CSE543 - Introduction to Computer and Network Security. Module: Authentication

Transcription

1 CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger 1

2 What is Authentication? Short answer: establishes identity Answers the question: To whom am I speaking? Long answer: evaluates the authenticity of identity proving credentials Credential is proof of identity Evaluation process that assesses the correctness of the association between credential and claimed identity for some purpose under some policy (what constitutes a good cred.?) 2

3 Why authentication? Well, we live in a world of rights, permissions, and duties? Authentication establishes our identity so that we can obtain the set of rights E.g., we establish our identity with Tiffany s by providing a valid credit card which gives us rights to purchase goods ~ physical authentication system Q: How does this relate to security? 3

4 Why authentication (cont.)? Same in online world, just different constraints Vendor/customer are not physically co-located, so we must find other ways of providing identity e.g., by providing credit card number ~ electronic authentication system Risks (for customer and vendor) are different Q: How so? Computer security is crucially dependent on the proper design, management, and application of authentication systems. 4

5 What is Identity? That which gives you access which is largely determined by context We all have lots of identities Pseudo-identities Really, determined by who is evaluating credential Driver s License, Passport, SSN prove Credit cards prove Signature proves Password proves Voice proves Exercise: Give an example of bad mapping between identity and the purpose for which it was used. 5

6 Credentials are evidence used to prove identity Credentials can be Something I am Something I have Something I know 6

7 Something you know Passport number, mothers maiden name, last 4 digits of your social security, credit card number Passwords and pass-phrases Note: passwords are generally pretty weak University of Michigan: 5% of passwords were goblue Passwords used in more than one place Not just because bad ones selected: If you can remember it, then a computer can guess it Computers can often guess very quickly Easy to mount offline attacks Easy countermeasures for online attacks 7

8 A petard... The rule of seven plus or minus two. George Miller observed in 1956 that most humans can remember about 5-9 things more or less at once. Thus is a kind of maximal entropy that one can hold in your head. This limits the complexity of the passwords you can securely use, i.e., not write on a sheet of paper. A perfectly random 8-char password has less entropy than a 56-bit key. Implication? 8

9 Password Storage What if an adversary can gain access to a password file? Is it game over? Where to store password and in what form? Store password as a hash of its value Originally stored in /etc/passwd file (readable by all) How would you attack this? 9

10 Password Cracking Attacker can access the hashed password Can guess and test passwords offline Called password cracking Lots of help John the Ripper How well do these work? 10

11 Salt ing passwords Suppose you want to avoid a offline dictionary attack bad guy precomputing popular passwords and looking at the password file A salt is a random number added to the password differentiate passwords when stored in /etc/shadow salt 1,h(salt 1,pw 1 ) salt i,h(salt 2,pw 2 ) salt i,h(salt 3,pw 3 ) consequence: guesses each password independently... salt n,h(salt n,pw n ) 11

12 Guess Again... How do you know if your password will be guessed? Follow password-composition policies Example properties Length: 8 or12 or 16 chars? Requirements: Password must contain at least one... Blacklist: Password must not contain a dictionary word How do you know which policy to choose? Studied in Guess again...: Measuring password strength by simulating password cracking algorithms, Gage Kelley et al., IEEE Security and Privacy,

13 Guess Number How do you predict how many guesses it will take to crack your password? Try to crack it? That can be time consuming Compute number of guesses it would take? How do we do that? 13

14 Guess Number Use specific cracking algorithm to compute number of guesses it would take to crack a specific password Produce a deterministic guess ordering For brute-force Markov cracker Uses frequencies of start chars and following chars Most likely first, most likely to follow that, so on... Sum the number of guesses to find each character In an N character alphabet and a password of length L: The kth first character is found after (k-1)n L-1 For Weir cracker Uses probabilities of structures (substrings) Cache substrings by probability group and guess to get there 14

15 How Many Guesses For? By password-composition policy 70% Percentage of passwords cracked 60% 50% 40% 30% 20% 10% basic8survey basic8 blacklisteasy blacklistmedium dictionary8 blacklisthard comprehensive8 basic16 1E0 1E1 1E2 1E3 1E4 1E5 1E6 1E7 1E8 1E9 1E10 1E11 1E12 1E13 Number of guesses (log scale) Figure 1. The number of passwords cracked vs. number of guesses, per condition, for experiment E. This experiment uses the Weir calculator and our most comprehensive training set, which combines our passwords with public data. 15

16 Train a Cracker? Training helps for some, but not all 60% 50% 40% 30% 20% 10% basic16 comprehensive8 % of passwords cracked 60% 50% 40% 30% 20% 10% 1E6 1E9 1E12 1E6 1E9 1E12 basic8 blacklistmedium 1E6 1E9 1E12 1E6 1E9 1E12 Number of guesses (log scale) P3 P4 E Figure 4. Showing how increasing training data by adding the Openwall list (P4) and then our collected passwords (E) affects cracking, for four example conditions. Adding training data proves more helpful for the group 1 conditions (top) than for the others (bottom). 16

17 A question? Is there going to come a day where all passwords are useless? Suppose I can remember 16 bytes of entropy (possible?) Won t there come a day when all passwords are useless? Moore s law and its corollaries? 17

18 Answer: no Nope, you just need to make the process of checking passwords more expensive. For example, you can repeat the salted hash many times... Linear cost speedup? salt i,h 100 (salt i,pw i ) 18

19 Something your have Tokens (transponders, ) Speedpass, EZ-pass SecureID Smartcards Unpowered processors Small NV storage Tamper resistant Digital Certificates (used by Websites to authenticate themselves to customers) More on this later 19

20 A (simplified) sample token device A one-time password system that essentially uses a hash chain as authenticators. For seed (S) and chain length (l), epoch length (x) Tamperproof token encodes S in firmware pw i = h l i (S) Device display shows password for epoch i Time synchronization allows authentication server to know what i is expected, and authenticate the user. Note: somebody can see your token display at some time but learn nothing useful for later periods. 20

21 Something your are Biometrics measure some physical characteristic Fingerprint, face recognition, retina scanners, voice, signature, DNA Can be extremely accurate and fast Active biometrics authenticate Passive biometrics recognize Issues with biometrics? Revocation lost fingerprint? fuzzy credential, e.g., your face changes based on mood... Great for physical security, not feasible for on-line systems 21

22 Biometrics Example A fingerprint biometric device (of several) record the conductivity of the surface of your finger to build a map of the ridges scanned map converted into a graph by looking for landmarks, e.g., ridges, cores,... 22

23 Fingerprint Biometrics (cont.) Graph is compared to database of authentic identities Graph is same, the person deemed authentic This is a variant of the graph isomorphism problem Problem: what does it mean to be the same enough rotation imperfect contact finger damage Fundamental Problem: False accept vs. false reject rates? 23

24 Web Authentication Authentication is a bi-directional process Client Server Mutual authentication Several standard authentication tools Basic (client) Digest (client) Secure Socket Layer (server, mutual) Cookies (indirect, persistent) Q: Who to authenticate in an HTTP request? 24

25 Basic Authentication CLIENT GET /protected/index.html HTTP/1.0 CLIENT HTTP/ Unauthorized WWW-Authenticate: Basic realm= Private GET /protected/index.html HTTP/1.0 Authorization: Basic JA87JKAs3NbBDs CLIENT 25

26 Setting up Basic Auth in Apache File in directory to protect (.htacess)!!authtype Basic!!AuthName Patrick s directories (User ID=mcdaniel)"!!AuthUserFile /usr/mcdaniel/www-etc/.htpw1!!authgroupfile /dev/null!!require valid-user In /usr/mcdaniel/www-etc/.htpw1!! m c d a n i e l : l 7 F w W E q j y z m N o generated using htpasswd program Can use different.htaccess files for different directories 26

27 Basic Authentication Problems Passwords easy to intercept Passwords easy to guess Just base-64 encoded Passwords easy to share No server authentication Easy to fool client into sending password to malicious server One intercepted password gives adversary access to many pages/documents 27

28 Digest Authentication CLIENT CLIENT GET /protected/index.html HTTP/1.1 HTTP/ Unauthorized WWW-Authenticate: Digest realm= Private nonce= 98bdc1f9f017.. GET /protected/index.html HTTP/1.1 Authorization: Digest username= lstein realm= Private nonce= 98bdc1f9f017.. response= 5ccc069c4.. CLIENT 28

29 Challenge/Response Challenge nonce is a one time random string/value nonce = H(IPaddress : timestamp : server secret) Response: challenge hashed with uname & password response = H(H(name : realm : password) :nonce : H(request)) Server-specific implementation options One-time nonces Time-stamped nonces Method authentication digests 29

30 Advantages of Digest over Basic Cleartext password never transmitted across network Cleartext password never stored on server Replay attacks difficult Intercepted response only valid for a single URL Shared disadvantages Vulnerable to man-in-the-middle attacks Document itself can be sniffed 30

31 Kerberos History: from UNIX to Networks (late 80s) Solves: password eavesdropping Also mutual authentication Online authentication Variant of Needham-Schroeder protocol Easy application integration API First single sign-on system (SSO) Genesis: rsh, rcp authentication via assertion Most widely used (non-web) centralized password system in existence (and lately only..) Now: Windows 2K/XP/Vista/etc network authentication Old Windows authentication was a cruel joke. 31

32 An aside Authentication Assessing identity of users By using credentials Authorization Determining if users have the right to perform requested action (e.g., write a file, query a database, etc.) Kerberos authenticates users, but does not perform any authorization functions beyond identify user as part of Realm Typically done by application. Q: Do you use any Kerberized programs? How do you know? 32

33 The setup The players Principal - person being authenticated Service (verifier) - entity requiring authentication (e.g, AFS) Key Distribution Center (KDC) Trusted third party for key distribution Each principal and service has a Kerberos password known to KDC, which is munged to make a password ke, e.g., k A Ticket granting server Server granting transient authentication The objectives Authenticate Alice (Principal) to Bob (Service) Negotiate a symmetric (secret) session key k AB 33

34 The protocol A two-phase process 1. User authentication/obtain session key (and ticket granting ticket) key from Key Distribution Center 2. Authenticate Service/obtain session key for communication with service Setup Every user and service get certified and assigns password 34

35 A Kerberos Ticket A kerberos ticket is a token that Alice is the only on that can open it Contains a session key for Alice/Bob (K AB ) Contains inside it a token that can only be opened by Bob Bob s Ticket contains Alice s identity The session key (K AB ) Ticket (K AB ) Ticket (K AB ) Locked by K B Locked by K A Q: What if issuing service is not trusted? 35

36 Phase 1 (obtaining a TGT) Time exp - time of expiration n - nonce (random, one-use value: e.g., timestamp) 1 [A,TGS,Time exp,n] Alice 2 KDC E(k A,[k A,TGS,TGS,Time exp,n]),e(k TGS,[A, k A,TGS, Timeexp],) TGT 36

37 Phase 2 (authentication/key dist.) [B,Time exp,n,e(k A,TGS,[B,Time exp,n])], E(K TGS,[A,k A,TGS,Timeexp])] Alice 1 2 TGS 3 E(k A,TGS,[k A,B,B,Time exp,n]), E(k B,[A,k A,B,Timeexp])] Authenticator E(k A,B,[A,Timeexp,n]), E(k B,[A,k A,B,Timeexp])] Bob 37

38 Cross-Realm Kerberos Extend philosophy to more servers Obtain ticket from TGS for foreign Realm Supply to TGS of foreign Realm Rinse and repeat as necessary Michigan Penn St. Ohio St. Purdue Pitt There is no problem so hard in computer science that it cannot be solved by another layer of indirection. David Wheeler, Cambridge University (circa 1950) 38

39 Kerberos Reality V4 was supposed to be replaced by V5 But wasn t because interface was ugly, complicated, and encoding was infuriating Assumes trusted path between user and Kerberos Widely used in UNIX domains Robust and stable implementation Problem: trust ain t transitive, so not so good for large collections of autonomous enterprises 39