CS 465 PasswordS Last Updated: Nov 7, 2017.

Slides:



Advertisements
Similar presentations
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Advertisements

Password Cracking Lesson 10. Why crack passwords?
CSC 474 Information Systems Security
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Cryptography and Network Security Chapter 20 Intruders
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Strong Password Protocols
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
CIS 450 – Network Security Chapter 8 – Password Security.
File Protection Mechanisms  All-None Protection Lack of trustLack of trust All or nothingAll or nothing Timesharing issuesTimesharing issues ComplexityComplexity.
Lecture 11: Strong Passwords
Mark Shtern. Passwords are the most common authentication method They are inherently insecure.
Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
G53SEC 1 Authentication and Identification Who? What? Where?
Identification and Authentication CS432 - Security in Computing Copyright © 2005,2010 by Scott Orr and the Trustees of Indiana University.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
G53SEC 1 Authentication and Identification Who? What? Where?
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Chapter 1 – Introduction Part 4 1. Message Authentication Codes Allows for Alice and Bob to have data integrity, if they share a secret key. Given a message.
Lecture 5 User Authentication modified from slides of Lawrie Brown.
Encryption CS110: Computer Science and the Internet.
Authentication Lesson Introduction ●Understand the importance of authentication ●Learn how authentication can be implemented ●Understand threats to authentication.
King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1.
Password. On a Unix system without Shadow Suite, user information including passwords is stored in the /etc/passwd file. Each line in /etc/passwd is a.
SCSC 455 Computer Security Chapter 3 User Security.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Preventing MySQL Injection Sonja Parson COSC 5010 Security Presentation April 26, 2005.
CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection.
CIS 450 – Network Security Chapter 10 – UNIX Password Crackers.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Understanding Security Policies Lesson 3. Objectives.
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
Effective Password Management Neil Kownacki. Passwords we use today PINs, smartphone unlock codes, computer accounts, websites Passwords are used to protect.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
Understanding Security Policies
Identification and Authentication
Penetration Testing Offline Password Cracking
I have edited and added material.
Password Management Limit login attempts Encrypt your passwords
Authentication CSE 465 – Information Assurance Fall 2017 Adam Doupé
Password Cracking Lesson 10.
Authentication and Identification
IMAGE-BASED AUTHENTICATION
Strong Password Protocols
Strong Password Protocols
Unit 1.6 Systems security Lesson 2
Kiran Subramanyam Password Cracking 1.
Cyber Operation and Penetration Testing Online Password Cracking Cliff Zou University of Central Florida.
Strong Password Protocols
Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé
KERBEROS.
Exercise: Hashing, Password security, And File Integrity
Computer Security Authentication
Computer Security Protection in general purpose Operating Systems
Authentication CSE 365 – Information Assurance Fall 2019 Adam Doupé
Presentation transcript:

CS 465 PasswordS Last Updated: Nov 7, 2017

Goals Understand UNIX pw system How it works How to attack Understand Lamport’s hash and its vulnerabilities

History of UNIX passwords Originally the actual passwords were stored in a plaintext file “Excessively vulnerable to lapses in security” Improved approach used encryption to protect passwords Led to brute force/dictionary attacks

How to Attack Password Systems Guess the user’s password Online attack Attempt to login as the user would Offline attack Repeated guessing involving an encrypted form of the user’s password Shoulder surfing Users write down their passwords Users give away their passwords Phishing, social engineering

Problems with Passwords Users have too many passwords Encourages password reuse Leads to forgotten passwords Burdens users and administrators Attempts to increase password strength inconvenience users

Time estimates What is the maximum number of attempts to guess a password? Password length = 8 characters Assume password is alphanumeric (26+26+10) (26+26+10)8 = 628 How many attempts on average? Divide maximum number by 2 (this assumes brute force attack and passwords chosen randomly)

Unix Passwords

Unix Password File Original password file /etc/passwd was world readable Anyone could copy the file offline and perform a dictionary attack You could find sample files on Google courtesy of naïve system admins! Later, the encrypted password was moved to a shadow file /etc/shadow that required root privileges to access

The Unix Crypt Function Slower is better

Unix Password File Creation salt crypt(3)  username salt E(pwd, salt)

Verifying a Password crypt(3) Compare username password E(pwd, salt) Encrypted PW  Verifying a Password username salt E(pwd, salt) username password crypt(3) Compare E(pwd, salt)

Password Salts Why do Unix password files use a salt? Prevents the identification of identical passwords Provided each user has a different salt All password guesses are salt-specific Guess made with one salt aren’t helpful for another Increases the cost of offline attack to crack any password in the file Increases the size requirement for a pre-computed database of hashed passwords

Password Attacks with Salt How many guesses do password attacks need when a salt is used? Off-line attack – one attempt for each unique salt in the file How does the salt impact on-line attacks? It doesn’t How does the salt impact an attempt to crack a specific user’s password in the file? It doesn’t change the number of attempts, but it does increase the size of a pre-computed database of passwords or rainbow table

Password Hashing Schemes

Password Guessing Attacks Brute-force Dictionary Substitution password, passw0rd

Lamport’s Hash

Lamport’s Hash One time password scheme see http://lodestone.org/people/hoss/ops/node5.html BOB knows  n, hashn(password)  Compares hash(x) to hashn (password); If equal, replaces  hashn (password)  With  n-1, x  Alice Alice, pwd Alice’s Workstation Bob Alice n x = hashn-1 (pwd)

Attack on Lamport’s Hash Small n attack Active attacker intercepts servers reply message with n and changes it to a smaller value Attacker can easily manipulate the response (repeatedly) to impersonate Alice Eavesdropper captures Alice’s hashed reply and conducts off-line attack Replay Alice’s response to other servers where Alice may use the same password Thwart using salt at the server – server hashes pw || salt and sends n and the salt to Alice during login Salt also permits automatic password refresh when n reaches 1

Related articles (optional) The Curse of the Secret Question http://www.schneier.com/essay-081.html Sarah Palin Yahoo! account hacked http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=210602271 http://en.wikipedia.org/wiki/Sarah_Palin_email_hack Secret Questions Too Easily Answered http://www.technologyreview.com/web/22662/ Scientists claim GPUs make passwords worthless http://www.pcpro.co.uk/news/security/360313/scientists-claim-gpus-make-passwords-worthless How the Bible and Youtube are fueling the next frontier of password cracking http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/ 32 million passwords show most users careless about security http://arstechnica.com/security/2010/01/32-million-passwords-show-most-users-careless-about-security/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.