4 Username and password
- Passwords are used for entity authentication
- Needed for access control and auditing: access control = authentication + authorization
- Entity authentication vs. message authentication
- Password is a shared secret between the user and computer system
- Limitations arise from the reliance on human memory and input methods (and from the lack of cryptographic computing capability)
- What attacks are there against passwords?
5 Sniffing and key loggers
- Password sniffing on the local network used to be a major problem; mostly solved by cryptographic authentication: SSH, SSL, HTTP Digest Authentication, MS-CHAPv2
- Key logger: software or hardware that stores all key strokes typed on a computer
  - Used to be a problem in public-access computers e.g. at libraries and cafes
  - Now can be malware on any computer
- Why do some bank web sites ask you to use the mouse to enter the PIN code?
6 Password recovery
- Humans are prone to forget things ⇒ need a process for recovering from password loss
- Recovery mechanisms often enable new attacks
- What are the advantages and disadvantages of the following recovery mechanisms?
  - Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name
  - Emailing password to another user account
  - Physical visit to helpdesk
  - Yellow sticker on the back of the keyboard
  - USB memory stick with a password recovery file
7 Password reuse
- How many different user accounts and passwords do you have? Ever used the same or similar password on two accounts?
- Using the same or related passwords on multiple accounts means that one compromised system or account can lead to compromise of the other accounts
- Administrative countermeasures:
  - Passwords chosen by the service, not set by users
  - Exotic password format requirements
  - Single sign-on to enable just one password
- Personal countermeasures:
  - Generating service-specific passwords from one master password
  - Password wallet (e.g. on phone) encrypted with a master password (e.g. F-Secure Key)
8 Shoulder surfing
- Keyboards and screens are highly visible ⇒ others may see what you are typing
- Password and PIN prompts usually do not show the characters (*******)
- Does this make sense for all secrets input? Increasingly, showing the characters is a UI option
9 Password guessing
- Dictionary attack and other intelligent guessing vs. brute-force trials
- Countermeasures against guessing:
  - Limit the number or rate of login attempts
  - Minimum password length and complexity, password quality check
  - Preventing reuse of old passwords
  - System-generated random passwords
  - Password aging i.e. mandatory periodic password changes (typically every three months)
10 Online vs. offline guessing attacks
- Offline attack: cracking the password from a known hash of the password (or other value computed from it)
  - E.g. MS-CHAPv2, Kerberos, HTTP digest authentication without SSL
  - Unlimited number of guesses ⇒ attacker can perform an exhaustive brute-force search
- Online guessing: attacker tries to login many times
  - E.g. PIN code entry on a phone
  - E.g. network login to an authenticated server over SSH or SSL
  - System can limit the number or rate of guesses
- Big difference in the required password strength:
  - Online guessing success probability ≈ number of allowed guesses / number of possible passwords
  - Offline attack requires cryptographic strength from the password, e.g. 128-bit entropy, to prevent exhaustive search
- Authentication protocols that are vulnerable to network sniffing and offline guessing are simply outdated
11 Measuring password strength
- Many possible metrics:
  - Number of possible passwords
  - Entropy = amount of missing information
  - Average/median time to crack a specific password
  - Average/median time to crack any one password
  - Probability of success as a function of time or number of trials
  - etc.
- When the user is allowed to choose the password, measuring its strength accurately is impossible
- Metrics are important to consider when designing new types of passwords
  - Graphical passwords
  - Password complexity requirements
12 Password entropy
- Entropy = the amount of missing information
- Entropy H = - ∑ x ∈ passwords (P(x) ⋅ log2 P(x)) ≤ log2(number of possible passwords)
- Examples:
  - Random 8-character alphanumeric passwords have H = 8 ⋅ log2( ) = 47.6 bits
  - Random 4-digit PIN codes have about H = 13.3 bits of entropy
- One-bit increase in entropy approximately doubles the cost of guessing attacks (exactly so for even probability distribution)
- Human-selected passwords have less entropy than random ones because some are chosen more often than others
  - Should banks allow the customer to choose the PIN?
  - Do password quality checks increase entropy?
- Passwords rely on human memory ⇒ password entropy cannot grow over time ⇒ human memory cannot compete with computer speed
13 PIN entropy examples
Note: Entropy is not always the best measure of password strength. Nevertheless, the concept should be part of the BSc math courses, and you should learn to calculate basic examples. (Please point out any errors.)
- PIN entropy examples:
  - Random 4-digit PIN: H = - ∑ 1…10000 (1/10000 ⋅ log2(1/10000)) = log2(10000) = 13.3 bits
  - PIN chosen based on a date (format DDMM): H = log2(365) = 8.5 bits
  - Assume only 30% of users replace the random PIN with a date:
    - P_date = 30%⋅1/ %⋅1/10000 =
    - P_other = 70%⋅1/10000 =
    - H = - 365 ⋅ P_date ⋅ log2(P_date) - ( ) ⋅ P_other ⋅ log2(P_other) = 12.6 bits
- Password entropy examples:
  - Random 8-character (printable ASCII) passwords: H = log2(95^8) = 52.6 bits
  - Random 8-character alphanumeric passwords: H = log2(62^8) = 47.6 bits
  - Random eight lower-case characters: H = log2(26^8) = 37.6 bits
  - Random six lower-case characters + two digits (e.g. okwrsn91): H = log2(26^6 ⋅ 10^2) = 34.8 bits
  - Random 6-character English word + two digits (e.g. banana28): H = log2(15222 ⋅ 10^2) = 20.5 bits
14 Password entropy examples
- Random 8-character (printable ASCII) passwords: H = log2(95^8) = 52.6 bits
- Random 8-character passwords with exactly two upper case, two lower case, two digits, two special characters:
  - 26 capitals, 26 non-capitals, 10 digits, 33 other
  - Orderings 8!/(2!⋅2!⋅2!⋅2!) = 2520
  - Different passwords: 26^2 ⋅ 26^2 ⋅ 10^2 ⋅ 33^2 ⋅ 2520
  - H = log2(26^2 ⋅ 26^2 ⋅ 10^2 ⋅ 33^2 ⋅ 2520) = 46.8 bits
- Random 8-character alphanumeric password with at least one upper case and at least one digit:
  - All 8-character alphanumeric passwords: 62^8
  - Those with no upper case: (62-26)^8 = 36^8
  - Those with no digit: (62-10)^8 = 52^8
  - Those with no upper case and no digit: ( )^8 = 26^8
  - Allowed passwords: 62^8 – ( ) (inclusion exclusion principle)
  - H = log2(62^8 – ( ) + 26^8) = 47.2 bits
- Random alphanumeric passwords with one special character:
  - 7-character alphanumeric passwords: 62^7
  - 33 special characters to choose from, 8 possible locations to insert it
  - H = log2(62^7 ⋅ 33 ⋅ 8) = 49.7 bits
- What conclusion should we make? Not any strong one. The rules have different effect on human-chosen passwords and random ones
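The PIN mixture and the inclusion-exclusion count from the two example slides above, carried through in code. This is an added example, not part of the original slides; the function names are hypothetical, and it assumes the 365 DDMM dates map to 365 distinct, equally likely PINs. It also computes the success chance of an attacker who tries the likeliest values first, which shows why entropy alone understates the damage done by user-chosen PINs.

```python
import math
import string
from itertools import product

def pin_groups(date_share, n_pins=10_000, n_dates=365):
    """(count, probability) classes for 4-digit PINs when date_share of users
    pick a DDMM date. Assumption: 365 distinct PINs, all dates equally likely."""
    p_other = (1 - date_share) / n_pins        # any PIN can still be the random one
    p_date = date_share / n_dates + p_other    # date PINs get the extra probability
    return [(n_dates, p_date), (n_pins - n_dates, p_other)]

def entropy_bits(groups):
    """Shannon entropy H = -sum P(x) * log2 P(x) over all secrets."""
    return -sum(n * p * math.log2(p) for n, p in groups if p > 0)

def guess_success(groups, k):
    """Success probability of an attacker who tries the k likeliest values."""
    won = 0.0
    for n, p in sorted(groups, key=lambda g: g[1], reverse=True):
        take = min(n, k)
        won += take * p
        k -= take
    return won

def upper_and_digit_count(length):
    """Alphanumeric strings with at least one upper case and one digit,
    counted with the inclusion-exclusion principle."""
    return 62**length - 36**length - 52**length + 26**length

def brute_force_count(length):
    """Same count by enumeration; only feasible for tiny lengths."""
    alnum = string.ascii_letters + string.digits
    return sum(1 for s in product(alnum, repeat=length)
               if any(c.isupper() for c in s) and any(c.isdigit() for c in s))

if __name__ == "__main__":
    for share in (0.0, 0.3, 1.0):
        g = pin_groups(share)
        print(f"date share {share:.0%}: H = {entropy_bits(g):.1f} bits, "
              f"3-guess success = {guess_success(g, 3):.5f}")
    assert upper_and_digit_count(2) == brute_force_count(2)
    print(f"upper+digit rule: {math.log2(upper_and_digit_count(8)):.1f} bits")
```

With a 30% date share the entropy drops by less than one bit, but three well-chosen guesses succeed roughly nine times as often as against random PINs.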
15 Botnets and parallel online guessing
- 10 banks, each with 10^6 customer accounts
- Public or easy-to-guess user ID
- 4-digit PIN or one-time code required to log in
- Client IP address blocked after 3 failed logins per day
- Attacker has a botnet of 10^5 computers
- Each bot makes one login attempt to one account in each bank every day ⇒ 10^6 login attempts in a day ⇒ ~100 successful break-ins in a day
- Countermeasures:
  - Make user IDs hard to guess: long, randomly selected, and different from account numbers
  - Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN ⇒ increased entropy reduces attacker success rate
16 Storing passwords on server
- It is prudent to assume that your password database is public
  - Unix /etc/passwd is traditionally world readable
  - Attackers often manage to read files or database tables on a web server e.g. with SQL injection
- How to store passwords in a public file?
  - Store a hash i.e. one-way function of the password
  - When user enters a password, hash and compare
  - Use a slow hash (many iterations of a standard hash function) to make brute-force cracking more difficult
  - Include random account-specific “salt”: slow_hash( password | salt) to prevent simultaneous brute-force cracking of many passwords, pre-computation attacks, and equality comparison between passwords!
17 Password hashing
- Password-based key derivation function PBKDF2 [PKCS#5, RFC2898]
  - Good practical function; uses any standard hash function, at least 64-bit salt, any number of iterations
- Unix crypt(3) [Morris and Thompson 1978]
  - Historical function for hashing passwords stored in /etc/passwd
    aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh
  - Password = eight 7-bit characters = 56-bit DES key
  - Encrypt a zero block 25 times with modified DES
  - 12-bit salt used to modify DES key schedule
  - Stored value includes the salt and encryption result
  - Too short salt enables e.g. rainbow table attacks
  - Replaced by more modern hash functions and encrypted, read-protected shadow passwords (why?)
18 PBKDF2
- Function for slow hashing of passwords
- Many iterations to make the computation slower
- Used in WPA2-Personal for deriving keys from password (makes offline cracking more difficult)
- Could also be used for hashing stored passwords on a server
- PBKDF2 (P, S, c, dkLen)
  - P = password, S = salt, c = iteration count, dkLen = length of the result
  - PRF = keyed pseudorandom function
  - F (P, S, c, i) = U_1 xor U_2 xor ... xor U_c
  - U_1 = PRF (P, S || i), U_2 = PRF (P, U_1), ..., U_c = PRF (P, U_(c-1))
  - Repeat for i = 1, 2, 3, ... until dkLen output bytes produced
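The F(P, S, c, i) construction above written out step by step, then used for the salted slow-hash storage scheme from the "Storing passwords on server" slide. This is an added example, not part of the original slides: HMAC-SHA-256 as the PRF, the 4-byte big-endian encoding of i (as in RFC 2898), the demo iteration count and the names `new_record`/`verify` are this example's assumptions.

```python
import hashlib
import hmac
import os

def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF from the slide; HMAC-SHA-256 is this example's choice."""
    return hmac.new(key, data, hashlib.sha256).digest()

def pbkdf2(P: bytes, S: bytes, c: int, dk_len: int) -> bytes:
    out, i = b"", 1
    while len(out) < dk_len:                      # repeat for i = 1, 2, 3, ...
        u = prf(P, S + i.to_bytes(4, "big"))      # U_1 = PRF(P, S || i)
        f = int.from_bytes(u, "big")
        for _ in range(c - 1):                    # U_j = PRF(P, U_(j-1))
            u = prf(P, u)
            f ^= int.from_bytes(u, "big")         # F = U_1 xor ... xor U_c
        out += f.to_bytes(len(u), "big")
        i += 1
    return out[:dk_len]

DEMO_ITERATIONS = 2_000   # constructed demo value, far too low for real use

def new_record(password: str, iterations: int = DEMO_ITERATIONS):
    """What the server stores: (salt, iteration count, slow hash)."""
    salt = os.urandom(16)                         # random account-specific salt
    return salt, iterations, pbkdf2(password.encode(), salt, iterations, 32)

def verify(password: str, record) -> bool:
    """Hash the entered password with the stored salt and compare."""
    salt, iterations, stored = record
    candidate = pbkdf2(password.encode(), salt, iterations, 32)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

if __name__ == "__main__":
    reference = hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 1000, 40)
    print("matches hashlib:", pbkdf2(b"password", b"salt", 1000, 40) == reference)
    a, b = new_record("banana28"), new_record("banana28")
    print("same password, equal stored hashes:", a[2] == b[2])
    print("verify correct / wrong:", verify("banana28", a), verify("banana29", a))
```

In practice call `hashlib.pbkdf2_hmac` directly; the hand-written loop is only there to make the slide's definition concrete.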
19 One-time passwords
- Use each password only once to thwart password sniffers and key loggers
- Lamport hash chain:
  - H_1 = hash (secret seed); H_(i+1) = hash (H_i)
  - Server stores initially H_100 and asks user to enter H_99. Next, stores H_99 and asks for H_98, and so on
- Unix S/KEY or OTP [RFC1760, RFC1938]
    1: HOLM BONG VARY TIP JUT ROSY
    2: LAIR MEMO BERG DARN ROWE RIG
    3: FLEA BOP HAUL CLAD DARK ITS
    4: MITT HUM FADE CREW SLOG HAST
- Hash-based one-time passwords HOTP [RFC4226]
  - HOTP(K,i) = HMAC-SHA-1(K,i) mod 10^D
  - Produces a one-time PIN code of D decimal digits
- Time-based one-time passwords
  - Many commercial products such as RSA SecurID
- Which attacks do one-time passwords prevent and which not?
20 Spoofing attacks
- Attacker could spoof the login dialog; how do you know when it is safe to type in the password?
22 Trusted path
- Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system (with the TCB)
  - Ctrl+Alt+Del in Windows opens a security screen that is difficult to spoof
  - Web browser shows the URL in the address bar in a way that cannot be spoofed by a web server
- With malware and virtualization, it is increasingly hard to know what is real
23 Other threats
- No system is perfectly secure: system designers have a specific threat model in mind, but the attacker can break these rules
  - “The attacker does not agree with the threat model.” (Bruce Christianson)
- Some other attacks against PINs and passwords:
  - Phishing and social engineering
  - User mistakes: using wrong password
  - Camera to record key presses
  - Heat camera to detect pressed keys
  - Acoustic emanations from the keyboard
  - etc.
24 Physical security tokens and two-method authentication
25 Physical security tokens
- Smart card is a typical physical security token
  - Holds cryptographic keys to prove its identity
  - Tamperproof: secret keys will stay inside
  - Used for door keys, computer login, bank card
- Other security token implementations: smart button, USB dongle, mobile phone
- Two-method authentication: require both physical token and a PIN
  - Attacker needs to both steal the physical device and learn the PIN ⇒ clear qualitative increase in security
26 Issues with physical tokens
- Physical tokens require distribution
- Computers (or doors etc.) must have readers
- It is not easy to integrate cryptographic tokens to all systems
  - E.g. how to use a physical token if the application requires cached credentials (password) on the client or on a proxy server
- Process needed for recovering from the loss of tokens
- Are smart card + PIN really two factors?
27 Authentication with mobile phone
- Two-channel authentication used by major online services:
  - Confirmation via telephone: callback, text msg
  - Sending a second secret to a known address: text message, email, post
  - Alerting user to potentially malicious events
- Secure element in the mobile phone can be used as a login token
  - The SIM is a smart card and could also act as the authentication token
29 Biometric authentication
- Biometric authentication means verifying some physical feature of the user
  - Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA
  - Behavioral characteristic: voice, typing, gait
- Biometrics are not 100% reliable:
  - False acceptance rate FAR
  - False rejection rate FRR
  - Equal error rate EER (less informative)
[Figure: plot labelled FAR, FRR, 50% and EER]
30 Issues with biometrics
- Biometrics require enrollment and readers
- Typically not usable for online users (over the Internet)
- Big difference in the security of unsupervised vs. supervised readers
  - E.g. fingerprint reader on computer vs. iris scanner at immigration
- Suitability for security architectures:
  - Are biometric characteristics secrets?
  - Can they be copied? E.g. fingerprints on iPhone
  - How to revoke biometrics?
- What if enrollment fails?
  - Some people have no fingerprints, or no fingers
32 Exercises
- Why do you need both the username and password? Would not just one secret identifier (password) be sufficient for logging in?
- What effect do strict guidelines for password format (e.g. 8 characters, at least 2 capitals, at least 2 digits, at least 1 special symbol) have on the password entropy?
- What is the probability of guessing the code for a phone that allows 3 attempts to guess a 4-digit PIN code, then 10 attempts to guess an 8-digit PUK code?
- In what respects is PBKDF2 better for password hashing than crypt(3)?
- How many hash values can a brute-force attacker test in a second with a new GPU? Hint: Check the BitCoin mining speeds.
- How do mandatory periodical password changes increase security? What is the optimal interval?
- How to limit the number of login attempts without creating a DoS vulnerability?
- Learn about graphical passwords and compare their entropy to different-length passwords and PIN codes.
- Learn about HTTP Digest Authentication [RFC2617] and MS-CHAPv2 [RFC2759]. Explain how to perform an offline password guessing attack after sniffing a login.
- In a social network, could authentication be based on who you know (or who knows you), or where you are?
- What advantages and disadvantages might a fingerprint reader have in a car lock?