David Evans http://www.cs.virginia.edu/~evans Lecture 11: Authenticating Authentic Authenticaters Background just got here last week finished degree at MIT week before Philosophy of advising students don’t come to grad school to implement someone else’s idea can get paid more to do that in industry learn to be a researcher important part of that is deciding what problems and ideas are worth spending time on grad students should have their own project looking for students who can come up with their own ideas for research will take good students interested in things I’m interested in – systems, programming languages & compilers, security rest of talk – give you a flavor of the kinds of things I am interested in meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on CS551: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans

University of Virginia CS 551 Menu Unix Passwords SSH S-Key Won’t cover in lecture: PGP, SSL Due before midnight: Project Proposals 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Paco’s Talk There are real security companies that make money VeriSign ($40B market cap, $200M revenues last year, lost $479M) Check Point Software ($23B, $35M profit last quarter) RSA Security ($2B) (For reference: General Motors = $35B, Amazon.com = $12B) 17 November 2018 University of Virginia CS 551

Why look at specific systems? So I have lots of material for easy-to-grade multiple choice questions on your exams Because its important to know details of particular applications Because you want to attack someone maliciously 17 November 2018 University of Virginia CS 551

Why look at specific systems? To learn general principles of good and bad design To see issues that arise when mathematics are deployed in real world To have ideas and knowledge to draw from when you design systems 17 November 2018 University of Virginia CS 551

Early Password Schemes UserID Password algore internalcombustion clinton buddy georgew gorangers Login does direct password lookup and comparison. Login: algore Password: tipper Failed login. Guess again. 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Login Process Terminal Login: algore Password: internalcombustion login sends <“algore”, “internalcombustion”> Trusted Subsystem Eve 17 November 2018 University of Virginia CS 551

Authentication Problems Need to store the passwords somewhere – dangerous to rely on this being secure Encrypt them? But then, need to hide key Need to transmit password from user to host Use a secure line (i.e., no remote logins) Encrypt the transmission 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Encrypted Passwords UserID Password algore E (“internalcombustion”, 0) clinton E (“buddy”, 0) georgew E (“gorangers”, 0) Hmmm.... D (E (“buddy”, 0), 0) = “buddy” 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Encrypted Passwords UserID Password algore DES (0, “internalcombustion”) clinton DES (0, “buddy”) georgew DES (0, “gorangers”) Can you invert DES (0, k) without knowing k? 17 November 2018 University of Virginia CS 551

Encrypted Passwords Try 1 Terminal Login: algore Password: internalcombustion login sends <“algore”, DES(0, “internalcombustion”)> Trusted Subsystem Trusted subsystem compares to stored value. 17 November 2018 University of Virginia CS 551

Encrypted Passwords Try 2 Terminal Login: algore Password: internalcombustion login sends <“algore”, “internalcombustion”> Trusted Subsystem Trusted subsystem computed DES (0, “internalcombustion”) and compares to stored value. 17 November 2018 University of Virginia CS 551

First UNIX Password Scheme [Wilkes68] (recall DES was 1976) Encryption based on M-209 cipher machine (US Army WWII) Easy to invert unknown plaintext and known key, used password as key: Instead of E (password, 0) used E (0, password) (like with DES) PDP-11 could check all 5 or less letter lower-case passwords in 4 hours! 17 November 2018 University of Virginia CS 551

Making Brute Force Attacks Harder Use a slower encryption algorithm Switched to DES Even slower: run DES lots of times UNIX uses DES25 (0, password) Require longer passwords DES key is only 56 bits: only uses first 7.5 characters (ASCII) Brute force is unlikely to work with all possible 8-letter passwords and DES25 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Dictionary Attacks Try a list of common passwords All 1-4 letter words List of common (dog) names Words from dictionary Phone numbers, license plates All of the above in reverse Simple dictionary attacks retrieve most user-selected passwords 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 86% of users are dumb Single ASCII character 0.5% Two characters 2% Three characters 14% Four alphabetic letters Five same-case letters 21% Six lowercase letters 18% Words in dictionaries or names 15% Other (possibly good passwords) (Morris/Thompson 79) 17 November 2018 University of Virginia CS 551

Making Dictionary Attacks Harder Force/convince users to pick better passwords Test selected passwords against a known dictionary Enforce rules on non-alphabet characters, length, etc. 17 November 2018 University of Virginia CS 551

Problems with User Rules Users get annoyed If you require hard to remember passwords, users write them down Attackers know the password selection rules too – reduces search space! 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 True Anecdote One installation: machines generated random 8-letter passwords Used PDP-11 pseudo-random number generator with 215 possible values Time to try all possible passwords on PDP-11: One minute! Good news: at least people don’t have to remember the 8 random letters 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Everybody loves Buddy UserID Password algore DES25 (0, “internalcombustion”) clinton DES25 (0, “buddy”) georgew DES25 (0, “gorangers”) hillaryc 17 November 2018 University of Virginia CS 551

Salt of the Earth UserID Salt Password algore 12 (This is the standard UNIX password scheme.) Salt: 12 random bits UserID Salt Password algore 12 DES+25 (0, “internalcombustion”, 12) clinton 37 DES+25 (0, “buddy”, 37) georgew 9 DES+25 (0, “gorangers”, 9) hillaryc 53 DES+25 (0, “buddy”, 53) DES+ is DES except with salt-dependent E-tables. How much harder is the dictionary attack? 17 November 2018 University of Virginia CS 551

Security of UNIX Passwords Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest) Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988) L0ftcrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT) 17 November 2018 University of Virginia CS 551

What about Eve? Terminal login sends Trusted Subsystem Login: algore Password: internalcombustion login sends <“algore”, “internalcombustion”> Trusted Subsystem Eve Trusted subsystem computes DES+25 (0, “internalcombustion”, salt) and compares to stored value. 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 ssshhhhh.... Be very quiet so Eve can’t hear anything Encrypt the communication between the terminal and the server How? 17 November 2018 University of Virginia CS 551

Simplified SSH Protocol Terminal Login: evans Password: *********** login sends EKUmamba<“evans”, password> mamba.cs.virginia.edu Eve Can’t decrypt without KRmamba 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Actual SSH Protocol Client Server requests connection 1 KUS - server’s public host key KUt – server’s public key, changes every hour r – 256-bit random number generated by client KUS, KUt Compares to stored KUS 2 EKUS [EKUt [r]] || { IDEA | 3DES } 3 time All traffic encrypted using r and selected algorithm. Can do regular login (or something more complicated). 17 November 2018 University of Virginia CS 551

Comparing to stored KUS It better be stored securely PuTTY stores it in windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys) 17 November 2018 University of Virginia CS 551

Why Johnny Can’t Even Login SecureCRT Default choice! 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 “Usability in normal environments has been a major design concern from the beginning, and SSH attempts to make things as easy for normal users as possible while still maintaining a sufficient level of security.” Tatu Ylonen, SSH – Secure Login Connections over the Internet, June 1996. 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 ssh.com’s SSH 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 ssh Error 17 November 2018 University of Virginia CS 551

Why Johnny (von Neumann) Can’t Even Login A smart attacker just replaces the stored key in registry An ActiveX control can do this trivially No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy) Is there a solution? Exercise for reader (maybe a good midterm question?) 17 November 2018 University of Virginia CS 551

Recap – Authentication Problems Need to store the passwords somewhere – dangerous to rely on this being secure Need to transmit password from user to host Remaining problems: User’s pick bad passwords Even if everything is secure, can still watch victim type! Only have to mess up once 17 November 2018 University of Virginia CS 551

Solution – Don’t Reuse Passwords One-time passwords New users have to memorize a list of secure passwords and use one in turn for each login Host generates the list using cryptographic random numbers and stores it securely Users spend hours memorizing passwords...and better not forget one! 17 November 2018 University of Virginia CS 551

Challenge-Response Systems Ask a question, see if the answer is right Hard to make up questions only host and user can answer Question: x? Answer: f(x). What’s a good choice for f? E (x, key known to both) SecureID systems work like this 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 S-Key Alice picks random number R S-Key program generates f(R), f (f(R)), f (f ((f(R))), ... , f100(R). Alice prints out these numbers and stores somewhere secure Host stores f101(R). (Doesn’t need to be secure) 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 S/Key Login Alice enters f100(R). Host calculates f (f100(R)). Compares to stored f101(R). If they match, allows login and replaces old value with f100(R). Alice crosses off f100(R), enters f 99(R) next time. What is f? One-way function: given f(x) hard to find x. S/Key uses MD4 (not secure) 17 November 2018 University of Virginia CS 551

Authentication Strategies Summary Something you know Password Something you have SecureID Something you are Biometrics (voiceprint, fingerprint, etc.) Demonstration next Wednesday Decent authentication requires combination of at least 2 of these 17 November 2018 University of Virginia CS 551

University of Virginia CS 551 Charge If you are in the 86% with dumb passwords, change it! Don’t get a warm fuzzy feeling just because you use SSH Next time: Randomness, Digital Cash Read randomness papers PS3 due next Weds 17 November 2018 University of Virginia CS 551