Authentication
John C. Mitchell
Stanford University
CS 99j

Computer security
Computer security is concerned with the detection and prevention of unauthorized actions by users of a computer system.

Authentication
- Verify identity
  - Only allow authorized access
- Message authentication (different concept)
  - Confirm source and integrity of message
  - Message received is the same as message sent

Fundamental limitation
I am talking to Joe
I am talking to someone who has Joe’s
- Password
- Private key
- Thumbprint

Outline
- Password authentication
  - Unix password scheme
  - Dictionary attack
- Challenge-response mechanisms
- Authentication protocols
- Protocol analysis methods

Password authentication
- Basic idea
  - User has a secret password
  - System checks password to authenticate user
- Issues
  - How is password stored?
  - How does system check password?
  - How easy is it to guess a password?

Basic password scheme
[Diagram: User enters password "kiwifruit"; hash function; Password file with entries exrygbzyf, kgnosfix, ggjoklbsz, …]

Basic password scheme
- Hash function h : strings → strings
  - Given h(password), hard to find password
  - No known algorithm better than trial and error
- User password stored as h(password)
- When user enters password
  - System computes h(password)
  - Compares with entry in password file
- No passwords stored on disk

Unix password system
- Hash function is 25xDES
  - Number 25 was meant to make search slow
- Password file is publicly readable
  - Other information in password file …
- Any user can try “dictionary attack”
  - User looks at password file
  - Computes hash(word) for every word in dictionary
- “Salt” makes dictionary attack harder
  - Otherwise, compare hash(word) to all passwords

Salt [Belgers]
- Password line
    account:crypted-passwd:uid:gid:user-name:homedir:shell
    walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
- Checking with salt

Another password vulnerability

    #include <string.h>

    void check_passwd(char *name, char *passwd) {
        char buffer1[2];
        char buffer2[2];
        /* place password for name in buffer1 */
        /* no length check: a passwd longer than buffer2 overflows it */
        strcpy(buffer2, passwd);
        if (buffer1[0] == buffer2[0] && buffer1[1] == buffer2[1]) {
            /* allow login */
        } else {
            /* disallow login */
        }
    }

Extra Reading
- Find Phrack archives
  - Phrack 49, Volume Seven, Issue Forty-Nine
- Look for this article
  - Smashing The Stack For Fun And Profit, by Aleph One

Challenge-response
[Diagram: the system sends a Challenge (string) to the User; the User, who holds the Secret key, returns the Response f(key,string)]

Challenge-response authentication
- Challenge
  - System presents user with some string
- Response
  - User computes f(key,string)
- Authentication
  - Check property of f(key,string)
  - Secret data can stay secret: no password is sent
  - What kind of function will work?

Authentication protocols
- Many protocols to confirm identity
  - Clark-Jacob survey of 50 protocols
- Common use
  - Client and server confirm identity and agree on secret encryption key

Network connection
- TCP synchronize/acknowledgement
    Client -> Server : SYN
    Server -> Client : SYN-ACK
    Client -> Server : ACK
  sequence numbers omitted...

Needham-Schroeder Key Exchange
    A -> B : { A, Na } Kb
    B -> A : { Na, Nb } Ka
    A -> B : { Nb } Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

Anomaly in Needham-Schroeder
    A -> E : { A, Na } Ke
    E -> B : { A, Na } Kb
    B -> E : { Na, Nb } Ka
    E -> A : { Na, Nb } Ka
    A -> E : { Nb } Ke
Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B. [Lowe]

Repaired Needham-Schroeder Protocol
    A -> B : { A, Na } Kb
    B -> A : { Na, B, Nb } Ka
    A -> B : { Nb } Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

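The anomaly and the repair from the two slides above, replayed in a small symbolic model. This is an added example, not part of the original lecture: ciphertext { m } Kx is modelled as a tuple that only x can open, and the function names and the nonce strings "Na"/"Nb" are constructed for illustration.

```python
def enc(owner, *payload):
    """{payload}K_owner: symbolic public-key encryption."""
    return ("enc", owner, payload)

def dec(me, msg):
    """Open a ciphertext; only the holder of K_owner^-1 can."""
    tag, owner, payload = msg
    if tag != "enc" or owner != me:
        raise PermissionError(f"{me} cannot decrypt a message for {owner}")
    return payload

def run(repaired):
    """A honestly starts a session with E; E relays it to B posing as A.
    Returns (who B believes it authenticated, nonces E has learned)."""
    Na, Nb = "Na", "Nb"              # constructed nonces
    a_peer = "E"                     # the party A intends to talk to
    known_to_E = set()

    # A -> E : {A, Na}Ke
    sender, na = dec("E", enc(a_peer, "A", Na))
    known_to_E.add(na)
    # E -> B : {A, Na}Kb   (E re-encrypts A's message for B)
    claimed, na_b = dec("B", enc("B", sender, na))
    # B replies for A; E cannot open it and can only forward it to A
    if repaired:
        m2 = enc("A", na_b, "B", Nb)   # {Na, B, Nb}Ka
    else:
        m2 = enc("A", na_b, Nb)        # {Na, Nb}Ka
    fields = dec("A", m2)
    if fields[0] != Na:
        return None, known_to_E        # not a reply to A's nonce
    if repaired and fields[1] != a_peer:
        return None, known_to_E        # A aborts: reply names B, not E
    # A -> E : {Nb}Ke   (A believes Nb came from E)
    (nb_e,) = dec("E", enc(a_peer, fields[-1]))
    known_to_E.add(nb_e)
    # E -> B : {Nb}Kb   (B sees its own nonce and accepts)
    (nb_b,) = dec("B", enc("B", nb_e))
    return (claimed if nb_b == Nb else None), known_to_E

if __name__ == "__main__":
    print("original:", run(repaired=False))
    print("repaired:", run(repaired=True))
```

In the original protocol B ends up believing it authenticated A while E holds both nonces; with B's name inside message 2, A stops before releasing Nb.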
How do we know this is correct?
- Think a lot
- Ask smart people
- Systematic methods
  - Protocol logics
    - BAN, GNY, SvO, …
  - Model checking
    - Exhaustive testing of finite systems
  - Mathematical proof
    - Prove an abstract form of protocol is correct
    - Even with simplifications, requires computer assistance

Explicit Intruder Method
[Diagram labels: Informal Protocol Description; Formal Protocol; Intruder Model; Analysis Tool; "Gee whiz. Looks OK to me."]