CSC 382/582: Computer Security: Passwords

Slide #2: Topics
1. Password Systems
2. Password Cracking
3. Hashing and Salting
4. Password Selection
5. Graphical Passwords
6. One-time Passwords

Slide #3: Authentication System
A: set of authentication information
– information used by entities to prove identity
C: set of complementary information
– information stored by the system to validate A
F: set of complementation functions f: A → C
– generate C from A
L: set of authentication functions l: A × C → {T, F}
– verify identity
S: set of selection functions
– enable an entity to create or alter A or C

Slide #4: Password System Example
User authenticates with an 8-character alphanumeric password. The system compares it against the stored cleartext password.
A = [A-Za-z0-9]{8}
C = A
F = { I } (the identity function)
L = { = }
Not a system that anyone should actually use.

Slide #5: Passwords
What you know: a sequence of characters.
Complementation function:
– Identity: requires access control to protect C
– One-way hash: easy to compute c = f(a), difficult to compute a = f⁻¹(c)

Slide #6: Classic UNIX Passwords
Format: up to 8 ASCII characters
– A contains 6.9 x 10^16 possible passwords
– C contains crypt hashes: strings of length 13 chosen from an alphabet of 64 characters, 3.0 x 10^23 strings
Storage:
– /etc/passwd (mode 0644) was traditionally used
– /etc/shadow (mode 0600) in modern systems

Slide #7: Threats to Password Systems
Interception of passwords:
– Shoulder surfing
– Keylogging
– Network sniffing
Login spoofing:
– Phishing
Password guessing:
– Repeated trial-and-error logins
– Repeated trial-and-error hashing of passwords

Slide #8: Password Cracking
Attempt to discover passwords by:

    for each word in list
        if have hashed password:
            hash word
            if hashed password == hashed word
                you know a valid password
        else
            attempt to login with word
            if login successful
                you know a valid password
    end

Slide #9: Cracking Methods
1. List of common passwords
2. List of English/foreign words
3. Permutation rules
– Substitute numbers/symbols for letters
– Change case, pluralize, reverse words, character shifts, digit/symbol prefix/postfix, joining words
4. Brute force
– All possible passwords

Slide #10: Making Password Guessing Easier
Web sites will give you your password if you answer a simple “secret” question:
1. What is your favorite color?
2. What is your pet’s name?
3. What is your mother’s maiden name?
This is a violation of fail-safe defaults: a failover to a less secure protocol. How many favorite colors are there?

Slide #11: Countering Password Guessing
Choose a, c, and f to select a suitably low probability of successful guessing:
P(T) ≥ TG / N
– G is the number of guesses per time unit T
– T is the number of time units in the attack
– N is the number of possible passwords

Slide #12: Example
Password system:
– A = 96 characters
– System allows 10^4 guesses/second
– Requirement: the probability of a successful guess should be 0.5 over a 365-day period
What should the minimum password length be?
– N ≥ TG/P
– N ≥ (365 x 24 x 60 x 60) x 10^4 / 0.5 = 6.31 x 10^11
– Σ_{i=1..S} 96^i ≥ N = 6.31 x 10^11 is true when S ≥ 6
– The minimum required password length is 6.
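The slide's computation as reusable functions, an added example not from the original slides: required_password_space and min_password_length are names chosen here, and the second run in the test (10^9 guesses/second, an offline-cracking rate assumed for illustration) goes beyond the slide to show how the required length grows with the guess rate.

```python
"""Minimum password length from N >= T*G/P (slides #11-#12).
Added example, not from the original slides."""


def required_password_space(guesses_per_second: float, seconds: float,
                            success_probability: float) -> float:
    """N >= T*G/P: the number of possible passwords needed so that an
    attacker making G guesses/second for T seconds succeeds with
    probability at most P."""
    return seconds * guesses_per_second / success_probability


def min_password_length(alphabet_size: int, needed_space: float) -> int:
    """Smallest S with sum_{i=1..S} alphabet_size**i >= needed_space,
    i.e. counting every password of length 1 through S, as the slide does."""
    total = 0
    length = 0
    while total < needed_space:
        length += 1
        total += alphabet_size ** length
    return length


def slide_example() -> tuple[float, int]:
    """The slide's figures: 96-character alphabet, 10^4 guesses/s,
    a 365-day attack, and P = 0.5. Returns (N, minimum length)."""
    n = required_password_space(1e4, 365 * 24 * 60 * 60, 0.5)
    return n, min_password_length(96, n)


if __name__ == "__main__":
    n, s = slide_example()
    print(f"N >= {n:.3g}, minimum password length S = {s}")
    # Assumed offline rate of 10^9 guesses/s for comparison.
    fast = required_password_space(1e9, 365 * 24 * 60 * 60, 0.5)
    print(f"at 10^9 guesses/s: S = {min_password_length(96, fast)}")
```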

Slide #13: UNIX Password Hashing
crypt() function used for hashing:
– DES encrypts a 64-bit block of 0s (25 rounds) using your password as the key. The modified DES is incompatible with DES hardware cracking tools.
– Limited to 8 characters or less.
– If limited to 95 printable characters, only 2^53 possible passwords.
– How to resist dictionary attacks? Salting.

Slide #14: Salting
Adds 2 characters (12 bits) of random, public data to the password to create the key. Any word may be encrypted in 4096 possible ways (i.e., there are 4096 f ∈ F).
– Your password always uses the same salt.
– Someone else with the same password (a) probably has a different salt, and thus a different c = f(a).
Number of possible keys increased to 2^66
– Too small for today; modern UNIX doesn’t use crypt.

Slide #15: Salting (cont.)
Prevents pre-calculated dictionary attacks:
– 2^66 passwords requires millions of terabytes
crypt() computes 2^18 passwords/second
– Brute force would require 8000 machines for 48 days.
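Salted storage and verification in the A/C/F/L model of slides #14-#15, as an added example not from the original slides: SHA-256 stands in for crypt()'s modified DES, the 12-bit salt and 4096 variants are the slide's figures, and the word list is a constructed sample.

```python
"""Salting as on slides #14-#15: 12 bits of public random data per password
give 4096 complementation functions f in F. Added example, not from the
original slides; SHA-256 stands in for crypt()'s modified DES."""
import hashlib
import secrets

SALT_BITS = 12
SALT_VARIANTS = 2 ** SALT_BITS   # 4096 possible salts, so 4096 f in F


def complement(salt: int, password: str) -> str:
    """c = f_salt(a): the salt is mixed into the hash input; it is never secret."""
    data = salt.to_bytes(2, "big") + password.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def new_record(password: str) -> tuple[int, str]:
    """What the system stores: (salt, c). The password itself is not kept."""
    salt = secrets.randbelow(SALT_VARIANTS)
    return salt, complement(salt, password)


def verify(record: tuple[int, str], candidate: str) -> bool:
    """Authentication function l(a, c): recompute c with the stored salt."""
    salt, stored = record
    return secrets.compare_digest(stored, complement(salt, candidate))


def unsalted_table(words: list[str]) -> dict[str, str]:
    """A pre-computed dictionary built once without salt: hash -> word."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in words}


def table_hits(table: dict[str, str], records: list[tuple[int, str]]) -> int:
    """How many stored complements the unsalted table explains (none)."""
    return sum(1 for _, c in records if c in table)


def table_size_with_salt(words: list[str]) -> int:
    """A table that still works needs one entry per (word, salt) pair."""
    return len(words) * SALT_VARIANTS


if __name__ == "__main__":
    # Constructed sample: same password under two salts gives two complements.
    print(complement(0x123, "dragon") != complement(0x456, "dragon"))
    rec = new_record("dragon")
    print(verify(rec, "dragon"), verify(rec, "Dragon"))
    words = ["letmein", "password", "dragon", "qwerty"]
    print(table_hits(unsalted_table(words), [rec]), table_size_with_salt(words))
```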

Slide #16: Modern UNIX Passwords
Format: long ASCII string
Hashing techniques:
– MD5 (unlimited length, salted)
– SHA1 (unlimited length, salted)
– Bcrypt (55 chars, 128-bit salt, adjustable cost)

Slide #17: Windows 2000/XP Passwords
Storage:
– %systemroot%\system32\config\sam (locked while NT is running)
– %systemroot%\repair\sam_ backup file (may be accessible via remote registry calls)
Format:
– LAN Manager (LM) hash
– NT (MD4) hash

Slide #18: Windows LM Hash Algorithm
1. Password fitted to 14-character length by truncating or padding with 0s.
2. Password converted to upper case.
3. Password divided into two 7-byte halves.
4. Each half used as a DES key to encrypt the same 8-byte constant.
5. Resultant strings merged to form a 16-byte hash value.

Slide #19: Windows LM Hash Problems
Last 8 bytes of c are known if the password is < 7 characters (the second half is then entirely padding).
Dividing the password into halves reduces the problem of breaking a 14-character password to breaking two 7-character passwords.
Conversion to upper case reduces the character set.
A dictionary of password hashes can be prebuilt:
– Number of possible passwords is much smaller than the DES key space.
– No salt is used.

Slide #20: Windows NT Hash
Converts the password to Unicode, then MD4 hashes the result.
Caveat: often used in conjunction with the LM hash, which is required for backwards compatibility.
No salt: identical passwords generate identical hashes.

Slide #21: Password Selection
1. Random Selection
2. Pronounceable Passwords
3. User Selection

Slide #22: Random Selection
Yields an equal distribution of passwords for maximum difficulty in cracking
– What about short passwords?
Random passwords aren’t easy to remember
– Short-term memory holds 7 +/- 2 items
– People have multiple passwords
– Principle of Psychological Acceptability
Requires a good PRNG

Slide #23: Random Selection (Bad) Example
PDP-11 password generator
– 16-bit machine
– 8 upper-case letters and digits
– |P| = 36^8 = 2.8 x 10^12
– At 0.00156 sec/encryption, 140 years to brute force
PRNG had a period of 2^16 – 1
– Only 65,535 possible passwords
– Requires 102 seconds to try all passwords

Slide #24: Pronounceable Passwords
Generate passwords from random phonemes instead of random characters.
– People can remember a password as a sequence of audible phonemes instead of characters, allowing easy recall of longer passwords.
– Fewer pronounceable passwords exist than random passwords.

Slide #25: User Selection
Allow users to choose passwords. Reject insecure passwords based on a ruleset:
1. Based on account, user, or host names
2. Dictionary words
3. Permuted dictionary words
4. Patterns from the keyboard
5. Shorter than 6 characters
6. Digits-only, lowercase-only, or uppercase-only passwords
7. License plates or acronyms
8. Based on previously used passwords
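A checker that applies the slide's ruleset (rules 1 through 6 and 8), as an added example not from the original slides: DICTIONARY, KEYBOARD_ROWS and the LEET substitution table are constructed samples and assumptions, and rule 7 is left out because license plates and acronyms need data the example does not carry.

```python
"""Checker for the 'User Selection' ruleset on slide #25 (rules 1-6 and 8).
Added example, not from the original slides. The dictionary, keyboard rows
and leet-substitution table are small constructed samples/assumptions."""
import string
from typing import Optional

DICTIONARY = {"dragon", "password", "letmein", "monkey", "turtle"}  # constructed
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans("013457@$!", "oleastasi")   # assumed substitutions
MIN_LENGTH = 6


def normalize(password: str) -> str:
    """Undo the permutation rules of slide #9: case, digit/symbol
    prefix/postfix, and number/symbol-for-letter substitutions."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def keyboard_pattern(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys of one row (either direction) appear."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for text in (row, row[::-1]):
            if any(text[i:i + run] in low for i in range(len(text) - run + 1)):
                return True
    return False


def rejection_reason(password: str, account: str, host: str,
                     previous: list[str]) -> Optional[str]:
    """First violated rule, numbered as on the slide, or None if acceptable."""
    low = password.lower()
    for name in (account, host.split(".")[0]):
        if name and name.lower() in low:
            return "1: based on account, user, or host name"
    if low in DICTIONARY:
        return "2: dictionary word"
    word = normalize(password)
    if (word in DICTIONARY or word[::-1] in DICTIONARY
            or word.rstrip("s") in DICTIONARY):
        return "3: permuted dictionary word"
    if keyboard_pattern(password):
        return "4: keyboard pattern"
    if len(password) < MIN_LENGTH:
        return "5: shorter than 6 characters"
    classes = {"digit" if c.isdigit() else "lower" if c.islower()
               else "upper" if c.isupper() else "other" for c in password}
    if len(classes) == 1 and classes <= {"digit", "lower", "upper"}:
        return "6: digits, lowercase, or uppercase only"
    if any(p.lower() in low or low in p.lower() for p in previous if p):
        return "8: based on previously used password"
    return None
```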

Slide #26: Human Randomness?

Slide #27: Bad Passwords
letmein password dragon qwerty michael harley ranger iwantu xxxxxxx turtle united porsche guitar black diamond nascar jun amanda phoenix mickey tigers purple xmen94 aaaaaa prince beach amateur ncc1701 tennis startrek swimming kitty rainbox giants enter 0 cupcake marlboro newyork diablo sexsex access14 abgrtyu dragon123 applepie skip just4fun xcvb typewriter

Slide #28: How to Select Good Passwords
1. Long passwords, consisting of multiple words. Use the nth letter of each word if the phrase is too long.
2. Themes:
   1. Word combinations: 3 blind katz
   2. or URL:
   3. Phone number: (888) 888-eight eight
   4. Bracketing: Starfleet -> *!-Starfleet-!*
   5. Add a word: shopping -> Goin’ shopping
   6. Repetition: Pirate -> PirateShip
   7. Letter swapping: Sour Grape -> Gour Srape

Slide #29: Guessing via Authentication Functions
If the complements are not accessible, the attacker must use the authentication functions. This cannot be prevented, but the difficulty of an attack on the authentication function can be increased:
– Backoff: increasing wait before reprompting.
– Disconnection: disconnect after n failures.
– Disabling: disable the account after n failures.
– Jailing: permit access to a limited system, so admins can observe the attacker.

Slide #30: Password Aging
Requirement that a password be changed after a period of time or after an event has occurred. If the expected time to guess is 180 days, the password should be changed more frequently than every 180 days.
1. If the change time is too short, users have difficulty recalling passwords.
2. Cannot allow users to change the password to the current one.
3. Also prevent users from changing passwords too soon.
4. Give notice of the impending password change requirement.

Slide #31: Graphical Passwords
Face scheme: the password is a sequence of faces, each chosen from a grid of 9 faces.
Story scheme: the password is a sequence of images, each chosen from a grid of 9, to form a story.

Slide #32: Challenge-Response
Problem: passwords are reusable, and thus subject to replay attacks.
Solution: authenticate in such a way that the transmitted password changes each time.

Slide #33: One-Time Passwords
A password that is invalidated once used.
Challenge: number of the authentication attempt
Response: one-time password
Problems:
– Generation of one-time passwords: use a hash or cryptographic function
– Synchronization of the user and the system: number- or timestamp-based passwords

Slide #34: S/Key
One-time password system based on a hash function h (MD4 or MD5). User initializes with a random seed k. Key generator calculates:
h(k) = k_1, h(k_1) = k_2, …, h(k_{n-1}) = k_n
Passwords, in the order used, are:
p_1 = k_n, p_2 = k_{n-1}, …, p_{n-1} = k_2, p_n = k_1

Slide #35: S/Key
Attacker cannot derive p_{i+1} from p_i, since p_i = k_{n-i+1}, p_{i+1} = k_{n-i}, and h(k_{n-i}) = k_{n-i+1}: deriving p_{i+1} would require inverting h.
Once the user has used all passwords, S/Key must be re-initialized with a new seed.

Slide #36: S/Key Login
1. User supplies account name to server
2. Server replies with number i stored in the skeykeys file
3. User supplies corresponding password p_i
4. Server computes h(p_i) = h(k_{n-i+1}) = k_{n-i+2} = p_{i-1} and compares the result with the stored password. If they match, the user is authenticated, and S/Key updates the number in the skeykeys file to i-1 and stores p_i.

Slide #37: S/Key Login
Server prompt:

    FreeBSD/i386 (example.com) (ttypa)
    login: s/key 97 fw13894
    Password:

Use the S/Key calculator on the local system to calculate the response:

    % key 97 fw13894
    Enter secret password:
    WELD LIP ACTS ENDS ME HAAG
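The hash chain of slide #34 and the server-side check of slides #35-#37, as an added example not from the original slides or from S/Key itself: MD5 is used for h, the seed is a constructed sample, and the sequence number i is taken as the hash-iteration count shown at the prompt (97 in the session above), which is why it decrements after each login; S/Key's folding of the hash to 64 bits and its six-word encoding are omitted.

```python
"""S/Key one-time password chain and server-side check (slides #34-#37).
Added example, not from the original slides or the S/Key code. MD5 is h;
the seed is constructed. The 64-bit fold and six-word encoding are omitted."""
import hashlib


def h(x: bytes) -> bytes:
    """The one-way hash h of slide #34 (MD5, as the slide allows)."""
    return hashlib.md5(x).digest()


def chain(seed: bytes, n: int) -> list[bytes]:
    """k_1 = h(seed), k_2 = h(k_1), ..., k_n. Returned list has keys[i] == k_i
    and keys[0] == seed, so indices match the slide's notation."""
    keys = [seed]
    for _ in range(n):
        keys.append(h(keys[-1]))
    return keys


class SKeyServer:
    """Stores only the sequence number i and the last accepted password,
    never the seed. i is the hash-iteration count shown at the prompt
    ('s/key 97 fw13894'); the next password expected is k_i."""

    def __init__(self, n: int, k_n_plus_1: bytes):
        self.i = n                 # first password used is p_1 = k_n
        self.stored = k_n_plus_1   # h(k_n) = k_{n+1}, set at initialization

    def challenge(self) -> int:
        """Step 2 of slide #36: the number sent to the user."""
        return self.i

    def login(self, candidate: bytes) -> bool:
        """Step 4: accept iff h(candidate) == stored, then roll forward.
        A replayed password fails because h(k_i) != k_i."""
        if self.i < 1 or h(candidate) != self.stored:
            return False
        self.stored = candidate    # p_i becomes the stored complement
        self.i -= 1                # next login must present k_{i-1}
        return True


def demo() -> dict[str, bool]:
    """Two logins and one replay against a chain of length n = 5."""
    seed, n = b"fw13894:constructed-secret", 5      # constructed sample
    keys = chain(seed, n + 1)                        # k_1 .. k_{n+1}
    server = SKeyServer(n, keys[n + 1])
    first = server.login(keys[server.challenge()])   # p_1 = k_n
    replay = server.login(keys[n])                   # p_1 again: rejected
    second = server.login(keys[server.challenge()])  # p_2 = k_{n-1}
    return {"first": first, "replay_rejected": not replay, "second": second}
```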

Slide #38: Other One-Time Password Systems
Software: OPIE
– Backwards compatible with S/Key (if the same hash is used).
Hardware: RSA SecurID card
– Displayed password changes every 60 sec.
– Password = constant password + SecurID

Slide #39: Key Points
Good passwords need to be:
– Complex
– Unique
– Secret
– Changed on a regular basis
Stored passwords are secured via:
– Hashing (crypt, MD5, SHA1, bcrypt)
– Salting
One-time passwords offer greater security.

Slide #40: References
1. Ross Anderson, Security Engineering, Wiley.
2. Matt Bishop, Introduction to Computer Security, Addison-Wesley.
3. Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress.
4. Lorrie Faith Cranor and Simson Garfinkel, Security and Usability, O’Reilly.
5. Cynthia Kuo et al., “Human Selection of Mnemonic Phrase-based Passwords,” SOUPS 2006.
6. Niels Provos and David Mazières, “A Future-Adaptable Password Scheme.”
7. Ed Skoudis, Counter Hack Reloaded, Prentice Hall.
8. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e, O’Reilly, 2003.