CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

CSE331 Fall 2002
Announcements
– Class is cancelled next Wednesday (Nov. 6th)

Recap
Protocols
– Arbitrated: 3rd-party intermediary
– Adjudicated: 3rd party rules on validity afterwards
– Self-enforcing: no 3rd party
Today: Authentication

Authentication
The process of determining which principal is making a request or statement.
Humans:
– Not good at calculating
– Bad memories
Machines:
– Good at calculating
– Good memories
Thus: different engineering tradeoffs. A machine can hold and use a long random key; a person cannot, so human authentication is built around passwords, tokens and biometrics, and the protocols must compensate for secrets that are short, reused and memorable.

Authenticating Humans: Foundations
Authentication is based on one or more of the following:
– Something you know, e.g. a password
– Something you have, e.g. a driver's licence (or a key or smart card)
– Something inherent about you, e.g. your fingerprint or retinal pattern
Combining two factors of different kinds (a password plus a token) is stronger than two of the same kind, because one kind of compromise (shoulder-surfing, theft) then does not suffice.

Password Vulnerabilities
– Writing them down: moves the problem to physical security
– Stolen passwords: eavesdropping on the network, or a Trojan Horse (a fake login prompt that records what is typed)
– Poor password choice: "easy to guess" goes with "easy to remember"
– People use the same password on multiple systems, so one compromised system exposes the others
– Passwords changed infrequently
– Offline attacks: with a copy of the password file, search through a password dictionary at machine speed

Survey of 3,289 Passwords
With no constraints on choice of password, Morris and Thompson (1979) got the following results:
– 15 were a single ASCII character
– 72 were strings of two ASCII characters
– 464 were strings of three ASCII characters
– 477 were strings of four alphanumerics
– 706 were five letters, all upper-case or all lower-case
– 605 were six letters, all lower case
Together with 492 passwords found in available dictionaries, 2,831 of the 3,289 (86%) could be found by a small search.

Heuristics for Guessing Attacks
Beyond the plain dictionary, Morris and Thompson tried:
– The dictionary with the words spelled backwards
– A list of first names (best obtained from some mailing list); last names, street names and city names also work well
– The above with initial upper-case letters
– All valid licence plate numbers in your state (about 5 hours of work in 1979 for New Jersey)
– Room numbers, social security numbers, telephone numbers, and the like
Any transformation a user applies to make a word "not a dictionary word" (capitalise, reverse, append a digit) is just as cheap for the attacker to apply to the whole dictionary.

What makes a good password?
Password length
– 64 bits of randomness is hard to crack by search (2^64 guesses)
– 64 bits is about 10 characters chosen uniformly from the 95 printable ASCII characters (log2 95 ≈ 6.6 bits each), or about 14 uniformly random lower-case letters
– But people can't remember random strings
– Longer is not necessarily better: people write the passwords down
Pass phrases
– English text has roughly 1.3 bits of entropy per character
– Thus about 50 letters of English text are needed for 64 bits
– Hard to type without making mistakes!
In practice
– Non-dictionary, mixed case, mixed alphanumeric
– Not too short (or too long)

Preventative Mechanisms
Use a trusted path
– CTRL+ALT+DEL on Windows is a secure attention sequence: the keyboard driver delivers it to the operating system's logon process before any user program sees it, so a Trojan Horse cannot fake the login prompt
– Disallow remote password authentication: users authenticate to the local machine, and the local machine authenticates to remote services, so the password never crosses the network
Make on-line guessing attacks expensive
– Disconnect after 3 tries, wait 10 seconds
– Slows automated attacks to a rate the attacker cannot afford
– Caveat: a hard per-account lockout lets an attacker lock legitimate users out by guessing wrong deliberately, so delay and rate-limit rather than lock permanently

Unix: /etc/passwd
Passwords stored in a file system are vulnerable to automated attacks.
At first Unix was implemented with a password file holding the actual (cleartext) passwords of users. This had many vulnerabilities:
– Copies were made by privileged users
– Copies were made by bugs: in the classic incident the password file was accidentally installed as the daily message-of-the-day file, so every user saw it at login
– Physical access to a backup was a vulnerability
– Information from the password file needed to be replicated into many other files

Preventing Off-line Attacks
Hash the passwords and store the hashed version. Take the password from the user, hash it, and compare with the password file entry. The file no longer reveals passwords directly; an attacker who copies it must guess and hash.
Problems
– Poor user selection of passwords (easy to guess), so the guessing search is short
– Users choose the same password; with a plain hash, identical passwords give identical entries, so one cracked entry reveals every user who shares it

Improvements to First Approach
Slower hashing: use the password as a key and encrypt a constant (a block of zeros) with 25 iterations of the DES algorithm, as Unix crypt(3) does.
– Speed OK for a legitimate user (one hash per login)
– Takes 25 times longer for an automated search (one hash per guess)
Use a non-standard hash function
– crypt(3) uses the salt to perturb DES, so off-the-shelf DES hardware cannot be used to speed up the search
Enforce password rules
– Makes the passwords harder to guess
The iteration count has to be revisited as hardware gets faster: 25 DES iterations was slow in 1979 and is negligible today, which is why modern password hashes carry a tunable work factor.

Add Salt
"Salt" the passwords by adding random bits before hashing.
– Makes dictionary attacks more expensive: a precomputed table of hashed dictionary words is useless, and the dictionary must be re-hashed for every distinct salt
– Decreases the likelihood that two identical passwords will appear as identical entries in the password file
A 12-bit salt results in 4,096 versions of each password.
/etc/passwd entry: user_id, salt_u, Hash(salt_u || passwd_u), …
The salt is stored in the clear. It does not slow an attack on a single account; it only prevents the attacker from sharing work across accounts and across files.
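The hashed, salted, iterated scheme of the last three slides, worked through in Python as an added example (not code from the lecture). It builds password-file entries of the form user:salt:hash with PBKDF2-HMAC-SHA256 standing in for the iterated DES of crypt(3) (the 16-byte salt and 10,000-iteration count are assumptions chosen for the demo, not the 12-bit salt and 25 rounds of the slides), then runs the same dictionary attack against an unsalted and a salted file to show where the salt actually helps. The user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed toy parameters: a 16-byte salt instead of crypt(3)'s 12 bits, and an
# iteration count that plays the role of the 25 DES rounds.  PBKDF2-HMAC-SHA256
# from the standard library is "salt, then iterate a hash" done carefully.
ITERATIONS = 10_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """One password-file line: user:salt_hex:hash_hex.
    salt=b'' gives an unsalted entry, used below only to show the weakness."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return f"{user}:{salt.hex()}:{hash_password(password, salt).hex()}"


def parse_entry(entry: str):
    user, salt_hex, digest_hex = entry.split(":")
    return user, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(entry: str, candidate: str) -> bool:
    """Legitimate login: hash the offered password under the stored salt
    and compare in constant time."""
    _, salt, digest = parse_entry(entry)
    return hmac.compare_digest(hash_password(candidate, salt), digest)


def attack_unsalted(entries, wordlist):
    """Offline attack on an unsalted file: hash the dictionary ONCE, then look
    every entry up in the table.  Cost is len(wordlist) hashes no matter how
    many users there are, and users sharing a password fall together."""
    table = {hash_password(w, b""): w for w in wordlist}
    cracked = {}
    for e in entries:
        user, _, digest = parse_entry(e)
        if digest in table:
            cracked[user] = table[digest]
    return cracked, len(wordlist)


def attack_salted(entries, wordlist):
    """Offline attack on a salted file: the table trick fails because each
    entry has its own salt, so every word must be re-hashed per user.
    Returns the cracked passwords and the number of hashes it took."""
    cracked, work = {}, 0
    for e in entries:
        user, salt, digest = parse_entry(e)
        for w in wordlist:
            work += 1
            if hash_password(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, work


# Constructed sample data: three users, two of whom chose the same password.
WORDLIST = ["password", "123456", "letmein", "qwerty"]
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "correct horse battery")]


def demo():
    unsalted = [make_entry(u, p, salt=b"") for u, p in USERS]
    salted = [make_entry(u, p) for u, p in USERS]
    return {
        "unsalted_identical": parse_entry(unsalted[0])[2] == parse_entry(unsalted[1])[2],
        "salted_identical": parse_entry(salted[0])[2] == parse_entry(salted[1])[2],
        "unsalted_attack": attack_unsalted(unsalted, WORDLIST),
        "salted_attack": attack_salted(salted, WORDLIST),
        "login_ok": verify(salted[0], "letmein"),
        "login_bad": verify(salted[0], "letmeout"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Against the unsalted file the attacker hashes the four words once and reads off both alice and bob (and sees they share a password); against the salted file the same result costs ten hashes, and the cost keeps growing with the number of users. Carol's passphrase is not in the list and survives either attack; the salt never rescues a guessable password.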

One Time Passwords
– Shared lists: both sides hold the same list of passwords and cross each one off after use
– Sequentially updated: each session agrees the password for the next one
– One-time password sequences based on a one-way (hash) function
– Used in practice: the S/KEY mechanism (Lamport's hash chain)

Hash-based 1-time Passwords
Alice identifies herself to verifier Bart using a well-known one-way hash function H.
One-time setup
– Alice chooses a secret w.
– Fixes a constant t for the number of times the authentication can be done.
– Alice securely transfers H^t(w) = H(H(H…(H(w))…)), H applied t times, to Bart.

Hash-based 1-time Passwords: i-th authentication
Protocol actions. For session i (1 ≤ i ≤ t), claimant Alice (A) does the following to identify herself to Bart (B):
– A computes w' = H^(t-i)(w) and transmits {A, i, w'} to B.
– B checks that i is the correct session (i.e. that the previous session was i-1) and checks that H(w') = v, where v was the last value provided by A (as part of session i-1; for i = 1, v is the enrolment value H^t(w)).
– B saves w' and i for use in the next session.
State before session i: Alice holds w and H; Bart holds v = H^(t-i+1)(w) and H.
Message: A → B: {A, i, H^(t-i)(w)}
After t sessions the chain is used up (the t-th password sent is w itself), and Alice must enrol again with a fresh w.

Why This 1-time Password Works
It's hard to compute x from H(x): H is preimage resistant.
– Even though an attacker gets to see H^(t-i)(w) on the wire, they can't compute the next message H^(t-(i+1))(w), which is a preimage of it.
– Replaying a captured H^(t-i)(w) fails: Bart has already advanced to session i+1, so the session number is wrong and the value no longer hashes to what he stores.
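The S/KEY-style hash chain of the preceding slides (setup, the i-th authentication, and the replay and forgery argument) as an added Python example; this is not code from the lecture. H is taken to be SHA-256, and the names, the chain length t and the secret w are constructed for the demo.

```python
import hashlib
import secrets
from typing import Optional


def H(x: bytes) -> bytes:
    """The well-known one-way function; SHA-256 here (an assumption, the
    lecture leaves H abstract)."""
    return hashlib.sha256(x).digest()


def H_iter(x: bytes, n: int) -> bytes:
    """H^n(x): apply H n times, with H^0(x) = x."""
    for _ in range(n):
        x = H(x)
    return x


class Alice:
    """Claimant: holds the secret w, the chain length t and the sessions used."""

    def __init__(self, name: str, t: int, w: Optional[bytes] = None):
        self.name, self.t, self.i = name, t, 0
        self.w = w if w is not None else secrets.token_bytes(32)

    def enrol(self):
        """One-time setup: (name, t, H^t(w)) goes to Bart over a secure channel."""
        return self.name, self.t, H_iter(self.w, self.t)

    def next_message(self):
        """Session i: send {A, i, H^(t-i)(w)}.  Recomputing from w costs t-i
        hash calls; a real client would cache the chain."""
        if self.i >= self.t:
            raise RuntimeError("chain exhausted: enrol again with a fresh w")
        self.i += 1
        return self.name, self.i, H_iter(self.w, self.t - self.i)


class Bart:
    """Verifier: per claimant, the last accepted session number and value."""

    def __init__(self):
        self.state = {}

    def register(self, name: str, t: int, h_t: bytes):
        self.state[name] = (0, h_t)          # before session 1, v = H^t(w)

    def authenticate(self, msg) -> bool:
        name, i, w_prime = msg
        if name not in self.state:
            return False
        last_i, v = self.state[name]
        if i != last_i + 1:                  # wrong session: replay or out of order
            return False
        if H(w_prime) != v:                  # must hash to the stored value
            return False
        self.state[name] = (i, w_prime)      # advance; w' is next session's v
        return True


def run_scenario(t: int = 5):
    """Constructed run: honest sessions, a replay, a forgery attempt built from
    an eavesdropped value, and exhaustion of the chain."""
    alice = Alice("alice", t, w=b"constructed-secret-for-demo")
    bart = Bart()
    bart.register(*alice.enrol())
    r = {}
    m1 = alice.next_message()
    r["session1"] = bart.authenticate(m1)
    r["replay_session1"] = bart.authenticate(m1)      # eavesdropper replays
    m2 = alice.next_message()
    r["session2"] = bart.authenticate(m2)
    # The eavesdropper holds H^(t-2)(w).  Bart now wants its PREIMAGE H^(t-3)(w);
    # the best the attacker can compute is H of it, which is the wrong direction.
    name, _, seen = m2
    r["forged_session3"] = bart.authenticate((name, 3, H(seen)))
    for k in range(3, t + 1):
        r[f"session{k}"] = bart.authenticate(alice.next_message())
    try:
        alice.next_message()
        r["exhausted"] = False
    except RuntimeError:
        r["exhausted"] = True
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Bart never stores anything secret: a copy of his state gives the attacker only values that have already been spent. The two checks are deliberately separate, since the session counter alone rejects a replay, while the hash check is what stops a fabricated value from being accepted for the correct session number.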

Challenge-Response
Background
– Random numbers (nonces)
– Sequence numbers
– Timestamps
Symmetric keys
– With timestamps or random numbers
– MACs
Asymmetric keys
– With encryption or signature

Replay
Replay is the threat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender.
Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in. (Telnet sends the password in the clear, so there the eavesdropper learns the secret outright; with a hashed or encrypted credential, resending the captured message is the attack.)
There are 3 general strategies for defeating replay attacks: nonces, timestamps and sequence numbers. Each gives the verifier a way to tell a fresh message from an old one.

Random Numbers
A random number (nonce) is a number chosen unpredictably in a range. In a challenge-response protocol they are used as follows.
– The verifier chooses a (new) random number and provides it to the claimant.
– The claimant performs an operation on it showing knowledge of a secret (e.g. a MAC over the nonce under the shared key).
– This information is bound inseparably to the random number and returned to the verifier for examination.
– A timeout period is used to ensure "freshness".
The nonce must be unpredictable and never reused: a predictable or repeated challenge lets an eavesdropper collect a response now and replay it later.

Sequence Numbers
Sequence numbers provide a sequential or monotonic counter on messages. If a message is replayed and the original was received, the replay carries an old or too-small sequence number and is discarded.
– Cannot detect forced delay: an attacker who blocks a message and delivers it later still presents the expected next number.
– Difficult to maintain when there are system failures: both sides must keep the counter in stable storage and stay in step.

Time Stamps
The claimant sends a message with a timestamp; the verifier checks that it falls within an acceptance window around its own clock. The last timestamp received is held, and identification requests with older (or equal) timestamps are ignored, so a message cannot be replayed even inside the window.
Good only if clock synchronisation is close enough for the acceptance window; the window size trades tolerance of clock drift against how long a captured message stays usable.
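The three freshness mechanisms of the last slides (nonce challenge-response, sequence numbers, timestamps) in one added Python example; this is not code from the lecture. The symmetric-key "operation showing knowledge of a secret" is taken to be HMAC-SHA256 over the claimant's name and the freshness value; the key, names, timeout and window are assumptions, and a fake clock drives the scenario so the stale-nonce and out-of-window cases are reproducible.

```python
import hashlib
import hmac
import secrets
import struct
import time


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so the claimant name and the
    freshness value cannot be re-split into a different pair of strings."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(struct.pack(">H", len(f)))
        m.update(f)
    return m.digest()


class NonceVerifier:
    """Strategy 1: verifier-chosen random challenge, usable once, with a timeout."""

    def __init__(self, key: bytes, timeout: float = 30.0, clock=time.time):
        self.key, self.timeout, self.clock = key, timeout, clock
        self.outstanding = {}                     # nonce -> time issued

    def challenge(self) -> bytes:
        n = secrets.token_bytes(16)               # unpredictable, fresh
        self.outstanding[n] = self.clock()
        return n

    def check(self, claimant: bytes, nonce: bytes, response: bytes) -> bool:
        issued = self.outstanding.pop(nonce, None)   # one use only
        if issued is None or self.clock() - issued > self.timeout:
            return False
        return hmac.compare_digest(response, mac(self.key, claimant, nonce))


def respond(key: bytes, claimant: bytes, nonce: bytes) -> bytes:
    """Claimant side: proof of key knowledge bound inseparably to the nonce."""
    return mac(key, claimant, nonce)


def sequence_tag(key: bytes, claimant: bytes, seq: int) -> bytes:
    return mac(key, claimant, struct.pack(">Q", seq))


class SequenceVerifier:
    """Strategy 2: per-claimant monotonic counter; old or repeated numbers fail.
    Gaps are tolerated (lost messages), going backwards is not."""

    def __init__(self, key: bytes):
        self.key, self.last = key, {}

    def check(self, claimant: bytes, seq: int, tag: bytes) -> bool:
        if seq <= self.last.get(claimant, 0):
            return False
        if not hmac.compare_digest(tag, sequence_tag(self.key, claimant, seq)):
            return False
        self.last[claimant] = seq
        return True


def stamp(key: bytes, claimant: bytes, ts: float) -> bytes:
    return mac(key, claimant, struct.pack(">d", ts))


class TimestampVerifier:
    """Strategy 3: accept only timestamps inside a window around the verifier's
    clock, and never one at or before the last accepted for that claimant."""

    def __init__(self, key: bytes, window: float = 60.0, clock=time.time):
        self.key, self.window, self.clock, self.last = key, window, clock, {}

    def check(self, claimant: bytes, ts: float, tag: bytes) -> bool:
        if abs(self.clock() - ts) > self.window:
            return False
        if ts <= self.last.get(claimant, float("-inf")):
            return False
        if not hmac.compare_digest(tag, stamp(self.key, claimant, ts)):
            return False
        self.last[claimant] = ts
        return True


def run_scenario():
    """Constructed exchange under a fake clock; returns the outcome of each check."""
    key, alice, now = b"constructed-shared-key", b"alice", [1000.0]
    clock = lambda: now[0]
    r = {}
    nv = NonceVerifier(key, timeout=30.0, clock=clock)
    n = nv.challenge()
    resp = respond(key, alice, n)
    r["nonce_ok"] = nv.check(alice, n, resp)
    r["nonce_replay"] = nv.check(alice, n, resp)            # same nonce again
    n2 = nv.challenge()
    now[0] += 31.0                                          # let n2 go stale
    r["nonce_stale"] = nv.check(alice, n2, respond(key, alice, n2))
    sv = SequenceVerifier(key)
    r["seq_ok"] = sv.check(alice, 1, sequence_tag(key, alice, 1))
    r["seq_replay"] = sv.check(alice, 1, sequence_tag(key, alice, 1))
    r["seq_skip_ok"] = sv.check(alice, 5, sequence_tag(key, alice, 5))
    r["seq_old"] = sv.check(alice, 3, sequence_tag(key, alice, 3))
    tv = TimestampVerifier(key, window=60.0, clock=clock)
    ts = now[0]
    r["ts_ok"] = tv.check(alice, ts, stamp(key, alice, ts))
    r["ts_replay"] = tv.check(alice, ts, stamp(key, alice, ts))
    r["ts_outside_window"] = tv.check(alice, ts - 61.0, stamp(key, alice, ts - 61.0))
    return r
```

Each verifier keeps exactly the state the slide names: the nonce verifier keeps its outstanding challenges, the sequence verifier the last counter, the timestamp verifier the last accepted time. Note what the nonce verifier does not need: any clock agreement with the claimant, which is the property that makes it the most robust of the three at the price of an extra round trip.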