Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt Bishop

Approaches: Password Selection Random selection Any password from A equally likely to be selected The expected time to find the password is highest when the selection of any set of possible passwords is equi-probable. Removal of short passwords Quality of pseudo-random number generator Short passwords possible – easy to find. Remove short passwords – reduce password-space! Computer Security: Art and Science ©2002-2004 Matt Bishop

Example of randomly generated passwords gone wrong A = { 8-bit composed of lower case alphabets and digits} Password space = (26 + 10)8 If it takes 0.00156 seconds per encryption(at that time), time to try all possible passwords is 140 years. A pseudo-random number generator is used to pick a random password. The total output of the PRN generator = 215 The total number of unique passwords is 215 It takes only 102 seconds to try all 215 passwords http://www.dang.se/texter/passwd.txt Password Security: A Case History Encryption Computing by Robert Morris and Ken Thompson PDP-11 processor – 16-bit Computer Security: Art and Science ©2002-2004 Matt Bishop

Human factors Can remember and repeat up to eight meaningful items One 8-char password Can remember Two 8-char passwords Write it down! On the monitor, on the keyboard, in the wallet Solution: Apply a transformation t to the written down password X to generate A i.e t: X->A e.g. “Capitalize the third letter in the word and append a 2 at the end” t is easy to remember Computer Security: Art and Science ©2002-2004 Matt Bishop

Pronounceable Passwords Compromise between random, un-memorizable passwords and writing passwords Generate phonemes randomly Phoneme is unit of sound, eg. cv, vc, cvc, vcv Examples: helgoret, juttelon are; przbqxdfl, zxrptglfn are not Problem: too few Solution: key crunching Use long keys(passwords) – sentence or phrase that has some meaning Run long key through hash function and convert to acceptable password sequence See paper: DES key crunching for safer cypher keys Use for systems where security is very important but where passwords cannot be changed often. Computer Security: Art and Science ©2002-2004 Matt Bishop

Key crunching DES key crunching for safer cypher keys by Lynn Grant MAC- Message Authentication Code Use password crunching, where logins are infrequent, but the consequences of data being compromised is high. Under normal circumstances, having to type long passwords would be irritating.

User Selection Problem: people pick easy to guess passwords Based on account names, user names, computer names, place names Dictionary words (also reversed, odd capitalizations, control characters, “elite-speak”, conjugations or declensions, swear words, Torah/Bible/Koran/… words) Too short, digits only, letters only License plates, acronyms, social security numbers Personal characteristics or foibles (pet names, nicknames, job characteristics, etc. Computer Security: Art and Science ©2002-2004 Matt Bishop

Computer Security: Art and Science ©2002-2004 Matt Bishop

Computer Security: Art and Science ©2002-2004 Matt Bishop

Picking Good Passwords “LlMm*2^Ap” Names of members of 2 families “OoHeO/FSK” Second letter of each word of length 4 or more in third line of third verse of Star-Spangled Banner, followed by “/”, followed by author’s initials What’s good here may be bad there “DMC/MHmh” bad at Dartmouth (“Dartmouth Medical Center/Mary Hitchcock memorial hospital”), ok here Why are these now bad passwords?  Francis scott key Computer Security: Art and Science ©2002-2004 Matt Bishop

Proactive Password Checking Analyze proposed password for “goodness” Always invoked Can detect, reject bad passwords for an appropriate definition of “bad” Discriminate on per-user, per-site basis Needs to do pattern matching on words Needs to execute subprograms and use results Spell checker, for example Easy to set up and integrate into password selection system Pattern: aaaaaaa Dictionary may not have waters – spell checker will catch it. Computer Security: Art and Science ©2002-2004 Matt Bishop

Example: 4.3 BSD UNIX “passwd” Advise users that passwords must be at least 5 characters long, or at least 6 if the consist of monocase letters. Error message asks user to use a longer password If the user enters the password 3 times, requirements are waived Fails almost all requirements Newer UNIX versions do require password aging, but other requirements are still not met. Computer Security: Art and Science ©2002-2004 Matt Bishop

Example: OPUS Goal: check passwords against large dictionaries quickly Run each word of dictionary through k different hash functions h1, …, hk producing values less than n Set bits h1, …, hk in OPUS dictionary To check new proposed word, generate bit vector and see if all corresponding bits set If so, word is in one of the dictionaries to some degree of probability If not, it is not in the dictionaries Vector of size n. Produce h1,…hk. Set bits h1,h2,..hk of the vector n. Does not satisfy 3, Computer Security: Art and Science ©2002-2004 Matt Bishop

Example: passwd+ Provides a “little language” to describe proactive checking test length(“$p”) < 6 If password under 6 characters, reject it test infile(“/usr/dict/words”, “$p”) If password in file /usr/dict/words, reject it test !inprog(“spell”, “$p”, “$p”) If password not in the output from program spell, given the password as input, reject it (because it’s a properly spelled word) Spell outputs any incorrectly spelled words. So, if the input word is not output, then it is correctly spelled and should therefore be rejected. Computer Security: Art and Science ©2002-2004 Matt Bishop

Computer Security: Art and Science ©2002-2004 Matt Bishop

Salting Goal: slow dictionary attacks Method: perturb hash function so that: Parameter controls which hash function is used Parameter differs for each password So given n password hashes, and therefore n salts, need to hash guess n All the methods seen previously, the goal was to thwart attempt to find one specific password. But, if the goal is to any password, then it is easier. Use “salting” to make it more difficult. Computer Security: Art and Science ©2002-2004 Matt Bishop

Guessing Through L Cannot prevent these Make them slow Otherwise, legitimate users cannot log in Make them slow Backoff eg. Exponential backoff (xn), arithmetic series (x, 2x, 3x …., nx) Disconnection After x number of attempts, the system will get disconnected and must reconnect Disabling After n unsuccessful attempts (security manager) Alerts security manager of potential threat Be very careful with administrative accounts! Jailing Allow in, but restrict activities Use of honeypots EB – wait for x^n seconds before displaying the login screen after the (n-1)th failure. Disconnection works well if the connection procedure is slow – like over a telephone network. Jailing – used in AT&T Bell labs Honeypots – bogus data – user will try to download – was used to capture someone who was hacking into Lawrence Berkely Lab. Lawrence invented the cyclotron! Computer Security: Art and Science ©2002-2004 Matt Bishop

Password Aging Hide F, A, and C. Or change before attacker discovers the correct value If a password can be determined in 180 days, then change password more frequently than every 180 days. Force users to change passwords after some time has expired How do you force users not to re-use passwords? Record (and disallow) previous n passwords Block changes for a period of time Give users time to think of good passwords Don’t force them to change before they can log in Warn them of expiration days in advance Record previous n passwords and not allow it – people will quickly change passwords n times and then revert to old password. So, force password not changing for some time – however, if password compromised cant change it either. Computer Security: Art and Science ©2002-2004 Matt Bishop

Authentication with password Alice says “I am Alice” and sends her secret password to “prove” it. “I’m Alice” Alice’s IP addr password Failure scenario?? OK Alice’s IP addr 8: Network Security

Authentication with password Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s IP addr Alice’s password “I’m Alice” playback attack: Trudy records Alice’s packet and later plays it back to Bob OK Alice’s IP addr “I’m Alice” Alice’s IP addr password 8: Network Security

Challenge-Response Reusable passwords can be “replay” attacked. User, system share a secret function f (in practice, f is a known function with unknown parameters, such as a cryptographic key) request to authenticate user system random message r (the challenge) user IFF in military – ID friend or foe system f(r) (the response) system Compute f(r) for comparison with received response user Computer Security: Art and Science ©2002-2004 Matt Bishop

Pass Algorithms Challenge-response with the function f itself a secret Example: Use in combination with a standard password scheme User enters password Display second login screen Challenge is a random string of characters such as “abcdefg”, “ageksido” Response is some function of that string such as “bdf”, “gkip” Only authorized users know how to respond to the challenge Can alter algorithm based on ancillary information Network connection is as above, dial-up might require “aceg”, “aesd” Computer Security: Art and Science ©2002-2004 Matt Bishop

One-Time Passwords Password that can be used exactly once After use, it is immediately invalidated Challenge-response mechanism Challenge is number of the authentication attempt; response is password for that particular number Problems Synchronization of user, system Generation of good random passwords Password distribution problem Computer Security: Art and Science ©2002-2004 Matt Bishop

h(k) = k1, h(k1) = k2, …, h(kn–1) = kn S/Key One-time password scheme based on idea of Lamport h one-way hash function (MD5 or SHA-1, for example) User chooses initial seed k System calculates: h(k) = k1, h(k1) = k2, …, h(kn–1) = kn Passwords are reverse order: p1 = kn, p2 = kn–1, …, pn–1 = k2, pn = k1 Computer Security: Art and Science ©2002-2004 Matt Bishop

S/Key Protocol System stores maximum number of authentications n, number of next authentication i, last correctly supplied password pi–1. { name } user system { i } user system If I = 2, then user will send p2. h(p2) = h(kn-1) = kn (which was sent previously). { pi } user system System computes h(pi) = h(kn–i+1) = kn–i = pi–1. If match with what is stored, system replaces pi–1 with pi and increments i. Computer Security: Art and Science ©2002-2004 Matt Bishop