King Mongkut’s University of Technology
Network Security 8. Password Authentication Methods
Prof. Reuven Aviv, Jan. 2009


1 King Mongkut’s University of Technology
Network Security 8. Password Authentication Methods
Prof. Reuven Aviv, Jan. 2009

2 Contents
Local Authentication (User at a PC)
User authentication over a network
One time password
Strong password authentication
Prof. Reuven Aviv, Dec. 2006

3 Local Authentication of User (Using passwords)

4 User authentication on local PC
[Figure labels: User; kiwifruit; hash function; Password file (exrygbzyf, kgnosfix, ggjoklbsz, …)]

5 User authentication to local PC
Setup
  – User chooses password
  – What is stored in the password file?
Authentication
  – User logs into system, supplies password
  – PC computes hash, compares to file
Dictionary attacks
  – Online: guess a password, try to log in
  – Offline: copy set of passwd files, guess passwds

6 Dictionary Attacks – some numbers
Typical password dictionary: ???? entries
  – names, pet names, … ordinary words.
Suppose you generate & analyze 10 guesses/sec
  – reasonable for online; offline is much faster
  – at most 100,000 sec = 28 hours; average 14 hrs
BUT: If passwords were random
  – Assume six-character password
  – all possible printable chars: how many?
689,869,781,056 password combinations
  – Exhaustive search: 1,093 years on average

7 Authenticating a User/Client Over a Network Using Passwords

8 1. Simple password authentication over a network
User sits at a PC; trustworthy Client software
User and Authentication Server share password
  – W = hash(password) stored in server
Authentication Server authenticates client. How?
Client sends Username, W = hash(password)
  – Server compares W with stored W
What can an attacker do?

9 Attacks on simple password authentication
1. W might be sniffed by attacker, or
2. DB of Server stolen/copied by attacker, or
3. M.I.M (what is that?): Server & User impersonated by attacker
In all cases: attacker learns W
Then it does a dictionary attack. Meaning?
Try a password, then compute W = hash(password)
  – Compare with the W it learned

10 Method 2: Passwd + Anonymous Diffie Hellman
Client & Server create shared secret, K
  – Sides agree on g, p
  – Sides pick random private keys a and b
  – Sides exchange g^a mod p, g^b mod p
  – Sides calculate K = g^{ab} mod p
Client sends password encrypted by K. Why?
Server decrypts password
  – Calculates its hash, compares with stored W

11 Method 2: Using Anonymous Diffie Hellman
Client → Server: g^a mod p
Server → Client: g^b mod p
Both sides: K = g^{ab} mod p
Client → Server: Username, K{password}
What can an attacker do?

12 Attacking method 2
K cannot be learned by sniffing. Why not?
Hence can’t find passwd by offline dictionary attack.
M.I.M: Attacker impersonates the Auth Server
  – Sending its DH parameters as if it is the Server
  – Hence learns K. How?
  – Then dictionary attack on K{password}. How?
Try a password, then K{password}

13 Method 3: Passwd + Server’s certificate
Server sends its Certificate to Client
  – Client verifies server’s certificate. How?
Client sends Username & E_{K_U}(passwd)
  – password encrypted by server’s public key. Why?
Server decrypts password, then:
  – Server calculates hash of password
  – compares with value stored in its database, W
Note: Client needs a list of trusted CAs. Why?

14 Method 3
Server → Client: Certificate(Server, K_U)
Client → Server: Username, E_{K_U}{password}
What can an attacker do?

15 Attacking method 3
Attacker can sniff the encrypted password
  – then do an offline dictionary attack
Try a password, then E_{K_U}{password}
Since K_U is known to attacker
Attacker can steal/copy Server DB, learn W
  – then do an offline dictionary attack
Try a password, then W = hash(password)
Attacker cannot do M.I.M. Why?

16 Method 4: Passwd + Challenge Response
Server sends a random challenge, R, to client.
Client gets password from User, calculates W
Client encrypts R with f(W) as a key: f(W){R}
  – Using an agreed f(W)
  – Client sends Username and the f(W){R}
Server calculates f(W), decrypts R
  – Compares with the value it sent

17 Method 4
Server → Client: R (random number)
Client → Server: Username, f(W){R}
What can an attacker do?

18 Attacking method 4
Attacker might sniff
  – get both messages (R and f(W){R})
M.I.M: attacker impersonates the server
In both cases, R is known to attacker
  – Password is found via dictionary attack
Try a password, then W, then f(W){R}
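Method 4 with both sides of the exchange, added here as an illustration (not code from the original slides). SHA-256 for hash and f(W), the XOR toy cipher standing in for encryption, the account name and the three-word list are assumptions; `transcript_confirms` shows why a recorded (R, f(W){R}) pair is enough to check password guesses offline, which is the property the strong password protocols later in the lecture are designed to remove.

```python
import hashlib
import hmac
import secrets

def W_of(password: str) -> bytes:
    """W = hash(password), the value the server stores."""
    return hashlib.sha256(password.encode()).digest()

def f(W: bytes) -> bytes:
    """The agreed f(W); this particular construction is an assumption."""
    return hashlib.sha256(b"method4-key" + W).digest()

def toy_crypt(key: bytes, block: bytes) -> bytes:
    """Toy cipher (assumption): XOR with a hash-derived keystream; self-inverse."""
    stream = hashlib.sha256(b"stream" + key).digest()
    return bytes(a ^ b for a, b in zip(block, stream))

class Server:
    def __init__(self, db):
        self.db = db          # Username -> W
        self.pending = {}     # Username -> outstanding challenge R
    def challenge(self, username: str) -> bytes:
        R = secrets.token_bytes(32)
        self.pending[username] = R
        return R
    def verify(self, username: str, response: bytes) -> bool:
        R = self.pending.pop(username, None)   # each R is used once
        if R is None or username not in self.db:
            return False
        return hmac.compare_digest(toy_crypt(f(self.db[username]), response), R)

def client_response(password: str, R: bytes) -> bytes:
    return toy_crypt(f(W_of(password)), R)     # f(W){R}

def transcript_confirms(R: bytes, response: bytes, candidate: str) -> bool:
    """Can a recorded (R, f(W){R}) pair confirm a candidate password offline?"""
    return hmac.compare_digest(client_response(candidate, R), response)

def run_demo():
    server = Server({"alice": W_of("kiwifruit")})      # constructed account
    R = server.challenge("alice")
    resp = client_response("kiwifruit", R)
    accepted = server.verify("alice", resp)
    server.challenge("alice")                          # fresh R'
    replayed = server.verify("alice", resp)            # old response vs. R'
    wordlist = ["apple", "kiwifruit", "mango"]         # constructed sample
    confirmed = [w for w in wordlist if transcript_confirms(R, resp, w)]
    return accepted, replayed, confirmed
```

The fresh challenge defeats replay of an old response, but the recorded pair still confirms the one matching word without any further contact with the server.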

19 One Time Password

20 Lamport Hash – One time password
Fast, no encryption. Implemented (S/Key)
Sniffing or stealing server’s database does not enable impersonating the Client.
User picks passwd, and n (≈1000)
  – registers at Server using its Client software: calculates hash^n(passwd), sends to Server
  – Server DB: [Username, n, y = hash^n(passwd)]

21 Lamport hash: authenticating User by Server
User provides its Client: Username, passwd
  – Client sends Username, gets back current n
  – Client sends y_{n-1} = hash^{n-1}(passwd)
Server: calculates hash(y_{n-1}) (one more hash)
  – compares with y_n in DB. If OK, Client is authenticated
  – decrement n ← n-1
  – Replaces current y_n by y_{n-1} = hash^{n-1}(passwd)
  – Can attacker calculate y_{n-1} from y_n?

22 Lamport Algorithm
User → Client: User Name, passwd
Client → Server: User Name
Server → Client: n
Client calculates and sends: y_{n-1} = hash^{n-1}(passwd)
Server knows [UserName, n, y_n = hash^n(passwd)]
Compares hash(y_{n-1}) to y_n. If equal, replace record with new [UserName, n-1, y_{n-1} = hash^{n-1}(passwd)]

23 Dictionary attack on Lamport hash
Is that possible?
Attacker will need to try all powers of hash (up to some number) on all dictionary words as password
Feasible. Why? Hashing is quite fast (unlike encryption)
Note: if attacker knows y_m, he knows y_n, for n>m
How can we increase the number of guesses?

24 Enhanced Lamport Hash: Salt
User picks a passwd. Client creates extended password with random salt: Expass = passwd|salt
Lamport algorithm is then used with Expass
Dictionary attack now not feasible. Why not? Expass is any string, not a dictionary word
User can use same passwd on different Servers
  – With different salts
When n is 1, same passwd may be re-used for new registration, with different salt
Who knows the salt?

25 Enhanced Lamport Algorithm
Client (passwd, salt) → Server: User Name
Server → Client: n
Client calculates and sends: y_{n-1} = hash^{n-1}(Expass)
Server knows [UserName, n, y_n = hash^n(Expass)]
Compares hash(y_{n-1}) to y_n. If equal, replace record with new [UserName, n-1, y_{n-1} = hash^{n-1}(Expass)]
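The Lamport scheme with salt, written out as an added example (not code from the original slides). SHA-256 as the hash, the server storing the salt and returning it with n (as the later small n attack slide implies), refusing logins once n reaches 1, and the account, salt and n values are assumptions made for the illustration.

```python
import hashlib
import hmac

def hash_n(data: bytes, n: int) -> bytes:
    """hash^n(data): apply SHA-256 n times."""
    for _ in range(n):
        data = hashlib.sha256(data).digest()
    return data

def expass(passwd: str, salt: bytes) -> bytes:
    return passwd.encode() + b"|" + salt          # Expass = passwd|salt

class LamportServer:
    """Stores [Username -> (n, salt, y_n)]; never sees passwd or Expass."""
    def __init__(self):
        self.db = {}
    def register(self, user, n, salt, y_n):
        self.db[user] = (n, salt, y_n)
    def current(self, user):
        n, salt, _ = self.db[user]
        return n, salt                            # sent to the client in clear
    def authenticate(self, user, y_prev: bytes) -> bool:
        n, salt, y_n = self.db[user]
        # Assumption: the chain counts as exhausted at n <= 1 (re-register, new salt).
        if n <= 1 or not hmac.compare_digest(hash_n(y_prev, 1), y_n):
            return False
        self.db[user] = (n - 1, salt, y_prev)     # n <- n-1, y_n <- y_{n-1}
        return True

def client_register(server, user, passwd, salt, n=1000):
    server.register(user, n, salt, hash_n(expass(passwd, salt), n))

def client_login(server, user, passwd):
    n, salt = server.current(user)
    y_prev = hash_n(expass(passwd, salt), n - 1)  # y_{n-1}
    return y_prev, server.authenticate(user, y_prev)

def run_demo():
    s = LamportServer()
    client_register(s, "alice", "kiwifruit", b"salt-A", n=5)  # constructed values
    y4, first = client_login(s, "alice", "kiwifruit")         # n: 5 -> 4
    replay = s.authenticate("alice", y4)                      # sniffed y_4 sent again
    _, second = client_login(s, "alice", "kiwifruit")         # n: 4 -> 3
    _, wrong = client_login(s, "alice", "guess")              # wrong passwd
    return first, replay, second, wrong, s.current("alice")[0]
```

A sniffed y_4 is rejected on resend because the server now expects a preimage of y_4, while anyone holding y_m can still hash forward to y_n for n>m, which is what the small n attack relies on.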

26 Analysis of Lamport hash scheme
Database at server can be stolen/copied
  – Similar to certificate database
Server is not authenticated to client (i.e. no mutual authentication)
  – No shared secret was established. So what? Data cannot be encrypted
Attacker can impersonate User after Lamport authentication

27 Lamport authentication + session key
1. First Client is authenticated by Lamport hash
  – Now Diffie Hellman to establish session key
  – Attacker can replace client just in between
2. First Diffie Hellman, get session key
  – Now Lamport hash to authenticate Client; Lamport hash encrypted by session key
  – Attacker can get in the middle during D.H.
What is the source of the problem?

28 Lamport hash: the small n attack
Attacker impersonates Server, waits for client
Client connects, expecting n
  – Attacker sends small m (and salt)
  – m is a guess by attacker, hoping it is smaller than the current real n
  – Attacker knows salt from previous sniffing
Client sends hash^{m-1}(passwd)
  – attacker learns hash^{m-1}(passwd)
Attacker now impersonates the client
  – he can calculate hash^n(passwd) for any n>m-1

29 Using OTP (Lamport hash) in Internet cafe
Assume PC does not calculate hash
  – The PC does not have the appropriate client
  – The PC is public, not trusted
hash^i(passwd), for all i<n, stored in server
  – Also encoded by typeable strings
  – Strings printed on paper given to User before travel
  – User logs in: decrease n, send corresponding string, scrap that line from the paper
  – Small n attack not possible

30 Strong Password Protocols

31 Strong Password Protocols: Design goal
An attacker who listens to authentication exchanges, or impersonates either end, would not have enough information to do off-line verification of password guesses
Observing any number of exchanges would not help the attacker
An attacker impersonating one end will be able to do a single on-line password guess
  – Unavoidable (several on-line guess failures create an alarm)

32 Basic Form of Strong Password Protocol
Encrypted Key Exchange (EKE)
Client has passwd; Server has W = hash(passwd)
1. Do Diffie Hellman to get strong, shared secret
  – Each side calculates x, g^x mod p
2. Sides exchange their g^x mod p, encrypted by W
3. Incorporate challenge response together with the D.H. exchanges

33 EKE Protocol
Client → Server: “UserName”, W{g^a mod p}
Server → Client: W{g^b mod p, C_1}
Both sides: K = g^{ab} mod p
Client → Server: K{C_1, C_2}
Server → Client: K{C_2}
Can an attacker guess W?

34 Attack on EKE
1. Attacker listens; tries to guess W offline
  – gets random numbers; can’t identify the W
2. Attacker impersonates one side
  – can try 1 guess only; needs to guess W and D.H. parameters. Extremely unlikely
3. Attacker steals/copies Server database, gets W
  – Attacker does dictionary attack to find password
Enhancement: make g(W), p(W) depend on W
Server stores g^W (mod p), not W.

