Authentication Chapter 11 Modified (heavily) by Dan Fleck Coming up: Basics 1111

Basics Authentication: binding of identity to subject Identity is that of external entity (my identity, Matt, etc.) Subject is computer entity (process, etc.) After login your identity is bound to everything you do! Coming up: Establishing Identity 2222

Establishing Identity One or more of the following What entity knows (eg. password) What entity has (eg. badge, smart card) What entity is (eg. fingerprints, retinal characteristics) Where entity is (eg. In front of a particular terminal) Coming up: Passwords 3333

Passwords Passwords are ubiquitous because they are simple and clear. Standard tradeoff between usability and security: Password must be 27 characters and use no words (huh??) A typical ruleset (from Chase bank): Must contain 7-32 characters Must include at least one number and one letter Cannot include special characters (&, %, *, etc.) Cannot be the same as your User ID Cannot be the same as any of the last five Passwords you’ve used Goal: Make it hard for computers to guess by making it random. Reality: its very hard to have a short password that a computer cannot guess Coming up: Possible Passwords 4444

Possible Passwords Possible options: Length of password (L) Possible characters (N) (letter = 26, upper/lower = 52, digits=+10, symbols=+33 (ASCII printable)) = 95 8 char password: 95^8 = 6,634,204,312,890,625 = e15 Entropy is e15 assuming all symbols equally likely! Coming up: Entropy in bits 5555

Entropy in bits H(x) is entropy in bits (how many bits it would take to represent that number of options) Example: 2 X =6.6342e15 X = bits Another way to think about it: Each symbol adds log 2 (95) bits We have 8 symbols, thus our entropy is: H = L (Log 2 N) = 8 ( Log 2 95 ) = 52.5 bits Research 1 has shown, lower bound on expected guesses E(G) is: Example: E(G) ≥ (1/4)*6.6342e = e15 Coming up: Password Guessing 1:

Password Guessing Recent password guessers can guess 2,800,000,000 passwords a second. Strength of our example: e15 / 2,800,000,000 = 592,340 seconds = 6.85 days How true is that? Entropy of a letter in English is –log 2 (1/26) letter is 4.7bits Are all letters equally probable? No! Computed entropy of the English language ranges from 2.77 bits to 1.3 bits because letters aren’t random. Is your password random? Coming up: Cracking 7777

Cracking Password tools use many methods to guess smarter Dictionaries Rulesets Is it more likely that the 1 st or 2 nd letter is capitalized? Where are numbers generally? Substituting numbers for letters is c0mm0n! Brute force – all possible guesses as a last resort How do passwords work? Lets see! Coming up: Simple Passwords 8888

Simple Passwords Most passwords today use secure one-way hashing Hash function F(P)  Q F – hash function P – plain text password Q – hashed password One way Q is stored on the computer P is provided by the user, hashed and compared to Q Secure Hash Functions goal is to NOT be reversible (MD5, SHA1, SHA3, etc…) Are they still subject to a guessing attack? Coming up: Recent Events 9999

Recent Events Yahoo's password leak: What you need to know (FAQ) (Mar 2012) – Plaintext leaked! (ouch!) Millions of LinkedIn passwords reportedly leaked online (June 6, 2012) – hashed passwords (still hurts) Nasdaq forum site hacked, passwords compromised (July 2013) – Unclear if hashed or not Ubuntu forums hacked, 1.8 million passwords and s compromised – Unclear if hashed or not Coming up: How hard is it to crack? 10

How hard is it to crack? Dec 2009 RockYou’s 18million passwords stolen in plaintext This started a revolution of password hacking because people could use real world passwords Password Cracking program + RockYou DB + some rulesets… lets try it: Take a password, hash it Crack it Src: Coming up: Demo of password cracking 11

Demo of password cracking Coming up: What can we do? 12

What can we do? Increase the time to check Not good at the algorithmic level -- when doing stream decryption want it to be fast Key stretching can be used User’s password is run through a stretching algorithm that makes it longer. The algorithm MUST take a long time ~1 second If we have an uncompromised server key stretching is simple and effective against guessing attacks! Only a problem when attacker has the hashed password Systems using this: PGP, GPG WPA, WPA2 in personal mode OpenSSL ‘passwd’, Apache.htpasswd One example algorithm: Coming up: What can we do? Ref: 13

What can we do? Add some Salt Append a random value to the password before hashing Store that random value (in plain text) with the password This does NOT make cracking a single password harder, but when cracking a group of passwords, it does. For example, the attacker typically computes the hash and checks for it anywhere in the list of hashed passwords. This fails with salt. Another form of salt is picking a different hashing algorithm per password and storing that choice with the hashed password Coming up: Other Authentication Types Ref: 14

Other Authentication Types Coming up: Challenge-Response 15

Challenge-Response Coming up: Pass Algorithms User, system share a secret function f (in practice, f is a known function with unknown parameters, such as a cryptographic key) user system request to authenticate user system random message r (the challenge) user system f(r) (the response) 16

Pass Algorithms Challenge-response with the function f itself a secret Example: Challenge is a random string of characters such as “ abcdefg ”, “ ageksido ” Response is some function of that string such as “ bdf ”, “ gkip ” Can alter algorithm based on ancillary information Network connection is as above, dial-up might require “ aceg ”, “ aesd ” Usually used in conjunction with fixed, reusable password Coming up: One-Time Passwords 17

One-Time Passwords Password that can be used exactly once After use, it is immediately invalidated Challenge-response mechanism Challenge is number of authentications; response is password for that particular number Problems Synchronization of user, system Generation of good random passwords Password distribution problem Coming up: S/Key 18

S/Key One-time password scheme based on idea of Lamport h one-way hash function (MD5 or SHA-1, for example) User chooses initial seed k – k must remain secret! System calculates: h(k) = k 1, h(k 1 ) = k 2, …, h(k n–1 ) = k n Passwords are reverse order: p 1 = k n, p 2 = k n–1, …, p n–1 = k 2, p n = k 1 Coming up: S/Key Protocol 19

S/Key Protocol Coming up: S/Key Protocol user system { name } user system { i } user system { p i } System stores maximum number of authentications n, number of next authentication i, last correctly supplied password p i–1. System computes h(p i ) = h(k n–i ) = k n–i+1 = p i–1. If match with what is stored, system replaces p i–1 with p i and increments i. 20

S/Key Protocol Coming up: Hardware Support System computes h(p i ) = h(k n–i ) = k n–i+1 = p i–1. If match with what is stored, system replaces p i–1 with p i and increments i H(x)h(k)h(k 1 )h(k 2 )h(k 3 ) Kk1k1 k2k2 k3k3 k4k4 Pp4p4 p3p3 p2p2 p1p1 Concretely for table and i=2 (all values in col X are equal): h(p 2 )=h(k 3 )=k 4 =p 1 21

Hardware Support Token-based Used to compute response to challenge May encipher or hash challenge May require PIN from user Temporally-based Every minute (or so) different number shown Computer knows what number to expect when User enters number and fixed password Coming up: C-R and Dictionary Attacks 22

C-R and Dictionary Attacks Same as for fixed passwords Attacker knows challenge r and response f(r); if f encryption function, can try different keys May only need to know form of response; attacker can tell if guess correct by looking to see if deciphered object is of right form Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations Coming up: Encrypted Key Exchange 23

Encrypted Key Exchange Defeats off-line dictionary attacks Idea: random challenges enciphered, so attacker cannot verify correct decipherment of challenge Assume Alice, Bob share secret password s In what follows, Alice needs to generate a random public key p and a corresponding private key q Also, k is a randomly generated session key, and R A and R B are random challenges Coming up: EKE Protocol 24

EKE Protocol Coming up: Biometrics Alice Bob Alice,E s (p) Alice Bob E s (E p (k)) Now Alice, Bob share a randomly generated secret session key k Alice Bob Ek(RA)Ek(RA) Alice Bob Ek(RARB)Ek(RARB) Alice Bob Ek(RB)Ek(RB) Steps used to stop replay attacks Steps used to generate session key 25

Biometrics Automated measurement of biological, behavioral features that identify a person Fingerprints: optical or electrical techniques Maps fingerprint into a graph, then compares with database Measurements imprecise, so approximate matching algorithms used Voices: speaker verification or recognition Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent) Recognition: checks content of answers (speaker independent) Coming up: Other Characteristics 26

Other Characteristics Can use several other characteristics Eyes: patterns in irises unique Measure patterns, determine if differences are random; or correlate images using statistical tests Faces: image, or specific characteristics like distance from nose to chin Lighting, view of face, other noise can hinder this Keystroke dynamics: believed to be unique Keystroke intervals, pressure, duration of stroke, where key is struck Statistical tests used Coming up: Cautions 27

Cautions These can be fooled! Assumes biometric device accurate in the environment it is being used in! Transmission of data to validator is tamperproof, correct Coming up: Multifactor Authentication 28

Multifactor Authentication Many systems now use multi-factor authentication User must present multiple things typically from different categories: What you know What you have What you are Examples? Coming up: Pluggable Authentication Modules (PAM) 29

Pluggable Authentication Modules (PAM) Idea: when program needs to authenticate, it checks central repository for methods to use Library call: pam_authenticate Accesses file with name of program in /etc/pam.d/ Modules do authentication checking binding (new): succeed immediately upon success, otherwise continue down the chain, but ultimately fail sufficient: succeed immediately if module succeeds required: fail if module fails, but all required modules executed before reporting failure requisite: like required, but don’t check all modules upon failure optional: invoke only, but result is ignored Coming up: Example PAM File 30

Example PAM File authsufficient/usr/lib/pam_ftp.so authrequired/usr/lib/pam_unix_auth.so use_first_pass authrequired/usr/lib/pam_listfile.so onerr=succeed \ item=user sense=deny file=/etc/ftpusers For ftp: 1.If user “ anonymous ”, return okay; if not, set PAM_AUTHTOK to password, PAM_RUSER to name, and fail 2.Now check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, fail 3.Now see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed Coming up: PAM Facilities 31

PAM Facilities PAM provides four facilities each with a chain for different things. Each is typically present in the /etc/pam.d/xyz file: auth – does the actual authentication of an applicant account – checks if authentication is allowed ( account not expired, time of day, server’s workload, etc…) session - after authentication runs chain for session setup / tear down password – chain used to change passwords Ref: essentials.html Coming up: PAM Test - Explain these 32

PAM Test - Explain these authrequiredserviceA authsufficientserviceB authrequiredserviceC versus authsufficientserviceB authrequiredserviceA authrequiredserviceC Coming up: Key Points 33

Key Points Authentication is not cryptography You have to consider system components Passwords are here to stay They provide a basis for most forms of authentication Authentication methods can be combined Example: PAM End of presentation 32 34