Authentication attacks, causes and solutions Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems Fletcher Liverance, 16 April 2009

Sources Password-Based Authentication: Preventing Dictionary Attacks Password-Based Authentication: Preventing Dictionary Attacks Saikat Chakrabarti, University of Kentucky Saikat Chakrabarti, University of Kentucky Mukesh Singhal, University of Kentucky Mukesh Singhal, University of Kentucky Computer, IEEE CS Press, June 2007, pp Computer, IEEE CS Press, June 2007, pp SSL/TLS Session-Aware User Authentication SSL/TLS Session-Aware User Authentication Rolf Oppliger, eSECURITY Technologies Rolf Oppliger, eSECURITY Technologies Ralf Hauser, PrivaSphere AG Ralf Hauser, PrivaSphere AG David Basin, ETH Zurich David Basin, ETH Zurich Computer, IEEE CS Press, March 2008, pp Computer, IEEE CS Press, March 2008, pp

Overview What is authentication? What is authentication? Two common attacks Two common attacks Advanced password authentication protocols Advanced password authentication protocols Improvements in SSL/TLS Improvements in SSL/TLS Preventing future attacks Preventing future attacks

What is Authentication? Authentication is the binding of an identity to a subject Face Face Voice Voice Signature Signature Birth certificate Birth certificate Social security number Social security number ID card ID card Personal knowledge Personal knowledge Key Key Password Password Name Name Phone number Phone number

Impersonal Authentication How do you authenticate over a network? How do you authenticate over a network? No direct visual cues No direct visual cues No direct auditory cues No direct auditory cues No physical connection No physical connection Knowledge based authentication Knowledge based authentication Recreation of human authentication cues Recreation of human authentication cues Electronic IDs Electronic IDs

Dictionary Attack Online Online Repeated query of authentication server Repeated query of authentication server Slow Slow Easy to block Easy to block Offline Offline Repeated computation and comparison of password hash Repeated computation and comparison of password hash Faster Faster No interaction required No interaction required Top ten passwords: 1. (username) 2. (username) password passwd test 10. 1

Man in the Middle “a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.” RFC 2828 – Internet Security Glossary

Basic Password Authentication

Challenge/Response

EKE Protocol

Plaintext equivalence User and host must have access to the same secret password User and host must have access to the same secret password Attacker can intercept password hash as it is sent to server Attacker can intercept password hash as it is sent to server

Secure remote-password protocol

Behind the scenes Alice and Bob agree on finite field F(x) Alice and Bob agree on finite field F(x) Alice gives Bob verifier v = F(Hash(salt, password)) and salt. Alice gives Bob verifier v = F(Hash(salt, password)) and salt. Alice sends identity to Bob Alice sends identity to Bob Bob sends salt to Alice Bob sends salt to Alice Alice computes K-a = F(Rand-a) and x = Hash(s, pwd) Alice computes K-a = F(Rand-a) and x = Hash(s, pwd) Alice send K-a to Bob Alice send K-a to Bob Bob computes K-b = v + F(Rand-b) Bob computes K-b = v + F(Rand-b) Bob sends K-b and Rand-r to Alice Bob sends K-b and Rand-r to Alice Alice computes K-ab = Hash(K-b – F(Hash(salt, pwd))^(Rand-a + Rand-r*Hash(salt,pwd)) Alice computes K-ab = Hash(K-b – F(Hash(salt, pwd))^(Rand-a + Rand-r*Hash(salt,pwd)) Bob computes K-ab = Hash(Rand-b*Key-a*v^Rand-r) Bob computes K-ab = Hash(Rand-b*Key-a*v^Rand-r) Alice sends Cert-a to Bob Alice sends Cert-a to Bob Bob verifies Cert-a is correct Bob verifies Cert-a is correct Bob sends Cert-b to Alice Bob sends Cert-b to Alice Alice verifies Cert-b is correct Alice verifies Cert-b is correct

Alternative Solutions Delayed response Delayed response Account locking Account locking Extra computation Extra computation Reverse Turing Test Reverse Turing Test Captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart) Captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

SSL/TLS

SSL/TLS Issues Prone to man in the middle attack Prone to man in the middle attack Attacker intercepts server messages Attacker intercepts server messages Attacker replaces server certificate with its own Attacker replaces server certificate with its own Client encrypts all future transmissions using attacker’s certificate Client encrypts all future transmissions using attacker’s certificate “the naïve end user usually does SSL/TLS server authentication poorly if at all” “the naïve end user usually does SSL/TLS server authentication poorly if at all” “developers usually decouple SSL/TLS session establishment from user authentication” “developers usually decouple SSL/TLS session establishment from user authentication”

Preventing MITM attacks Enforce proper server authentication Enforce proper server authentication Uneducated users Uneducated users Forged certificates Forged certificates Click through Click through Complicated revocation policy Complicated revocation policy Complicated certificate verification tree Complicated certificate verification tree

TLS-SA Combine user authentication with SSL/TLS session establishment Combine user authentication with SSL/TLS session establishment Provide user authentication code (UAC) that depends on credentials and TLS session Provide user authentication code (UAC) that depends on credentials and TLS session Attacker can start session with user and host, but cannot forward messages between them Attacker can start session with user and host, but cannot forward messages between them

TLS-SA Implementation Normal TLS Normal TLS Client token generates session key based on hash of server cert Client token generates session key based on hash of server cert User enters password User enters password UAC is computed from session key and password and is transmitted to server UAC is computed from session key and password and is transmitted to server Server authenticates client at any time by requesting user ID, hash of server cert and the UAC. Server authenticates client at any time by requesting user ID, hash of server cert and the UAC.

A Formal Approach “protocols need more than heuristic arguments to provide security guarantees.” Provable security via the Standard model Provable security via the Standard model Uses complexity-theoretic hardness assumptions: Uses complexity-theoretic hardness assumptions: Factoring the product of large primes is hard Factoring the product of large primes is hard Computing the discrete logarithm is hard in certain large groups. Computing the discrete logarithm is hard in certain large groups. AES is a good pseudorandom permutation AES is a good pseudorandom permutation

A Formal Approach (cont.) The random oracle model The random oracle model “A public random function that takes any string as input and outputs n bits” “A public random function that takes any string as input and outputs n bits” Use heuristically secure algorithms such as SHA Use heuristically secure algorithms such as SHA The ideal-cipher model The ideal-cipher model A standard block cipher, with k-bit key and n-bit input, chosen uniformly from all block ciphers of this form. A standard block cipher, with k-bit key and n-bit input, chosen uniformly from all block ciphers of this form. Use pseudorandom permutations such as AES Use pseudorandom permutations such as AES

Q & A