IS 302: Information Security and Trust Week 7: User Authentication (part I) - PowerPoint PPT Presentation
Presentation Transcript

IS 302: Information Security and Trust Week 7: User Authentication (part I)

2012


Who are you really?

[Slide figure: Mallory and Bob each say to Alice "Alice, I'm Bob"; Alice replies "Who are you?" and then "Who are you really?"]

  • Impersonation in cyber-world

  • How does Bob prove he is Bob?


Asymmetric solution with certificate

  • Bob: Hi, Alice, I am Bob. Here is my signature and certificate.

  • Alice: Ok, let me verify your signature and certificate…

[Slide figure: Mallory, Bob and Alice; the claim sent to Alice is "Alice, I'm Bob. Here are my sig and cert"]


Symmetric solution with shared secret

  • Bob: Hi, Alice, I am Bob. I know our shared secret S

    • Weak authentication: reveal S itself

    • Strong authentication: Bob does not reveal S itself

[Slide figure: Mallory, Bob and Alice; the claim sent to Alice is "Alice, I'm Bob. I know our secret S"]


What is shared secret?

  • What Bob knows

    • Password, PIN, mother’s maiden name…

  • What Bob possesses

    • Physical key, token, smart card, passport…

  • Who Bob is

    • Fingerprint, retina, voice, face, signature dynamics, DNA…


Password based authentications

  • The most popular user authentication technique

    • Weak authentication based on password → this week

    • Strong authentication based on password → week 9

[Slide figure: Bob to Alice: "Alice, I'm Bob, and I know my pw"]


Weak authentication based on password

  • It is subject to an eavesdropping attack when Bob sends his password across the network to a remote server

  • It can be used when Bob logs in to a local computer

[Slide figure: Bob sends "Bob id, Bob password" to Alice]


Store pwd directly

  • Non-cryptographic technique

    • Alice: stores “Bob id – Bob password” in a password file

    • Alice: authenticates Bob by comparing received password to the password stored in password file

[Slide figure: Alice's password file holds entries "Bob id – Bob password ....."; Bob sends "Bob id, Bob password" to Alice]


Store hashed or encrypted pwd

  • “hashed or encrypted” password file

    • Alice: stores hash or cipher of Bob’s password

    • Alice: authenticates Bob by hashing (or encrypting) received password and comparing it to the corresponding entry in password file.

[Slide figure: Alice's password file holds entries "Bob id – h(Bob password) ......."; Bob sends "Bob id, Bob password" to Alice]


Example I: Unix pwd

  • Unix pwd

    • DES is applied 25 times in succession to encrypt a 64-bit block of zeros

    • Encryption key: user password

    • How many possible pwds?

[Slide figure: Alice's password file holds entries "Bob id – DES25(Bob pwd, zeros) ..."; Bob sends "Bob id, Bob password" to Alice]


Example II: Windows LM Hash

  • LAN Manager (LM)

    • Advanced network OS (MS and 3Com)

  • LM hash

    • Windows 9X → Windows Me: store pwd in LM hash

    • Windows 2000, NT, and XP: also store LM hash by default for backwards compatibility (can be disabled)

    • Windows Vista onwards: eliminates LM hash → store NT(LM) hash only


LM Hash

  • Security of LM hash

    • Passwords >7 chars → two 7-char halves are hashed independently

    • Upper case only (26+10 for letters and numbers)

      • 36^7 ≈ 2^36 for each half, 2^37 possible pwds

    • Modern desktop can brute-force any LM hash (14-char pw) in a few hours.

  • User pwd → uppercase

  • Null-padded or truncated to 14 bytes → 7+7 bytes

  • 1st 7 bytes → DES key 1; 2nd 7 bytes → DES key 2

  • Each DES key encrypts the string “KGS!@#$%” → 8+8 bytes

32 hex digits = 128 bits
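The LM recipe from the slide, written out as an added example (not part of the lecture): uppercase, pad to 14 bytes, split 7+7, expand each half into an 8-byte DES key, encrypt the constant, concatenate. It assumes ASCII-only uppercasing (the original used the OEM code page) and uses Go's standard crypto/des, which ignores DES parity bits.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// desKeyFrom7 spreads 7 bytes (56 key bits) over 8 bytes, 7 key bits per
// byte; bit 0 of each byte is the parity bit, which Go's DES ignores.
func desKeyFrom7(b []byte) []byte {
	k := make([]byte, 8)
	var bits uint64
	for _, x := range b {
		bits = bits<<8 | uint64(x) // pack the 56 bits into one integer
	}
	for i := 7; i >= 0; i-- {
		k[i] = byte(bits&0x7F) << 1 // 7 key bits, then a clear parity bit
		bits >>= 7
	}
	return k
}

// LMHash follows the slide's recipe: uppercase, null-pad or truncate to 14
// bytes, split 7+7, use each half as a DES key to encrypt "KGS!@#$%", and
// concatenate the two 8-byte results (32 hex digits = 128 bits). ASCII only.
func LMHash(password string) string {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14]
	}
	padded := make([]byte, 14) // zero bytes act as the null padding
	copy(padded, pw)
	var out []byte
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, _ := des.NewCipher(desKeyFrom7(half)) // key is always 8 bytes
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte("KGS!@#$%"))
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

func main() {
	// A password of 7 or fewer chars always ends in the hash of seven nulls.
	for _, p := range []string{"", "abc", "password", "PASSWORD1"} {
		fmt.Printf("%-12q %s\n", p, LMHash(p))
	}
}
```

Because the halves are independent, the hash of a password of 7 or fewer characters always ends in AAD3B435B51404EE, so its length leaks from the hash alone, and the first half of "PASSWORD1" equals the first half of "password".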


NT(LM) Hash

  • MD4 hash value of password

    • 16 bytes = 128 bits (the same length as LM hash)

  • Security of NTLM hash

    • No split into two halves, and not upper case only (52+10 for letters and numbers)

    • 62^14 ≈ 2^84 possible pwds

    • (compare to 2^37 pwds in LM and 2^56 pwds in UNIX)


SAM File

  • Where does Windows store the LM hash and/or NTLM hash?

    • C:\Windows\System32\config\SAM

    • Can you read/copy it?

    • How to get access to it?

    • Password cracking test/lab in week 11


Password Attacks

  • Brute force attack

  • Dictionary attack


Brute Force Attack

  • Mallory

    • Get access to a hashed/encrypted password file

    • Hash/encrypt every possible password and compare it to password file

  • How to thwart brute force attack?


Dictionary Attack

  • Mallory

    • Create a dictionary of commonly used passwords

    • Pre-compute a password file for pwd dictionary

    • Look for a match between pre-computed password file and real password file

  • How to thwart dictionary attack?


Choose strong pwd

  • DO NOT use anyone’s name as your password.

  • DO NOT use words in common dictionary as your password.

  • DO NOT use birth date as your password.

  • DO use a combination of letters, digits and special characters.


Choose long pwd

  • Using pass-phrase

    • Easy to remember

    • Longer, thus harder to crack

  • Examples

    • Redskin is My Favorite @ SMU (to login at SMU)

    • Redskin is My Favorite @ gmail (to login at gmail)



Review

  • How long is a Unix password when stored?

    • 12 bits

    • 56 bits

    • 64 bits

  • How long is an LM hash or NT hash?

    • 14 letters

    • 64 bits

    • 128 bits

  • To thwart brute-force attack, we need to choose

    • Strong passwords

    • Long enough passwords

    • Strong authentication of passwords


Notice

  • Project draft (hard copy) due during week 9 class

    • It will not be graded