CSE331: Introduction to Networks and Security
Lecture 23
Fall 2002
Announcements
• Class is cancelled next Wednesday (Nov. 6th)
CSE331 Fall 2002
Recap
• Protocols
  • Arbitrated: 3rd party intermediary
  • Adjudicated: 3rd party rules on validity afterwards
  • Self enforcing: no 3rd party
• Today
  • Authentication
Authentication
• The process of determining which principal is making a request or statement.
• Humans:
  • Not good at calculating
  • Bad memories
• Machines:
  • Good at calculating
  • Good memories
• Thus: Different engineering tradeoffs
Authenticating Humans: Foundations
• Authentication is based on one or more of the following:
  • Something you know
    • e.g. a password
  • Something you have
    • e.g. a driver’s license
  • Something inherent about you
    • e.g. your fingerprint or retinal pattern
Password Vulnerabilities
• Writing them down
  • Moves problem to physical security
• Stolen passwords (via eavesdropping)
• Trojan Horse
• Poor password choice
  • Easy to guess vs. easy to remember
• People use the same password multiple times
• Passwords changed infrequently
• Offline attacks
  • Search through password dictionary
1979 Survey of 3,289 Passwords
• With no constraints on choice of password, Morris and Thompson got the following results:
  • 15 were a single ASCII letter.
  • 72 were strings of two ASCII letters.
  • 464 were strings of three ASCII letters.
  • 47 were strings of four alphanumerics.
  • 706 were five letters, all upper-case or all lower-case.
  • 605 were six letters, all lower case.
Heuristics for Guessing Attacks
• The dictionary with the words spelled backwards
• A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well.
• The above with initial upper-case letters.
• All valid license plate numbers in your state. (About 5 hours work in 1979 for New Jersey.)
• Room numbers, social security numbers, telephone numbers, and the like.
What makes a good password?
• Password Length
  • 64 bits of randomness is hard to crack
  • 64 bits is roughly 20 “common” ASCII characters
  • But… People can’t remember random strings
  • Longer not necessarily better: people write the passwords down
• Pass phrases
  • English text has roughly 1.3 random bits/char.
  • Thus about 50 letters of English text
  • Hard to type without making mistakes!
• In practice
  • Non-dictionary, mixed case, mixed alphanumeric
  • Not too short (or too long)
Preventative Mechanisms
• Use a trusted path
  • CTRL+ALT+DEL is a hardware mechanism to prevent Trojan Horse login prompts
• Disallow remote authentication: users authenticate to local machines, machines to remote authentication.
• Make on-line guessing attacks expensive
  • Disconnect after 3 tries, wait 10 seconds
  • Prevents automated attacks
Unix: /etc/passwd
• Passwords stored in a file system are vulnerable to automated attacks
• At first Unix was implemented with a password file holding the actual passwords of users.
• This had many vulnerabilities
  • Copies were made by privileged users
  • Copies were made by bugs: classic example posted password file on daily message file
  • Physical access to backup was a vulnerability
  • Information from the password file needed to be replicated into many other files
Preventing Off-line Attacks
• Hash the passwords and store the hashed version.
• Take the password from the user, hash it, and compare with password file entry.
• Problems
  • Poor user selection of passwords (easy to guess)
  • Users choose the same password
Improvements to First Approach
• Slower hashing: use password to create a key, then hash a constant using 25 iterations of the DES algorithm.
  • Speed OK for legitimate users
  • Takes longer to do automatic search
• Use non-standard hash function
  • Not readily available in hardware
• Enforce password rules
  • Makes the passwords harder to guess
Add Salt
• “Salt” the passwords by adding random bits.
• Makes dictionary attacks more expensive.
• Decreases the likelihood that two identical passwords will appear as identical entries in the password file.
• 12 bit salt results in 4,096 versions of each password.
• /etc/passwd entry: user_id | salt_u | Hash(salt_u + passwd_u) | …
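The salted password file from the last three slides, as an added example that is not part of the lecture. SHA-256 stands in for the slide's generic Hash(), and the names `enroll`, `verify`, `audit` and `precomputed_table_size` are hypothetical; the sample users and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BITS = 12  # the slide's 12-bit salt: 2**12 = 4,096 versions of each password

def hash_entry(salt: int, password: str) -> str:
    # Assumption: SHA-256 stands in for the slide's generic Hash().
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()

def enroll(pwfile: dict, user: str, password: str, salt: Optional[int] = None) -> None:
    """Store (salt_u, Hash(salt_u + passwd_u)) for the user, never the password."""
    if salt is None:
        salt = secrets.randbelow(1 << SALT_BITS)
    pwfile[user] = (salt, hash_entry(salt, password))

def verify(pwfile: dict, user: str, password: str) -> bool:
    """Take the password from the user, hash it with the stored salt, compare."""
    if user not in pwfile:
        return False
    salt, stored = pwfile[user]
    return hmac.compare_digest(stored, hash_entry(salt, password))

def audit(pwfile: dict, wordlist: list) -> tuple:
    """Defender's audit: which entries fall to a word list, and at what cost.
    Each entry has its own salt, so every guess is re-hashed per user."""
    weak, hashes = [], 0
    for user, (salt, stored) in pwfile.items():
        for word in wordlist:
            hashes += 1
            if hmac.compare_digest(stored, hash_entry(salt, word)):
                weak.append(user)
                break
    return weak, hashes

def precomputed_table_size(wordlist: list) -> int:
    """Entries a precomputed hash table needs to cover every possible salt."""
    return len(wordlist) * (1 << SALT_BITS)

if __name__ == "__main__":
    pwfile = {}  # constructed sample data
    enroll(pwfile, "alice", "wombat")
    enroll(pwfile, "bob", "wombat")
    print(pwfile, audit(pwfile, ["password", "wombat"]))
```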
One Time Passwords
• Shared lists.
• Sequentially updated.
• One-time password sequences based on a one-way (hash) function.
• Used in practice: S/Key mechanism
Hash-based 1-time Passwords
• Alice identifies herself to verifier Bart using a well-known one-way hash function H.
• One-time setup.
  • Alice chooses a secret w.
  • Fixes a constant t for the number of times the authentication can be done.
  • Alice securely transfers $H^{t}(w)$ to Bart, where $H^{t}(w) = H(H(H…(H(w))…))$ with H applied t times.
Hash-based 1-time Passwords
• Protocol actions. For session i, claimant A does the following to identify itself:
  • A computes $w' = H^{t-i}(w)$ and transmits the value to B.
  • B checks that i is the correct session (i.e. that the previous session was i-1) and checks to see if $H(w') = v$, where v was the last value provided by A (as part of session i-1).
  • B saves w’ and i for use in the next session.
One-time passwords: ith authentication
• Alice does the following to identify herself:
  • A computes $w' = H^{t-i}(w)$ and transmits the value to B.
  • B checks that i is the correct session (i.e. that the previous session was i-1) and checks to see if $H(w') = v$, where v was the last value provided by A (as part of session i-1).
  • B saves w’ and i for use in the next session.
• Diagram: Alice holds w and H(-); Bart holds $H^{t-i+1}(w)$ and H(-); Alice sends Bart the message $\{A, i, H^{t-i}(w)\}$.
Why This 1-time Password Works
• It’s hard to compute x from H(x).
• Even though the attacker gets to see $H^{t-i}(x)$, they can’t guess the next message $H^{t-(i+1)}(x)$.
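The hash-chain protocol from the preceding slides run end to end, as an added example that is not part of the lecture. SHA-256 is assumed for H, the class and function names are hypothetical, and the secret w is a constructed sample value.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    # Assumption: SHA-256 plays the role of the well-known one-way function H.
    return hashlib.sha256(x).digest()

def H_iter(x: bytes, n: int) -> bytes:
    """H applied n times: H^n(x)."""
    for _ in range(n):
        x = H(x)
    return x

class Claimant:
    """Alice: keeps the secret w and the session counter i."""
    def __init__(self, w: bytes, t: int):
        self.w, self.t, self.i = w, t, 0

    def setup_value(self) -> bytes:
        return H_iter(self.w, self.t)  # H^t(w), handed to Bart over a secure channel

    def next_message(self) -> tuple:
        if self.i >= self.t:
            raise RuntimeError("chain exhausted: choose a new w and redo setup")
        self.i += 1
        return ("A", self.i, H_iter(self.w, self.t - self.i))  # {A, i, H^(t-i)(w)}

class Verifier:
    """Bart: stores only v, the last value accepted, and the session number."""
    def __init__(self, v: bytes):
        self.v, self.i = v, 0

    def check(self, msg: tuple) -> bool:
        _name, i, w_prime = msg
        if i != self.i + 1:                              # previous session must be i-1
            return False
        if not hmac.compare_digest(H(w_prime), self.v):  # H(w') = v ?
            return False
        self.v, self.i = w_prime, i                      # save w' and i
        return True

if __name__ == "__main__":
    alice = Claimant(b"constructed sample secret w", t=5)
    bart = Verifier(alice.setup_value())
    first = alice.next_message()
    print(bart.check(first), bart.check(first))  # accepted once, replay rejected
```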
Challenge-Response
• Background.
  • Random numbers (nonces).
  • Sequence numbers.
  • Timestamps.
• Symmetric keys.
  • With timestamps or random numbers.
  • MACs.
• Asymmetric keys.
  • With encryption or signature.
Replay
• Replay is the threat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender.
• Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in.
• There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.
Random Numbers
• A random number is a number chosen unpredictably in a range.
• In a challenge-response protocol they are used as follows.
  • The verifier chooses a (new) random number and provides it to the claimant.
  • The claimant performs an operation on it showing knowledge of a secret.
  • This information is bound inseparably to the random number and returned to the verifier for examination.
  • A timeout period is used to ensure “freshness”.
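A nonce-based challenge-response exchange following the four steps on this slide, as an added example that is not part of the lecture. It assumes a shared symmetric key with HMAC-SHA256 as the MAC; `NonceVerifier`, `respond` and the 30-second timeout are hypothetical choices, and the key is a constructed sample value.

```python
import hashlib
import hmac
import secrets
import time

def respond(key: bytes, claimant_id: str, nonce: bytes) -> bytes:
    """Claimant side: a MAC over the nonce shows knowledge of the key and is
    bound to this particular challenge."""
    return hmac.new(key, claimant_id.encode() + b"|" + nonce, hashlib.sha256).digest()

class NonceVerifier:
    def __init__(self, key: bytes, timeout: float = 30.0, clock=time.monotonic):
        self.key, self.timeout, self.clock = key, timeout, clock
        self.pending = {}  # outstanding nonce -> time it was issued

    def challenge(self) -> bytes:
        """Choose a new unpredictable number and hand it to the claimant."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = self.clock()
        return nonce

    def verify(self, claimant_id: str, nonce: bytes, tag: bytes) -> bool:
        issued = self.pending.pop(nonce, None)  # each nonce is accepted at most once
        if issued is None:
            return False                        # never issued, or already used (replay)
        if self.clock() - issued > self.timeout:
            return False                        # stale: the timeout enforces freshness
        return hmac.compare_digest(tag, respond(self.key, claimant_id, nonce))

if __name__ == "__main__":
    key = b"constructed sample shared key"
    bart = NonceVerifier(key)
    n = bart.challenge()
    tag = respond(key, "alice", n)
    print(bart.verify("alice", n, tag))  # fresh response
    print(bart.verify("alice", n, tag))  # the same bytes replayed
```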
Sequence Numbers
• Sequence numbers provide a sequential or monotonic counter on messages.
• If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded.
• Cannot detect forced delay.
• Difficult to maintain when there are system failures.
Time Stamps
• The claimant sends a message with a timestamp.
• The verifier checks that it falls within an acceptance window of time.
• The last timestamp received is held, and identification requests with older timestamps are ignored.
• Good only if clock synchronization is close enough for acceptance window.
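The timestamp rules on this slide as a verifier, added here as an example that is not part of the lecture. It assumes a shared key with HMAC-SHA256 protecting the timestamp; the 5-second window, the names and the sample clock values are constructed for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 5.0  # acceptance window in seconds (assumed value)

def make_request(key: bytes, claimant_id: str, ts: float) -> tuple:
    """Claimant side: the MAC covers the identity and the timestamp together."""
    body = claimant_id.encode() + b"|" + struct.pack(">d", ts)
    return claimant_id, ts, hmac.new(key, body, hashlib.sha256).digest()

class TimestampVerifier:
    def __init__(self, key: bytes, clock):
        self.key, self.clock = key, clock
        self.last = {}  # claimant -> last timestamp accepted

    def accept(self, claimant_id: str, ts: float, tag: bytes) -> str:
        expected = make_request(self.key, claimant_id, ts)[2]
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"            # timestamp or identity was altered
        if abs(self.clock() - ts) > WINDOW:
            return "outside-window"     # too old, or the two clocks disagree too much
        # A replay inside the window carries the same timestamp as the original,
        # so anything not strictly newer than the held value is ignored.
        if ts <= self.last.get(claimant_id, float("-inf")):
            return "replayed-or-old"
        self.last[claimant_id] = ts
        return "ok"

if __name__ == "__main__":
    key = b"constructed sample shared key"
    now = [100.0]  # constructed verifier clock
    bart = TimestampVerifier(key, clock=lambda: now[0])
    req = make_request(key, "alice", 99.0)
    print(bart.accept(*req), bart.accept(*req))
```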