CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
Transcript of CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CSE331 Fall 2002 3
Recap
• Protocols
– Arbitrated: a third-party intermediary takes part in the protocol
– Adjudicated: a third party rules on validity afterwards
– Self-enforcing: no third party
• Today: Authentication
Authentication
• The process of determining which principal is making a request or statement.
• Humans
– Not good at calculating
– Bad memories
• Machines
– Good at calculating
– Good memories
• Thus: different engineering tradeoffs for authenticating humans and authenticating machines
Authenticating Humans: Foundations
• Authentication is based on one or more of the following:
• Something you know (e.g. a password)
• Something you have (e.g. a driver's license)
• Something inherent about you (e.g. your fingerprint or retinal pattern)
Password Vulnerabilities
• Writing them down
– Moves the problem to physical security
• Stolen passwords (via eavesdropping)
– Trojan Horse login prompts that capture what the user types
• Poor password choice
– Easy to guess vs. easy to remember
– People reuse the same password in multiple places
– Passwords changed infrequently
• Offline attacks
– Search through a password dictionary against a stolen copy of the password file
1979 Survey of 3,289 Passwords
• With no constraints on choice of password, Morris and Thompson got the following results:
– 15 were a single ASCII character.
– 72 were strings of two ASCII characters.
– 464 were strings of three ASCII characters.
– 477 were strings of four alphanumerics.
– 706 were five letters, all upper-case or all lower-case.
– 605 were six letters, all lower-case.
Heuristics for Guessing Attacks
• The dictionary with the words spelled backwards
• A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well.
• The above with initial upper-case letters.
• All valid license plate numbers in your state. (About 5 hours of work in 1979 for New Jersey.)
• Room numbers, social security numbers, telephone numbers, and the like.
What makes a good password?
• Password length
– 64 bits of randomness is hard to crack by exhaustive search.
– 64 bits is roughly 10 printable ASCII characters chosen uniformly at random (log2(95) ≈ 6.6 bits per character), or about 13 random lower-case alphanumerics (log2(36) ≈ 5.2 bits per character).
– But people can't remember random strings.
– Longer is not necessarily better: people write long passwords down.
• Pass phrases
– English text has roughly 1.3 bits of randomness per character.
– Thus about 50 characters of English text are needed for 64 bits.
– Hard to type without making mistakes!
• In practice
– Non-dictionary, mixed case, mixed alphanumeric
– Not too short (or too long)
Preventative Mechanisms
• Use a trusted path
– The secure attention sequence (CTRL+ALT+DEL on Windows) is intercepted by the operating system below any application, so a Trojan Horse program cannot fake the login prompt that follows it.
– Disallow remote authentication of users: users authenticate to their local machine, and machines authenticate to each other for remote access.
• Make on-line guessing attacks expensive
– Disconnect after 3 failed tries and wait 10 seconds before accepting another attempt.
– Slows automated guessing attacks to a crawl (it does not stop them, and a lockout that is too aggressive lets an attacker lock legitimate users out by deliberately failing their logins).
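The throttling rule above (disconnect after 3 failures, wait 10 seconds), as an added example that is not part of the lecture: a small verifier that enforces it, plus a simulated on-line dictionary attack so the cost to the attacker can be measured. The account list, word list, and the injected clock are constructed for the example; the cleartext password table is only for illustration, since the later slides explain why stored passwords must be hashed.

```python
"""Throttling on-line password guessing (added example, not lecture code)."""
import hmac

MAX_TRIES = 3           # failed attempts allowed before the verifier disconnects
LOCKOUT_SECONDS = 10.0  # wait imposed after MAX_TRIES failures (figure from the slide)


class FakeClock:
    """Injectable clock so the simulation runs instantly; a real system would
    use time.monotonic()."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ThrottledVerifier:
    """Disconnects after MAX_TRIES consecutive failures on an account and
    refuses any attempt on that account for LOCKOUT_SECONDS."""

    def __init__(self, users, clock):
        self._users = users          # constructed sample: {username: password}
        self._clock = clock
        self._failures = {}          # username -> consecutive failures
        self._locked_until = {}      # username -> time when attempts resume

    def login(self, user, password):
        now = self._clock()
        if now < self._locked_until.get(user, 0.0):
            return "locked"          # inside the wait: no password check at all
        expected = self._users.get(user, "")
        # constant-time comparison so timing does not leak how much matched
        ok = user in self._users and hmac.compare_digest(expected, password)
        if ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_TRIES:
            self._failures[user] = 0
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "disconnected"
        return "bad password"


def online_dictionary_attack(verifier, clock, user, wordlist):
    """Attacker tries each word in order and waits out every lockout.
    Returns (password found or None, simulated seconds elapsed)."""
    start = clock()
    for word in wordlist:
        result = verifier.login(user, word)
        while result == "locked":            # should not happen here, but be safe
            clock.advance(LOCKOUT_SECONDS)
            result = verifier.login(user, word)
        if result == "ok":
            return word, clock() - start
        if result == "disconnected":
            clock.advance(LOCKOUT_SECONDS)   # attacker must sit out the lockout
    return None, clock() - start


def guesses_per_hour():
    """Upper bound on guesses per hour against one account under this policy."""
    return int(3600 / LOCKOUT_SECONDS * MAX_TRIES)


if __name__ == "__main__":
    clock = FakeClock()
    words = ["123456", "password", "qwerty", "abc123", "monkey", "dragon", "letmein"]
    verifier = ThrottledVerifier({"bob": "letmein"}, clock)
    print(online_dictionary_attack(verifier, clock, "bob", words))
    print(guesses_per_hour(), "guesses/hour at most")
```

With a 10-second wait per 3 failures an attacker gets at most 1,080 guesses per hour per account, which is what makes an on-line dictionary search impractical; the same counter keyed by account name is also what an attacker can abuse to lock a victim out, so real deployments usually combine a short per-account delay with per-source-address limits rather than a hard lockout.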
Unix: /etc/passwd
• Passwords stored in a file system are vulnerable to automated attacks.
– At first Unix was implemented with a password file holding the actual (cleartext) passwords of users.
• This had many vulnerabilities:
– Copies were made by privileged users.
– Copies were made by bugs: the classic example posted the password file as the daily message file (message of the day).
– Physical access to backups exposed the file.
– Information from the password file needed to be replicated into many other files.
Preventing Off-line Attacks
• Hash the passwords and store only the hashed version.
• Take the password from the user, hash it, and compare with the password file entry.
• Problems
– Poor user selection of passwords (easy to guess): an attacker who obtains the file can hash a dictionary of likely passwords and compare the results with every entry.
– Users choose the same password, so identical hashes reveal which users share a password.
Improvements to First Approach
• Slower hashing: use the password as a key, then encrypt a constant with 25 iterations of the DES algorithm.
– Speed OK for legitimate users (one computation per login).
– Takes longer to do an automatic search (the attacker pays the same cost for every guess).
• Use a non-standard hash function
– A modified DES is not readily available in hardware, so off-the-shelf DES chips cannot speed up the search.
• Enforce password rules
– Makes the passwords harder to guess.
Add Salt
• "Salt" the passwords by adding random bits before hashing.
– Makes dictionary attacks more expensive: each dictionary word must be hashed once per distinct salt, so a single precomputed table of hashes no longer works against the whole file.
– Decreases the likelihood that two identical passwords will appear as identical entries in the password file.
• A 12-bit salt results in 4,096 versions of each password.
• /etc/passwd entry: user_u, salt_u, Hash(salt_u || passwd_u), …
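The scheme of the last three slides (hash instead of store, slow the hash down, salt it), as an added example rather than the lecture's or Unix's own code. PBKDF2-HMAC-SHA256 stands in for the 25-iteration DES of crypt(3); the entry format user:salt:hash, the two-byte salt, and the iteration count are choices made for this example. The dictionary attack at the end runs against a constructed password file and counts hash evaluations, which is what the salt multiplies.

```python
"""Salted, slowed password hashing and an off-line dictionary attack against it.
Added example; not the lecture's or any system's own code."""
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 2      # 16 bits here; classic crypt(3) used 12 bits (4,096 salts)
ITERATIONS = 1000   # the "slow hashing" knob: cost per guess for user and attacker alike


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash(salt || password), iterated: PBKDF2-HMAC-SHA256 in place of iterated DES."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """One password-file line, user:salt_hex:hash_hex (format chosen for this example)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return f"{user}:{salt.hex()}:{hash_password(password, salt).hex()}"


def parse_entry(entry: str):
    user, salt_hex, hash_hex = entry.split(":")
    return user, bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify(entry: str, candidate: str) -> bool:
    """Login check: hash the offered password under the stored salt and compare."""
    _, salt, stored = parse_entry(entry)
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def dictionary_attack(entries, wordlist):
    """Off-line attack on a stolen password file.
    Returns ({user: cracked_password}, number of hash evaluations performed).
    Users sharing a salt can be attacked with one hash per word; distinct salts
    force the attacker to re-hash every word for every salt."""
    by_salt = {}
    for entry in entries:
        user, salt, stored = parse_entry(entry)
        by_salt.setdefault(salt, []).append((user, stored))
    cracked, evaluations = {}, 0
    for salt, targets in by_salt.items():
        for word in wordlist:
            h = hash_password(word, salt)
            evaluations += 1
            for user, stored in targets:
                if h == stored:
                    cracked[user] = word
    return cracked, evaluations


if __name__ == "__main__":
    # constructed password file: alice and bob share a password, carol's is strong
    pwfile = [
        make_entry("alice", "password"),
        make_entry("bob", "password"),
        make_entry("carol", "correct horse battery staple"),
    ]
    print("\n".join(pwfile))
    print(dictionary_attack(pwfile, ["123456", "qwerty", "password", "letmein", "dragon"]))
```

Running the attack against the three constructed entries, the five-word list costs 15 evaluations because there are three salts, and would cost 5 if every entry used the same salt; with a 12-bit salt and a large file the attacker's work approaches 4,096 hashes per word, each as slow as the legitimate login. Note that salt does nothing about alice's and bob's weak choice of password, which is why the password rules of the previous slide are still needed.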
One Time Passwords
• Shared lists: both sides hold a list of passwords, each used once and then crossed off.
• Sequentially updated: each session establishes the password for the next one.
• One-time password sequences based on a one-way (hash) function.
• Used in practice: the S/Key mechanism.
Hash-based 1-time Passwords
• Alice identifies herself to verifier Bart using a well-known one-way hash function H.
• One-time setup.
– Alice chooses a secret w.
– Fixes a constant t for the number of times the authentication can be done.
– Alice securely transfers H^t(w) to Bart, where
H^t(w) = H(H(H…(H(w))…))   (H applied t times)
Hash-based 1-time Passwords
• Protocol actions. For session i (i = 1, …, t), claimant A does the following to identify itself:
– A computes w' = H^(t-i)(w) and transmits the value to B.
– B checks that i is the correct session (i.e. that the previous session was i-1) and checks whether H(w') = v, where v is the last value provided by A (as part of session i-1; for i = 1, v is the H^t(w) from the setup).
– B saves w' and i for use in the next session.
One-time passwords: ith authentication
• Alice does the following to identify herself:
– A computes w' = H^(t-i)(w) and transmits the value to B.
– B checks that i is the correct session (i.e. that the previous session was i-1) and checks whether H(w') = v, where v was the last value provided by A (as part of session i-1).
– B saves w' and i for use in the next session.

Alice (holds w and H)                              Bart (holds v = H^(t-i+1)(w) and H)
         -------- {A, i, H^(t-i)(w)} -------->
Why This 1-time Password Works
• It's hard to compute x from H(x): H must be preimage resistant.
– Even though an attacker gets to see H^(t-i)(w), they can't compute the next message H^(t-(i+1))(w); that would require inverting H once.
– Replaying H^(t-i)(w) fails too: Bart now expects a value that hashes to H^(t-i)(w), and H^(t-i)(w) hashes to H^(t-i+1)(w), not to itself.
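The hash chain from the last four slides, as an added example that is not the lecture's or S/Key's own code: SHA-256 plays the role of H, the secret w and chain length t are constructed values, and the verifier keeps exactly what the slides say Bart keeps, the last accepted value and the session counter. The replay and next-value checks at the bottom are the "why it works" slide in executable form.

```python
"""Hash-chain one-time passwords (S/Key idea). Added example, not lecture code."""
import hashlib
import os
from typing import Optional


def H(x: bytes) -> bytes:
    """The well-known one-way hash function of the slides (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def H_pow(x: bytes, n: int) -> bytes:
    """H^n(x): H applied n times, with H^0(x) = x."""
    for _ in range(n):
        x = H(x)
    return x


class Claimant:
    """Alice: holds the secret w and the chain length t."""

    def __init__(self, t: int, w: Optional[bytes] = None):
        self.w = os.urandom(32) if w is None else w
        self.t = t
        self.i = 0                       # sessions completed so far

    def setup_value(self) -> bytes:
        """H^t(w), transferred to the verifier once over a secure channel."""
        return H_pow(self.w, self.t)

    def next_password(self):
        """Session i sends H^(t-i)(w); after t sessions the chain is used up."""
        if self.i >= self.t:
            raise RuntimeError("chain exhausted: re-run setup with a fresh w")
        self.i += 1
        return self.i, H_pow(self.w, self.t - self.i)


class Verifier:
    """Bart: stores only the last accepted value v and the session counter."""

    def __init__(self, setup_value: bytes):
        self.v = setup_value             # initially H^t(w)
        self.i = 0

    def check(self, i: int, w_prime: bytes) -> bool:
        # the session number must be the next one, and H(w') must equal the stored v
        if i != self.i + 1 or H(w_prime) != self.v:
            return False
        self.v, self.i = w_prime, i      # remember w' for the next session
        return True


if __name__ == "__main__":
    alice = Claimant(t=5)
    bart = Verifier(alice.setup_value())
    for _ in range(5):
        i, pw = alice.next_password()
        print(f"session {i}: password {pw.hex()[:16]}... accepted={bart.check(i, pw)}")
```

Because each password is the preimage of the one before it, an eavesdropper who captured session i holds H^(t-i)(w) and would need to invert H to produce session i+1; sending the captured value again fails the H(w') = v test, since the verifier already replaced v with it. The last session sends H^0(w) = w itself, so the chain really is finished after t uses and setup must be repeated.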
Challenge-Response
• Background
– Random numbers (nonces)
– Sequence numbers
– Timestamps
• Symmetric keys
– With timestamps or random numbers
• MACs
• Asymmetric keys
– With encryption or signature
Replay
• Replay is the threat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender.
• Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in.
• There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.
Random Numbers
• A random number is a number chosen unpredictably in a range.
• In a challenge-response protocol they are used as follows.
– The verifier chooses a (new) random number and provides it to the claimant.
– The claimant performs an operation on it showing knowledge of a secret.
– This information is bound inseparably to the random number and returned to the verifier for examination.
– A timeout period is used to ensure "freshness": a response to an old challenge is not accepted.
Sequence Numbers
• Sequence numbers provide a sequential or monotonic counter on messages.
• If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded.
• Cannot detect forced delay: a message held back by an attacker and delivered later still carries the next expected number.
• Difficult to maintain when there are system failures: the last-seen counter must survive crashes on both sides.
Time Stamps
• The claimant sends a message with a timestamp.
• The verifier checks that it falls within an acceptance window of time.
• The last timestamp received is held, and identification requests with older timestamps are ignored.
• Good only if clock synchronization is close enough for acceptance window.
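The three anti-replay strategies named on the Replay slide and detailed on the Random Numbers, Sequence Numbers and Time Stamps slides, as one added example that is not the lecture's code. Each verifier checks a MAC (HMAC-SHA256 under a constructed shared key) so that the nonce, sequence number or timestamp is bound inseparably to the message, then applies its own freshness rule; the injected clock, the 5-second challenge timeout and the 30-second acceptance window are values chosen for the example.

```python
"""Replay defences: nonce challenge-response, sequence numbers, timestamps.
Added example, not lecture code; key and messages are constructed."""
import hashlib
import hmac
import os

KEY = b"constructed shared key"   # secret shared by claimant and verifier


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


class FakeClock:
    """Injectable clock so the example runs offline; use time.time() for real."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# --- 1. Random numbers (nonces): verifier challenges, claimant answers ------
class NonceVerifier:
    def __init__(self, clock, timeout=5.0):
        self._clock, self._timeout = clock, timeout
        self._outstanding = {}            # nonce -> time issued

    def challenge(self) -> bytes:
        nonce = os.urandom(16)            # new and unpredictable every time
        self._outstanding[nonce] = self._clock()
        return nonce

    def check(self, nonce: bytes, tag: bytes) -> bool:
        issued = self._outstanding.pop(nonce, None)   # each challenge usable once
        if issued is None or self._clock() - issued > self._timeout:
            return False                  # unknown, already used, or stale
        return hmac.compare_digest(tag, mac(b"resp|" + nonce))


def nonce_response(nonce: bytes) -> bytes:
    """Claimant proves the key and binds the proof to this challenge."""
    return mac(b"resp|" + nonce)


# --- 2. Sequence numbers: monotonic counter, old numbers discarded ----------
def seq_message(seq: int, payload: bytes):
    return seq, payload, mac(b"seq|" + seq.to_bytes(8, "big") + payload)


class SeqVerifier:
    def __init__(self):
        self._last = 0

    def check(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if seq <= self._last:             # old or too-small: a replay
            return False
        if not hmac.compare_digest(tag, mac(b"seq|" + seq.to_bytes(8, "big") + payload)):
            return False
        self._last = seq
        return True


# --- 3. Timestamps: acceptance window plus last-timestamp memory ------------
def ts_message(ts: float, payload: bytes):
    return ts, payload, mac(b"ts|" + repr(ts).encode() + payload)


class TimestampVerifier:
    def __init__(self, clock, window=30.0):
        self._clock, self._window = clock, window
        self._last_ts = float("-inf")

    def check(self, ts: float, payload: bytes, tag: bytes) -> bool:
        if abs(self._clock() - ts) > self._window:    # outside acceptance window
            return False
        if ts <= self._last_ts:                       # not newer than last seen: replay
            return False
        if not hmac.compare_digest(tag, mac(b"ts|" + repr(ts).encode() + payload)):
            return False
        self._last_ts = ts
        return True
```

The nonce scheme needs a round trip but no shared state beyond the outstanding challenges; sequence numbers need no round trip but a counter that survives failures on both sides; timestamps need neither, at the price of synchronized clocks, and a message older than the window can be rejected even when genuine. In all three the MAC is what stops an attacker from simply editing the nonce, counter or timestamp on a captured message.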