Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection.

Published byDale Rodgers Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection."— Presentation transcript:

1 CSCI 530 Lab Passwords

2 Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection

3 Authentication Authentication is verifying the identity of a particular person Example: Logging into a system. You enter your username and password. It’s an authentication system. Different from Authorization Authorization states what he/she can do on a system Example: Administrators can install programs, while guests cannot.

4 Authentication How do we authenticate: Something they know Password Something they are Retina Fingerprint DNA Something they own Smart Card Somewhere they are Login only works at certain terminals

5 How much authentication is needed? We can use either one or a combination of all the above Client systems Normally just a login Military top secret security base Name Badge Passcode Credit card purchases Driver’s license  Name  Picture

6 How can authentication be broken? For security purposes, we need to know how authentication can be broken so we know how to prevent against it Passwords Can be Guessed Can be Cracked Smartcards Can be copied or stolen Fingerprints Can be copied by using scotch tape

7 Passwords A secret code for verifying the identity of a person logging into a system They are not stored as plaintext on a system This would be a very bad thing!!! Passwords are stored as hashes based on the type of system Windows: LM Hash, NTLM Unix/Linux: DES, MD5

8 Hashing Process of processing data through a mathematical formula, and producing a new set of data (called the hash). Process is one-way (you cannot get the original data from the hash. There should be few collisions (two sets of data producing the same hash). Ideally there should be no collisions. Examples: MD5, SHA-1, LM Hash

9 Windows Hashing Uses an algorithm called Lan Manager Hash (LM Hash) Less than 15 characters long Supported in all versions of Windows up to Windows ME. Supported in Windows 2000, XP, and 2003 for “backwards compatibility”  It can be turned off, but it’s on by default!!!!!!!!!!!!!!!!

10 LM Hash process If the password is longer than 14 characters, the rest are cut off All lower case characters are converted to upper case Password is split to form two 7-character strings Strings are used as keys for a cryptographic algorithm called Data Encryption Standard (DES). 1999 – Programs are able to break DES in less than 24 hours 2002 – DES has been abandoned for Advanced Encryption Standard (AES) Both strings are put back together and form the stored password This process is repeated when the user enters in his password for the first time (for storing), and every time he uses the system

11 Linux Passwords MD5 passwords Take the entire password string, send it through the MD5 algorithm, and store that as the password in the /etc/shadow file When the user logs in, the password entered is sent through the MD5 algorithm, and if the strings are the same, then the user is authenticated

12 Password Breaking Dictionary attack List of dictionary words that are tried one after another Very quick If the password is not an exact match to a word on the list, then it will fail Hybrid attack Uses a dictionary list but can detect slight variations to words, or combinations of words. Example: if the word hello is in the database, but the password is Hello, a dictionary attack will not break the password, but a Hybrid attack will Generally finds many more words than a Dictionary attack Not as quick as Dictionary attack

13 Password Breaking Bruteforce attack Will try every character combination until it finds the password EXTREMELY SLOW Will always find the password These techniques can either be used against a system or a file containing the passwords

14 Rainbow Tables Philippe Oechslin Uses a reduce function to attempt to map a hash to a password Uses chains to determine the exact password For a good primer on Rainbow Tables, see: http://kestas.kuliukas.com/RainbowTables/ Pros Can break any password in a matter of minutes Cons Must have specific Rainbow Table for a particular hashing function Can be defeated using Salts

15 Detecting someone trying to break into a system Auto-logout If the user enters the wrong password n times, disable their account for a certain period of time Protect your password list on your system Make sure the administrator has access and no one else, so a normal user cannot copy it onto another system

16 This week’s lab We’re going to use ophcrack, which is an implementation of Rainbow Tables You’re going to set up user accounts on a Windows 2000 system, and are going to practice using Rainbow Tables to break them REMEMBER: Wednesday we are having a guest speaker

Download ppt "CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection."

Similar presentations

1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Chapter 3.3 - User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.

Chapter User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Password CrackingSECURITY INNOVATION ©2003 1 Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.

Password CrackingSECURITY INNOVATION © Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.

Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
Linux Security.

Linux Security.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li

Similar presentations

Ads by Google