CIT 380: Securing Computer Systems

Transcription

1 CIT 380: Securing Computer Systems Passwords CIT 380: Securing Computer Systems Slide #1

2 Topics 1. Password Systems 2. Password Cracking 3. Hashing and Salting 4. UNIX Password Systems 5. Windows Password Systems 6. Network Password Systems 7. Password Selection 8. Graphical Passwords 9. One-time Passwords Slide #2

3 Authentication System A: set of authentication information information used by entities to prove identity C: set of complementary information information stored by system to validate A F: set of complementation functions f : A C generate C from A L: set of authentication functions l: A C {T,F} verify identity S: set of selection functions enable entity to create or alter A or C CIT 380: Securing Computer Systems Slide #3

4 Password System Example Authenticate with 8-character alphanumeric password. System compares against stored cleartext password. A = [A-Za-z0-9]{8} C = A F = { I } L = { = } Security problem: a threat who gains access to password file knows password for every user. CIT 380: Securing Computer Systems Slide #4

5 Password Storage Solution: We should store complementary information instead of passwords, so threat doesn t get every password by stealing one file. Idea #1: Encrypt passwords. Encrypt passwords with secret key. Store ciphertext. Problem: what if attacker finds secret key? Idea #2: Hash passwords. Store hash value of password. No Problem: hashes can t be turned back into passwords. Slide #5

6 Password System Example #2 Authenticate with 8-character alphanumeric password. System compares with stored MD5 hash of password. A = [A-Za-z0-9]{8} C = 128-bit numbers F = { MD5 } L = { MD5(a)=c } CIT 380: Securing Computer Systems Slide #6

7 Threat Models 1. Online Attacks Threat has access to login user interface. Attack is attempts to guess passwords using the normal UI (slow). 2. Offline Attacks Threat has access to hashed passwords. Attack is to guess words, hash words, then compare with hashed passwords (fast). 3. Side Channel Attacks Threat has access to account management UI. Attack by using password reset functionality. Slide #7

8 Password Leaks are Common CIT 380: Securing Computer Systems Slide #8

9 Password Cracking Get Hashed Password pw hash word = Next word from list List of potential passwords. word hash = Hash(word) word hash == pw hash False True word is pw CIT 380: Securing Computer Systems Slide #9

10 Cracking Methods 1. List of common passwords 2. List of English/foreign words 3. Permutation rules Substitute numbers/symbols for letters Change case, pluralize, reverse words, character shifts, digit/symbol prefix/postfix,joining words 4. Brute force All possible passwords CIT 380: Securing Computer Systems Slide #10

11 Parallel Cracking This $12,000 computer, dubbed Project Erebus v2.5 by creator d3ad0ne, contains eight AMD Radeon HD7970 GPU cards. Running oclhashcat, it requires just 12 hours to brute force all 8 char passwords. CIT 380: Securing Computer Systems Slide #11

12 Side Channels are Easier Web sites will you password if you answer a simple secret question: 1. What is your favorite color? 2. What is your pet s name? 3. What is your mother s maiden name? Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there? CIT 380: Securing Computer Systems Slide #12

13 Countering Password Guessing Choose A, C, and F to select suitably low probability P(T) of guessing in time T. P(T) >= TG / N G is number of guess per time unit T T is number of time units in attack N is number of possible passwords CIT 380: Securing Computer Systems Slide #13

14 Calculating Minimum Password Length Password System There are 96 allowable characters in password. System allows 10 6 guesses/second. Requirement: probablility of success guess should be 0.5 over 365-day period. What should the minimum password length be? N >= TG/P N >= (365 x 24 x 60 x 60) x 10 6 / 0.5 = 6.31 x N = Σ96 i, where i ranges from 1 to length of password Σ96 i >= N = 6.31 x is true when largest i >= 8 The minimum required password length is 8. CIT 380: Securing Computer Systems Slide #14

15 Password Aging Requirement that password be changed after a period of time or after an event has occurred If expected time to guess is 180 days, should change password more frequently than 180 days 1. If change time too short, users have difficulty recalling passwords. 2. Cannot allow users to change password to current one. 3. Also prevent users from changing passwords too soon. 4. Give notice of impending password change requirement. CIT 380: Securing Computer Systems Slide #15

16 Rainbow Tables Faster cracking by trading space for time Dictionary of passwords/hashes Contains all passwords < length n Find password by looking up hash in table Rainbow table is algorithm for reducing storage Slide #16

17 Salts Add random, public data to password to create key. Any word may be hashed in 2 n possible ways: Your password always uses same n-bit salt. Someone else with same password a probably has different salt, and thus different c = f(a). Multiplies size of rainbow table by 2 n. Doesn t significantly slow down other cracking techniques. Classic UNIX crypt hashes had a 12-bit salt: Number of possible keys increased to 2 66 Rainbow table needs to be 4096 times bigger due to salt.

18 Password Storage and Use CIT 380: Securing Computer Systems Slide #18

19 UNIX Passwords Classic Format: Up to 8 ASCII characters A contains 6.9 x possible passwords. C contains crypt hashes with 12-bit salts, strings of length 13 chosen from alphabet of 64 characters, 3.0 x strings. Hashes stored publicly in /etc/passwd. Modern Format A is unlimited, as there is no maximum length. C contains 512-bit hash values bit salt. Hashes stored in /etc/shadow. Slide #19

20 /etc/{passwd,shadow} Central files describing local UNIX user accounts. /etc/passwd Username UID Default GID GCOS Home directory Login shell /etc/shadow Username Encrypted password Date of last pw change. Days til change allowed. Days `til change required. Expiration warning time. Expiration date. student:x:1000:1000:example User,, ,:/home/student:/bin/bash student:$1$w/uuktlf$otssvxtsn/xjzuogfelnz0:13226:0:99999:7::: Slide #20

21 Modern Storage: Iterated Hash + Salt Password security basics Hashes prevent direct access to cleartext passwords. Salts make rainbow tables too expensive to use. How can we make cracking too expensive? Soln: make hashing slower by Use slower hash algorithms. Run the hash function multiple times, passing output of one iteration as input to next. Slide #21

22 Modern Hashing Schemes SHA512crypt (Linux, Mac OS X) Unlimited password length iterations of SHA-512 hash function. 16 character salt. Bcrypt (OpenBSD, 55 chars, 128-bit salt) Based on modified (slower) Blowfish encryption algorithm. Configurable iteration count for hashing. Increases cost of guessing on a per-account basis. PBKDF2 (Password-Based Key Derivation Function 2) (.NET) Scrypt Framework with configurable hash, iterations, salt. Sequential, memory-hard hashing algorithm. Defense against specialized hardware (GPUs, ASICs, FPGAs) Slide #22

23 Windows Passwords Storage %systemroot%\system32\config\sam locked while OS running so other programs can t open. Retrieval Boot system with Ophcrack or Kon-boot USB. Tool will copy SAM to USB drive for cracking. Format Classic: LAN Manager (LM) Hash Modern: NTLM (MD4) Hash Many systems use both for backwards compatibility. CIT 380: Securing Computer Systems Slide #23

24 Windows LM Hash Algorithm 1. Password fitted to 14 character length by truncating or padding with 0s. 2. Password converted to upper case. 3. Password divided into two 7-byte halves. 4. Each half used as DES key to encrypt same 8-byte constant. 5. Resultant strings merged to form a 16-byte hash value. CIT 380: Securing Computer Systems Slide #24

25 Windows LM Hash Problems Last 8 bytes of c known if password < 7 chars. Dividing password into halves reducing problem of breaking 14-character password to breaking two 7- character passwords. Conversion to upper case reduces character set. Dictionary of password hashes can be prebuilt Number of possible passwords much smaller than DES space. No salt is used. CIT 380: Securing Computer Systems Slide #25

26 NTLM Passwords NTLM is a replacement for LM hashes. LM authentication disabled by default as of Windows Server 2008 (and Vista on desktop.) NTLM Hash Algorithm Convert password to Unicode. Hash with MD4 Algorithm. NTLM Security Problems No salt. Passwords cached on client. Pass-the-hash vulnerabilities.

27 Kerberos Kerberos is a challenge/response protocol Passwords are never sent over network. Passwords are never stored on client. Users authenticate via tickets, not passwords or hashes. Open standard based on symmetric cryptography Created by MIT for internal use. Open source and commercial versions exist. Microsoft Active Directory = Kerberos + LDAP. Password storage Multiple allowed hashing techniques. CIT 380: Securing Computer Systems Slide #27

28 Password Selection 1. Random Selection 2. Pronounceable Passwords 3. User Selection CIT 380: Securing Computer Systems Slide #28

29 Random Selection Yields equal distribution of passwords for maximum difficulty in cracking. Random passwords aren t easy to remember Short term memory holds 7 +/- 2 items People have multiple passwords Principle of Psychological Acceptability Requires a secure PRNG to be effective. CIT 380: Securing Computer Systems Slide #29

30 Random Selection (Bad)Example PDP-11 password generator 16-bit machine 8 upper-case letters and digits P = 36 8 = 2.8 x At sec/encryption, 140 years to brute force PRNG had period of Only 65,535 possible passwords Requires 102 seconds to try all passwords CIT 380: Securing Computer Systems Slide #30

31 Pronounceable Passwords Generate passwords from random phonemes instead of random characters. People can remember password as sequence of audible phonemes instead of characters, allowing easy recall of longer passwords. Fewer pronounceable passwords exist than random passwords. CIT 380: Securing Computer Systems Slide #31

32 User Selection Allow users to choose passwords. Reject insecure passwords based on ruleset: 1. Based on account, user, or host names 2. Dictionary words 3. Permuted dictionary words 4. Patterns from keyboard 5. Shorter than 6 characters 6. Digits, lowercase, or uppercase only passwords 7. License plates or acronyms 8. Based on previously used passwords CIT 380: Securing Computer Systems Slide #32

33 Human Randomness? CIT 380: Securing Computer Systems Slide #33

34 Bad Passwords CIT 380: Securing Computer Systems Slide #34

35 How to Select Good Passwords 1. Long passwords, consisting of multiple words.. Use n th letter of each word if phrase too long. 2. Themes: 1. Word combinations: 3 blind katz 2. or URL: yoda@strong-this-password-is.net 3. Phone number: (888) 888-eight eight 4. Bracketing: Starfleet -> *!-Starfleet-!* 5. Add a word: shopping -> Goin shopping 6. Repetition: Pirate--PirateShip 7. Letter swapping: Sour Grape -> Gour Srape CIT 380: Securing Computer Systems Slide #35

36 Miseducating Users? CIT 380: Securing Computer Systems

37 Online Password Attacks If complements (hashes) not accessible, attacker must use authentication functions to do an online attack. You can t stop threats from trying to login. To increase difficulty of online attacks: Backoff: add wait time before asking for username and password again, increasing with each login failure. Disconnection: disconnect after n failures. Disabling: disable account after n failures. Slide #37

38 Graphical Passwords Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces. Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story. CIT 380: Securing Computer Systems Slide #38

39 Password Reuse

40 Challenge-Response Problem: passwords are reusable, and thus subject to replay attacks. Solution: authenticate in such a way that the transmitted password changes each time. CIT 380: Securing Computer Systems Slide #40

41 One-Time Passwords A password that s invalidated once used. Challenge: number of auth attempt Response: one-time password Problems Generation of one-time passwords Use hash or crytographic function Synchronization of the user and the system Number or timestamp passwords CIT 380: Securing Computer Systems Slide #41

42 Key Points 1. Password threat models: 1. Online: use regular login form. 2. Offline: obtain and crack password hashes. 3. Side-Channel: bypass using account management functions like password reset. 2. Stored passwords secured vs. offline attacks by Hashing (possibly with multiple iterations) Salting 3. Cracking techniques Brute-force (try every possible password) Dictionary based Rule based Rainbow tables Slide #42

43 Key Points 4. Designing a password policy P(T) >= TG / N 1. Password complexity (length, character set) 2. Password aging (how often to change) 5. Selecting passwords 1. Random selection 2. Human selection 6. One-time passwords offer greater security. 1. Since passwords can t be reused, it does not matter if an attacker obtains a previously used password. Slide #43

44 References 1. Ross Anderson, Security Engineering, 2 nd edition, Wiley, Matt Bishop, Introduction to Computer Security, Addison-Wesley, Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, Lorie Faith Cranor and Simson Garfinkel, Security and Usability, O Reilly, Dan Goodin, Why passwords have never been weaker and crackers have never been stronger, Ars Technica, Goodrich and Tammasia, Introduction to Computer Security, Pearson, Cynthia Kuo et. al., Human Selection of Mnemonic Phrase-based Passwords, SOUPS 2006, Solar Designer, Password hashing at scale, YaC 2012, Hashing-At-Scale/, 2012.