1. David Evans http://www.cs.virginia.edu/~evans
Lecture 11:
Authenticating Authentic Authenticaters
Background
just got here last week
finished degree at MIT week before
Philosophy of advising students
don’t come to grad school to implement someone else’s idea
can get paid more to do that in industry
learn to be a researcher
important part of that is deciding what problems and ideas are worth spending time on
grad students should have their own project
looking for students who can come up with their own ideas for research
will take good students interested in things I’m interested in – systems, programming languages & compilers, security
rest of talk – give you a flavor of the kinds of things I am interested in
meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on
CS551: Security and Privacy
University of Virginia
Computer Science
David Evans

2. University of Virginia CS 551
Menu
Unix Passwords
SSH
S-Key
Won’t cover in lecture: PGP, SSL
Due before midnight: Project Proposals
17 November 2018
University of Virginia CS 551

3. University of Virginia CS 551
Paco’s Talk
There are real security companies that make money
VeriSign ($40B market cap, $200M revenues last year, lost $479M)
Check Point Software ($23B, $35M profit last quarter)
RSA Security ($2B)
(For reference: General Motors = $35B, Amazon.com = $12B)
17 November 2018
University of Virginia CS 551

4. Why look at specific systems?
So I have lots of material for easy-to-grade multiple choice questions on your exams
Because its important to know details of particular applications
Because you want to attack someone maliciously
17 November 2018
University of Virginia CS 551

5. Why look at specific systems?
To learn general principles of good and bad design
To see issues that arise when mathematics are deployed in real world
To have ideas and knowledge to draw from when you design systems
17 November 2018
University of Virginia CS 551

6. Early Password Schemes
UserID
Password
algore
internalcombustion
clinton
buddy
georgew
gorangers
Login does direct password lookup and comparison.
Login: algore
Password: tipper
Failed login. Guess again.
17 November 2018
University of Virginia CS 551

7. University of Virginia CS 551
Login Process
Terminal
Login: algore
Password: internalcombustion
login sends
<“algore”, “internalcombustion”>
Trusted Subsystem
Eve
17 November 2018
University of Virginia CS 551

8. Authentication Problems
Need to store the passwords somewhere – dangerous to rely on this being secure
Encrypt them? But then, need to hide key
Need to transmit password from user to host
Use a secure line (i.e., no remote logins)
Encrypt the transmission
17 November 2018
University of Virginia CS 551

9. University of Virginia CS 551
Encrypted Passwords
UserID
Password
algore
E (“internalcombustion”, 0)
clinton
E (“buddy”, 0)
georgew
E (“gorangers”, 0)
Hmmm.... D (E (“buddy”, 0), 0) = “buddy”
17 November 2018
University of Virginia CS 551

10. University of Virginia CS 551
Encrypted Passwords
UserID
Password
algore
DES (0, “internalcombustion”)
clinton
DES (0, “buddy”)
georgew
DES (0, “gorangers”)
Can you invert DES (0, k) without knowing k?
17 November 2018
University of Virginia CS 551

11. Encrypted Passwords Try 1
Terminal
Login: algore
Password: internalcombustion
login sends
<“algore”,
DES(0, “internalcombustion”)>
Trusted Subsystem
Trusted subsystem compares to stored value.
17 November 2018
University of Virginia CS 551

12. Encrypted Passwords Try 2
Terminal
Login: algore
Password: internalcombustion
login sends
<“algore”, “internalcombustion”>
Trusted Subsystem
Trusted subsystem computed DES (0, “internalcombustion”) and compares to stored value.
17 November 2018
University of Virginia CS 551

13. First UNIX Password Scheme
[Wilkes68] (recall DES was 1976)
Encryption based on M-209 cipher machine (US Army WWII)
Easy to invert unknown plaintext and known key, used password as key:
Instead of E (password, 0) used
E (0, password) (like with DES)
PDP-11 could check all 5 or less letter lower-case passwords in 4 hours!
17 November 2018
University of Virginia CS 551

14. Making Brute Force Attacks Harder
Use a slower encryption algorithm
Switched to DES
Even slower: run DES lots of times
UNIX uses DES25 (0, password)
Require longer passwords
DES key is only 56 bits: only uses first 7.5 characters (ASCII)
Brute force is unlikely to work with all possible 8-letter passwords and DES25
17 November 2018
University of Virginia CS 551

15. University of Virginia CS 551
Dictionary Attacks
Try a list of common passwords
All 1-4 letter words
List of common (dog) names
Words from dictionary
Phone numbers, license plates
All of the above in reverse
Simple dictionary attacks retrieve most user-selected passwords
17 November 2018
University of Virginia CS 551

16. University of Virginia CS 551
86% of users are dumb
Single ASCII character
0.5%
Two characters 2%
Three characters
14%
Four alphabetic letters
Five same-case letters
21%
Six lowercase letters
18%
Words in dictionaries or names
15%
Other (possibly good passwords)
(Morris/Thompson 79)
17 November 2018
University of Virginia CS 551

17. Making Dictionary Attacks Harder
Force/convince users to pick better passwords
Test selected passwords against a known dictionary
Enforce rules on non-alphabet characters, length, etc.
17 November 2018
University of Virginia CS 551

18. Problems with User Rules
Users get annoyed
If you require hard to remember passwords, users write them down
Attackers know the password selection rules too – reduces search space!
17 November 2018
University of Virginia CS 551

19. University of Virginia CS 551
True Anecdote
One installation: machines generated random 8-letter passwords
Used PDP-11 pseudo-random number generator with 215 possible values
Time to try all possible passwords on PDP-11: One minute!
Good news: at least people don’t have to remember the 8 random letters
17 November 2018
University of Virginia CS 551

20. University of Virginia CS 551
Everybody loves Buddy
UserID
Password
algore
DES25 (0, “internalcombustion”)
clinton
DES25 (0, “buddy”)
georgew
DES25 (0, “gorangers”)
hillaryc
17 November 2018
University of Virginia CS 551

21. Salt of the Earth UserID Salt Password algore 12
(This is the standard UNIX password scheme.)
Salt: 12 random bits
UserID
Salt
Password
algore 12
DES+25 (0, “internalcombustion”, 12)
clinton 37
DES+25 (0, “buddy”, 37)
georgew 9
DES+25 (0, “gorangers”, 9)
hillaryc 53
DES+25 (0, “buddy”, 53)
DES+ is DES except with salt-dependent E-tables.
How much harder is the dictionary attack?
17 November 2018
University of Virginia CS 551

22. Security of UNIX Passwords
Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest)
Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988)
L0ftcrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT)
17 November 2018
University of Virginia CS 551

23. What about Eve? Terminal login sends Trusted Subsystem
Login: algore
Password: internalcombustion
login sends
<“algore”, “internalcombustion”>
Trusted Subsystem
Eve
Trusted subsystem computes
DES+25 (0, “internalcombustion”, salt) and compares to stored value.
17 November 2018
University of Virginia CS 551

24. University of Virginia CS 551
ssshhhhh....
Be very quiet so Eve can’t hear anything
Encrypt the communication between the terminal and the server
How?
17 November 2018
University of Virginia CS 551

25. Simplified SSH Protocol
Terminal
Login: evans
Password: ***********
login sends
EKUmamba<“evans”, password>
mamba.cs.virginia.edu
Eve
Can’t decrypt without KRmamba
17 November 2018
University of Virginia CS 551

26. University of Virginia CS 551
Actual SSH Protocol
Client
Server
requests connection 1
KUS - server’s
public host key
KUt – server’s
public key,
changes every
hour
r – 256-bit
random number
generated by
client
KUS, KUt
Compares
to stored KUS 2
EKUS [EKUt [r]]
|| { IDEA | 3DES } 3
time
All traffic encrypted using r and selected algorithm. Can do regular login (or something more complicated).
17 November 2018
University of Virginia CS 551

27. Comparing to stored KUS
It better be stored securely
PuTTY stores it in windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys)
17 November 2018
University of Virginia CS 551

28. Why Johnny Can’t Even Login
SecureCRT
Default choice!
17 November 2018
University of Virginia CS 551

29. University of Virginia CS 551
“Usability in normal environments has been a major design concern from the beginning, and SSH attempts to make things as easy for normal users as possible while still maintaining a sufficient level of security.”
Tatu Ylonen, SSH – Secure Login Connections over the Internet,
June 1996.
17 November 2018
University of Virginia CS 551

30. University of Virginia CS 551
ssh.com’s SSH
17 November 2018
University of Virginia CS 551

31. University of Virginia CS 551
ssh Error
17 November 2018
University of Virginia CS 551

32. Why Johnny (von Neumann) Can’t Even Login
A smart attacker just replaces the stored key in registry
An ActiveX control can do this trivially
No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy)
Is there a solution?
Exercise for reader (maybe a good midterm question?)
17 November 2018
University of Virginia CS 551

33. Recap – Authentication Problems
Need to store the passwords somewhere – dangerous to rely on this being secure
Need to transmit password from user to host
Remaining problems:
User’s pick bad passwords
Even if everything is secure, can still watch victim type!
Only have to mess up once
17 November 2018
University of Virginia CS 551

34. Solution – Don’t Reuse Passwords
One-time passwords
New users have to memorize a list of secure passwords and use one in turn for each login
Host generates the list using cryptographic random numbers and stores it securely
Users spend hours memorizing passwords...and better not forget one!
17 November 2018
University of Virginia CS 551

35. Challenge-Response Systems
Ask a question, see if the answer is right
Hard to make up questions only host and user can answer
Question: x? Answer: f(x).
What’s a good choice for f?
E (x, key known to both)
SecureID systems work like this
17 November 2018
University of Virginia CS 551

36. University of Virginia CS 551
S-Key
Alice picks random number R
S-Key program generates f(R), f (f(R)), f (f ((f(R))), ... , f100(R).
Alice prints out these numbers and stores somewhere secure
Host stores f101(R). (Doesn’t need to be secure)
17 November 2018
University of Virginia CS 551

37. University of Virginia CS 551
S/Key Login
Alice enters f100(R).
Host calculates f (f100(R)).
Compares to stored f101(R). If they match, allows login and replaces old value with f100(R).
Alice crosses off f100(R), enters f 99(R) next time.
What is f?
One-way function: given f(x) hard to find x.
S/Key uses MD4 (not secure)
17 November 2018
University of Virginia CS 551

38. Authentication Strategies Summary
Something you know
Password
Something you have
SecureID
Something you are
Biometrics (voiceprint, fingerprint, etc.)
Demonstration next Wednesday
Decent authentication requires combination of at least 2 of these
17 November 2018
University of Virginia CS 551

39. University of Virginia CS 551
Charge
If you are in the 86% with dumb passwords, change it!
Don’t get a warm fuzzy feeling just because you use SSH
Next time: Randomness, Digital Cash
Read randomness papers
PS3 due next Weds
17 November 2018
University of Virginia CS 551