Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.

Slides:



Advertisements
Similar presentations
Password Cracking Lesson 10. Why crack passwords?
Advertisements

CSC 474 Information Systems Security
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Cryptography and Network Security Chapter 20 Intruders
7-1 Last time Protection in General-Purpose Operating Systems History Separation vs. Sharing Segmentation and Paging Access Control Matrix Access Control.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Strong Password Protocols
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.
Password Management. Password Protection Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
CIS 450 – Network Security Chapter 8 – Password Security.
File Protection Mechanisms  All-None Protection Lack of trustLack of trust All or nothingAll or nothing Timesharing issuesTimesharing issues ComplexityComplexity.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 3 – User Authentication.
Lecture 11: Strong Passwords
Passwords. Outline Objective Authentication How/Where Passwords are Used Why Password Development is Important Guidelines for Developing Passwords Summary.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
CSCE 522 Identification and Authentication. CSCE Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.
Identification and Authentication CS432 - Security in Computing Copyright © 2005,2010 by Scott Orr and the Trustees of Indiana University.
Mitch Parks, GSEC/GCWN ITS Desktop Security Analyst
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Chapter 1 – Introduction Part 4 1. Message Authentication Codes Allows for Alice and Bob to have data integrity, if they share a secret key. Given a message.
Lecture 5 User Authentication modified from slides of Lawrie Brown.
Authentication Lesson Introduction ●Understand the importance of authentication ●Learn how authentication can be implemented ●Understand threats to authentication.
Authentication What you know? What you have? What you are?
King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1.
Password. On a Unix system without Shadow Suite, user information including passwords is stored in the /etc/passwd file. Each line in /etc/passwd is a.
My topic is…………. - It is the fundamental building block and the primary lines of defense in computer security. - It is a basic for access control and.
CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection.
Managing Users CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.
CIS 450 – Network Security Chapter 10 – UNIX Password Crackers.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Chapter Six: Authentication 2013 Term 2 Access Control Two parts to access control Authentication: Are you who you say you are?  Determine whether access.
Understanding Security Policies Lesson 3. Objectives.
Effective Password Management Neil Kownacki. Passwords we use today PINs, smartphone unlock codes, computer accounts, websites Passwords are used to protect.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
Security Risk Assessment Determine how important your computer is to your group ● Mission critical? ● Sensitive information? ● Expensive hardware? ● Service.
Understanding Security Policies
Identification and Authentication
Simple Authentication for the Web
Password Management Limit login attempts Encrypt your passwords
Authentication CSE 465 – Information Assurance Fall 2017 Adam Doupé
Password Cracking Lesson 10.
CS 465 PasswordS Last Updated: Nov 7, 2017.
Strong Password Protocols
Strong Password Protocols
Cyber Operation and Penetration Testing Online Password Cracking Cliff Zou University of Central Florida.
Strong Password Protocols
Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé
Exercise: Hashing, Password security, And File Integrity
Computer Security Authentication
Computer Security Protection in general purpose Operating Systems
Authentication CSE 365 – Information Assurance Fall 2019 Adam Doupé
Presentation transcript:

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011

Goals  Understand UNIX pw system How it works How to attack  Understand Lamport’s hash and its vulnerabilities

History of UNIX passwords  Originally the actual passwords were stored in a plaintext file “Excessively vulnerable to lapses in security”  Improved approach used encryption to protect passwords Led to brute force/dictionary attacks

Pass Phrases  Passwords is a misnomer Do not use single words or variants Supposedly, a large number of passwords in Dallas is some variant of the word cowboys ○ Any cougar passwords out there!  Use a pass-phrase Memorable and harder to guess First letter of a long phrase ○ Rastcao - Rise and shout the cougars are out

How to Attack Password Systems  Guess the user’s password Online attack ○ Attempt to login as the user would Offline attack ○ Repeated guessing involving an encrypted form of the user’s password  Shoulder surfing  Users write down their passwords  Users give away their passwords Phishing, social engineering

Problems with Passwords  Users have too many passwords Encourages password reuse Leads to forgotten passwords Burdens users and administrators  Attempts to increase password strength inconvenience users  Random passwords Only as random as the initialization of the salt value

Time estimates  What is the maximum number of attempts to guess a password? Password length = 8 characters Assume password is alphanumeric ( ) ( ) 8 = 62 8  How many attempts on average? Divide maximum number by 2 (this assumes brute force attack and passwords chosen randomly)

Unix Password File  Original password file /etc/passwd was world readable Anyone could copy the file offline and perform a dictionary attack You could find sample files on Google courtesy of naïve system admins!  Later, the encrypted password was moved to a shadow file /etc/shadow that required root privileges to access

 Unix Password File Creation

Verifying a Password UsernameSaltEncrypted PW  

Password Salts  Why do Unix password files use a salt? Prevents the identification of identical passwords ○ Provided each user has a different salt All password guesses are salt-specific ○ Guess made with one salt aren’t helpful for another ○ Increases the cost of offline attack to crack any password in the file ○ Increases the size requirement for a pre- computed database of hashed passwords

Password Attacks with Salt  How many guesses do password attacks need when a salt is used? Off-line attack – one attempt for each unique salt in the file  How does the salt impact on-line attacks? It doesn’t  How does the salt impact an attempt to crack a specific user’s password in the file? It doesn’t change the number of attempts, but it does increase the size of a pre-computed database of passwords

crypt(3)  2 approaches A modified DES implementation (uses a salt) ○ Can’t use off the shelf DES hardware ○ Effectively limits the size of all passwords to eight characters MD5 hash ○ Any size password ○ Hash function is invoked 1000 times An attack that would have taken 1 day now takes 3 years Minimal impact to user and the system

Password Guessing Attacks  Brute-force  Dictionary  Substitution password, passw0rd

Lamport’s Hash  One time password scheme see Alice Alice’s Workstation Bob Alice, pwd Alice n x = hash n-1 (pwd) BOB knows  n, hash n (password)  Compares hash(x) to hash n (password); If equal, replaces  hash n (password)  With  n-1, x 

Attack on Lamport’s Hash  Small n attack Active attacker intercepts servers reply message with n and changes it to a smaller value Attacker can easily manipulate the response (repeatedly) to impersonate Alice  Eavesdropper captures Alice’s hashed reply and conducts off-line attack  Replay Alice’s response to other servers where Alice may use the same password Thwart using salt at the server – server hashes pw || salt and sends n and the salt to Alice during login Salt also permits automatic password refresh when n reaches 1

Related articles (optional)  The Curse of the Secret Question  Sarah Palin Yahoo! account hacked  Secret Questions Too Easily Answered  Scientists claim GPUs make passwords worthless worthless worthless  How the Bible and Youtube are fueling the next frontier of password cracking next-frontier-of-password-cracking/ next-frontier-of-password-cracking/  32 million passwords show most users careless about security show-most-users-careless-about-security/ show-most-users-careless-about-security/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.