Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tuomas Aura T-110.4206 Information security technology User authentication Aalto University, autumn 2011.

Similar presentations


Presentation on theme: "Tuomas Aura T-110.4206 Information security technology User authentication Aalto University, autumn 2011."— Presentation transcript:

1 Tuomas Aura T-110.4206 Information security technology User authentication Aalto University, autumn 2011

2 Outline 1.Passwords 2.Physical security tokens and two-method authentication 3.Biometrics  Common mantra: User authentication can be based on – something you know – something you have – something you are 2

3 PASSWORDS 3

4 Username and password  Passwords are used for entity authentication – Needed for access control and auditing: access control = authentication + authorization – Entity authentication vs. message authentication  Password is a shared secret between the user and computer system – Limitations arise from the reliance on of human memory and input  What attacks are there against passwords? 4

5 Sniffing and key loggers  Password sniffing on the local network used to be a major problem; mostly solved by cryptographic authentication: – SSH, SSL, HTTP Digest Authentication, MS-CHAPv2  Key logger: software or hardware that stores all key strokes (including passwords) typed on a computer – Particular danger in public-access computers e.g. at libraries and cafes – Why do some bank web sites ask you to use the mouse to enter the PIN code? 5

6 Password recovery  Humans are prone to forget things  need a process for recovering from password loss  What are the advantages and disadvantages of the following recovery mechanisms? – Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name – Emailing password to another user account – Physical visit to helpdesk – Yellow sticker on the back of the keyboard – USB key or CD with a password recovery file 6

7 Password reuse  How many different user accounts and passwords do you have? Ever used the same password on two accounts?  Using the same or related passwords on multiple accounts means that one corrupt sysadmin or compromised account can lead to compromise of the other accounts  Administrative countermeasures: – Passwords chosen by the service, not set by users – Exotic password format requirements  Personal countermeasures: – Generating service-specific passwords from one master password – Password wallet (e.g. on phone) encrypted with a master password 7

8 Shoulder surfing  Keyboards and screens are highly visible  others may see what you are typing  Password and PIN prompts usually do not show the characters – Does this make sense for all secrets? 8 *******

9 Password guessing  Intelligent guessing vs. brute-force guessing – dictionary attack  Countermeasures – Limit the number or rate of login attempts – Minimum password length and complexity, password quality check – Preventing reuse of old passwords – System-generated random passwords – Password aging i.e. mandatory periodic password changes (typically every three months) 9

10 Password entropy  Entropy = the amount of information the attacker is missing about the password Entropy = - ∑ x ∈ passwords P(x) ⋅ log 2 P(x) ≤ log 2 (number of possible passwords)  Examples: – Random 8-character 7-bit passwords have 56 bits of entropy – Random 8-character alphanumeric passwords have at most 8 × log 2 (26+26+10) ≈ 48 bits – 4-digit PIN codes have about 13 bits of entropy  Human-chosen passwords have less entropy than random ones because some passwords are more common than others  Do password quality checks increase entropy?  Passwords rely on human memory  entropy cannot grow over time  any system that relies on high password entropy to beat brute-force attacks will eventually fail 10

11 Online and offline guessing attacks  Offline attack: the attacker obtains a hash (or other function) of the password and tries to guess the password offline – Attacker who has the hash values from the password database – Older challenge-response network authentication, e.g. MS-CHAPv2 or HTTP digest authentication (without SSL)  Online guessing: attacker tries to login with different passwords – Login prompt at the console; PIN code on a phone – Network login to an authenticated server over SSH or SSL – Firewall blocks client IP address after some failed login attempts  In offline attack, the attacker can perform an exhaustive brute-force search; in online attack, target system can limit the number of guesses  Big difference in the required password entropy: – Online guessing success probability ≈ number of allowed guesses / number of possible passwords – Offline attack requires cryptographic strength, e.g. 128-bit entropy 11

12 Password database storage  Safer to assume that the database is public – Unix /etc/password is traditionally world readable – Attacks on web servers often manage to dump any file or database on the server; e.g. SQL injection  How to store passwords in a public file? – Store a hash (i.e. one-way function) of the password – When user enters a password, hash and compare – Use a slow hash (many iterations of a hash function) to make brute-force cracking more difficult – Include random account-specific “salt”: slow_hash( password | salt) to prevent simultaneous brute-force cracking of many passwords, precomputation attacks and equality comparison between passwords 12

13 Password hashing  Password-based key derivation function PBKDF2 [PKCS#5,RFC2898]** – Good practical guide; uses any standard hash function, at least 64-bit salt, any number of iterations  Unix crypt(3) [Morris and Thompson 1978]** – Historical function for storing passwords in /etc/passwd aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh – Eight 7-bit characters = 56-bit DES key – Encrypt a zero block 25 times with modified DES – 12-bit salt used to modify DES key schedule – Stored value includes the salt and encryption result – Replaced by more modern hash functions and shadow passwords (stored in /etc/shadow, which is only readable to root) 13

14 DF2PBK  PBKDF2 (P, S, c, dkLen) P = password S = salt c = iteration count dkLen = length of the result PRF = keyed pseudorandom function F (P, S, c, i) = U 1 xor U 2 xor... xor U c U 1 = PRF (P, S || i) U 2 = PRF (P, U 1 )... U c = PRF (P, U c-1 ) Repeat for i=1,2,3... until dkLen output bytes produced 14 Function for slow hashing of passwords Iterations to make the computation slower Used in WPA2- Personal for deriving keys from password Could also be used for storing password hashes Function for slow hashing of passwords Iterations to make the computation slower Used in WPA2- Personal for deriving keys from password Could also be used for storing password hashes

15 Botnets and online guessing  10 banks, each with 10 6 customer accounts – 4-digit PIN or one-time code required to log in – Client IP address blocked after 3 failed login attempts  Attacker has a botnet of 10 5 computers – Each bot makes one login attempt to one account in each bank every day  10 6 login attempts in a day  ~100 successful break-ins in a day  Countermeasures: – Make user IDs hard to guess; long, different from account numbers, and not assigned sequentially – Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN  increased entropy reduces attacker success rate 15

16 One-time passwords  Use each password only once to thwart password sniffers and key loggers  Lamport hash chain: H 1 = hash (secret seed); H i+1 = hash (H i ) – Server stores initially H 100 and requires user to enter H 99. Next stores H 99 and requires H 98, and so on.  Unix S/KEY or OTP [RFC1760/1938] 1: HOLM BONG VARY TIP JUT ROSY 2: LAIR MEMO BERG DARN ROWE RIG 3: FLEA BOP HAUL CLAD DARK ITS 4: MITT HUM FADE CREW SLOG HAST  Hash-based one-time passwords HOTP [RFC4226] HOTP(K,C) = HMAC-SHA-1(K,C) mod 10 D – Produces a one-time PIN code of D decimal digits  Time-based one-time passwords – E.g. RSA SecurID: one of many commercial products  Which attacks are prevented by one-time passwords and which are not? 16

17 Spoofing attacks  Attacker could spoof the login dialog; how do you know when it is safe to type in the password? 17

18

19 Trusted path  Attacker could spoof the login dialog; how do you know when it is safe to type in the password?  Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system – Crtl+Alt+Del in Windows takes to a security screen that cannot be spoofed – Web browser shows the URL in the address bar in a way that cannot be spoofed by the web server  With malware and virtualization, it is increasingly hard to know what is real 19

20 Other threats  No system is perfectly secure: system designers have a specific threat model in mind, but the attacker can break these rules – “The attacker does not agree with the threat model.” (Bruce Christianson)  Other attacks against PINs and passwords: – Phishing and social engineering – Heat camera can detect recently pressed keys – Acoustic emanations from the keyboard 20

21 PHYSICAL SECURITY TOKENS AND TWO-METHOD AUTHENTICATION 21

22 Physical security tokens  Smart card is a typical physical security token – Holds cryptographic keys to prove its identity – Tamperproof: secret keys will stay inside  Used for door keys, computer login, ATM  PIN entry is often also required  two-method authentication – Attacker needs to both steal the card and learn the PIN  clear qualitative increase in security  Other security token implementations: smart button, USB stick, mobile phone 22

23 Issues with security tokens  Physical tokes require distribution  Computers (or doors etc.) must have readers  It is not easy to integrate cryptographic tokens to all systems – E.g. applications that require a password cached on the client or on a proxy server  Process needed for recovering from the loss of tokens  Are smart card + PIN really two factors?  One alternative is two-channel authentication: – Confirmation via telephone: callback – Sending a second secret to a known address: text message, email, post 23

24 BIOMETRICS 24

25 Biometric authentication  Biometric authentication means verifying some physical feature of the user – Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA – Behavioral characteristic: voice, typing, gait  Biometrics are not 100% reliable: – False acceptance rate FAR – False rejection rate FRR – Equal error rate EER 25 FARFRR 50% EER

26 Issues with biometrics  Biometrics require enrollment and readers  Unsupervised vs. supervised readers have a big difference in security – E.g. fingerprints, face recognition  Suitability for security architectures: – Are biometric characteristics secrets? – Can they be copied? – How to revoke biometrics?  What if enrollment fails? – Some people have no fingerprints, or no fingers 26

27 Reading material  Dieter Gollmann: Computer Security, 2nd ed., chapter 3  Matt Bishop: Introduction to computer security, chapter 11  Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15  Edward Amoroso: Fundamentals of Computer Security Technology, chapters 18-19 27

28 Exercises  Why do you need both the username and password? Would not just one secret identifier (password) be sufficient for logging in?  What effect do strict guidelines for password format (e.g. 8 characters, at least 2 capitals, 2 digits, 1 special symbol) have on the password entropy?  What is the probability of guessing the code for a phone that allows 3 attempts to guess a 4-digit PIN code, then 10 attempts to guess an 8-digit PUK code?  In what respects is PBKDF2 better for password hashing than crypt(3)?  Why may mandatory password changes increase security? What is the optimal interval?  How to limit the number of login attempts without creating a DoS vulnerability?  Learn about graphical passwords and compare their entropy to different length passwords and PIN codes.  Learn about HTTP Digest Authentication [RFC2617] and MS-Chap-V2 [RFC2759]. Explain how to perform an offline password guessing attack after sniffing a login.  In a social network, could authentication be based on who you know (or who knows you), or where you are?  What advantages and disadvantages might a fingerprint reader have in a car lock? 28


Download ppt "Tuomas Aura T-110.4206 Information security technology User authentication Aalto University, autumn 2011."

Similar presentations


Ads by Google