Presentation is loading. Please wait.

Presentation is loading. Please wait.

Time Passes, Security Changes… Christian Huitema Monday, August 1, 2005 IETF, Application Area Meeting.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Time Passes, Security Changes… Christian Huitema Monday, August 1, 2005 IETF, Application Area Meeting."— Presentation transcript:

1 Time Passes, Security Changes… Christian Huitema Monday, August 1, 2005 IETF, Application Area Meeting

2 It takes less than 1 μs to compute an MD5 checksum on this presenter’s laptop

3 Dictionary attacks How many guesses before the observer can crack the challenge? –1,000,000 ? –10,000,000? Do you trust users to generate “good enough” passwords? ClientServer challenge Response = name + hash (challenge, password) Observer Dictionary +

4 A “zombie” PC is rumored to rent for $0.10 per week on the underground market

5 How much does a crack cost? bitsCost simple password24< $0.00 strong password32< $0.01 pass phrase40< $0.20 7 random characters47< $50.00 8 random characters54< $5,000.00 64 bits random64> $3,000,000

6 Are passwords obsolete? Basic rules: –If it is generated by the user, it can certainly be cracked –If it can be remembered by the user, it can probably be cracked Exception: –If the password is exchanged over a protected connection (SSL, TLS, IPSEC) –If the challenge/response mechanism is designed to resist dictionary attacks

7 The average user will happily connect to a “free Internet” hotspot

8 Man in the middle attacks Intercept DNS requests Insert a proxy Listen to the data –Names, –Addresses, –Passwords, –Challenges Hijack connections SPAM, Ads, Buffer overflows Client AP Mock DNS Server Proxy

9 The practice of “hiding the SSID” facilitates the “evil twin” attack against Wi-Fi

10 The “evil twin” attack “Rogue” APClient Beacon: No Name Probe: example.net ? Answer: yes indeed ! Let’s get connected For user convenience, systems try to automatically connect to the “hidden home network”

11 Evil twin reaps interesting rewards Exploit automatic connection –Upon a connectivity indication, many systems will automatically “fetch mail”, “empty the outbox”, “synchronize”… Automatic “man in the middle” attack –Register names, passwords –Store challenge for off-line crack Quick and silent –Disconnect after a few seconds –Hardly any notification to the user

12 Times have changed, old security practices must be revised

13 Recommendations Don’t rely on challenge-response –Hardly better than clear-text password! Identify the server –Prevent man-in-the-middle attacks –Beware of PKI tricks! Encrypt the session –Protect the identity exchange –Prevent session hijacking Use secure framework –IPSEC, SSL, secure RPC, Web Services…

Download ppt "Time Passes, Security Changes… Christian Huitema Monday, August 1, 2005 IETF, Application Area Meeting."

Similar presentations

1 Password-based authenticated key exchange Ravi Sandhu.

1 Password-based authenticated key exchange Ravi Sandhu.
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Secure Mobile IP Communication

Secure Mobile IP Communication
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
OPSEC Awareness Briefing Man-In-The-Middle Attacks (MITM)

OPSEC Awareness Briefing Man-In-The-Middle Attacks (MITM)
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Georgy Melamed Eran Stiller

Georgy Melamed Eran Stiller
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Similar presentations

Ads by Google