Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function.

Slides:



Advertisements
Similar presentations
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Advertisements

Slide 1 Vitaly Shmatikov CS 378 Attacks on Authentication.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
7-1 Last time Protection in General-Purpose Operating Systems History Separation vs. Sharing Segmentation and Paging Access Control Matrix Access Control.
User Authentication and Password Management John Mitchell CS 142 Winter 2009.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Authentication John C. Mitchell Stanford University CS 99j.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication.
Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.
Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Authentication System
Outline User authentication
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Strong Password Protocols
1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
TRUST, Washington, D.C. Meeting January 9–10, 2006 Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets John Mitchell (Stanford)
CIS 450 – Network Security Chapter 8 – Password Security.
The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley.
Lecture 11: Strong Passwords
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
Passwords. Outline Objective Authentication How/Where Passwords are Used Why Password Development is Important Guidelines for Developing Passwords Summary.
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Ram Santhanam Application Level Attacks - Session Hijacking & Defences
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
 Access Control 1 Access Control  Access Control 2 Access Control Two parts to access control Authentication: Are you who you say you are? – Determine.
CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005 Verifier-Based Password-Authenticated Key Exchange Jeong.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
0 1 WHAT KEEPS USERS AWAY? 2 47% 46% 43% 39% 40% 50% 45% 34% 21% 15% 20% 19% 13% 26% 20% 12% I fear that my account information will be viewed by an unauthorized.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
+ Security. + What is network security? confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
Phishing & Pharming. 2 Oct to July 2005 APWG.
King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1.
COEN 351 Authentication. Authentication is based on What you know Passwords, Pins, Answers to questions, … What you have (Physical) keys, tokens, smart-card.
Web Server Design Week 12 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/31/10.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
Threshold password authentication against guessing attacks in Ad hoc networks ► Chai, Zhenchuan; Cao, Zhenfu; Lu, Rongxing ► Ad Hoc Networks Volume: 5,
Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
1 Web Technologies Website Publishing/Going Live! Copyright © Texas Education Agency, All rights reserved.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Strong Password Protocols, Firewalls
Strong Password Protocols
Strong Password Protocols
Password Authentication
Strong Password Protocols
Presentation transcript:

Password Authentication J. Mitchell CS 259

Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function

Basic password authentication uSetup User chooses password Hash of password stored in password file uAuthentication User logs into system, supplies password System computes hash, compares to file uAttacks Online dictionary attack –Guess passwords and try to log in Offline dictionary attack –Steal password file, try to find p with hash(p) in file

Dictionary Attack – some numbers uTypical password dictionary 1,000,000 entries of common passwords –people's names, common pet names, and ordinary words. Suppose you generate and analyze 10 guesses per second –This may be reasonable for a web site; offline is much faster Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average uIf passwords were random Assume six-character password –Upper- and lowercase letters, digits, 32 punctuation characters –689,869,781,056 password combinations. –Exhaustive search requires 1,093 years on average

Salt uUnix password line walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh 25x DES Input Salt Key Constant Plaintext Ciphertext Compare When password is set, salt is chosen randomly

Advantages of salt uWithout salt Same hash functions on all machines –Compute hash of all common strings once –Compare hash file with all known password files uWith salt One password hashed 2 12 different ways –Precompute hash file? Need much larger file to cover all common strings –Dictionary attack on known password file For each salt found in file, try all common strings

Web Authentication uProblems Network sniffing Malicious or weak-security website –Phishing –Common password problem –Pharming – DNS compromise Malware on client machine –Spyware –Session hijacking, fabricated transactions Browser Server password cookie next few slides

Password Phishing Problem uUser cannot reliably identify fake sites uCaptured password can be used at target site Bank A Fake Site pwd A

Common Password Problem uPhishing attack or break-in at site B reveals pwd at A Server-side solutions will not keep pwd safe Solution: Strengthen with client-side support Bank A low security site high security site pwd A pwd B = pwd A Site B

Defense: Password Hashing uGenerate a unique password per site HMAC fido:123 (banka.com)  Q7a+0ekEXb HMAC fido:123 (siteb.com)  OzX2+ICiqc uHashed password is not usable at any other site Protects against password phishing Protects against common password problem Bank A hash(pwd B, SiteB) hash(pwd A, BankA) Site B pwd A pwd B =

Defense: SpyBlock

Authentication agent communicates through browser agent Authentication agent communicates directly to web site

SpyBlock protection password in trusted client environment better password-based authentication protocols trusted environment confirms site transactions server support required

Goals for password protocol uAuthentication relies on password User can remember password, use anywhere No additional client-side certificates, etc. uProtect against attacks Network does not carry cleartext passwords Malicious user cannot do offline dictionary attack Malicious server (as in phishing) does not learn password from communication with honest user

Simple approach uSend hashed passwords uDoes this “work”? Good points? Bad points? Browser Server hash(pwd|0) hash(pwd|1)

“Interlock” password protocols (Set-up Phase) Password p known to both parties (Key Exchange Phase) A  B g x B  A g y k = g xy or some function of g xy (Authentication Phase) A  B mac k (p, r) for random r B  A mac k (p, s), enc k (s) for random s A  B enc k (r) [Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]

ESP-KE key exchange protocol Prime p and generators , β known Generate random a Generate random b A=  a / β P mod p B=  b mod p A B If A=0 Abort k = B a mod p k = (A β P ) b mod p M b =H(0,k,P) M b If H(0,k,P) ≠ M b Abort M a = H(1,k,P) M a If H(1,k,P) ≠ M a Abort [M Scott]

SRP protocol (Set-up Phase) Carol chooses password P Steve chooses s, computes x = H(s, P) and v = g x (Key Exchange Phase) C Bob looks up s, v x = H(s, P) s A = g a A B,u B = v + g b, random u S = (B - g x ) (a+ux) S = (Av u ) b M 1 = H(A,B,S) M 1 verify M 1 verify M 2 M 2 M 2 = H(A,M1,S) Key = H(S) [Wu]

CMU “Phoolproof” proposal uEliminates reliance on perfect user behavior uProtects against keyloggers, spyware. uUses a trusted mobile device to perform mutual authentication with the server password?