King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan. 2009 Password Authentication1.

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Password-based Credentials Download Protocols Radia Perlman
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Public Key Algorithms …….. RAIT M. Chatterjee.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Authentication John C. Mitchell Stanford University CS 99j.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Authentication System
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
Strong Password Protocols
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Key Management and Diffie- Hellman Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther.
CIS 450 – Network Security Chapter 8 – Password Security.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Lecture 11: Strong Passwords
Authentication Key HMAC(MK, “auth”) Server Encryption Key HMAC(MK, “server_enc”) User Password Master Key (MK) Client Encryption Key HMAC(MK, “client_enc”)
December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.
Cryptography and Network Security (CS435) Part Eight (Key Management)
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
Kerberos Guilin Wang School of Computer Science 03 Dec
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
Key Management Network Systems Security Mort Anvari.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
1 (Re)Introducing Strong Password Protocols Radia Perlman
Implementing Secure IRC App with Elgamal By Hyungki Choi ID : Date :
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.
Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Security Handshake Pitfalls. Client Server Hello (K)
Tutorial on Creating Certificates SSH Kerberos
Secure Sockets Layer (SSL)
PPP – Point to Point Protocol
Tutorial on Creating Certificates SSH Kerberos
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Strong Password Protocols
Strong Password Protocols
Strong Password Protocols
Key Management Network Systems Security
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Presentation transcript:

King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1

Contents Local Authentication (User at a PC) User authentication over a network One time password Strong password authentication Prof. Reuven Aviv, Dec Password Authentication2

Prof. Reuven Aviv, Dec Password Authentication3 Local Authentication of User (Using passwords)

Prof. Reuven Aviv, Dec Password Authentication4 Password file User exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function User authentication on local PC

Prof. Reuven Aviv, Dec Password Authentication5 User authentication to local PC Setup –User chooses password –What is stored in the password file? Authentication –User logs into system, supplies password –PC computes hash, compares to file Dictionary attacks –Online: guess a password, try to log in –Offline: copy set of passwd files, guess passwds

Prof. Reuven Aviv, Dec Password Authentication6 Dictionary Attacks – some numbers Typical password dictionary: ???? entries –names, pet names, … ordinary words. Suppose you generate & analyze 10 guesses/sec –reasonable for online; offline is much faster –at most 100,000 sec = 28 hours; average 14 hrs BUT: If passwords were random –Assume six-character password –all possible printable chars: how many? 689,869,781,056 password combinations –Exhaustive search: 1,093 years on average

Prof. Reuven Aviv, Dec Password Authentication7 Authentication a User/Client Over a network Using Passwords

Prof. Reuven Aviv, Dec Password Authentication8 1. Simple password authentication over a network User sits at a PC; trustworthy Client software User and Authentication Server share password –W = hash(password) stored in server Authentication Server authenticates client How? Client sends Username, W = hash(password) –Server compare W with stored W What can an attacker do?

Prof. Reuven Aviv, Dec Password Authentication9 Attacks on simple password authentication 1. W might be sniffed by attacker, or 2. DB of Server stolen/copied by attacker, or 3. M.I.M : what is that? Server & User impersonated by attacker In all cases: attacker reveals W Then it does dictionary attack meaning? Try a password, then tries W = hash(password) –Compare with revealed W

Prof. Reuven Aviv, Dec Password Authentication10 Method 2: Passwd + Anonymous Diffie Hellman Client & Server create shared secret, K –Sides agree on g, p –Sides calculate random private keys a and b –Sides exchange g a modp, g b modp –Sides calculate K = g ab modp Client sends password encrypted by K why? Server decrypts password –Calculate its hash, compares with stored W

Prof. Reuven Aviv, Dec Password Authentication11 Method 2: Using Anonymous Diffie Hellman Client Server g a modp g b modp K = g ab modp Username, K{password} What can an attacker do?

Prof. Reuven Aviv, Dec Password Authentication12 Attacking method 2 K cannot be revealed by sniffing why not? Hence can’t find passwd by offline dictionary att. M.I.M: Attacker impersonates the Auth Server –Sending its DH parameters as if it is the Server –Hence reveal K how? –Then dictionary attack on K{ password} how? Try a password, then K{password}

Prof. Reuven Aviv, Dec Password Authentication13 Method 3: Passwd + Server’s certificate Server sends its Certificate to Client –Client verifies server’s certificate how? Client sends Username & EK U (passwd) –password encrypted by server pub. Key. Why? Server decrypts password, then: –Server calculate hash of password –compare with value stored in its database, W Note: Client needs a list of trusted CAs why?

Prof. Reuven Aviv, Dec Password Authentication14 Method 3 Client Server Certificate(Server, K U ) Username, EK U {password} What can an attacker do?

Prof. Reuven Aviv, Dec Password Authentication15 Attacking method 3: Attacker can sniff the encrypted password –then do an offline dictionary attack Try a password, then EK U {password} Since K U is known to attacker Attacker can steal/copy Server DB, reveal W –then do a offline dictionary attack Try a password, then W= hash(password) Attacker cannot do M.I.M why?

Prof. Reuven Aviv, Dec Password Authentication16 Method 4: Passwd + Challenge Response Server sends a random challenge, R, to client. Client gets password from User, calculates W Client encrypts R with f(W) as a key: f(W){R} –Using an agreed f(W) –Client sends Username and the f(W){R} Server calculates f(W), decrypts R –Compares with the value it sent

Prof. Reuven Aviv, Dec Password Authentication17 Method 4 Client Server R (random number) Username, f(W){R} What can an attacker do?

Prof. Reuven Aviv, Dec Password Authentication18 Attack method 4 Attacker might sniff –get both messages (R and f(W){R}) M.I.M: attacker impersonate the server In both cases, R is known to attacker –Password is found via dictionary attack Try a password, then W, then f(W){R}

Prof. Reuven Aviv, Dec Password Authentication19 One Time Password

Prof. Reuven Aviv, Dec Password Authentication20 Lamport Hash – One time password Fast, no encryption. Implemented (S/Key) sniffing or stealing server’s database does not enable impersonating the Client. User picks passwd, and n (≈1000 ) – registers at Server using its Client software: calculates hash n (passwd), sends to Server –Server DB: [Username, n, y = hash n (passwd)]

Prof. Reuven Aviv, Dec Password Authentication21 Lamport hash: authenticating User by Server User provides its Client: Username, passwd –Client sends Username, gets back current n – Client sends y n-1 = hash n-1 (passwd) Server: calculates hash(y n-1 ) (one more hash) –compares with y n in DB. if OK Client is authenticated –decrement n  n-1 –Replaces current y n by y n-1 = hash n-1 (passwd) –Can attacker calculate y n-1 from y n ?

Prof. Reuven Aviv, Dec Password Authentication22 Lamport Algorithm calculates Server knows [UserName, n, y n = hash n (passwd)] Compares hash(y n-1 ) to y n. If equal, replace record with new [UserName, n-1, y n-1 = hash n-1 (passwd)] Client User passwd Server User Name n y n-1 = hash n-1 (passwd) User Name

Prof. Reuven Aviv, Dec Password Authentication23 Dictionary attack on Lamport hash Is that possible? Attacker will need to try all powers of hash (up to some number) to all dictionary words as password Feasible. Why? Hashing is quite fast (unlike encryption) Note: if attacker knows y m, he knows y n, for n>m How can we increase the num of guesses?

Prof. Reuven Aviv, Dec Password Authentication24 Enhanced Lamport Hash: Salt User picks a passwd. Client creates extended password with random salt: Expass=passwd|salt Lamport algorithm is then used with Expass Dictionary attack now not feasible why not? Expass is any string, not a dictionary word User can use same passwd on different Servers –With different salts When n is 1, same passwd may be re-used for new registration, with different salt Who knows the salt?

Prof. Reuven Aviv, Dec Password Authentication25 Enhanced Lamport Algorithm calculates Client User Name Server User Name n y n-1 = hash n-1 (Expass) Server knows [UserName, n, y n = hash n (Expass)] Compares hash(y n-1 ) to y n. If equal, replace record with new [UserName, n-1, y n-1 = hash n-1 (Expass)] salt passwd

Prof. Reuven Aviv, Dec Password Authentication26 Analysis of Lamport hash scheme Data base at server can be stolen/copied –Similar to certificate database Server is not authenticated to client (i.e. No mutual authentication) –No shared secret was established so what? Data cannot be encrypted Attacker can impersonate User after Lamport authentication

Prof. Reuven Aviv, Dec Password Authentication27 Lamport authentication + session key 1. First Client is authenticated by Lamport hash –Now Diffie Hellman to establish session key –Attacker can replace client just in between 2. First Diffie hellman, get session key –Now Lamport hash to authenticate Client Lamport hash encrypted by session key –Attacker can get in the middle during D.H. What is the source of the problem?

Prof. Reuven Aviv, Dec Password Authentication28 Lamport hash: the small n attack Attacker impersonate Server, wait for client Client connects, expecting n –Attacker sends small m (and salt) –m is a guess by attacker, hoping it is smaller then the current real n –Attacker knows salt from previous sniffing Client sends hash m-1 (passwd) –attacker learns hash m-1 (passwd) Attacker now impersonate the client – he can calculate hash n (passwd) for any n>m-1

Prof. Reuven Aviv, Dec Password Authentication29 Using OTP (Lamport hash) in Internet cafe Assume PC does not calculate hash –The PC does not have the appropriate client –The PC is public, not trusted hash i (passwd), for all i<n stored in server –Also encoded by typeable strings –Strings printed on paper given to User before travel –User logs in: decrease n, send corresponding string, scrap that line from the paper –Small n attack not possible

Prof. Reuven Aviv, Dec Password Authentication30 Strong Password Protocols

Prof. Reuven Aviv, Dec Password Authentication31 Strong Password Protocols: Design goal Attacker who listens to authentication exchanges, or impersonating either end would not have enough information to do off-line verification of password guesses Observing any number of exchanges would not help the attacker Impersonating one end will be able to do a single on-line password guess –Unavoidable (Several on-line guess failures create an alarm)

Prof. Reuven Aviv, Dec Password Authentication32 Basic Form of Strong Password Protocol Encrypted Key Exchange (EKE) Client has passwd; Server has W= hash(passwd) 1. Do Diffie Hellman to get strong, shared secret –Each side calculates x, g x modp 2. Sides exchange their g x modp, encrypted by W 3. Incorporate challenge response together with the D.H. exchanges

Prof. Reuven Aviv, Dec Password Authentication33 EKE Protocol Client Server “UesrName”, W{g a modp} W{g b modp, C 1 } K = g ab modp K{C 1, C 2 } K{C 2 } Can an attacker guess W?

Prof. Reuven Aviv, Dec Password Authentication34 Attack on EKE 1. Attacker listens; tries to guess W offline –get random numbers; can’t identify the W 2. Attacker impersonates one side –can try 1 guess only; need to guess W and D.H. parameters. Extremely unlikely 3. Attacker steal/copy Server data base, gets W –Attacker do dictionary attack to find password Enhancement: make g(W) p(W) depend on W Server stores g W (modp), not W.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.