IS 302: Information Security and Trust Week 7: User Authentication (part I)

2012
Presentation Transcript
Who are you really?
  • Impersonation in cyber-world
  • How does Bob prove he is Bob?

[Diagram: Mallory and Bob each tell Alice “Alice, I’m Bob”; Alice asks “Who are you?”]
Asymmetric solution with certificate
  • Bob: Hi, Alice, I am Bob. Here is my signature and certificate.
  • Alice: Ok, let me verify your signature and certificate…

[Diagram: Bob, Mallory and Alice; message “Alice, I’m Bob. Here are my sig and cert”]

Symmetric solution with shared secret
  • Bob: Hi, Alice, I am Bob. I know our shared secret S
    • Weak authentication: reveal S itself
    • Strong authentication: Bob does not reveal S itself

[Diagram: Bob, Mallory and Alice; message “Alice, I’m Bob. I know our secret S”]

What is shared secret?
  • What Bob knows
    • Password, PIN, mother’s maiden name…
  • What Bob possesses
    • Physical key, token, smart card, passport…
  • Who Bob is
    • Fingerprint, retina, voice, face, signature dynamics, DNA…
Password based authentications
  • The most popular user authentication technique
    • Weak authentication based on password → this week
    • Strong authentication based on password → week 9

[Diagram: Bob sends “Alice, I’m Bob, and I know my pw” to Alice]

Weak authentication based on password
  • It is subject to eavesdropping attack when Bob sends the pwd across the network to a remote server
  • It can be used when Bob logs in to a local computer

[Diagram: Bob sends “Bob id, Bob password” to Alice]
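To make the weak/strong distinction from the “Symmetric solution with shared secret” slide and the eavesdropping risk on this slide concrete, here is an added example (not from the slides). Weak authentication sends the shared secret S itself; strong authentication proves knowledge of S without sending it. The strong mechanism shown, HMAC-SHA256 over a nonce that Alice picks, is an assumption for illustration, as are the function names and the constructed secret.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret S for this example (not a value from the slides).
SHARED_SECRET = b"constructed-shared-secret-S"


# --- Weak authentication: Bob's proof is S itself ---------------------------

def weak_prove(secret: bytes) -> bytes:
    """Bob's message to Alice is the secret; anyone on the wire now has it."""
    return secret


def weak_verify(message: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(message, secret)


# --- Strong authentication: Bob proves knowledge of S without sending it -----
# Assumed mechanism (the slide does not specify one): HMAC-SHA256 over a fresh
# nonce that Alice chooses, so a response is only valid for one challenge.

def alice_challenge() -> bytes:
    return secrets.token_bytes(16)


def bob_response(nonce: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def alice_verify(nonce: bytes, response: bytes, secret: bytes) -> bool:
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# --- What an eavesdropper (Mallory) gains from one recorded exchange ---------

def mallory_replays_weak(secret: bytes) -> bool:
    """Records Bob's weak proof and presents it again: accepted."""
    captured = weak_prove(secret)
    return weak_verify(captured, secret)


def mallory_replays_strong(secret: bytes) -> bool:
    """Records one (nonce, response) pair and replays the response against
    Alice's next challenge: rejected, because the MAC is bound to the old nonce."""
    old_nonce = alice_challenge()
    captured = bob_response(old_nonce, secret)
    new_nonce = alice_challenge()
    return alice_verify(new_nonce, captured, secret)


if __name__ == "__main__":
    n = alice_challenge()
    print("honest Bob accepted:", alice_verify(n, bob_response(n, SHARED_SECRET), SHARED_SECRET))
    print("replay of weak proof accepted:", mallory_replays_weak(SHARED_SECRET))
    print("replay of strong proof accepted:", mallory_replays_strong(SHARED_SECRET))
```

The point of the two `mallory_replays_*` functions is what a recorded exchange is worth afterwards: the weak proof is the secret, so it authenticates forever; the strong response only ever authenticates against the challenge it was computed for.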

Store pwd directly
  • Non-cryptographic technique
    • Alice: stores “Bob id – Bob password” in a password file
    • Alice: authenticates Bob by comparing the received password to the password stored in the password file

[Diagram: Bob sends “Bob id, Bob password” to Alice; Alice’s password file holds “Bob id – Bob password .....”]

Store hashed or encrypted pwd
  • “hashed or encrypted” password file
    • Alice: stores hash or cipher of Bob’s password
    • Alice: authenticates Bob by hashing (or encrypting) the received password and comparing it to the corresponding entry in the password file.

[Diagram: Bob sends “Bob id, Bob password” to Alice; Alice’s password file holds “Bob id – h(Bob password) .......”]

Example I: Unix pwd
  • Unix pwd
    • DES is applied 25 times in succession to encrypt a 64-bit block of zeros
    • Encryption key: user password
    • How many possible pwds?

[Diagram: Bob sends “Bob id, Bob password” to Alice; Alice’s password file holds “Bob id, DES25(Bob pwd, zeros) ...”]

Example II: Windows LM Hash
  • LAN Manager (LM)
    • Advanced network OS (MS and 3Com)
  • LM hash
    • Windows 9X through Windows Me: store pwd in LM hash
    • Windows 2000, NT, and XP: also store LM hash by default for backwards compatibility (can be disabled)
    • Windows Vista onwards: eliminates LM hash → store NT(LM) hash only
LM Hash
  • Security of LM hash
    • Passwords >7 chars → two 7-char halves are hashed independently
    • Upper case only (26+10 for letters and numbers)
      • 36^7 ≈ 2^36 for each half, 2^37 possible pwds
    • Modern desktop can brute-force any LM hash (14-char pw) in a few hours.
  • How the LM hash is computed
    • User pwd → uppercase
    • Null-padded or truncated to 14 bytes → 7+7 bytes
    • 1st 7 bytes → DES key 1; 2nd 7 bytes → DES key 2
    • Each DES key encrypts the string “KGS!@#$%” → 8+8 bytes
    • Output: 32 hex digits = 128 bits
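The preprocessing steps on this slide, as an added example in Python (not from the slides): uppercase, null-pad or truncate to 14 bytes, split into 7+7, and expand each 7-byte half into an 8-byte DES key. The two DES encryptions of “KGS!@#$%” themselves are not performed (the standard library has no DES), but the weaknesses the slide lists are already visible at this stage: case is folded, anything past 14 characters is discarded, and the second half of any password of 7 characters or fewer is the all-zero key. `expand_des_key`, `lm_des_keys` and `log2_keyspace` are my names; the example assumes ASCII passwords (real LM used the OEM code page).

```python
import math
from typing import Tuple


def expand_des_key(key7: bytes) -> bytes:
    """Turn a 7-byte half into an 8-byte DES key: the 56 bits are cut into
    eight 7-bit chunks and each chunk is placed in the high 7 bits of a byte,
    leaving the low (parity) bit clear. DES ignores parity, so nothing is lost."""
    if len(key7) != 7:
        raise ValueError("DES key material must be 7 bytes")
    bits = int.from_bytes(key7, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def lm_des_keys(password: str) -> Tuple[bytes, bytes]:
    """The LM preprocessing steps from the slide, up to (but not including)
    the two DES encryptions of "KGS!@#$%":
      1. uppercase the password (ASCII assumed here)
      2. null-pad or truncate to 14 bytes
      3. split into two 7-byte halves
      4. expand each half into a DES key
    """
    pwd = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return expand_des_key(pwd[:7]), expand_des_key(pwd[7:])


def log2_keyspace(charset_size: int, length: int) -> float:
    """Bits of search space for `length` positions drawn from a charset."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    k1, k2 = lm_des_keys("password")
    print("DES keys for 'password':", k1.hex(), k2.hex())
    print("same keys for 'PASSWORD':", lm_des_keys("PASSWORD") == (k1, k2))
    print("second half of 'abc' is the all-zero key:", lm_des_keys("abc")[1] == bytes(8))
    print("LM half: %.1f bits; NT, 14 mixed-case chars: %.1f bits"
          % (log2_keyspace(36, 7), log2_keyspace(62, 14)))
```

`log2_keyspace(36, 7)` is about 36.2 bits, which is the slide’s “36^7 ≈ 2^36 per half”; because the halves are attacked independently, the total work is 2 × 36^7 ≈ 2^37 rather than 36^14. `log2_keyspace(62, 14)` is about 83.4 bits, the slide’s “62^14 ≈ 2^84” for NT hashes.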

NT(LM) Hash
  • MD4 hash value of password
    • 16 bytes = 128 bits (the same length as LM hash)
  • Security of NTLM hash
    • Not split into halves, not upper case only (52+10 for letters and numbers)
    • 62^14 ≈ 2^84 possible pwds
    • (compare to 2^37 pwds in LM and 2^56 pwds in UNIX)
SAM File
  • Where does Windows store LM hash and/or NTLM hash?
    • C:\Windows\System32\config\SAM
    • Can you read/copy it?
    • How to get access to it?
    • Password cracking test/lab in week 11
Password Attacks
  • Brute force attack
  • Dictionary attack
Brute Force Attack
  • Mallory
    • Get access to a hashed/encrypted password file
    • Hash/encrypt every possible password and compare it to password file
  • How to thwart brute force attack?
Dictionary Attack
  • Mallory
    • Create a dictionary of commonly used passwords
    • Pre-compute a password file for pwd dictionary
    • Look for a match between pre-computed password file and real password file
  • How to thwart dictionary attack?
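The “Store hashed or encrypted pwd” slide and the two attack slides above, as one added example (not from the slides). It assumes SHA-256 in place of the DES-based functions the slides describe, constructed user names and a constructed dictionary of common passwords. It shows Alice storing and verifying h(password), Mallory’s pre-computed table being matched against the file, and the standard mitigation for pre-computation that the slide’s closing question points at: a random per-user salt, so that the table built once no longer applies and two users with the same password no longer share an entry. All names here are mine.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Password file: user id -> (salt as hex, hex digest). Unsalted entries use "".
PasswordFile = Dict[str, Tuple[str, str]]

# Constructed dictionary of "commonly used passwords" for the example.
COMMON_PASSWORDS: List[str] = ["123456", "password", "qwerty", "letmein", "welcome"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Stands in for the slide's h(): SHA-256 here, where the slides use DES/LM."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store(pwfile: PasswordFile, user: str, password: str, salted: bool = False) -> None:
    """Alice stores h(password) (or h(salt || password)) instead of the password."""
    salt = os.urandom(16) if salted else b""
    pwfile[user] = (salt.hex(), hash_password(password, salt))


def verify(pwfile: PasswordFile, user: str, password: str) -> bool:
    """Alice hashes the received password the same way and compares entries."""
    entry = pwfile.get(user)
    if entry is None:
        return False
    salt_hex, digest = entry
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, candidate)


def precompute(dictionary: List[str]) -> Dict[str, str]:
    """Mallory's pre-computed table: h(word) -> word, built once and reused."""
    return {hash_password(word): word for word in dictionary}


def dictionary_matches(pwfile: PasswordFile, table: Dict[str, str]) -> Dict[str, str]:
    """Users whose stored digest appears in the pre-computed table."""
    return {user: table[digest] for user, (_, digest) in pwfile.items() if digest in table}


def demo() -> dict:
    """Same three constructed users in an unsalted and a salted password file."""
    users = [("bob", "password"), ("carol", "letmein"), ("dave", "password")]
    unsalted: PasswordFile = {}
    salted: PasswordFile = {}
    for user, pw in users:
        store(unsalted, user, pw)
        store(salted, user, pw, salted=True)
    table = precompute(COMMON_PASSWORDS)
    return {
        "unsalted_hits": dictionary_matches(unsalted, table),
        "salted_hits": dictionary_matches(salted, table),
        "unsalted_bob_equals_dave": unsalted["bob"] == unsalted["dave"],
        "salted_bob_equals_dave": salted["bob"] == salted["dave"],
        "login_ok": verify(salted, "bob", "password"),
        "login_wrong": verify(salted, "bob", "passw0rd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting removes the one-table-fits-all pre-computation and the tell-tale identical entries, but it does nothing against guessing one user’s password directly, which is why deployed systems also pair the salt with a deliberately slow hash (PBKDF2, bcrypt or scrypt) rather than a single SHA-256 as used here.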
Choose strong pwd
  • DO NOT use anyone’s name as your password.
  • DO NOT use words in a common dictionary as your password.
  • DO NOT use a birth date as your password.
  • DO use a combination of letters, digits and special characters.
Choose long pwd
  • Use a pass-phrase
    • Easy to remember
    • Longer, thus harder to crack
  • Examples
    • Redskin is My Favorite @ SMU (to log in at SMU)
    • Redskin is My Favorite @ gmail (to log in at gmail)
Review
  • How long is a Unix password when stored?
    • 12 bits
    • 56 bits
    • 64 bits
  • How long is an LM hash or NT hash?
    • 14 letters
    • 64 bits
    • 128 bits
  • To thwart brute-force attack, we need to choose
    • Strong passwords
    • Long enough passwords
    • Strong authentication of passwords
Notice
  • Project draft (hard copy) due during week 9 class
    • It will not be graded