Authentication Code (MAC)
Hash functions
Birthday paradox
Application: Unix passwords
Some slides gratefully adapted from Shmatikov (UT Austin) and Zhao (Cleveland State)

Review: Some desirable Security Properties
1. Confidentiality is concealment of information
2. Authenticity is identification and assurance of origin of information
3. Integrity is prevention of unauthorized changes
4. Availability is ability to use information or resources desired
First, we looked at ways to control for 1): a control called (symmetric) cryptography
See Menezes (2006) ch 1, Table 1.1 for more

More Security Properties
From Menezes (2006), Overview of Cryptography

Review: Cryptography Control
Encryption is the process of encoding a message so that its meaning is not obvious
Decryption is the reverse process, transforming an encrypted message back into its normal, original form
Plaintext: message to be encrypted
Ciphertext: encrypted message
Issues
  Computational vs perfect secrecy
  Stream vs Block cipher
Properties encryption schemes strive for
  Diffusion: Distribute information from single plaintext letters over the entire output
  Confusion: Complex functional relationship between the plaintext/key pair and the ciphertext

Motivation: Integrity
[Figure: BigFirm, User, goodFile, badFile (VIRUS), The Times, hash(goodFile)]
Software manufacturer wants to ensure that the executable file is received by users without modification.
It sends out the file to users and publishes its hash in NY Times.
The goal is integrity, not confidentiality
Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)

Integrity vs. Secrecy
Integrity
  Attacker cannot tamper undetected with message
Authenticity
  Attacker cannot fake undetected the message
Encryption per se does not guarantee integrity (could work for authenticity)
  Attacker may be able to modify message under encryption without learning what it is
  One-time pad: Given key K, encrypt M as M⊕K
  This guarantees perfect secrecy, but attacker can easily change unknown M under encryption to M⊕M' for any M'
  Anderson's "Hang hitler" vs "Heil hitler"
We'll see now some Integrity controls: MAC and HMAC

Motivation: Authentication
[Figure: Alice, Bob, KEY at each end, msg, hash(KEY,msg)]
Alice wants to make sure that nobody modifies message in transit
Want to ensure both integrity and authenticity - why?
Idea: given msg, very hard to compute hash(KEY,msg) without KEY; very easy with KEY

[Figure: BigFirm, User, goodFile, badFile (VIRUS), The Times, hash(goodFile)]
Integrity: Can hash without key
[Figure: Alice, Bob, KEY at each end, msg, hash(KEY,msg)]
Integrity with Authenticity: Hash with key

Message Authentication
Message Authentication Code (MAC)
  Small block of data that is appended to the message
  MAC is generated by using a secret key
  Assumes both parties A, B share common secret key KAB
  Code is function of message and key
  M AB, . are transmitted
If received code matches calculated code then
  Receiver is sure message has not been altered
  Message is from sender since only sender shares the key
Different from encryption
  MAC does not have to be reversible (and most likely is not) - why?
  Unlike ciphertext, which has to be reversible in encryption

Hash Functions: Main Idea
[Figure: hash function H maps a message (bit strings of any length) to a message digest (n-bit bit strings); inputs x, digests y]
H is a lossy compression function
  Collisions: h(x)=h(x') for some inputs x, x'
  Unavoidable (pigeonhole principle) if |x| >> n
Result of hashing should look random
  Intuition: half of digest bits are 1; any bit in digest is 1 half the time
Cryptographic hash function needs a few properties
Hash with key is called a HMAC

Hash MAC (HMAC)
Invented by Bellare, Canetti, and Krawczyk (1996)
HMAC strength established by cryptographic analysis
Construct MAC by applying a hash function to
Could also use encryption instead of hashing, but
  Hashing is faster than encryption in software
  Library code for hash functions widely available
  Can easily replace one hash function with another
  There used to be US export restrictions (ITAR) on encryption.. and some still apply

Common Hash Functions
MD5
  128-bit output
  Designed by Ron Rivest, used very widely
  Collision resistance broken (2004)
  Very bad: can fake PKI CA certificates (used in all browsers for https e-commerce, e-banking), see http://www.win.tue.nl/hashclash/rogue-ca/
160-bit variant of MD5
SHA-1 (Secure Hash Algorithm)
  160-bit output
  US government (NIST) standard
  Also the hash algorithm for Digital Signature Standard (DSS)
  Collision resistance broken (2005)
SHA-2 is recommended by US NIST
  224/256/385/512 bits
  No collisions detected so far

Concept: One-Way
Intuition: hash should be hard to invert
  So-called preimage resistance
  Let h(x) = y ∈ {0,1}^n for a random x
  Given y, it should be hard to find any x such that h(x) = y
How hard?
  Brute force: try every possible x, see if h(x) = y
  SHA-1 (common hash function) has 160-bit output .. Calculemus
  Suppose have hardware that'll do 2^30 trials a pop
  Assuming 2^34 trials per second, can do 2^89 trials per year
  Will take 2^71 years to invert SHA-1 on a random image

Prelude to Birthday Paradox
T people sampled -> want to find growth of match of T people with same birthday
Suppose each birthday is a random number taken from K days (K=365) - how many possibilities?
  K^T
How many possibilities that are all different?
  (K)_T = K(K-1)...(K-T+1) - samples without replacement
Probability of no repetition?
  (K)_T / K^T ≈ 1 - T(T-1)/2K
Probability of repetition?
  O(T^2)

Concept: Collision Resistance
Should be hard to find any pair x, x' such that h(x) = h(x')
Brute-force collision search is O(2^(n/2)), not O(2^n)
  n = number of bits in the output of hash function
  80 160 , .
Reason: Birthday paradox
  Let T be the number of values x, x', x''... we need to look at before finding the first pair x, x' s.t. h(x) = h(x')
  Assuming h is random, what is the probability that we find a repetition after looking at T values? O(T^2)
  Total number of pairs? O(2^n)
  Conclusion: T ≈ O(2^(n/2))
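
The two birthday slides above, worked through in code. This is an added example, not part of the original lecture: it evaluates (K)_T / K^T and the approximation 1 - T(T-1)/2K, then runs a brute-force collision search on a toy hash. The toy hash (SHA-256 truncated to n_bits) and all function names are assumptions made for the illustration.

```python
import hashlib
from itertools import count

def p_no_repeat(K: int, T: int) -> float:
    """(K)_T / K^T: probability that T samples from K values are all different."""
    p = 1.0
    for i in range(T):
        p *= (K - i) / K
    return p

def p_no_repeat_approx(K: int, T: int) -> float:
    """The slide's approximation 1 - T(T-1)/2K (good while T*T is small next to K)."""
    return 1 - T * (T - 1) / (2 * K)

def smallest_T(K: int, target: float = 0.5) -> int:
    """Smallest T for which the probability of a repetition reaches target."""
    T = 1
    while 1 - p_no_repeat(K, T) < target:
        T += 1
    return T

def h(x: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the first n_bits of SHA-256 (assumption, to keep n small)."""
    digest = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int):
    """Hash 1, 2, 3, ... until two inputs share a digest; return (x, x', trials)."""
    seen = {}
    for trials in count(1):
        x = str(trials).encode()
        y = h(x, n_bits)
        if y in seen:
            return seen[y], x, trials
        seen[y] = x

if __name__ == "__main__":
    print("K=365: repetition more likely than not from T =", smallest_T(365))
    for n in (16, 20, 24):
        x1, x2, trials = find_collision(n)
        print(f"n={n}: collision after {trials} trials (2^(n/2) = {2 ** (n // 2)})")
```

The trial counts grow with 2^(n/2), not 2^n, which is why a 160-bit digest offers only about 80 bits of collision resistance.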

Weak Collision Resistance
Given randomly chosen x, hard to find x' such that h(x) = h(x')
  Attacker must find collision for a specific x. By contrast, to break collision resistance, enough to find any collision.
  Brute-force attack requires O(2^n) time
How does weak vs normal collision resistance make a difference for breaking into systems?
  Figuring password of specific account?
  Figuring password of any account?

One-Way vs. Collision Resistance
One-wayness does not imply collision resistance
  Suppose g is one-way
  Define h(x) as g(x') where x' is x except the last bit
  h is one-way (to invert h, must invert g)
  Collisions for h are easy to find: for any x, h(x0) = h(x1)
Collision resistance does not imply one-wayness
  Suppose g is collision-resistant
  Define h(x) to be 0x if x is n-bit long, 1g(x) otherwise
  Collisions for h are hard to find: if y starts with 0, then there are no collisions, if y starts with 1, then must find collisions in g
  h is not one-way: half of all y's (those whose first bit is 0) are easy to invert (how?); random y is invertible with prob. 1/2

Encrypt + MAC
Goal: confidentiality + integrity + authentication
[Figure: Alice and Bob each hold K1, K2. Alice: Encrypt(K1,msg), MAC=Hash(K2,msg); sends encrypt(msg), MAC(msg). Bob: Decrypt, Verify MAC (=?). Second message: encrypt(msg2), MAC(msg2)]
Can tell if messages are the same! Why is this bad?
MAC is deterministic: messages are equal => their MACs are equal
Solution: Encrypt, then MAC
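
The one-time pad point from the "Integrity vs. Secrecy" slide and the Encrypt+MAC problem above, side by side. This is an added example, not part of the original lecture. Assumptions: HMAC-SHA256 plays the role of Hash(K2, msg), a fresh one-time pad per message stands in for Encrypt(K1, msg), and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of equal-length strings: the one-time pad operation."""
    return bytes(x ^ y for x, y in zip(a, b))

def tag(k2: bytes, data: bytes) -> bytes:
    """MAC = Hash(K2, data), here HMAC-SHA256."""
    return hmac.new(k2, data, hashlib.sha256).digest()

def encrypt_and_mac(k2: bytes, msg: bytes):
    """Encrypt+MAC: fresh pad per message, MAC computed over the plaintext."""
    pad = secrets.token_bytes(len(msg))  # assumed pre-shared with the receiver
    return pad, xor(pad, msg), tag(k2, msg)

def encrypt_then_mac(k2: bytes, msg: bytes):
    """Encrypt, then MAC: the MAC is computed over the ciphertext."""
    pad = secrets.token_bytes(len(msg))
    ct = xor(pad, msg)
    return pad, ct, tag(k2, ct)

def receive(k2: bytes, pad: bytes, ct: bytes, mac: bytes):
    """Verify the tag in constant time; decrypt only if it matches."""
    if not hmac.compare_digest(tag(k2, ct), mac):
        return None
    return xor(pad, ct)

def demo():
    k2, msg = secrets.token_bytes(32), b"heil hitler"
    delta = xor(b"heil hitler", b"hang hitler")  # M' from the one-time pad slide
    # 1. Encryption alone: XORing M' into the ciphertext changes M to M xor M'.
    pad, ct, _ = encrypt_and_mac(k2, msg)
    undetected = xor(pad, xor(ct, delta))
    # 2. Encrypt+MAC: ciphertexts differ, yet equal messages give equal MACs.
    _, ct_a, mac_a = encrypt_and_mac(k2, msg)
    _, ct_b, mac_b = encrypt_and_mac(k2, msg)
    leaks_equality = ct_a != ct_b and mac_a == mac_b
    # 3. Encrypt, then MAC: MACs differ, and the modified ciphertext is rejected.
    pad1, ct1, mac1 = encrypt_then_mac(k2, msg)
    _, ct2, mac2 = encrypt_then_mac(k2, msg)
    hides_equality = ct1 != ct2 and mac1 != mac2
    accepted = receive(k2, pad1, ct1, mac1)
    rejected = receive(k2, pad1, xor(ct1, delta), mac1)
    return undetected, leaks_equality, hides_equality, accepted, rejected

if __name__ == "__main__":
    print(demo())
```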

Unix Password Hashing
Note that Unix passwords themselves are not stored
  The hash is stored
  The systems administrator of a Unix system can reset your password, but he/she is not lying to you when he
  .
To verify password:
  Allow user to input username and password
  Run cryptographic hash function on (password + salt)
  Look up user's entry in password (+ shadow) file
  If the hash value stored == the computed hash, then the password matches

Password Hashing
Instead of user password, store H(password)
  Sometimes H(salt, password)
When user enters password, compute its hash and compare with entry in password file
  System does not store actual passwords!
  Difficult to go from hash to password!
  Do you see why hashing is better than encryption here?
Hash function H must have some properties
  One-way: given H(password), hard to find password
  No known algorithm better than trial and error
  Is collision resistance needed? Not in general

UNIX Password System
Problem: passwords are not truly random
  With 52 upper- and lowercase letters, 10 digits 8 , quadrillion possible 8-character passwords
  Humans like to use dictionary words, human and pet names - 1 million common passwords

Dictionary Attack
If you can get hold of hashed passwords, so-called dictionary attacks are still possible because many passwords come from a small dictionary
  No salt: Attacker can precompute H(word) for every word in the dictionary - this only needs to be done once
  This is an offline attack
  Once password file is obtained, cracking is instantaneous
With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average

Salt
dbilar:fURxfg,4hLBX:14510:30:Daniel:/home/dbilar:/bin/bash
[Figure: /etc/passwd entry; the password field is labelled "salt (chosen randomly when password is first set)" and "hash(salt,pwd)"]
Users with the same password have different entries in the password file
Offline dictionary attack becomes much harder

Advantages of Salting
Without salt, attacker can precompute hashes of all dictionary words once for all password entries
  Same hash function on all UNIX machines; identical passwords hash to identical values
  One table of hash values works for all password files
With salt, attacker must compute hashes of all dictionary words once for each combination of salt value and password
  With 12-bit random salt, same password can hash to 4096 different hash values

Panacea Salted Passwords?
Sadly no because of human behavior. Password quality in terms of randomness is generally terrible
  Then: If universe of passwords is small, completely feasible to compute dictionary attacks of salted passwords
  H(salts,passwords), |salts|=2^12, |passwords|=|1000|
Jan 2010: Rockyou.com subject to SQL injection attack
  32.6 million passwords were exposed and posted online
  Nearly 50 percent of the passwords on the RockYou.com list contained names, slang words, dictionary words, or trivial combinations as passwords
  Most common password being '123456', followed by '12345', '123456789', 'Password', 'iloveyou', 'princess', 'rockyou', '1234567', '12345678', and 'abc123'
  Other vulnerable passwords included common names such as 'Jessica' and 'Ashley', or keyboard patterns such as 'Qwerty'
See http://www.thetechherald.com/article.php/201003/5124/Passwordproblemsbackinthespotlightthankstonewresearch
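
The salting slides and the "Panacea?" slide, as a password-file audit. This is an added example, not part of the original lecture: it shows that one precomputed table covers every unsalted entry, that the same table misses salted entries, and that a 12-bit salt only multiplies the table by 4096, which stays small when the passwords come from a short list. SHA-256 as H, the user names, the fixed salts and the function names are constructed for the illustration; the sample passwords are taken from the list above.

```python
import hashlib
import hmac
import secrets

SALT_BITS = 12  # salt size quoted on the slides: 4096 possible values

def H(salt: int, password: str) -> str:
    """Stand-in for the system's H(salt, password); SHA-256 is an assumption."""
    return hashlib.sha256(f"{salt:03x}${password}".encode()).hexdigest()

def new_entry(password: str, salt=None):
    """Password-file entry (salt, hash); the password itself is never stored."""
    if salt is None:
        salt = secrets.randbelow(2 ** SALT_BITS)
    return salt, H(salt, password)

def verify(entry, attempt: str) -> bool:
    """Login check: recompute H(salt, attempt) and compare in constant time."""
    salt, stored = entry
    return hmac.compare_digest(stored, H(salt, attempt))

def precompute(dictionary, salts):
    """Table of H(salt, word): |salts| * |dictionary| hash computations."""
    return {H(s, w): w for s in salts for w in dictionary}

def weak_accounts(passwd_file, table):
    """Accounts whose stored hash appears in a precomputed table."""
    return {u: table[h] for u, (_, h) in passwd_file.items() if h in table}

def demo():
    words = ["123456", "password", "iloveyou", "princess", "rockyou"]
    chosen = {"alice": "iloveyou", "bob": "iloveyou", "carol": "princess"}
    unsalted = {u: new_entry(p, salt=0) for u, p in chosen.items()}
    fixed = {"alice": 0x3A1, "bob": 0xC07, "carol": 0x15E}  # constructed salts
    salted = {u: new_entry(p, salt=fixed[u]) for u, p in chosen.items()}
    one_table = precompute(words, [0])                    # 5 hashes, reusable
    all_salts = precompute(words, range(2 ** SALT_BITS))  # 4096 * 5 hashes
    return {
        "same_entry_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_entry_salted": salted["alice"] == salted["bob"],
        "hit_unsalted": len(weak_accounts(unsalted, one_table)),
        "hit_salted_one_table": len(weak_accounts(salted, one_table)),
        "hit_salted_all_salts": len(weak_accounts(salted, all_salts)),
        "table_size": len(all_salts),
        "login_ok": verify(salted["alice"], "iloveyou"),
    }
```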

For next Tuesday
Review notes
On your computer, or in the computer labs on the third floor (login will be provided)
  Download VMWare player 3.1.1 at VMWare.com for your platform (Linux or Windows)
  Download NST VM 1.8.1 at nstvm1.8.1.zip
  Unzip NST and boot it in VMWare Player
  Instructions all here: http://www.vmware.com/appliances/directory/141/
We'll have a lab on Thursday, Sep. 9th using this