Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication attacks, causes and solutions Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems.

Published byBarbra McCarthy Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication attacks, causes and solutions Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems."— Presentation transcript:

1 Authentication attacks, causes and solutions Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems Fletcher Liverance, 16 April 2009

2 Sources Password-Based Authentication: Preventing Dictionary Attacks Password-Based Authentication: Preventing Dictionary Attacks Saikat Chakrabarti, University of Kentucky Saikat Chakrabarti, University of Kentucky Mukesh Singhal, University of Kentucky Mukesh Singhal, University of Kentucky Computer, IEEE CS Press, June 2007, pp. 68-74 Computer, IEEE CS Press, June 2007, pp. 68-74 SSL/TLS Session-Aware User Authentication SSL/TLS Session-Aware User Authentication Rolf Oppliger, eSECURITY Technologies Rolf Oppliger, eSECURITY Technologies Ralf Hauser, PrivaSphere AG Ralf Hauser, PrivaSphere AG David Basin, ETH Zurich David Basin, ETH Zurich Computer, IEEE CS Press, March 2008, pp. 59-65 Computer, IEEE CS Press, March 2008, pp. 59-65

3 Overview What is authentication? What is authentication? Two common attacks Two common attacks Advanced password authentication protocols Advanced password authentication protocols Improvements in SSL/TLS Improvements in SSL/TLS Preventing future attacks Preventing future attacks

4 What is Authentication? Authentication is the binding of an identity to a subject Face Face Voice Voice Signature Signature Birth certificate Birth certificate Social security number Social security number ID card ID card Personal knowledge Personal knowledge Key Key Password Password Name Name Phone number Phone number

5 Impersonal Authentication How do you authenticate over a network? How do you authenticate over a network? No direct visual cues No direct visual cues No direct auditory cues No direct auditory cues No physical connection No physical connection Knowledge based authentication Knowledge based authentication Recreation of human authentication cues Recreation of human authentication cues Electronic IDs Electronic IDs

6

7 Dictionary Attack Online Online Repeated query of authentication server Repeated query of authentication server Slow Slow Easy to block Easy to block Offline Offline Repeated computation and comparison of password hash Repeated computation and comparison of password hash Faster Faster No interaction required No interaction required Top ten passwords: 1. (username) 2. (username)123 3. 123456 4. password 5. 1234 6. 12345 7. passwd 8. 123 9. test 10. 1

8 Man in the Middle “a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.” RFC 2828 – Internet Security Glossary

9 Basic Password Authentication

10 Challenge/Response

11 EKE Protocol

12 Plaintext equivalence User and host must have access to the same secret password User and host must have access to the same secret password Attacker can intercept password hash as it is sent to server Attacker can intercept password hash as it is sent to server

13 Secure remote-password protocol

14 Behind the scenes Alice and Bob agree on finite field F(x) Alice and Bob agree on finite field F(x) Alice gives Bob verifier v = F(Hash(salt, password)) and salt. Alice gives Bob verifier v = F(Hash(salt, password)) and salt. Alice sends identity to Bob Alice sends identity to Bob Bob sends salt to Alice Bob sends salt to Alice Alice computes K-a = F(Rand-a) and x = Hash(s, pwd) Alice computes K-a = F(Rand-a) and x = Hash(s, pwd) Alice send K-a to Bob Alice send K-a to Bob Bob computes K-b = v + F(Rand-b) Bob computes K-b = v + F(Rand-b) Bob sends K-b and Rand-r to Alice Bob sends K-b and Rand-r to Alice Alice computes K-ab = Hash(K-b – F(Hash(salt, pwd))^(Rand-a + Rand-r*Hash(salt,pwd)) Alice computes K-ab = Hash(K-b – F(Hash(salt, pwd))^(Rand-a + Rand-r*Hash(salt,pwd)) Bob computes K-ab = Hash(Rand-b*Key-a*v^Rand-r) Bob computes K-ab = Hash(Rand-b*Key-a*v^Rand-r) Alice sends Cert-a to Bob Alice sends Cert-a to Bob Bob verifies Cert-a is correct Bob verifies Cert-a is correct Bob sends Cert-b to Alice Bob sends Cert-b to Alice Alice verifies Cert-b is correct Alice verifies Cert-b is correct

15 Alternative Solutions Delayed response Delayed response Account locking Account locking Extra computation Extra computation Reverse Turing Test Reverse Turing Test Captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart) Captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

16 SSL/TLS

17 SSL/TLS Issues Prone to man in the middle attack Prone to man in the middle attack Attacker intercepts server messages Attacker intercepts server messages Attacker replaces server certificate with its own Attacker replaces server certificate with its own Client encrypts all future transmissions using attacker’s certificate Client encrypts all future transmissions using attacker’s certificate “the naïve end user usually does SSL/TLS server authentication poorly if at all” “the naïve end user usually does SSL/TLS server authentication poorly if at all” “developers usually decouple SSL/TLS session establishment from user authentication” “developers usually decouple SSL/TLS session establishment from user authentication”

18 Preventing MITM attacks Enforce proper server authentication Enforce proper server authentication Uneducated users Uneducated users Forged certificates Forged certificates Click through Click through Complicated revocation policy Complicated revocation policy Complicated certificate verification tree Complicated certificate verification tree

19

20 TLS-SA Combine user authentication with SSL/TLS session establishment Combine user authentication with SSL/TLS session establishment Provide user authentication code (UAC) that depends on credentials and TLS session Provide user authentication code (UAC) that depends on credentials and TLS session Attacker can start session with user and host, but cannot forward messages between them Attacker can start session with user and host, but cannot forward messages between them

21 TLS-SA Implementation Normal TLS Normal TLS Client token generates session key based on hash of server cert Client token generates session key based on hash of server cert User enters password User enters password UAC is computed from session key and password and is transmitted to server UAC is computed from session key and password and is transmitted to server Server authenticates client at any time by requesting user ID, hash of server cert and the UAC. Server authenticates client at any time by requesting user ID, hash of server cert and the UAC.

22 A Formal Approach “protocols need more than heuristic arguments to provide security guarantees.” Provable security via the Standard model Provable security via the Standard model Uses complexity-theoretic hardness assumptions: Uses complexity-theoretic hardness assumptions: Factoring the product of large primes is hard Factoring the product of large primes is hard Computing the discrete logarithm is hard in certain large groups. Computing the discrete logarithm is hard in certain large groups. AES is a good pseudorandom permutation AES is a good pseudorandom permutation

23 A Formal Approach (cont.) The random oracle model The random oracle model “A public random function that takes any string as input and outputs n bits” “A public random function that takes any string as input and outputs n bits” Use heuristically secure algorithms such as SHA Use heuristically secure algorithms such as SHA The ideal-cipher model The ideal-cipher model A standard block cipher, with k-bit key and n-bit input, chosen uniformly from all block ciphers of this form. A standard block cipher, with k-bit key and n-bit input, chosen uniformly from all block ciphers of this form. Use pseudorandom permutations such as AES Use pseudorandom permutations such as AES

24 Q & A

Download ppt "Authentication attacks, causes and solutions Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems."

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Similar presentations

Ads by Google