User authentication Aalto University, autumn 2012
Outline • Passwords • Physical security tokens and two-method authentication • Biometrics • Common mantra:User authentication can be based on • something you know • something you have • something you are
Username and password • Passwords are used for entity authentication • Needed for access control and auditing:access control = authentication + authorization • Entity authentication vs. message authentication • Password is a shared secret between the user and computer system • Limitations arise from the reliance on of human memory and input • What attacks are there against passwords?
Sniffing and key loggers • Password sniffing on the local network used to be a major problem; mostly solved by cryptographic authentication: • SSH, SSL, HTTP Digest Authentication, MS-CHAPv2 • Key logger: software or hardware that stores all key strokes typed on a computer • Used to be a problem in public-access computers e.g. at libraries and cafes • Now can be malwareon any computer • Why do some bank web sites ask you to use the mouse to enter the PIN code?
Password recovery • Humans are prone to forget things need a process for recovering from password loss • Recovery mechanisms often enable new attacks • What are the advantages and disadvantages of the following recovery mechanisms? • Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name • Emailing password to another user account • Physical visit to helpdesk • Yellow sticker on the back of the keyboard • USB memory stick with a password recovery file
Password reuse • How many different user accounts and passwords do you have? Ever used the same password on two accounts? • Using the same or related passwords on multiple accounts means that one compromised system or account can lead to compromise of the other accounts • Administrative countermeasures: • Passwords chosen by the service, not set by users • Exotic password format requirements • Single sign-on to enable just one password • Personal countermeasures: • Generating service-specific passwords from one master password • Password wallet (e.g. on phone) encrypted with a master password
Shoulder surfing • Keyboards and screens are highly visible others may see what you are typing • Password and PIN prompts usually do not show the characters • Does this make sense for all secrets input? *******
Password guessing • Dictionary attack and other intelligent guessing vs. brute-force trials • Countermeasures against guessing • Limit the number or rate of login attempts • Minimum password length and complexity, password quality check • Preventing reuse of old passwords • System-generated random passwords • Password aging i.e. mandatory periodic password changes (typically every three months)
Measuring password strength • Many possible metrics: • Number of possible passwords • Entropy = amount of missing information • Average/median time to crack a specific password • Average/median time to crack any one password • Probability of success as a function of time or number of trials • etc. • Metrics are important to consider when designing new types of passwords • Graphical passwords • Requirements to use special characters
Password entropy • Entropy = the amount of missing information Entropy H = - ∑ x ∈ passwords (P(x) ⋅ log2 P(x)) ≤ log2(number of possible passwords) • Examples: • Random 8-character alphanumeric passwords have H = 8 ⋅ log2(26+26+10) = 47.6 bits • Random 4-digit PIN codes have about H = 13.3 bits of entropy • For even probability distribution, one-bit increase in entropy doubles the cost of guessing attacks • Human-selected passwords have less entropy than random ones because some are chosen more often than other • Should banks allow the customer to choose the PIN? • Do password quality checks increase entropy? • Passwords rely on human memory password entropy cannot grow over time human memory cannot compete with computer speed
Online and offline guessing attacks • Offline attack: cracking the password from a know hash (or other function) of the password • E.g. MS-CHAPv2 or HTTP digest authentication without SSL • Unlimited number of guesses attacker can perform an exhaustive brute-force search • Online guessing: attacker tries to login many times • E.g. PIN code entry on a phone • E.g. network login to an authenticated server over SSH or SSL • System can limit the number or rate of guesses • Big difference in the required password strength: • Online guessing success probability ≈ number of allowed guesses / number of possible passwords • Offline attack requires cryptographic strength from the password, e.g. 128-bit entropy, to prevent exhaustive search
Storing passwords on server • Assume that the password database becomes public • Unix /etc/password is traditionally world readable • Attackers often manage to read files or database tables on a web server e.g. with SQL injection • How to store passwords in a public file? • Store a hashi.e. one-way function of the password • When user enters a password, hash and compare • Use a slow hash (many iterations of a hash function) to make brute-force cracking more difficult • Include random account-specific “salt”: slow_hash( password | salt) to prevent simultaneous brute-force cracking of many passwords, pre-computation attacks, and equality comparison between passwords
Password hashing • Password-based key derivation function PBKDF2 [PKCS#5,RFC2898]* • Good practical function; uses any standard hash function, at least 64-bit salt, any number of iterations • Unix crypt(3) [Morris and Thompson 1978]* • Historical function for storing passwords in /etc/passwd aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh • Password = eight 7-bit characters = 56-bit DES key • Encrypt a zero block 25 times with modified DES • 12-bit salt used to modify DES key schedule • Stored value includes the salt and encryption result • Too short salt enables e.g. rainbow table attacks • Replaced by more modern hash functions and encrypted, read-protectedshadow passwords
DF2PBK Function for slowhashing of passwords Manyiterationsto make the computationslower Used in WPA2-Personal for derivingkeysfrompassword (makesofflinecrackingmoredifficult) Couldalsobeused for hashingstoredpasswords on a server • PBKDF2 (P, S, c, dkLen) P = passwordS = saltc = iteration countdkLen = length of the result PRF = keyed pseudorandom function F (P, S, c, i) = U1 xor U2 xor ... xor Uc U1 = PRF (P, S || i) U2 = PRF (P, U1)... Uc = PRF (P, Uc-1) Repeat for i=1,2,3... until dkLen output bytes produced
Botnets and online guessing • 10 banks, each with 106 customer accounts • Public or easy-to-guess user ID • 4-digit PIN or one-time code required to log in • Client IP address blocked after 3 failed logins per day • Attacker has a botnet of 105 computers • Each bot makes one login attempt to one account in each bank every day 106login attempts in a day ~100 successful break-ins in a day • Countermeasures: • Make user IDs hard to guess: long, randomly selected, and different from account numbers • Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN increased entropy reduces attacker success rate
One-time passwords • Use each password only once to thwart password sniffers and key loggers • Lamport hash chain: H1 = hash (secret seed); Hi+1= hash (Hi) • Server stores initially H100 and asks user to enter H99. Next, stores H99 and ask for H98, and so on • Unix S/KEY or OTP [RFC1760,RFC1938] 1: HOLM BONG VARY TIP JUT ROSY 2: LAIR MEMO BERG DARN ROWE RIG 3: FLEA BOP HAUL CLAD DARK ITS 4: MITT HUM FADE CREW SLOG HAST • Hash-based one-time passwords HOTP [RFC4226] HOTP(K,i) = HMAC-SHA-1(K,i) mod 10D • Produces a one-time PIN code of D decimal digits • Time-based one-time passwords • Many commercial products such as RSA SecurID • Which attacks do one-time passwords prevent and which not?
Spoofing attacks • Attacker could spoof the login dialog; how do you know when it is safe to type in the password?
Trusted path • Attacker could spoof the login dialog; how do you know when it is safe to type in the password? • Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system (with the TCB) • Crtl+Alt+Delin Windows opens a security screen that is difficult to spoof • Web browser shows the URL in the address bar in a way that cannot be spoofed by a web server • With malware and virtualization, it is increasingly hard to know what is real
Other threats • No system is perfectly secure: system designers have a specific threat model in mind, but the attacker can break these rules • “The attacker does not agree with the threat model.” (Bruce Christianson) • Some other attacks against PINs and passwords: • Phishing and social engineering • User mistakes: using wrong password • Heat camera to detect pressed keys • Acoustic emanations from the keyboard
Physical security tokens • Smart card is a typical physical security token • Holds cryptographic keys to prove its identity • Tamperproof: secret keys will stay inside • Used for door keys, computer login, ATM • Other security token implementations: smart button, USB dongle, mobile phone • Two-method authentication: require also PIN • Attacker needs to both steal the card and learn the PIN clear qualitative increase in security
Issues with security tokens • Physical tokens require distribution • Computers (or doors etc.) must have readers • It is not easy to integrate cryptographic tokens to all systems • E.g. how to use a physical token if the application requires cached credentials (password) on the client or on a proxy server • Process needed for recovering from the loss of tokens • Are smart card + PIN really two factors? • One alternative is two-channel authentication: • Confirmation via telephone: callback • Sending a second secret to a known address: text message, email, post
Biometric authentication • Biometric authentication means verifying some physical feature of the user • Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA • Behavioral characteristic: voice, typing, gait • Biometrics are not 100% reliable: • False acceptance rate FAR • False rejection rate FRR • Equal error rate EER FAR FRR 50% EER
Issues with biometrics • Biometrics require enrollment and readers • Big difference in the security of unsupervised vs. supervised readers • E.g. fingerprint reader on computer vs. iris scanner at immigration • Suitability for security architectures: • Are biometric characteristics secrets? • Can they be copied? • How to revoke biometrics? • What if enrollment fails? • Some people have no fingerprints, or no fingers
Reading material • Dieter Gollmann: Computer Security, 2nd ed., chapter 3; 3rd ed. chapter 4 • Matt Bishop: Introduction to computer security, chapter 11 • Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15 • Edward Amoroso: Fundamentals of Computer Security Technology, chapters 18-19
Exercises • Why do you need both the username and password? Would not just one secret identifier (password) be sufficient for logging in? • What effect do strict guidelines for password format (e.g. 8 characters, at least 2 capitals, at least 2 digits, at least 1 special symbol) have on the password entropy? • What is the probability of guessing the code for a phone that allows 3 attempts to guess a 4-digit PIN code, then 10 attempts to guess an 8-digit PUK code? • In what respects is PBKDF2 better for password hashing than crypt(3)? • How do mandatory periodical password changes increase security? What is the optimal interval? • How to limit the number of login attempts without creating a DoS vulnerability? • Learn about graphical passwords and compare their entropy to different-length passwords and PIN codes. • Learn about HTTP Digest Authentication [RFC2617] and MS-Chap-V2 [RFC2759]. Explain how to perform an offline password guessing attack after sniffing a login. • In a social network, could authentication be based on who you know (or who knows you), or where you are? • What advantages and disadvantages might a fingerprint reader have in a car lock?