Download
password authentication n.
Skip this Video
Loading SlideShow in 5 Seconds..
Password Authentication PowerPoint Presentation
Download Presentation
Password Authentication

Password Authentication

425 Views Download Presentation
Download Presentation

Password Authentication

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CS 259 Password Authentication J. Mitchell

  2. Password file User kiwifruit exrygbzyf kgnosfix ggjoklbsz … … hash function

  3. Basic password authentication • Setup • User chooses password • Hash of password stored in password file • Authentication • User logs into system, supplies password • System computes hash, compares to file • Attacks • Online dictionary attack • Guess passwords and try to log in • Offline dictionary attack • Steal password file, try to find p with hash(p) in file

  4. Dictionary Attack – some numbers • Typical password dictionary • 1,000,000 entries of common passwords • people's names, common pet names, and ordinary words. • Suppose you generate and analyze 10 guesses per second • This may be reasonable for a web site; offline is much faster • Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average • If passwords were random • Assume six-character password • Upper- and lowercase letters, digits, 32 punctuation characters • 689,869,781,056 password combinations. • Exhaustive search requires 1,093 years on average

  5. Salt • Unix password line walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh Compare Salt Input Key Constant Ciphertext 25x DES Plaintext When password is set, salt is chosen randomly

  6. Advantages of salt • Without salt • Same hash functions on all machines • Compute hash of all common strings once • Compare hash file with all known password files • With salt • One password hashed 212 different ways • Precompute hash file? • Need much larger file to cover all common strings • Dictionary attack on known password file • For each salt found in file, try all common strings

  7. Web Authentication • Problems • Network sniffing • Malicious or weak-security website • Phishing • Common password problem • Pharming – DNS compromise • Malware on client machine • Spyware • Session hijacking, fabricated transactions Server password Browser cookie next few slides

  8. Password Phishing Problem • User cannot reliably identify fake sites • Captured password can be used at target site Bank A pwdA pwdA Fake Site

  9. pwdA = pwdB low security site Common Password Problem • Phishing attack or break-in at site B reveals pwd at A • Server-side solutions will not keep pwd safe • Solution: Strengthen with client-side support Bank A high security site pwdA Site B

  10. pwdA = pwdB Defense: Password Hashing hash(pwdA, BankA) • Generate a unique password per site • HMACfido:123(banka.com)  Q7a+0ekEXb • HMACfido:123(siteb.com)  OzX2+ICiqc • Hashed password is not usable at any other site • Protects against password phishing • Protects against common password problem Bank A hash(pwdB, SiteB) Site B

  11. Defense: SpyBlock

  12. Defense: SpyBlock Authentication agent communicates through browser agent Authentication agent communicates directly to web site

  13. SpyBlock protection password in trusted client environment server support required better password-based authentication protocols trusted environment confirms site transactions

  14. Goals for password protocol • Authentication relies on password • User can remember password, use anywhere • No additional client-side certificates, etc. • Protect against attacks • Network does not carry cleartext passwords • Malicious user cannot do offline dictionary attack • Malicious server (as in phishing) does not learn password from communication with honest user

  15. Simple approach • Send hashed passwords • Does this “work”? • Good points? • Bad points? Server hash(pwd|0) Browser hash(pwd|1)

  16. “Interlock” password protocols (Set-up Phase) Password p known to both parties (Key Exchange Phase) A  B gx B  A gy k = gxyor some function of gxy (Authentication Phase) A  B mack(p, r) for random r B  A mack(p, s), enck(s) for random s A  B enck(r) [Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]

  17. ESP-KE key exchange protocol Prime p and generators , β known Generate random a Generate random b A= a/ βPmod p B= b mod p A B If A=0 Abort k = Bamod p k = (A βP)bmod p Mb=H(0,k,P) Mb If H(0,k,P) ≠ MbAbort Ma= H(1,k,P) Ma If H(1,k,P) ≠ MaAbort [M Scott]

  18. SRP protocol (Set-up Phase) Carol chooses password P Steve chooses s, computes x = H(s, P) and v = gx (Key Exchange Phase) C Bob looks up s, v x = H(s, P) s A = gaA B,u B = v + gb, random u S = (B - gx) (a+ux) S = (Avu)b M1 = H(A,B,S) M1 verify M1 verify M2M2 M2 = H(A,M1,S) Key = H(S) Key = H(S) [Wu]

  19. password? CMU “Phoolproof” proposal • Eliminates reliance on perfect user behavior • Protects against keyloggers, spyware. • Uses a trusted mobile device to perform mutual authentication with the server