Lecture 11: Strong Passwords

Slides:



Advertisements
Similar presentations
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Advertisements

Chapter 10 Real world security protocols
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Chapter 9 Overview of Authentication System
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Authentication System
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Strong Password Protocols
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Chapter 2. Network Security Protocols
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
EMBEDDED SECURITY EEN 417 Fall /6/13, Dr. Eric Rozier, V1.0, ECE Thanks to Edward Lee and Sanjit Seshia of UC Berkeley.
Authentication (ch 9~12) IT443 – Network Security Administration 1.
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
Digital Signatures, Message Digest and Authentication Week-9.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Computer and Network Security - Message Digests, Kerberos, PKI –
King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1.
Key Management Network Systems Security Mort Anvari.
1 (Re)Introducing Strong Password Protocols Radia Perlman
1 Authentication Protocols Rocky K. C. Chang 9 March 2007.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
1 Example security systems n Kerberos n Secure shell.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
Security Handshake Pitfalls. Client Server Hello (K)
Web Applications Security Cryptography 1
Strong Password Protocols
Strong Password Protocols
Strong Password Protocols
Chapter 3 - Public-Key Cryptography & Authentication
AIT 682: Network and Systems Security
Presentation transcript:

Lecture 11: Strong Passwords problem statement Lamport’s hash encrypted key exchange (EKE) secure credentials download

Strong Password Protocols Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only in particular: no security information is kept at the user’s machine (the machine is trusted but not configured) someone impersonating either party will not be able to obtain information for off-line password guessing (online password guessing is not preventable)

Lamport’s Hash Bob stores <username, n, hn(password)>, n is a relatively large number, like 1000 Alice’s workstation sends hn-1(password) if successful, n is decremented, hn-1 replaces hn in Bob’s database Alice, password Alice Alice’s terminal n Alice Bob hn-1(password) why is sequence of hash transmissions reverse? because hash is one-way, if Trudy sees hn-1(password) she will not be able to find hn-2(password) trusted not trusted why is sequence of hash transmissions reverse? properties: safe against eavesdropping, database reading no authentication of Bob

Salting Lamport’s Hash hn-1(pwd|salt) is used for authentication salt is stored at Bob’s at setup time, Bob sends salt each time along with n advantages: Alice can use the same password with multiple servers, why? what may happen if two servers pick the same salt? to ensure that the salt is different, servers name is also hashed in easy password reset (when reaches 1) – just change the salt defense dictionary attacks how would Trudy mount a dictionary attack without the salt? Alice can use the same password with multiple servers, why? if servers use different salt the hashes look different what may happen if two servers pick the same salt? Trudy can remember the hash, and when she predicts that the second server ask for the same N she supplies the hash how would Trudy mount a dictionary attack without the salt? compiles hashes of all the words in the dictionary starting from 1000

Lamport’s Hash: Other Properties small n attack when Alice tries to login Trudy impersonates Bob and sends n’ < n and Bob’s salt, when Trudy gets the reply she can impersonate Alice after n is decremented to n’ defense: Alice’s workstation presents submitted n to Alice to verify the “approximate” range (Alice has to remember it) “human and paper” environment in case Alice workstation is not trusted or too “dumb” to do hashing Alice is given a list of all hashes starting from 1000, she uses each hash exactly once automatically prevents small n attack string size – 64 bits (~10 characters) is secure enough implemented as S/Key and standardized as one-time password system

Encryption-with-Password Protocols share weak secret W = f(pwd) “Alice” Alice Bob challenge C W{C} dictionary attack, how? from C & W{C} problems: dictionary attack, how? server database disclosure

share weak secret W = f(pwd) Enhanced with PKC: (EA&DA: per-session public/private key pair) Why not possible with secret key encryption? What is the weakness in this protocol? share weak secret W = f(pwd) “Alice”, W{EA} Alice Bob EA{C} W{C}

Encrypted Key Exchange (EKE) key establishment as well as authentication EA&DA: per-session public/private key pair KAB – symmetric session key one of the W{.} may possibly be removed. In that case, the non-encrypting side should not issue the first challenge, why? “Alice”, W{EA} W{EA{KAB}} KAB{CA} In that case, the non-encrypting side should not issue the first challenge, why? reflection attack Alice Bob KAB{CA, CB} KAB{CB}

Encrypted Key Exchange (EKE) what’s encrypted by weak key is ga, gb (which looks like a random number) – straightforward dictionary attack is impossible “Alice”, W{ga mod p} W{gb mod p, CA} can compute KAB = gab mod p Alice Bob KAB{CA, CB} KAB{CA}

Augmented EKE EKE vulnerable to database disclosure since Bob stores W in clear what’s the possible attack? defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash of it Bob stores: gW mod p Alice Bob “Alice”, ga mod p gb mod p, H(gab mod p, gbW mod p) H’(gab mod p, gbW mod p) what’s the possible attack? if Trudy steals Alice’s password from Bob, Trudy can impersonate Alice

Secure Credentials Download credential: Y – quantity used for authorization (to prove one’s identity) – something like a private key problem: download Alice’s credential to Alice’s workstation when Alice only knows her password “Alice”, W{ga mod p} what’s the possible attack? if Trudy steals Alice’s password from Bob, Trudy can impersonate Alice Alice Bob stores “Alice”, W, Y gb mod p, (gab mod p){Y}