Password Authentication, J. Mitchell, CS 259 (slide transcript)

1 Password Authentication (J. Mitchell, CS 259)

2 Password file
  [Figure: the password file maps each user to the hash of that user's password (e.g. exrygbzyf, kgnosfix, ggjoklbsz, ...); the password kiwifruit is shown passing through the hash function before it is stored]

3 Basic password authentication
  - Setup
    - User chooses password
    - Hash of password stored in password file
  - Authentication
    - User logs into system, supplies password
    - System computes hash, compares to file
  - Attacks
    - Online dictionary attack: guess passwords and try to log in
    - Offline dictionary attack: steal password file, try to find p with hash(p) in file

4 Dictionary attack: some numbers
  - Typical password dictionary
    - 1,000,000 entries of common passwords: people's names, common pet names, and ordinary words
    - Suppose you generate and analyze 10 guesses per second (this may be reasonable for a web site; offline is much faster)
    - Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
  - If passwords were random
    - Assume six-character password: upper- and lowercase letters, digits, 32 punctuation characters
    - 689,869,781,056 password combinations
    - Exhaustive search requires 1,093 years on average

5 Salt
  - Unix password line: walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
  - [Figure: 25x DES with inputs Salt and Key, applied to a constant Plaintext; the resulting Ciphertext is Compared with the stored value]
  - When password is set, salt is chosen randomly

6 Advantages of salt
  - Without salt
    - Same hash functions on all machines
    - Compute hash of all common strings once
    - Compare hash file with all known password files
  - With salt
    - One password hashed 2^12 different ways
    - Precompute hash file? Need much larger file to cover all common strings
    - Dictionary attack on known password file: for each salt found in file, try all common strings
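The following is an added example, not code from the slides: a small salted password file in the spirit of slides 3 through 6, plus a function that reproduces the figures on slide 4. It uses PBKDF2-HMAC-SHA256 as a stand-in for the 25x DES / crypt(3) construction drawn on slide 5 (an assumption of this example; the slide's exact scheme is not reproduced), and a 16-byte salt rather than the 12-bit salt of classic Unix. Two users with the same password get different stored hashes, which is exactly what defeats a precomputed hash table; the unsalted hash is shown beside it for contrast. The user name walt and the password kiwifruit are taken from the slides; the second user is constructed.

```python
import hashlib
import hmac
import os

# Work factor and salt size are assumptions of this example, not values from the slides.
ITERATIONS = 50_000   # slows every guess in an offline dictionary attack
SALT_BYTES = 16       # crypt(3) used a 12-bit salt; modern systems use 128 bits


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password: hash(salt, password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password(pwfile: dict, user: str, password: str) -> None:
    """Setup: the salt is chosen randomly when the password is set;
    only (salt, hash) is stored, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    pwfile[user] = (salt, hash_password(password, salt))


def verify(pwfile: dict, user: str, password: str) -> bool:
    """Authentication: recompute the hash with the stored salt and compare
    in constant time."""
    entry = pwfile.get(user)
    if entry is None:
        # Unknown user: do the same work so timing does not reveal valid names.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt))


def unsalted_hash(password: str) -> bytes:
    """The 'without salt' case of slide 6: identical on every machine, so one
    precomputed table of hash(common string) covers every password file."""
    return hashlib.sha256(password.encode()).digest()


def password_space(alphabet_size: int, length: int) -> int:
    """Number of passwords of the given length over the alphabet."""
    return alphabet_size ** length


def search_time(candidates: int, guesses_per_second: float) -> tuple[float, float]:
    """(worst case, average) seconds to try every candidate at the given rate."""
    worst = candidates / guesses_per_second
    return worst, worst / 2


def slide4_numbers() -> dict:
    """Reproduce the figures quoted on slide 4 from its stated assumptions."""
    hour, year = 3600, 365 * 24 * 3600
    dict_worst, dict_avg = search_time(1_000_000, 10)
    # upper, lower, digits, 32 punctuation characters; six-character password
    combos = password_space(26 + 26 + 10 + 32, 6)
    _, rand_avg = search_time(combos, 10)
    return {
        "dictionary_hours_worst": dict_worst / hour,
        "dictionary_hours_avg": dict_avg / hour,
        "random_combinations": combos,
        "random_years_avg": rand_avg / year,
    }


if __name__ == "__main__":
    pwfile = {}
    set_password(pwfile, "walt", "kiwifruit")
    set_password(pwfile, "alice", "kiwifruit")   # constructed second user, same password
    print("login ok:", verify(pwfile, "walt", "kiwifruit"))
    print("salted hashes differ:", pwfile["walt"][1] != pwfile["alice"][1])
    print("unsalted hashes equal:", unsalted_hash("kiwifruit") == unsalted_hash("kiwifruit"))
    print(slide4_numbers())
```

The constant-time comparison and the dummy hash for unknown users are the two details a reviewer usually asks for in a login routine; neither is on the slide, both are standard practice.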

7 Web authentication
  - Problems
    - Network sniffing
    - Malicious or weak-security website: phishing; common password problem; pharming (DNS compromise)
    - Malware on client machine: spyware; session hijacking, fabricated transactions
  - [Figure: browser sends password to server, server returns cookie; "next few slides"]

8 Password phishing problem
  - User cannot reliably identify fake sites
  - Captured password can be used at target site
  - [Figure: user sends pwd A to a fake site, which can then use it at Bank A]

9 Common password problem
  - Phishing attack or break-in at site B reveals pwd at A
  - Server-side solutions will not keep pwd safe
  - Solution: strengthen with client-side support
  - [Figure: Bank A (high-security site) and Site B (low-security site); the user's pwd B = pwd A]

10 Defense: password hashing
  - Generate a unique password per site
    - HMAC_{fido:123}(banka.com) → Q7a+0ekEXb
    - HMAC_{fido:123}(siteb.com) → OzX2+ICiqc
  - Hashed password is not usable at any other site
    - Protects against password phishing
    - Protects against common password problem
  - [Figure: the user, with pwd A = pwd B, sends hash(pwd A, BankA) to Bank A and hash(pwd B, SiteB) to Site B]
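An added example of the per-site password hashing on slide 10 (this is not the PwdHash code and not code from the slides). It keys an HMAC with the user's one memorable password and takes the site's domain as the message, so a fake site only ever learns the hash for its own domain. HMAC-SHA256 with base64 output is an assumption of this example, so the values differ from the Q7a+0ekEXb and OzX2+ICiqc shown on the slide, which came from a different HMAC and encoding. The canonical_domain helper is also an assumption: a simplified stand-in for the registered-domain extraction a real client must do, since the whole defense rests on the same site always hashing to the same name.

```python
import base64
import hashlib
import hmac


def canonical_domain(url_or_host: str) -> str:
    """Reduce what the user typed to the name that keys the hash.
    Simplified assumption for this example: lowercase the host, drop scheme,
    port, path and a leading 'www.'. A real client keys on the registered
    domain, which needs a public-suffix list."""
    host = url_or_host.lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def site_password(master_password: str, site: str, length: int = 10) -> str:
    """HMAC_{master}(domain), encoded as printable text: one memorable
    password becomes a different password at every site."""
    tag = hmac.new(master_password.encode(),
                   canonical_domain(site).encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(tag).decode()[:length]


def captured_password_reusable(master: str, target_site: str, phishing_site: str) -> bool:
    """What a fake site captures is the hash for *its* domain; it would only
    work at the target if the two derived passwords coincided."""
    return site_password(master, phishing_site) == site_password(master, target_site)


if __name__ == "__main__":
    # fido:123, banka.com and siteb.com are the slide's values; the
    # phishing domain is a constructed placeholder.
    for site in ("banka.com", "https://www.banka.com/login", "siteb.com"):
        print(site, "->", site_password("fido:123", site))
    print("captured hash usable at bank:",
          captured_password_reusable("fido:123", "banka.com", "bank-a-login.example"))
```

Truncating to 10 characters keeps the derived password within typical site limits; the length and character set would be tuned per site in a real client, which is one of the practical problems the PwdHash work had to solve.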

11 Defense: SpyBlock

12 [Figure: two SpyBlock configurations]
  - Authentication agent communicates through browser agent
  - Authentication agent communicates directly to web site

13 SpyBlock protection
  - Password in trusted client environment
  - Better password-based authentication protocols
  - Trusted environment confirms site transactions (server support required)

14 Goals for password protocol
  - Authentication relies on password
    - User can remember password, use anywhere
    - No additional client-side certificates, etc.
  - Protect against attacks
    - Network does not carry cleartext passwords
    - Malicious user cannot do offline dictionary attack
    - Malicious server (as in phishing) does not learn password from communication with honest user

15 Simple approach
  - Send hashed passwords
  - Does this "work"? Good points? Bad points?
  - [Figure: browser and server exchange hash(pwd|0) and hash(pwd|1)]

16 "Interlock" password protocols
  (Set-up phase) Password p known to both parties
  (Key exchange phase)
    A → B: g^x
    B → A: g^y
    k = g^xy, or some function of g^xy
  (Authentication phase)
    A → B: mac_k(p, r) for random r
    B → A: mac_k(p, s), enc_k(s) for random s
    A → B: enc_k(r)
  [Rivest, Shamir, Bellovin, Merritt, ... Pederson, Ellison]
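The interlock exchange on slide 16, run end to end with both parties in one process, as an added example (not code from the slides or from the cited papers). Everything concrete here is an assumption of the example: the Diffie-Hellman group is a toy safe prime (1019 = 2 * 509 + 1, with 4 generating the order-509 subgroup) chosen only so the arithmetic is readable, k is SHA-256 of g^xy, mac_k is HMAC-SHA256, and enc_k is a one-time pad keyed by HMAC(k, label) standing in for a real authenticated cipher. The ordering is the point: A commits to r with a MAC before B reveals s, and B sees r only after A has checked B's MAC, so neither side has to expose anything password-dependent first.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption of this example: 1019 is a safe prime
# and 4 generates its order-509 subgroup. A deployment uses a standard 2048-bit group.
P, G = 1019, 4


def mac(k: bytes, *parts: bytes) -> bytes:
    """mac_k(p, r): HMAC-SHA256 over length-prefixed parts (no ambiguity
    between (p, r) splits)."""
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in parts)
    return hmac.new(k, msg, hashlib.sha256).digest()


def enc(k: bytes, label: bytes, m: bytes) -> bytes:
    """enc_k(m): toy one-time pad keyed by HMAC(k, label); each label is used
    for exactly one message. Applying it twice decrypts."""
    pad = hmac.new(k, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(m, pad))


def run_interlock(pw_a: bytes, pw_b: bytes) -> tuple[bool, bool]:
    """Run the protocol between A (knows pw_a) and B (knows pw_b).
    Returns (A accepts B, B accepts A); an abort yields (False, False)."""
    # Key exchange phase: A -> B: g^x, B -> A: g^y, k = KDF(g^xy)
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    k_a = hashlib.sha256(pow(gy, x, P).to_bytes(2, "big")).digest()
    k_b = hashlib.sha256(pow(gx, y, P).to_bytes(2, "big")).digest()

    # Authentication phase
    r = secrets.token_bytes(16)
    msg1 = mac(k_a, pw_a, r)                 # A -> B: mac_k(p, r); commits A to r
    s = secrets.token_bytes(16)
    msg2_mac = mac(k_b, pw_b, s)             # B -> A: mac_k(p, s), enc_k(s)
    msg2_enc = enc(k_b, b"s", s)
    s_at_a = enc(k_a, b"s", msg2_enc)        # A recovers s ...
    a_accepts = hmac.compare_digest(msg2_mac, mac(k_a, pw_a, s_at_a))  # ... and checks B's MAC
    if not a_accepts:
        return False, False                  # A aborts; r is never revealed
    msg3 = enc(k_a, b"r", r)                 # A -> B: enc_k(r)
    r_at_b = enc(k_b, b"r", msg3)
    b_accepts = hmac.compare_digest(msg1, mac(k_b, pw_b, r_at_b))
    return a_accepts, b_accepts


if __name__ == "__main__":
    print("same password:", run_interlock(b"kiwifruit", b"kiwifruit"))
    print("different passwords:", run_interlock(b"kiwifruit", b"kiwi"))
```

Because the password enters only through MACs keyed by the fresh k, a passive observer of one run sees no value that can be checked against a dictionary without first breaking the key exchange; the toy group here obviously does not provide that, which is why it is labelled a toy.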

17 ESP-KE key exchange protocol [M. Scott]
  Prime p and two generators known: α (the first generator's symbol was lost in extraction and is written α here) and β. Both parties know password P.
    A: generate random a; A = α^a / β^P mod p
    B: generate random b; B = α^b mod p
    A → B: A
    B → A: B
    B: if A = 0, abort; k = (A β^P)^b mod p; M_b = H(0, k, P)
    A: k = B^a mod p
    B → A: M_b
    A: if H(0, k, P) ≠ M_b, abort; M_a = H(1, k, P)
    A → B: M_a
    B: if H(1, k, P) ≠ M_a, abort

18 SRP protocol [Wu]
  (Set-up phase) Carol chooses password P; Steve chooses s, computes x = H(s, P) and v = g^x
  (Key exchange phase)
    C → S: A = g^a
    S (Steve; the slide writes "Bob"): looks up s, v; chooses b and random u; B = v + g^b
    S → C: s, B, u
    C: x = H(s, P); S = (B - g^x)^(a + ux); M1 = H(A, B, S)
    S: S = (A v^u)^b
    C → S: M1
    S: verify M1; M2 = H(A, M1, S)
    S → C: M2
    C: verify M2
  Key = H(S)

19 CMU "Phoolproof" proposal
  - Eliminates reliance on perfect user behavior
  - Protects against keyloggers, spyware
  - Uses a trusted mobile device to perform mutual authentication with the server
  - password?


