User Authentication Protocols

Transcription

1 User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September

2 Announcement Homework 1 is due today by end of class CIS-5370: 26.September

3 User Authentication The process of verifying an identity claimed by or for a system entity Fundamental system security building block Basis of access control & user accountability Has two steps: Identification provide claimed identity Authentication verify validity of claim User authentication message authentication CIS-5370: 26.September

4 User Authentication: How? Based on something the individual Knows - e.g. password, PIN Possesses - e.g. key, token, smartcard Is (static biometrics): fingerprint, retina Does (dynamic biometrics): voice, handwriting Can use alone or combined All can provide user authentication All have issues CIS-5370: 26.September

5 Authentication Protocols Convince parties of each others identity Also exchange session keys May be one-way or two-way (mutual) Key issues: 1. Confidentiality Protect session keys Prior keys or secrets need to exist 2. Timeliness Prevent replay attacks CIS-5370: 26.September

6 Replay Attacks Valid signed message is copied and later re-sent Simple replay Copy message; replay later Repetition that can be logged Replay timestamped message within validity interval Repetition that cannot be detected Suppress original message Backward replay without modification Send the replay message back to its sender CIS-5370: 26.September

7 Replay Attacks: Countermeasures Sequence numbers Attach sequence number seqno to message Accept message if seqno follows previous value Not always practical Timestamps Message needs to contain timestamp Accept message if timestamp is within validity window Need synchronized clocks CIS-5370: 26.September

8 Countermeasures (cont d) Challenge/response Ensures message freshness Challenger sends random nonce R Responder s message needs contain a function of R 1 Challenge: R Alice 2 Response: contains F(R) Trent T (Host) CIS-5370: 26.September

9 Authentication One-way authentication Mutual: two-way authentication Using symmetric key crypto Using public-key crypto CIS-5370: 26.September

10 One-Way Authentication 1 Login A Alice 1 Login A Trent T (Host) How can T know it s Alice and not Mallory impersonating Alice? Mallory CIS-5370: 26.September

11 Authentication Approaches Password Host stores Alice s password Alice sends password Host verifies password Problem: Guess? Trent stores all passwords in clear Whoever breaks into Trent can steal passwords Solutions One-Way Functions Dictionary Attacks and Salts CIS-5370: 26.September

12 Authentication Using Hashes Roger Needham and Mike Guy T does not need to know password Only differentiate between valid and invalid ones 1 Login A, pwd User ID H(pwd) Alice Alice H A Trent T (Host) Problem? Password file T: Compare H(pwd) to H A CIS-5370: 26.September

13 Example: Linux Set up the password file,.htpasswd htpasswd -c.htpasswd user-name Prompted for password Username:E(passwd) are stored in.htpasswd Example: cis5370:6f2/1hsvagfrg CIS-5370: 26.September

14 Password Vulnerabilities One-way hashes are vulnerable Which password is better? Barney 9(hH/A. Which one is easier to remember? Dictionary attack Compile list of most probable passwords Apply hash function to each Compare against the password file If match, password has been found! CIS-5370: 26.September

15 Defending with Salts! Salt: per user random value 1 Login A, pwd Alice User ID salt H(salt, pwd) Trent T (Host) Alice s H A Password file H(s, pwd) == H A CIS-5370: 26.September

16 The Goal of Salts Ensure that attacker cannot use the same dictionary to break all passwords Instead, attacker has to do a per-user dictionary + computation CIS-5370: 26.September

17 Improved Dictionary Attack [D. Klein] 1. Copy the password file 2. For each user A with salt s and hash H A 1. Collect dictionary D A of tentative passwords 2. Hash all items in D A using salt s 3. Compare result against H A 3. If match exists, found password 40% of passwords were guessed on average system! CIS-5370: 26.September

18 Building the Dictionary 1. Name, initials, account name Example: Daniel V. Klein, account klone klone0, klone1,, dvk, dklein, DKlein, dvklein, etc 2. Words from databases Men and women names, nicknames (also famous) Places Variations of the above (capitalizations, plurals, etc) 3. Foreign language words 4. Word pairs CIS-5370: 26.September

19 Conclusions Never use your personal information Do not use words (dictionary) Use combination of words and characters Do not use same passwords for all systems Change your password frequently Use passphrases Example: My Password is not easy to crack mpine2c. CIS-5370: 26.September

20 Announcement Homework 1 due by end of class today CIS-5370: 26.September

21 Alternative: SKEY Use hash-chains 1 Init, A, x 100 Alice 2 Login, A, x 99 Trent T (Host) Generate R 3 Compute x 1 = H(R) x 2 = H 2 (R)=H(H(R)) x 3 = H 3 (R)=H(H(H(R))) x 100 = H 100 (R) Login, A, x 98 Store x 100 Compare H(x 99 ) to x 100 Discard x 100 Store x 99 CIS-5370: 26.September

22 Authentication One-way authentication Mutual: two-way authentication Using symmetric key crypto Using public-key crypto CIS-5370: 26.September

23 What is Mutual Authentication? 1 1 Exchange keys Authenticate Alice Bob B Mallory Make sure they don t talk to Mallory! CIS-5370: 26.September

24 Authentication One-way authentication Mutual: two-way authentication Using symmetric key crypto Using public-key crypto CIS-5370: 26.September

25 Using Symmetric Keys 1 1 Exchange keys Authenticate Alice Bob B Assume T shares a key with A (K A ) and B (K B ) Trent T (Host) E A (M) :encryption with key shared by A and T CIS-5370: 26.September

26 Wide-Mouth Frog Simplest Authentication/Key Exchange 5 E K (M) 1 Alice Generate random K 2 A, E A (T A,B,K) 4 E B (T T,A,K) Bob B Trent T (Host) 3 Decrypt message using K A CIS-5370: 26.September

27 Wide-Mouth Frog Observations Alice and Bob trust each other because of Trent Timestamps prevent replay attacks (Why?) Trent is single point of failure/bottleneck Assumption: Alice is able to generate good random numbers CIS-5370: 26.September

28 Yahalom Equal? 1 A, R A Alice 4 E A (B, K, R A, R B ) 5 E B (A,K), E K (R B ) Bob B 4 E B (A,K) 2 B, E B (A, R A, R B ) Equal? Assume T shares a key with A (K A ) and B (K B ) Trent T (Host) 3 Generate random K CIS-5370: 26.September

29 Yahalom Observations T chooses the key K to be shared by A and B A and B trust each other Because of R A and R B Only T and B have access to R B Problem in step 1 -- R A is sent in clear Can Mallory impersonate B? No! In step 4, T includes the identity of B - A will know who it is talking to CIS-5370: 26.September

30 Needham-Schroeder 4 Extract key K 5 E B (K,A) 6 Extract key K 8 E K (R B ) Alice 1 A, B, R A 9 E K (R B -1) 7 Bob B Generate random R B 3 E A (R A, B, K, E B (K,A)) Match? Equal? Trent T (Host) 2 Generate random K CIS-5370: 26.September

31 Needham-Schroeder Observations What is the purpose of R A? For A to prevent replay attacks Ensure it is talking to T What is the purpose of R B? For B to prevent replay attacks And ensure that it is talking to A Major weakness If Mallory gets hold of an old key K, it can impersonate A Solution: use timestamps CIS-5370: 26.September

32 Kerberos - Simplified Kerberos 5: Variant of Needham-Schroeder 6 E K (A,T), E B (T,L,K,A) Alice 7 E K (T+1) Bob B 1 A, B 5 E A (T,L,K,B), E B (T,L,K,A) 2 Generate timestamp T 4 Generate random K Trent T (Host) 3 Generate lifetime L CIS-5370: 26.September

33 Kerberos Observations What is the purpose of the timestamp and lifetime? To prevent replay attacks The messages are valid only in [T,T+L] Major assumption: The clocks are synchronized! Not trivial (see Lamport s clocks) In practice Use time servers Sync within a few minutes CIS-5370: 26.September

34 Authentication One-way authentication Mutual: two-way authentication Using symmetric key crypto Using public-key crypto CIS-5370: 26.September

35 Authentication with Public Keys Alice Bob B pk A : A s public key Assume T has a database of public keys for each participant E(pk A, M): encryption with A s public key Trent T (Host) S A (M): signature with A s private key CIS-5370: 26.September

36 Denning-Sacco 3 Generate timestamp T A 4 Generate random K 5 E(pk B, S A (K,T A )), S T (B, pk B ), S T (A, pk A ) Alice 2 1 A, B S T (B, pk B ), S T (A, pk A ) 6 7 Bob B Decrypt with its private key Verify A s signature Recover key K Trent T (Host) CIS-5370: 26.September

37 Attacking Denning-Sacco! 3 Reuse elements from session with A From the previous session Bob B 4 E(pk C,S A (K,T A )), S T (C, pk C ), S T (A, pk A ) Carol C 2 1 B, C S T (B, pk B ), S T (C, pk C ) 5 6 Decrypt with its private key Verify A s signature Recover key K Bob can impersonate Alice with Carol! Trent T (Host) CIS-5370: 26.September

38 Denning-Sacco Fix 3 4 Generate timestamp T A Generate random K Add the names of the parties 5 E(pk B,S A (A, B, K,T A )), S T (B, pk B ), S T (A, pk A ) Alice 2 1 A, B S T (B, pk B ), S T (A, pk A ) 6 7 Bob B Decrypt with its private key Verify A s signature Verify names A and B are in message Cannot be reused with Carol! Trent T (Host) 7 Recover key K CIS-5370: 26.September

39 Denning-Sacco Lessons Better be prudent than efficient Include more rather than less information Timestamps, random nonces, names of participants CIS-5370: 26.September

40 Summary One-way authentication E.g., passwords Mutual: two-way authentication Using symmetric key crypto Wide-Mouth Frog, Yahalom Needham-Schroeder, Kerberos (v5) Using public-key crypto Denning Sacco CIS-5370: 26.September