1 / 24

CSE331: Introduction to Networks and Security

CSE331: Introduction to Networks and Security. Lecture 23 Fall 2002. Announcements. Class is cancelled next Wednesday (Nov. 6 th ). Recap. Protocols Arbitrated : 3 rd party intermediary Adjudicated : 3 rd party rules on validity afterwards Self enforcing : no 3 rd party Today

jamesmelton
Download Presentation

CSE331: Introduction to Networks and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSE331:Introduction to Networksand Security Lecture 23 Fall 2002

  2. Announcements • Class is cancelled next Wednesday (Nov. 6th) CSE331 Fall 2002

  3. Recap • Protocols • Arbitrated : 3rd party intermediary • Adjudicated : 3rd party rules on validity afterwards • Self enforcing : no 3rd party • Today • Authentication CSE331 Fall 2002

  4. Authentication • The process of determining which principal is making a request or statement. • Humans: • Not good at calculating • Bad memories • Machines: • Good at calculating • Good memories • Thus: Different engineering tradeoffs CSE331 Fall 2002

  5. Authenticating Humans: Foundations • Authentication is based on one or more of the following: • Something you know • e.g. a password • Something you have • e.g. a driver’s license • Something inherent about you • e.g. your fingerprint or retinal pattern CSE331 Fall 2002

  6. Password Vulnerabilities • Writing them down • Moves problem to physical security • Stolen passwords (via eavesdropping) • Trojan Horse • Poor password choice • Easy to guess vs. easy to remember • People use the same password multiple times • Passwords changed infrequently • Offline attacks • Search through password dictionary CSE331 Fall 2002

  7. 1979 Survey of 3,289 Passwords • With no constraints on choice of password, Morris and Thompson got the following results: • 15 were a single ASCII letter. • 72 were strings of two ASCII letters. • 464 were strings of three ASCII letters. • 47 were strings of four alphanumerics. • 706 were five letters, all upper-case or all lower-case. • 605 were six letters, all lower case. CSE331 Fall 2002

  8. Heuristics for Guessing Attacks • The dictionary with the words spelled backwards • A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well. • The above with initial upper-case letters. • All valid license plate numbers in your state. (About 5 hours work in 1979 for New Jersey.) • Room numbers, social security numbers, telephone numbers, and the like. CSE331 Fall 2002

  9. What makes a good password? • Password Length • 64 bits of randomness is hard to crack • 64 bits is roughly 20 “common” ASCII characters • But… People can’t remember random strings • Longer not necessarily better: people write the passwords down • Pass phrases • English Text has roughly 1.3 random bits/char. • Thus about 50 letters of English text • Hard to type without making mistakes! • In practice • Non-dictionary, mixed case, mixed alphanumeric • Not too short (or too long) CSE331 Fall 2002

  10. Preventative Mechanisms • Use a trusted path • CTRL+ALT+DEL is a hardware mechanism to prevent Trojan Horse login prompts • Disallow remote authentication: users authenticate to local machines, machines to remote authentication. • Make on-line guessing attacks expensive • Disconnect after 3 tries, wait 10 seconds • Prevents automated attacks CSE331 Fall 2002

  11. Unix: /etc/passwd • Passwords stored in a file system are vulnerable to automated attacks • At first Unix was implemented with a password file holding the actual passwords of users. • This had many vulnerabilities • Copies were made by privileged users • Copies were made by bugs: classic example posted password file on daily message file • Physical access to backup was a vulnerability • Information from the password file needed to be replicated into many other files CSE331 Fall 2002

  12. Preventing Off-line Attacks • Hash the passwords and store the hashed version. • Take the password from the user, hash it, and compare with password file entry. • Problems • Poor user selection of passwords (easy to guess) • Users choose the same password CSE331 Fall 2002

  13. Improvements to First Approach • Slower hashing: use password to create a key, then hash a constant using 25 iterations of the DES algorithm. • Speed OK for legitimate users • Takes longer to do automatic search • Use non-standard hash function • Not readily available in hardware • Enforce password rules • Makes the passwords harder to guess CSE331 Fall 2002

  14. Add Salt user_id saltu Hash(saltu + passwdu) … • “Salt” the passwords by adding random bits. • Makes dictionary attacks more expensive. • Decreases the likelihood that two identical passwords will appear as identical entries in the password file. • 12 bit salt results in 4,096 versions of each password. • /etc/passwd entry: CSE331 Fall 2002

  15. One Time Passwords • Shared lists. • Sequentially updated. • One-time password sequences based on a one-way (hash) function. • Used in practice: SKey mechanism CSE331 Fall 2002

  16. Hash-based 1-time Passwords • Alice identifies herself to verifier Bart using a well-known one-way hash function H. • One-time setup. • Alice chooses a secret w. • Fixes a constant t for the number of times the authentication can be done. • Alice securely transfers Ht(w) to Bart H(H(H…(H(w))…)) t times CSE331 Fall 2002

  17. Hash-based 1-time Passwords • Protocol actions. For session i, claimant A does the following to identify itself: • A computes w’ = H**(t-i)(w) and transmits the value to B. • B checks that i is the correct session (ie. that the previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1). • B saves w’ and i for use in the next session. CSE331 Fall 2002

  18. One-time passwords: ith authentication Alice Bart • Alice does the following to identify herself: • A computes w’ = H (t-i)(w) and transmits the value to B. • B checks that i is the correct session (ie. that the previous session was i-1) and checks to see if H(w’) = v where v was the last value provided by A (as part of session i-1). • B saves w’ and i for use in the next session. • {A, i, H(t-i)(w)} W H(-) H(t-i+1)(w), H(-) CSE331 Fall 2002

  19. Why This 1-time Password Works • It’s hard to compute x from H(x). • Even though attacker gets to see H(t-i)(x), they can’t guess then next message H(t-(i+1))(x). CSE331 Fall 2002

  20. Challenge-Response • Background. • Random numbers (nonces). • Sequence numbers. • Timestamps. • Symmetric keys. • With timestamps or random numbers. • MAC’s. • Asymmetric keys. • With encryption or signature. CSE331 Fall 2002

  21. Replay • Replay is the threat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender. • Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in. • There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers. CSE331 Fall 2002

  22. Random Numbers • A random number is a number chosen unpredictably in a range. • In a challenge-response protocol they are used as follows. • The verifier chooses a (new) random number and provides it to the claimant. • The claimant performs an operation on it showing knowledge of a secret. • This information is bound inseparable to the random number and returned to the verifier for examination. • A timeout period is used to ensure “freshness”. CSE331 Fall 2002

  23. Sequence Numbers • Sequence numbers provide a sequential or monotonic counter on messages. • If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded. • Cannot detect forced delay. • Difficult to maintain when there are system failures. CSE331 Fall 2002

  24. Time Stamps • The claimant sends a message with a timestamp. • The verifier checks that it falls within an acceptance window of time. • The last timestamp received is held, and identification requests with older timestamps are ignored. • Good only if clock synchronization is close enough for acceptance window. CSE331 Fall 2002

More Related