Password cracking. IN Ethical Hacking. Bruvoll & Sørby. Department of Informatics 1 / 46
|
|
- Archibald Bryan
- 5 years ago
- Views:
Transcription
1 Password cracking IN Ethical Hacking Bruvoll & Sørby Department of Informatics / 46
2 Agenda About passwords Cracking passwords 2 / 46
3 About passwords 3 / 46
4 Passwords as authentication Providing a user name and a password is still the most common form of logging on to computer systems. This can be seen as a two step process: 1. Identification who you are (user name) 2. Authentication proving that you are who you claim to be (password) 4 / 46
5 Other ways of authenticating Passwords belong to one of three categories of user authentication: knowledge-based authentication something you know passwords, passphrases ownership-based authentication something you have tokens (bank id OTP calculators, yubikeys) inherence-based authentication something you are/do biometrics (fingerprints, iris scan,... ) Multi-factor authentication (MFA) requires the use of multiple authentication mechanisms, typically from two or more of the above categories. Two-factor authentication (2FA) is the most common type of MFA, combining two different mechanisms. 5 / 46
6 Cracking passwords There are two major approaches for guessing passwords: Exhaustive search Trying all possible combinations Often called brute force Intelligent search The idea is to reduce the search space Guess based on personal information (names of friends, birthdays... ) Try generally popular passwords Guess based on words in a dictonary (a dictionary attack) 6 / 46
7 Password strength The strength of a truly random password is a function of the size of the set of symbols allowed in the password, and the length of the password. Example How many passwords are possible when the set of symbols are all alphanumerical characters (upper and lower case), and the password length is 6? 7 / 46
8 Password strength The strength of a truly random password is a function of the size of the set of symbols allowed in the password, and the length of the password. Example How many passwords are possible when the set of symbols are all alphanumerical characters (upper and lower case), and the password length is 6? The size of the set is 62 (A-Za-z0-9), and the possible combinations are: 62 6 = / 46
9 Storing passwords Storing passwords in cleartext is obviously a bad idea. Storing passwords encrypted might seem like a good idea, but: anyone with access to the keys and the encrypted passwords can impersonate any user the keys must be protected from attackers Storing the hash value of the password is the preferred method for storing passwords: the hash function is one-way, we cannot deduce the password from the hash similar passwords have totally different hashes the authentication function first computes hash of received password, then compares against stored hash value but there still are issues... 8 / 46
10 Lookup and Rainbow table attacks What if the attacker precomputes and stores the hash of probable passwords in a lookup table? Used to be infeasible due to the storage requirements. A rainbow table is a precomputed table of passwords and their hashes, using clever methods for reducing the storage space required. Using rainbow tables, the attacker can just lookup the stored password hash in the table and get back the password. 9 / 46
11 Salting the password To defend against attacks using precomputed hash tables, we can salt the password. Prepend or append random data (salt) to the password before hashing it Store the salt together with the password hash Now two instances of the same password will get different hashes, and the attacker will have to crack each and every password. Example Password Salt Hashing function call What is stored secret None sha1( secret ) e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 secret asdf sha1( asdfsecret ) ( asdf, aaba62303a3ec aff8602ffbda9d ) secret qwer sha1( qwersecret ) ( qwer, 038fbd19069cacc6865a66c25c0f39a663f70b8d ) 10 / 46
12 Bruteforcing password hashes Cryptographic hashes are designed to be fast to compute, and modern day GPUs can compute billions of hashes per second. Thus, slowing the attacker down becomes necessary. This can be done by key stretching making a weak key more secure against brute force attacks by increasing the time it takes to test each candidate key. Some popular algorithms that uses key stretching are PBKDF2 and bcrypt. Simplistically, they do several rounds of hashing, using the output of one round as the input for the next. The number of rounds are given as a parameter, and recommended number of rounds are several thousand. 11 / 46
13 Password policies Choosing good random passwords is hard, and analyses of password dumps have shown that people often do choose poor passwords. Password policies try to mitigate this by setting rules for: password length and complexity requiring at length of 8 or more requiring both upper-case and lower-case letters, one or more numeric digits requiring special characters, such as #,!, %, ;,... password duration changing every 180 days password history remembering and denying the use of old passwords password blacklisting passwords containing patterns as qwerty, password etc... passwords containing the user s personal information 12 / 46
14 Password policies Helping the user choose strong passwords is a good thing, but: remembering dozens of strong, random passwords doesn t scale users will be tempted to reuse their password on other systems users will be tempted to write down the password on a piece of paper the use of password managers can be problematic does the password leave the organization? what if the password manager gets compromised? users might create simple rules that technically follow the password policy, but make future passwords highly predictable given knowledge of the current one 13 / 46
15 Passphrases Passphrases can be a good alternative to traditional passwords, provided the words really are chosen randomly. 14 / 46
16 Cracking passwords 15 / 46
17 Password cracking tools Kali comes with several tools for password cracking: John the Ripper multiple modes, customizable, easy to get running hashcat multiple modes, can use GPUs for cracking Johnny a GUI for John the Ripper RainbowCrack for creating and using rainbow tables 16 / 46
18 Cracking with John the Ripper We will be cracking passwords from a Linux system. On modern systems, the relevant information is stored in two files: /etc/passwd stores user account information, but not the password hashes. Is world-readable as many programs require data from user accounts. /etc/shadow stores the password hashes, and password meta-information. Can only be accessed by root. 17 / 46
19 /etc/passwd $ cat / etc / passwd Ole :x :502:502::/ home / Ole :/ bin / bash Dole :x :504:504::/ home / Dole :/ bin / bash Contents of the file: User name: up to eight characters long Password: x means a shadow file is used for storing the password hash User ID (UID): user identifier for access control Group ID (GID): user s primary group ID string: user s full name Home directory: location of the user s home directory Login shell: program started after successful log in 18 / 46
20 /etc/shadow $ cat / etc / shadow Ole : $1$zPawRL. R$l8n1emmkWk2QJB5FEPzxI1 :14152:0:99999:7::: Dole : $1$. L9uWK48$nwAScuNaqpNuicVdwGHx10 :14152:0:99999:7::: Contents of the file: username encrypted password, really a hash days since password was changed days left before user may change password days left before user is forced to change password days to change password warning days left before password is disabled days since the account has been disabled reserved 19 / 46
21 /etc/shadow Ole :$1$zPawRL.R$l8n1emmkWk2QJB5FEPzxI1: 14152: 0: 99999: 7::: The password is stored on the form $id$salt$hash, where id is the hashing algorithm used (1: MD5, 5: SHA-256, 6: SHA512) 20 / 46
22 unshadow John provides the unshadow command for combining passwd and shadow files so John can use them. $ unshadow passwd shadow > workfile $ cat workfile Ole : $1$zPawRL. R$l8n1emmkWk2QJB5FEPzxI1 :502:502::/ home / Ole :/ bin / bash Dole : $1$. L9uWK48$nwAScuNaqpNuicVdwGHx10 :504:504::/ home / Dole :/ bin / bash 21 / 46
23 Single mode In single mode, John will try to crack the password using the login information as passwords. $ john -- single workfile Using default input encoding : UTF -8 Loaded 8 password hashes with 8 different salts ( md5crypt, crypt (3) $1$ [ MD5 128/128 AVX 4x3 ]) Press q or Ctrl -C to abort, almost any other key for status Borgund ( linebo ) langbein12 ( Langbein ) 2g 0:00:00:00 DONE ( :25) g/s p/s c/s C/s dole dole1900 Use the " -- show " option to display all of the cracked passwords reliably Session completed 22 / 46
24 Wordlist mode In wordlist mode, John will use a file with a list of words to crack the passwords. If the option --rules is specified, John will modify or mangle word according to specified rules. $ john -- wordlist -- rules workfile Using default input encoding : UTF -8 Loaded 8 password hashes with 8 different salts ( md5crypt, crypt (3) $1$ [ MD5 128/128 AVX 4x3 ]) Remaining 6 password hashes with 6 different salts Press q or Ctrl -C to abort, almost any other key for status coffee ( Ole ) eeffoc ( Doffen ) coffee6 ( Dole ) 3g 0:00:00:14 DONE ( :32) g/s p/s c/s C/s Qwerting.. Sssing Use the " -- show " option to display all of the cracked passwords reliably 23 / 46
25 Incremental mode Incremental mode is the most powerful cracking mode, as John will try all possible character combinations as passwords. This mode does not terminate on itself (unless you configure a small search space), but will continue cracking until interrupted. We can define mode definitions for Incremental mode in John s configuration file 1 what symbols to use minimum and maximum lengths 1 On Kali: /etc/john/john.conf 24 / 46
26 Managing the search space Successful password cracking is mostly about managing and reducing the search space. Knowledge of your targets username, full name language and culture password requirements/policy Relevant dictionaries customized with target specific information Good rules customized with target specific information 25 / 46
27 Additional resources John comes with extensive documentation: on Kali it is located under /usr/share/doc/john/ (use zless to read) online documentation: The John wiki: A nice John cheat sheet: jtr-cheat-sheet.pdf 26 / 46
28 Passwords in Windows 27 / 46
29 How are passwords stored in Windows? Passwords are stored in the SAM: The registry: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users SAM in file on disk: C:\Windows\System32\config 28 / 46
30 Passwords in the registry Command line to open regedit as SYSTEM: Psexec.exe s i regedit.exe Psexec is part of the SysInternals suite. 29 / 46
31 Passwords in the registry 30 / 46
32 Extract password hashes from the file on disk The SAM in file on disk, C:\Windows\System32\config, is not readable while Windows is running To extract the file, boot the machine from Linux on USB (or CD), if possible Linux USB and physical access 31 / 46
33 Extract the password hashes from the registry Use a tool to extract the hashes. Possible if you are admin user. Extract them manually by learning the format of the registry values. Read more: 32 / 46
34 Possible tool: fgdump 33 / 46
35 Possible tool: fgdump 34 / 46
36 Extracted password hashes User name:number:lm hash:ntlm hash 35 / 46
37 LM hash LM hashes are insecure and out of date. Capitalize Pad with zeros to length of 14 Divide into two parts of length 7 Each part used as DES key to encrypt KGS!@#$% Concatenate 36 / 46
38 NTLM hash MD4 of the little endian UTF-16 Unicode password More secure than LM hash Not of much use as long as LM hashes were stored as well Now normally only NTLM hashes are stored 37 / 46
39 Why crack passwords if you are already admin? Passwords may be reused. Access to other files. Step by step towards more access. 38 / 46
40 Which users are present on the machine? wmic useraccount 39 / 46
41 Recommended reading A good article on salted password hashing: A series of articles from Ars Technica: passwords-under-assault/ how-i-became-a-password-cracker/ how-crackers-make-minced-meat-out-of-your-passwords/ 40 / 46
42 Exercise Task Part 1: Password length Assume that a password can only contain the 26 characters from the alphabet. How many different passwords are possible if a password is at most n, n = 4,6,8, characters long and there is no distinction between upper case and lower case characters? How many different passwords are possible if a password is at most n, n = 4,6,8, characters long and passwords are case sensitive? 41 / 46
43 Exercise Task Part 2: Brute force Assume that passwords have length six and all alphanumerical characters, upper and lower case, can be used in their construction. How long will a brute force attack take on average if: it takes one tenth of a second to check a password? it takes a microsecond to check a password? 42 / 46
44 Exercise Task Part 3: Hashes and salts 1. What is the advantage of storing password databases as hash values instead of in plaintext? 2. What is the advantage of storing passwords as salted hash values instead of just as hash values? 43 / 46
45 Exercise Task Part 4: More hashes and salts Create a text file (c:\pw.txt) on your Windows 7 VM, and write a random string (without any linebreaks). Open a command prompt and use the command certutil to hash the file: certutil -hashfile c:\pw.txt SHA1. Make note of the hash value. Add a single character to the text file. Hash the file again, and note the hash value. Is it similar to the previous hash? Substitute the string with the word secret, and rehash the file. Do you get the same result as in the lecture slides? Try rehashing after appending the salt used in the slides. 44 / 46
46 Exercise Task Part 5: Crack passwords Crack the passwords 45 / 46
47 Questions? 46 / 46
CNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM Password Management Password Alternatives
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hashes and Message Authentication Codes Properties of Hashes and MACs CBC-MAC, MAC -> HASH (slow), SHA1, SHA2, SHA3 HASH
More informationO/S & Access Control. Aggelos Kiayias - Justin Neumann
O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation
More informationNetwork Security Fundamentals
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 2 Password Authentication Roadmap Password Authentication
More informationHands-On Network Security: Practical Tools & Methods. Hands-On Network Security. Roadmap. Security Training Course
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationHands-On Network Security: Practical Tools & Methods
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationGoals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack
Last Updated: Nov 7, 2017 Goals Understand UNIX pw system How it works How to attack Understand Lamport s hash and its vulnerabilities History of UNIX passwords Originally the actual passwords were stored
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hash functions: Generates a unique short code from a large file Uses of hashes MD5, SHA1, SHA2, SHA3 Message Authentication
More informationLecture 14 Passwords and Authentication
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication
More informationPasswords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014
Passwords CSC 193 WAKE FOREST U N I V E R S I T Y Department of Computer Science Spring 2014 Unix Passwords In Unix, users are identified by user names Authenticated by passwords Therefore to login as
More informationn Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems
Outline n Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems n Describe methods used to escalate privileges Chapter #5: n Describe methods used
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationWhat is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.
P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.
More informationCIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Passwords CIT 380: Securing Computer Systems Slide #1 Topics 1. Password Systems 2. Password Cracking 3. Hashing and Salting 4. UNIX Password Systems 5. Windows Password
More informationIntroduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture 09 Now, we discuss about the insecurity of passwords.
More informationAnalysis of Password Cracking Methods & Applications
The University of Akron IdeaExchange@UAkron Honors Research Projects The Dr. Gary B. and Pamela S. Williams Honors College Spring 2015 Analysis of Password Cracking Methods & Applications John A. Chester
More informationPassword retrieval. Mag. iur. Dr. techn. Michael Sonntag
Mag. iur. Dr. techn. Michael Sonntag Password retrieval E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information Processing and Microprocessor Technology
More informationCNT4406/5412 Network Security
CNT4406/5412 Network Security Authentication Zhi Wang Florida State University Fall 2014 Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 1 / 43 Introduction Introduction Authentication is the process
More informationIdentity, Authentication, and Access Control
Identity, Authentication, and Access Control License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
More informationCS530 Authentication
CS530 Authentication Bill Cheng http://merlot.usc.edu/cs530-s10 1 Identification vs. Authentication Identification associating an identity (or a claimed identity) with an individual, process, or request
More informationChapter 3: Hashing. Prof Bill Buchanan OBE
Chapter 3: Hashing Hashing Types. Hashing Methods. Salting. Collisions. LM and NTLM Hashes (Windows). Hash Benchmarks. Message Authentication Codes (MACs). OTP/HOTP. Prof Bill Buchanan OBE http://asecuritysite.com/crypto03
More informationBTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security
BTEC Level 3 Unit 32 Network System Security Password Authentication and Protection Passwords Why are they important? Passwords are cheap to deploy, but also act as the first line of defense in a security
More informationInformation Security CS 526
Information Security CS 526 Topic 7: User Authentication CS526 Topic 7: User Authentication 1 Readings for This Lecture Wikipedia Password Password strength Salt_(cryptography) Password cracking Trusted
More informationExercises with solutions, Set 2
Exercises with solutions, Set 2 EITF55 Security, 2019 Dept. of Electrical and Information Technology, Lund University, Sweden Instructions These exercises are for self-assessment so you can check your
More informationAuthentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)
Authentication SPRING 2018: GANG WANG Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU) Passwords, Hashes, Salt Password database Username Plaintext Password Not a good idea to store plaintext
More informationFrontline Information Protection
Frontline Information Protection a presentation to the Phoenix Chapter of ISACA by Hoyt L Kesterson II October 2014 OBSERVATION Most successful attacks spring from weakly-coded web pages or compromised
More informationIntroduction to Cyber Security Week 2: Cryptography. Ming Chow
Introduction to Cyber Security Week 2: Cryptography Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Understand the difference between
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationSumy State University Department of Computer Science
Sumy State University Department of Computer Science Lecture 1 (part 2). Access control. What is access control? A cornerstone in the foundation of information security is controlling how resources are
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 9: Authentication Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Definition of entity authentication Solutions password-based
More informationPASSWORDS & ENCRYPTION
PASSWORDS & ENCRYPTION Villanova University Department of Computing Sciences D. Justin Price Fall 2014 CRYPTOGRAPHY Hiding the meaning of a message from unintended recipients. Open source algorithms are
More informationInformation Security CS 526
Information Security CS 526 Topic 7: User Authentication CS526 Topic 7: User Authentication 1 Readings for This Lecture Wikipedia Password Password strength Salt_(cryptography) Password cracking Trusted
More informationModule: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger 1 1 Authentication and Authorization Fundamental mechanisms to enforce security on a system Authentication:
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationCSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 3 User Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown User Authentication fundamental security building
More informationPasswords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.
Passwords CS 166: Introduction to Computer Systems Security 1 Source: https://shop.spectator.co.uk/wp-content/uploads/2015/03/open-sesame.jpg 2 Password Authentication 3 What Do These Passwords Have in
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationETHICAL HACKING LAB SERIES. Lab 7: Breaking Windows Passwords
ETHICAL HACKING LAB SERIES Lab 7: Breaking Windows Passwords Certified Ethical Hacking Domain: System Hacking Document Version: 2015-08-14 otherwise noted, is licensed under the Creative Commons Attribution
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users Learning Objectives Explain why authentication is a critical aspect of network security Explain
More informationPRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B
PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT 800-63B MOTIVATION DATABASE LEAKAGE ADOBE 152,982,479 Encrypted with 3DES ECB Same password == same ciphertext https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
More informationCOMPUTER PASSWORDS POLICY
COMPUTER PASSWORDS POLICY 1.0 PURPOSE This policy describes the requirements for acceptable password selection and maintenance to maximize security of the password and minimize its misuse or theft. Passwords
More informationL3: Password Cracking
L3: Password Cracking Sudhir Aggarwal and Shiva Houshmand Florida State University Department of Computer Science E-Crime Investigative Technologies Lab Tallahassee, Florida 32306 August 5-7, 2015 Copyright
More informationLecture 4: Hashes and Message Digests,
T-79.159 Cryptography and Data Security Lecture 4: Hashes and Message Digests Helsinki University of Technology mjos@tcs.hut.fi 1 Cryptographic hash functions Maps a message M (a bit string of arbitrary
More informationSession objectives. Identification and Authentication. A familiar scenario. Identification and Authentication
Session objectives Background Identification and Authentication CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 3 Recognise the purposes of (password) identification.
More informationAuthentication CHAPTER 17
Authentication CHAPTER 17 Authentication Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources. getting entrance
More informationComputer Security 4/12/19
Authentication Computer Security 09. Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Paul Krzyzanowski Protocols such as Kerberos combine all three Rutgers
More informationPgcrypto Avast! A study in Django's password hashers. Drew tomatohater.com
Pgcrypto Avast! A study in Django's password hashers Drew Engelson @handofdoom tomatohater.com I m Drew Engelson. Intro. Chief Technologist Why are we here? Things I hope to touch on today. Some background
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationThe LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords
The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords LinkedIn was breached in 2012 with a reported 6.5 million user accounts compromised. LinkedIn sent a request to known hacked users
More informationAuthentication and passwords
Authentication and passwords Passwords The Key Idea Prover sends a password to a Verifier. The channel must be private If an attacker obtains a user s password, he can authenticate as her. Passwords must
More informationKeys and Passwords. Steven M. Bellovin October 17,
Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven
More information5/13/2015 2:54 PM. All your passwords are belong to us. Authorities dig through prescription med databases thanks to pre-digital age precedent.
All your passwords are belong to us. by Dan Goodin - Dec 9, 2012 4:00pm PST Authorities dig through prescription med databases thanks to pre-digital age precedent. Welcome to Radeon City, population: 8.
More informationChapter 3: User Authentication
Chapter 3: User Authentication Comp Sci 3600 Security Outline 1 2 3 4 Outline 1 2 3 4 User Authentication NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines user as: The process
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationInformation Security in Systems and Networks
Information Security in Systems and Networks November 30, 2006 Damira Pon University at Albany, SUNY 1 Password Protection 2 Passwords Everywhere the Eye can See 3 Passwords Basic Problem How do you prove
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More informationComputer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 7 Application Password Crackers
Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition Chapter 7 Application Password Crackers Objectives After completing this chapter, you should be
More informationCSCI 667: Concepts of Computer Security
CSCI 667: Concepts of Computer Security Lecture 8 Prof. Adwait Nadkarni Derived from slides by William Enck, Micah Sherr, Patrick McDaniel and Peng Ning 1 2 Announcements Project Proposals due Tonight,
More informationL5: Basic Grammar Based Probabilistic Password Cracking
L5: Basic Grammar Based Probabilistic Password Cracking Sudhir Aggarwal and Shiva Houshmand and Matt Weir Florida State University Department of Computer Science E-Crime Investigative Technologies Lab
More informationTABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure
TABLE OF CONTENTS 1.0 General Statement... 3 2.0 Purpose... 3 3.0 Scope... 3 4.0 Procedure... 3 4.1 General... 3 4.2 Requirements... 4 4.3 Guidelines... 4 5.0 Failure to comply... 6 2 1.0 GENERAL STATEMENT
More informationAuthentication. Administrative VM login credentials. September 8, CentOS-6.4 root
Authentication September 8, 2017 Administrative VM login credentials CentOS-6.4 student/c$l@blinux root /c$l@blinux ( mnemonic: compter science lab linux ) Centos 4.3 min-gdb root/password Kali Linux root/c$l@blinux
More informationWorksheet - Reading Guide for Keys and Passwords
Unit 2 Lesson 15 Name(s) Period Date Worksheet - Reading Guide for Keys and Passwords Background Algorithms vs. Keys. An algorithm is how to execute the encryption and decryption and key is the secret
More informationHashcat versions are available for Linux, OS X, and Windows and can come in CPU based or GPU based variants. You can download hashcat here.
Hashcat Guide Hashcat is a password cracking tool used to crack hashes. It is great for brute forcing! And generating hashes with patterns ( masks). It supports many hashing algorithms such as Microsoft
More informationAuthentication System
A Biologically Inspired Password Authentication System Dipankar Dasgupta and Sudip Saha Center for Information Assurance University of Memphis Memphis, TN 38152 Outline Motivation Position Authentication
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value
More informationCYB 610 Project 1 Workspace Exercise
CYB 610 Project 1 Workspace Exercise I. Project Overview Your deliverables for Project 1 are described below. You will submit your work at the end of Step 6 of Project 1 in your ELM classroom. 1. Non-Technical
More informationInformation System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)
Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) armahmood786@yahoo.com alphasecure@gmail.com alphapeeler.sf.net/pubkeys/pkey.htm http://alphapeeler.sourceforge.net pk.linkedin.com/in/armahmood
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/1516/ Chapter 4: 1 Chapter 4: Identification & Authentication Chapter 4: 2 Agenda User authentication Identification & authentication Passwords
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More informationCIS 4360 Secure Computer Systems Biometrics (Something You Are)
CIS 4360 Secure Computer Systems Biometrics (Something You Are) Professor Qiang Zeng Spring 2017 Previous Class Credentials Something you know (Knowledge factors) Something you have (Possession factors)
More informationInformation Security & Privacy
IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 8 Feb 24, 2015 Authentication, Identity 1 Objectives Understand/explain the issues related to, and utilize
More informationAuthentication. Tadayoshi Kohno
CSE 484 / CSE M 584 (Winter 2013) Authentication Tadayoshi Kohno Thanks to Vitaly Shmatikov, Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Bennet Yee, and many others for sample
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 15 February 29, 2012 CPSC 467b, Lecture 15 1/65 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationPassword Management. Eugene Davis UAH Information Security Club January 10, 2013
Password Management Eugene Davis UAH Information Security Club January 10, 2013 Password Basics Passwords perform service across a broad range of applications Can act as a way to authenticate a user to
More informationTopics. Authentication System. Passwords
Passwords Topics 1. Password Systems 2. Password Attacks 3. Mitigating Attacks 4. Graphical passwords 5. One-time passwords Authentication System A: set of authentication information information used by
More informationCS 161 Computer Security
Popa & Weaver Fall 2016 CS 161 Computer Security 10/4 Passwords 1 Passwords are widely used for authentication, especially on the web. What practices should be used to make passwords as secure as possible?
More informationAuthentication. Steven M. Bellovin January 31,
Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to do Identification is whom you claim to be be Authentication
More informationPassword authentication How passwords are compromised How to protect and choose passwords Other types of authentication Biometrics
Password authentication How passwords are compromised How to protect and choose passwords Other types of authentication s Identification Present an identifier to a security system Example: username Authentication
More informationUser Authentication and Passwords
User Authentication and : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 31 October 2012 Y12S2L11, Steve/Courses/2012/s2/css322/lectures/passwords.tex,
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13
CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 13 Announcements Talk today: 3:00 Wu & Chen Auditorium Boon Thau Loo "Declarative Networking: Extensible Networks with Declarative Queries"
More informationLecture 3 - Passwords and Authentication
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor
More informationOverview. Terminology. Password Storage
Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and
More informationEasyChair Preprint. Cryptanalysis of Secure Hash Password Technique (CSHPT) in Linux
EasyChair Preprint 109 Cryptanalysis of Secure Hash Password Technique (CSHPT) in Linux Harshavardhan Metla, Vinay Reddy Mallidi, Sai Kiran Chintalapudi and Madhu Viswanatham V EasyChair preprints are
More informationLecture 9 User Authentication
Lecture 9 User Authentication RFC 4949 RFC 4949 defines user authentication as: The process of verifying an identity claimed by or for a system entity. Authentication Process Fundamental building block
More informationFaculty of Engineering of the University of Porto. Informatics System Security. Password Cracking Techniques
Faculty of Engineering of the University of Porto Informatics System Security Password Cracking Techniques Professor: José Manuel de Magalhães Cruz Students: Arthur Johas Matta 201609953 João Pedro Monteiro
More informationMODULE NO.28: Password Cracking
SUBJECT Paper No. and Title Module No. and Title Module Tag PAPER No. 16: Digital Forensics MODULE No. 28: Password Cracking FSC_P16_M28 TABLE OF CONTENTS 1. Learning Outcomes 2. Introduction 3. Nature
More informationAuthentication. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Authentication Murat Kantarcioglu Authentication Overview Basics Passwords Challenge-Response Biometrics Location Multiple Methods Basics
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationCONTENTS. Professional part. Paradigm shift Virtual world real security Old rules, howto-s: good for re-thinking Passwords
CONTENTS Professional part Paradigm shift Virtual world real security Old rules, howto-s: good for re-thinking Passwords PARADIGM PARADIGM What is that, how could you describe it? PARADIGM Set of generally
More informationControlling Website Account Information. A recent survey done by Privacy Rights Clearinghouse shows that in the past five years
Colson 1 Alex Colson Dr. Lunsford Information Security Management 10 July 2007 Controlling Website Account Information A recent survey done by Privacy Rights Clearinghouse shows that in the past five years
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationUser Authentication. Daniel Halperin Tadayoshi Kohno
CSE 484 / CSE M 584 (Autumn 2011) User Authentication Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others
More informationProcesses and authentication
Processes and authentication UNIX process hierarchy ssh b146-* pstree -p less -S pstree -pu crandall lsof -p31009 nc -l 20202 & lsof -p31626 kill -9 31626 Process 1 Process 2 Process 3 System calls Kernel
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More information