Authentication and Passwords. CSC 482/582: Computer Security

Transcription

1 Authentication and Passwords

2 Authentication 1. Identity 2. Groups and Roles 3. Network Identities 4. Authentication 5. Biometrics 6. UNIX Authentication 7. Password Threat Models and Attacks 8. Storing Passwords: Hashing and Salting 9. Password Selection 10. Graphical Password Systems 11. One-time Passwords

3 What is Identity? Computer s representation of an entity Entities can be subjects or objects. Authentication binds a principal to an identity. Example: username expresses your identity. password binds the person typing to that particular identity (username).

4 Purpose of Identity Access Control Most systems base access rights on identity of principal executing the process. Accountability Logging and auditing functions. Need to track identity across account/role changes (e.g., su, sudo).

5 Groups and Roles An entity may be a set of entities referred to by a single identifier. Principals often need to share access to files, and thus are taken as groups. static: alias for a group of principles. dynamic: principal changes from one group to another as different privileges are needed. role: a group that ties membership to function

6 Network Identity Ethernet (MAC) Address 48-bit data link level identifier example: 00:0B:DB:78:39:8A IP Address 32-bit network level identifier ex: IPv6 Address 128-bit network level identifier ex: fe80::2a0:c9ff:fe97:153d/64 Hostname (DNS name) string application level identifier ex:

7 What is Authentication? Binding of an identity to a subject Based on: 1. What the entity knows (e.g., passwords) 2. What the entity has (e.g., access card) 3. What the entity is (e.g., fingerprints) 4. Where the entity is (e.g., local terminal) Two-factor authentication

8 Authentication System A: set of authentication information information used by entities to prove identity C: set of complementary information information stored by system to validate A F: set of complementation functions f : A C generate C from A L: set of authentication functions l: A C {T,F} verify identity S: set of selection functions enable entity to create or alter A or C

9 Password System Example User authenticates with 8-character alphanumeric password. System compares against stored cleartext password. A = [A-Za-z0-9]{8} C = A F = { I } L = { = } Not a system that anyone should actually use.

10 Biometric System Example User authenticates with fingerprint. System compares w/ digital fingerprint template. A = { user fingerprints } C = { digital fingerprint templates } F = { fingerprint reader + analog->digital } L = { tunable similarity function }

11 What You Know Passwords Pass Phrases PINs

12 What You Have Smart Cards USB Token RFID RFID used for toll collection

13 RFID Radio Frequency Identification Types of Tags Passive: use power from reader signal Active: internal power source Applications Product tracking (EPC barcode replacement) Transportation payment Automotive (embedded in car keys) Passports Human implants EPC RFID Tag

14 What You Are: Biometrics Identification by human characteristics: 1. Physiological 2. Behavioral A biometric characteristic should be: 1. universal: everyone should have it 2. unique: no two people should share it 3. permanent: it should not change with time 4. quantifiable: it must be practically measurable

15 How Biometrics Work 1. User submits sample. 2. Software turns sample into digital template. 3. Software compares template against stored reference template. 4. Authentication based on how closely templates match.

16 Biometric Measurement Possible Outcomes: 1. Correct person accepted 2. Imposter rejected 3. Correct person rejected (False Rejection) 4. Imposter accepted (False Acceptance)

17 False Positives and Negatives Tradeoff between False Accept Rate False Reject Rate

18 Fingerprints Capacitive measurement, using differences in electrical charges of whorls on finger to detect those parts touching chip and those raised.

19 Brandon Mayfield Fingerprints found in 2004 Madrid bombing. Brandon arrested May 6, FBI claimed 100 percent positive match. Held under a false name. Then transferred to unidentified location. Spanish police identify fingerprint as belonging to an Algerian man May 21, Brandon released May 25, 2004.

20 Eye Biometrics Iris Scan Lowest false accept/reject rates of any biometric. Person must hold head still and look into camera. Retinal Scan Cataracts and pregnancy change retina pattern. Lower false accept/reject rates than fingerprints. Intrusive and slow.

21 Other Types of Biometrics Physiological Behavioral DNA Face recognition Hand geometric Heartbeat Voice recognition Gait recognition Keyboard dynamics Mouse dynamics Signatures

22 Biometrics are not infallible What are False Accept and Reject Rates? Do the characteristics change over time? Retina changes during pregnancy. Fingerprint damage due to work/pipe smoking. Young and old people have fainter fingerprints. Is it accurate in the installed environment? Is someone observing fingerprint or voiceprint checks? i.e., did you collect biometric from the person?

23 Biometrics can be compromised. Unique identifiers, not secrets. You can change a password. You can t change your iris scan. Examples: You leave your fingerprints every place. It s easy to take a picture of your face. Other compromises. Use faux ATM-style devices to collect biometrics. Obtain all biometric templates from server.

24 Use and Misuse of Biometrics Employee identification. Employee enters login name. System uses fingerprint to verify employee is who he claims to be. Problem: Does biometric match the employee? Criminal search (Superbowl 2001) System uses face recognition to search for criminals in public places. Problem: Does any biometric in database match anyone in a crowd of people? Assume system is 99.99% accurate and 1 in 10million people is a terrorist. Result: 1000 false positives for each terrorist.

25 Location Classic: only allow access from a particular terminal or a particular set of remote hosts. Modern: GPS-based Location Signature Sensor (LSS) for host and user. Access rules permit user only to access host with specific LSS values. Cell-phones track location, and some states use them to track drivers speed and locations.

26 UNIX Authentication UNIX identifies user with a UID Username is for humans, UID for computers. 32-bit unsigned integer. UID=0 is the superuser, root. Identity and authentication data stored in /etc/passwd /etc/shadow /etc/group

27 /etc/{passwd,shadow} Central file(s) describing UNIX user accounts. /etc/passwd /etc/shadow Username Username UID Encrypted password Default GID Date of last pw change. Days til change allowed. GCOS Days `til change Home directory required. Login shell Expiration warning time. Expiration date. student:x:1000:1000:example User,, ,:/home/student:/bin/bash student:$1$w/uuktlf$otssvxtsn/xjzuogfelnz0:13226:0:99999:7:::

28 Password Storage and Use

29 Password Threat Models 1. Online Attacks Threat has access to login user interface. Attack is attempts to guess passwords using the normal UI (slow). 2. Offline Attacks Threat has access to hashed passwords. Attack is to guess words, hash words, then compare with hashed passwords (fast). 3. Side Channel Attacks Threat has access to account management UI. Attack by using password reset functionality.

30 Password Leaks are Common

31 Password Cracking Get Hashed Password pw hash word = Next word from list List of potential passwords. word hash = Hash(word) word hash == pw hash False True word is password

32 Cracking Methods 1. List of common passwords As a result of leaks, lists of millions are available. 2. List of English/foreign dictionary words 3. Permutation rules Substitute numbers/symbols for letters Change case, pluralize, reverse words, digit/symbol prefix/postfix, replace letters with symbols (a Join words from sources #1 and #2 above, with symbols or 4-digit or shorter numbers added infix or prefix or postfix. 4. Brute force All possible passwords

33 Parallel Cracking GPUs contain hundreds of small processor cores Can be used to crack some types of password hashes. Elcomsoft benchmarks Cluster of 25 Radeon GPUs. 350 billion Windows NTLM pws/sec Cluster can try every password that is <= 8 characters long in 5.5 hours.

34 Countering Password Guessing Choose A, C, and F to select suitably low probability P(T) of guessing in time T. P(T) >= TG / N G is number of guess per time unit T T is number of time units in attack N is number of possible passwords

35 Calculating Minimum Password Length Password System There are 96 allowable characters in password. System allows 10 6 guesses/second. Requirement: probablility of success guess should be 0.5 over 365-day period. What should the minimum password length be? N >= TG/P N >= (365 x 24 x 60 x 60) x 10 6 / 0.5 = 6.31 x N = Σ96 i, where i ranges from 1 to length of password Σ96 i >= N = 6.31 x is true when largest i >= 8 The minimum required password length is 8.

36 Password Aging Requirement that password be changed after a period of time or after an event has occurred If expected time to guess is 180 days, should change password more frequently than 180 days 1. If change time too short, users have difficulty recalling passwords. 2. Cannot allow users to change password to current one. 3. Also prevent users from changing passwords too soon. 4. Give notice of impending password change requirement.

37 Classic UNIX Passwords Format: Up to 8 ASCII characters A contains 6.9 x possible passwords C contains crypt hashes, strings of length 13 chosen from alphabet of 64 characters, 3.0 x strings Storage /etc/passwd (0644) was traditionally used /etc/shadow (0600) in modern systems

38 Classic UNIX Password Hashing crypt() function used for hashing DES encrypts 64-bit block of 0s (25 rounds) using your password for the key. Modified DES incompatible with DES hardware cracking tools. Limited to 8 characters or less. If limited to 95 printable characters, only 2 53 possible passwords.

39 Rainbow Tables Faster cracking by trading space for time: Dictionary of passwords and their hashes Contains all passwords < length n Find password by looking up hash in table GPU cracking fast enough to reduce importance.

40 Salts Add random, public data to password to create key. Any word may be encrypted in 2 n possible ways: Your password always uses same n-bit salt. Someone else with same password (a) probably has different salt, and thus different c = f(a). Traditional UNIX crypt had a 12-bit salt Number of possible keys increased to 2 66 Too small for today. Modern UNIX uses slower hash + larger salt.

41 Modern Hashing Schemes SHA512crypt (Linux, Mac OS X) unlimited length passwords 5000 iterations 16 character salt Bcrypt (55 character long passwords, 128-bit salt) Based on modified (slower) Blowfish encryption algorithm. Configurable iteration count for hashing. Increases cost of guessing on a per-account basis. PBKDF2 (Password-Based Key Derivation Function 2) Framework with configurable hash, iterations, salt. (.NET) Scrypt Sequential, memory-hard hashing algorithm. Defense against specialized hardware (GPUs, ASICs, FPGAs) None of these can be attacked via GPU cracking today.

42 Windows 2000/XP Passwords Storage %systemroot%\system32\config\sam locked while NT running %systemroot%\repair\sam_ backup file may be accessible via remote registry calls Format LAN Manager (LM) Hash NT (MD4) Hash

43 Windows LM Hash Algorithm 1. Password fitted to 14 character length by truncating or padding with 0s. 2. Password converted to upper case. 3. Password divided into two 7-byte halves. 4. Each half used as DES key to encrypt same 8-byte constant. 5. Resultant strings merged to form a 16-byte hash value.

44 Windows LM Hash Problems Last 8 bytes of c known if password < 7 chars. Dividing password into halves reducing problem of breaking 14-character password to breaking two 7- character passwords. Conversion to upper case reduces character set. Dictionary of password hashes can be prebuilt Number of possible passwords much smaller than DES space. No salt is used.

45 Windows NT Hash Converts to Unicode, MD4 hashes result Caveat: Often used in conjunction with LM hash, which is required for backwards compatibility. No salt: identical passwords generate identical hashes.

46 Password Selection 1. Random Selection 2. Pronounceable Passwords 3. User Selection

47 Random Selection Yields equal distribution of passwords for maximum difficulty in cracking What about short passwords? Random passwords aren t easy to remember Short term memory holds 7 +/- 2 items People have multiple passwords Principle of Psychological Acceptability Requires a good PRNG

48 Random Selection (Bad)Example PDP-11 password generator 16-bit machine 8 upper-case letters and digits P = 36 8 = 2.8 x At sec/encryption, 140 years to brute force PRNG had period of Only 65,535 possible passwords Requires 102 seconds to try all passwords

49 User Selection Allow users to choose passwords. Reject insecure passwords based on ruleset: 1. Based on account, user, or host names 2. Dictionary words 3. Permuted dictionary words 4. Patterns from keyboard 5. Shorter than 6 characters 6. Digits, lowercase, or uppercase only passwords 7. License plates or acronyms 8. Based on previously used passwords

50 Human Randomness?

51 Bad Passwords

52 How to Select Good Passwords 1. Long passwords, consisting of multiple words.. Use n th letter of each word if phrase too long. 2. Themes: 1. Word combinations: 3 blind katz 2. or URL: yoda@strong-this-password-is.net 3. Phone number: (888) 888-eight eight 4. Bracketing: Starfleet -> *!-Starfleet-!* 5. Add a word: shopping -> Goin shopping 6. Repetition: Pirate--PirateShip 7. Letter swapping: Sour Grape -> Gour Srape

53 Miseducating Users?

54 Online Attacks If complements not accessible, attacker must use authentication functions to do an online attack. Cannot be prevented. To increase difficulty of auth function attack: Backoff: increasing wait before allowing another guess. Disconnection: disconnect after n failures. Disabling: disable account after n failures. Jailing: permit access to limited system, so admins can observe attacker.

55 Side Channel Attacks are Easier Web sites will you password if you answer a simple secret question: 1. What is your favorite color? 2. What is your pet s name? 3. What is your mother s maiden name? Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there?

56 Graphical Passwords Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces. Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story.

57 Challenge-Response Problem: passwords are reusable, and thus subject to replay attacks. Solution: authenticate in such a way that the transmitted password changes each time.

58 One-Time Passwords A password that s invalidated once used. Challenge: number of authentication attempt Response: one-time password Problems Generation of one-time passwords Use hash or cryptographic function Synchronization of the user and the system Number or timestamp passwords

59 Key Points 1. Access control is based on identity. 2. Authentication consists of an entity, the user, attempting to convince another entity, the verifier, of the user s identity 1. something you know (passwords) 2. something you have (security tokens) 3. something you are (biometrics) 3. Dictionary attacks can break password security Rainbow tables trade space for time to speedup cracking. Special hardware (GPUs) and parallelization can speedup. 4. Stored passwords are secured by Hashing (possibly with multiple iterations) Salting 5. One-time passwords offer greater security.

60 References 1. Phil Agre. Your Face is not a Bar Code, Ross Anderson, Security Engineering, 2 nd edition, Wiley, Matt Bishop, Introduction to Computer Security, Addison-Wesley, Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, Lorie Faith Cranor and Simson Garfinkel, Security and Usability, O Reilly, Dan Goodin, Why passwords have never been weaker and crackers have never been stronger, Ars Technica, Goodrich and Tammasia, Introduction to Computer Security, Pearson, Cynthia Kuo et. al., Human Selection of Mnemonic Phrase-based Passwords, SOUPS 2006, Bruce Schneier, Biometrics: Truths and Fictions, Cryptogram, Bruce Schneier, The Curse of the Secret Question, Solar Designer, Password hashing at scale, YaC 2012, Scale/, 2012.