1. David Evans http://www.cs.virginia.edu/evans CS588: Cryptography University of Virginia Computer Science Lecture 19: Authentication John Daugman, http://www.cl.cam.ac.uk/users/jgd1000/iriscollage.jpg

2. 19 April 2005University of Virginia CS 5882 How do you authenticate? Something you know –Password Something you have –SecureID, physical key Something you are –Biometrics (voiceprint, fingerprint, etc.) Decent authentication requires combination of at least 2 of these

3. 19 April 2005University of Virginia CS 5883 Early Password Schemes UserIDPassword algoreinternalcombustion clintonbuddy georgewgorangers Login: algore Password: tipper Failed login. Guess again. Login does direct password lookup and comparison.

4. 19 April 2005University of Virginia CS 5884 Login: algore Password: internalcombustion Terminal Trusted Subsystem Eve Login Process login sends

5. 19 April 2005University of Virginia CS 5885 Authentication Problems Need to store the passwords somewhere – dangerous to rely on this being secure –Encrypt them? But then, need to hide key Need to transmit password from user to host –Use a secure line (i.e., no remote logins) –Encrypt the transmission (what key?)

6. 19 April 2005University of Virginia CS 5886 Encrypted Passwords UserIDPassword algoreE (“internalcombustion”, K) clintonE (“buddy”, K) georgewE (“gorangers”, K) Hmmm.... D (E (“buddy”, K), K) = “buddy”

7. 19 April 2005University of Virginia CS 5887 Hashed Passwords UserIDPassword algoreH (“internalcombustion”) clintonH (“buddy”) georgewH (“gorangers”)

8. 19 April 2005University of Virginia CS 5888 Encrypted Passwords Try 1 Login: algore Password: internalcombustion Terminal Trusted Subsystem login sends <“algore”, H(“internalcombustion”)> Trusted subsystem compares to stored value.

9. 19 April 2005University of Virginia CS 5889 Encrypted Passwords Try 2 Login: algore Password: internalcombustion Terminal Trusted Subsystem login sends Trusted subsystem computes H(“internalcombustion”) and compares to stored value.

10. 19 April 2005University of Virginia CS 58810 First UNIX Password Scheme [Wilkes68] (recall DES was 1976) Encryption based on M-209 cipher machine (US Army WWII) Easy to invert unknown plaintext and known key, used password as key: –Instead of E K (password) used hash function E Password (0) PDP-11 could check all 5 or less letter lower-case passwords in 4 hours!

11. 19 April 2005University of Virginia CS 58811 Making Brute Force Attacks Harder Use a slower encryption (hashing) algorithm –Switched to DES: H(p) = DES p (0) Even slower: run DES lots of times –UNIX uses DES p 25 (0) … DES p (DES p (DES p (DES p (0)))) Require longer passwords –DES key is only 56 bits: only uses first 7.5 characters (ASCII) –95 printable characters, 95 8 = 6.6 * 10 15

12. 19 April 2005University of Virginia CS 58812 Dictionary Attacks Try a list of common passwords –All 1-4 letter words –List of common (dog) names –Words from dictionary –Phone numbers, license plates –All of the above in reverse Simple dictionary attacks retrieve most user-selected passwords Precompute H(x) for all dictionary entries

13. 19 April 2005University of Virginia CS 58813 86% of users are dumb Single ASCII character0.5% Two characters2% Three characters14% Four alphabetic letters14% Five same-case letters21% Six lowercase letters18% Words in dictionaries or names15% Other (possibly good passwords)14% (Morris/Thompson 79) At Least

14. 19 April 2005University of Virginia CS 58814 Making Dictionary Attacks Harder Force/convince users to pick better passwords –Test selected passwords against a known dictionary –Enforce rules on non-alphabet characters, length, etc. Don’t let attacker see the password file

15. 19 April 2005University of Virginia CS 58815 Problems with User Rules Users get annoyed If you require hard to remember passwords, users write them down Attackers know the password selection rules too – reduces search space!

16. 19 April 2005University of Virginia CS 58816 True Anecdote One installation: machines generated random 8-letter passwords Used PDP-11 pseudo-random number generator with 2 15 possible values Time to try all possible passwords on PDP-11: One minute! Good news: at least people don’t have to remember the 8 random letters

17. 19 April 2005University of Virginia CS 58817 Everybody loves Buddy UserIDPassword algoreDES 25 internal combustion (0) clintonDES 25 buddy (0) georgewDES 25 goranger s (0) hillarycDES 25 buddy (0)

18. 19 April 2005University of Virginia CS 58818 Salt of the Earth UserIDSaltPassword algore1125DES+ 25 (0, “internal”, 1125 ) clinton2437DES+ 25 (0, “buddy”, 2437) georgew932DES+ 25 (0, “goranger”, 932) hillaryc1536DES+ 25 (0, “buddy”, 1536) How much harder is the off-line dictionary attack? DES+ (m, key, salt) is DES except with salt-dependent E-tables. Salt: 12 random bits (This is the standard UNIX password scheme.)

19. 19 April 2005University of Virginia CS 58819 Security of UNIX Passwords Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest) Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988) L0ftcrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT)

20. 19 April 2005University of Virginia CS 58820 What about Eve? Login: algore Password: internalcombustion Terminal Trusted Subsystem login sends Trusted subsystem computes DES+ 25 (0, “internal”, 12) and compares to stored value. Eve SSssssshhhh… Be very quiet so Eve can’t hear

21. 19 April 2005University of Virginia CS 58821 Simplified SSH Protocol Login: evans Password: ****** Terminal viper.cs.virginia.edu login sends E KU viper Eve Can’t decrypt without KR viper

22. 19 April 2005University of Virginia CS 58822 Actual SSH Protocol Client Server time KU S - server’s public host key KU t – server’s public key, changes every hour r – 256-bit random number generated by client KU S, KU t Compares to stored KU S 2 E KU S [E KU t [r]] || { AES | 3DES } 3 All traffic encrypted using r and selected algorithm. requests connection 1

23. 19 April 2005University of Virginia CS 58823 Comparing to stored KU S It better be stored securely –PuTTY stores it in windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys)

24. 19 April 2005University of Virginia CS 58824 Why Johnny Can’t Even Login SecureCRT Default choice!

25. 19 April 2005University of Virginia CS 58825 ssh.com’s SSH

26. 19 April 2005University of Virginia CS 58826 ssh Error

27. 19 April 2005University of Virginia CS 58827 Jennifer Kahng’s 4 th Year Thesis Project 31 % clicked Continue 2% typed in “yes” People are stupid Getting people to pay attention is difficult unless you really want to make them angry. (Security vs. convenience) Only two people (of > 700) emailed webmaster about potential security vulnerability

28. 19 April 2005University of Virginia CS 58828 Why Johnny (von Neumann) Can’t Even Login A smart attacker just replaces the stored key in registry –An ActiveX control can do this trivially –No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy)

29. 19 April 2005University of Virginia CS 58829 Recap – Authentication Problems Need to store the passwords somewhere – dangerous to rely on this being secure Need to transmit password from user to host Remaining problems: User’s pick bad passwords Even if everything is secure, can still watch victim type! Only have to mess up once

30. 19 April 2005University of Virginia CS 58830

31. 19 April 2005University of Virginia CS 58831 GAO IRS Study The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. "We were able to convince 35 managers and employees to provide us their username and change their password," the report said. That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords. http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL

32. 19 April 2005University of Virginia CS 58832 Solution – Don’t Reuse Passwords One-time passwords New users have to memorize a list of secure passwords and use one in turn for each login Host generates the list using cryptographic random numbers and stores it securely Users spend hours memorizing passwords...and better not forget one!

33. 19 April 2005University of Virginia CS 58833 One-Time Use Passwords Can we create a sequence of passwords the host can check without storing anything useful to an attacker on the host? Recall: Unix repeated use passwords Host stores: H(p) User provides: x Password is valid if H(x) = H(p)

34. 19 April 2005University of Virginia CS 58834 S-Key Alice picks random number R S-Key program generates H(R), H(H(R)),..., H 99 (R). Alice prints out these numbers and stores somewhere secure Host stores H 100 (R).

35. 19 April 2005University of Virginia CS 58835 S/Key Login Alice enters H 99 (R). Host calculates H (H 99 (R)). Compares to stored H 100 (R). If they match, allows login And replaces old value with H 99 (R). Alice crosses off H 99 (R), enters H 98 (R) next time. S/Key uses MD4 for H

36. 19 April 2005University of Virginia CS 58836 S/Key > keyinit Adding evans: Reminder - Only use this method if you are directly connected. If you are using telnet or rlogin exit with no password and use keyinit -s. Enter secret password: test Again secret password: test ID evans s/key is 99 sh69506 H 100 (test) = sh69506 What do I need to enter to log in?

37. 19 April 2005University of Virginia CS 58837 S/Key > key -n 100 99 sh69506 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: test 0: KEEL FLED SUDS BOHR DUD SUP 1: TOW JOBS HOFF GIVE CHUB LAUD … 98: JEAN THEN WEAK ELAN SLOB GAS 99: MUG KNOB ACT ALOE REST TOO

38. 19 April 2005University of Virginia CS 58838 Challenge-Response Login: evans Terminal E KU mamba [“evans”] Challenge x Challenge: 2357938523 Response: f(x) f(x)

39. 19 April 2005University of Virginia CS 58839 Challenge-Response Systems Ask a question, see if the answer is right Hard to make up questions only host and user can answer Question: x ? Answer: f(x). What’s a good choice for f ? –E (x, key known to both) –Still have to problem of storing the key SecureID systems work like this –Challenge is current time (nothing to send)

40. 19 April 2005University of Virginia CS 58840 Biometrics: “Something you are” Unique(ish) properties of most humans: Fingerprint –FBI’s Integrated Automated Fingerprint ID system has 48 Million Iris Hand shape Voice Gait, etc.

41. 19 April 2005University of Virginia CS 58841 UAE Iris Scanning Required of all entering foreigners, compares to database of ~.5M expelled people –IrisCodes: 4096 feature bits Each bit is ½ probability to agree –Measure hamming distance between 2 irises –3.8B comparisons per day –22K matches so far: no false positives http://www.cl.cam.ac.uk/users/jgd1000/UAEdeployment.pdf

42. 19 April 2005University of Virginia CS 58842 http://www.cl.cam.ac.uk/users/jgd1000/UAEdeployment.pdf

43. 19 April 2005University of Virginia CS 58843 Problems with Biometrics Fuzzy measures: need to set thresholds to have some false positives and negatives Easily stolen: expert could obtain all of your fingerprints from this room after you leave –Non-expert can cut off your finger –Voiceprints can be stolen too (Sneakers) Hard/impossible to change Transmission link is still vulnerable

44. 19 April 2005University of Virginia CS 58844 Charge Identify and authentication are hard problems Passwords don’t work Windows Longhorn may use two-factor authentication I believe that the time of password-only authentication is gone. We need to go to two-factor authentication. This is the only way to bring the level of trust business needs. Detlef Eckert, Microsoft’s Trustworthy Computing initiative