1 / 18

Previous lecture

Previous lecture. TLS details Phases Handshake Securing messages What the messages contain Authentication. Today’s program – passwords. Passwords for authentication Storing hashed passwords Use of salt Passwords for key generation PKCS#5. Passwords for authentication.

bayles
Download Presentation

Previous lecture

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Previous lecture • TLS details • Phases • Handshake • Securing messages • What the messages contain • Authentication Mårten Trolin

  2. Today’s program – passwords • Passwords for authentication • Storing hashed passwords • Use of salt • Passwords for key generation • PKCS#5 Mårten Trolin

  3. Passwords for authentication • Simple way to achieve authentication. • Does not require any special hardware. • Users tend to choose simple passwords. • Counter-measures exist. • Storing passwords requires extended security measures. • Security breach in password database has major consequences. Mårten Trolin

  4. Password authentication – different approaches • Password sent in plain and stored in clear in the database • Password hashed by client and sent to the server. Password hash stored in database. • Password sent in plain to the server. Password hashed by server. Hash compared to hash in database. Mårten Trolin

  5. User Server Password stored in clear User enters password p p Server compares p with the value stored in its database. If the values match, user is allowed. Mårten Trolin

  6. Password stored in clear • If Oscar captures the password database, he can log in as any user. Mårten Trolin

  7. User Server Password sent as hash User enters password p User computes the hash H(p) H(p) Server compares H(p) with the value stored in its database. If the values match, user is allowed. Mårten Trolin

  8. Password sent as hash • If Oscar captures the database with the hashed passwords, he can log on as any user. • Since only the hash is stored, Oscar will not know the passwords. • Because only the hash is needed to log on, Oscar can log on anyway. Mårten Trolin

  9. User Server Password hashed by server User enters password p p Server computes the hash H(p) and compares the value with the database. If the values match, user is allowed. Mårten Trolin

  10. Password hashed by server • If Oscar captures the database with the hashed passwords, it gives him little information. • Since only the hash is stored, Oscar will not know the passwords (provided a good hash is used). • Without the passwords, Oscar cannot log on. Mårten Trolin

  11. Capturing the password database • What happens if Oscar captures the password database with hashed passwords? • Since he only has the hashes, he cannot retrieve the passwords. • If the users of the systems chooses bad passwords, Oscar can try to hash common words until he finds a hit. • To speed up the attack, Oscar can even store a list of commonly used passwords, and compare the password database to his list. • This is called a dictionary attack. Mårten Trolin

  12. Password authenticationover unsecure lines • All the methods discussed require the server to be authenticated and the communication to be secure. • If this is not the case – the only common information is the password – other methods must be used. • Such methods exist, but are outside the scope of this course... Mårten Trolin

  13. Salt • To slow down a dictionary attack, instead of storing H(p) in the database, we H(p | s), the hash of the password concatenated with a string s. • The string s is called the salt. • The salt can be stored in clear in the database. Its purpose is to prevent the use of precalculated lists. • Since. in general, H(p | s1) ≠H(p | s2), Oscar would need one precalculated list per salt. With a salt that is long enough,this becomes infeasible. • Also, the use of salt prevents the detection of a user having the same password on several systems. Mårten Trolin

  14. Avoiding bad passwords • Users choosing weak passwords pose a security risk. • Several counter-measures exist: • Education. • Automatic password checking • Compare with lists of known passwords. • Demand that passwords are of a certain length. • Tip: Using the term pass phrase may give the user an idea that the password should be long enough. • Minimizing the loss in case of security breach • Forcing the users to change passwords regularly means Oscar can only use the password he has found a certain time. Mårten Trolin

  15. Passwords for key generation • It is quite common to use a password for generation of a symmetric key. • Password protection of a private key. • Encryption of backups. • We want a key generation function that takes as input a password p and outputs a key k. Mårten Trolin

  16. Password generated keys – problems and solutions • Password generated keys suffer from the same general problem as passwords for authentication. • Number of passwords is relatively small – possible to create a list with all possible passwords and corresponding keys. • Use a salt to avoid dictionary attacks. • Make key generation “slow”, to make brute-force attacks more time consuming. Mårten Trolin

  17. Iterations • In order to make brute-force attacks harder for the opponent, we want the key generation not to be too fast. • If key generation takes .5 seconds, this is not a problem for the legitimate user. • However, for the opponent, who needs to try a large number of keys, this makes his work considerably harder. • Key generation from passwords should include a some kind of loop, and the number of iterations should be possible to configure. • Parallelizing the loop should not be possible. Mårten Trolin

  18. PKCS#5 • The RSA standard PKCS#5 specifies a method to derive key material from passwords. • Produces key material of arbitrary length. • PKCS#5 uses a salt and a configurable number of iterations. • A minimum of 1000 iterations is recommended. • Implemented in many cryptography library. Mårten Trolin

More Related