Passwords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.

Transcription

1 Passwords CS 166: Introduction to Computer Systems Security 1

2 Source: 2

3 Password Authentication 3

4 What Do These Passwords Have in Common? password football qwerty princess 1234 login welcome solo abc123 admin flower passw0rd dragon sunshine master hottie loveme zaq1zaq1 password1 Top 25 passwords used in 2016 according to SplashData 4

5 Password Authentication Client Username, Password Success / Failure Authentication Server 5

6 Attacks on Passwords Username, Password Client Authentication Server Success / Failure 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 6

7 Storing Passwords 7

8 How Should the Server Store Passwords? Our goal is to defend from attacks that exfiltrate the password database stored by the server Most common password-related attack on server We don t consider other password attacks on the server Eavesdropping passwords submitted by users Modifying the password authentication code 8

9 Attempt #1 - Plaintext Server Client u 1 p 1 u 2 p 2 u 3 p 3 9

10 Attempt #1 - Plaintext What could go wrong? If database is stolen, so are passwords! Admins have access to passwords. Ex. Reddit (2006) 10

11 Attempt #2 - Encryption Store encrypted passwords Decrypt and compare on login Client Server k u 1 c 1 = E k (p 1 ) u 2 c 2 = E k (p 2 ) u 3 c 3 = E k (p 3 ) encryption key 11

12 Attempt #2 - Encryption Advantages If database is stolen, passwords can t be read Only administrators with the encryption key can read the passwords What could go wrong? If the database is stolen, what is to keep the key from being stolen? Anyone with the key (admins) can view passwords Ex. Adobe (2013) 12

13 Attempt #2 - Encryption Even without the key, it s still bad. Why? 13

14 Attempt #2 - Encryption Even without the key, it s still bad. Why? Identical passwords produce identical ciphertexts If you know one password, you know all with the same ciphertext Frequency analysis (0.5% of users use password) Password hints ( numbers ) Some encryption functions produce variable length output that depends on the input 14

15 Attempt #3 - Hashing Password Hash Function Hash Example: 1337p4Ss SHA2 a487cb0eeb4a484a269c703bce7f8c46 b53d a24900ae7ceb577315eb1 15

16 Attempt #3 - Hashing Recall cryptographic hashing: Variable length input, fixed length random output One-way Given hash x, hard to find p such that H(p) = x Weak collision resistance Given input p, hard to find q such that H(p) = H(q) Strong collision resistance Hard to find distinct p, q such that H(p) = H(q) 16

17 Attempt #3 - Hashing Hash the password, store the hash Hash the user-supplied password and compare Server Client u 1 d 1 = H(p 1 ) u 2 d 2 = H(p 2 ) u 3 d 3 = H(p 3 ) 17

18 Attempt #3 - Hashing Registration Hash password, store hash Login Hash user-supplied password, compare with stored hash What advantages does this scheme have? If database is stolen, hashes need to be cracked Correct Cracking is hard (brute-force) so attackers get fewer passwords Is this accurate? 18

19 Attempt #3 - Hashing What could go wrong? Identical passwords produce identical hashes Once you ve cracked a given hash, you can trivially crack it every time you see the same hash again Frequency analysis Precompute massive tables for popular hash functions Rainbow tables trade off space and computation Common passwords are very common! Even a small table cracks most passwords 19

20 Attempt #4 - Salting Password Salt (Random) Hash Function Hash 1337p4Ss fa4dy5 SHA2 35e89a a3c173815d8e7d 6ed2c6957eb5d5228be0942cf93ea72 20

21 Attempt #4 - Salting Server s salt Client u 1 d 1 = H(p 1, s) u 2 d 2 = H(p 2, s) u 3 d 3 = H(p 3, s) 21

22 Attempt #4 - Salting Store hash of salted password Hash the password and hash, then compare What advantages does this scheme provide? In order to precompute, need password and salt Since salts are random, guessing salt is useless Even if salt is known, computation must be redone for every site 22

23 Attempt #4 - Salting What could go wrong? Identical passwords and identical salts produce identical hashes Frequency analysis If you crack one password, you crack them all For big sites, precomputation is worth it 23

24 Attempt #4 - Salting Hashing same password with different salt will produce different hashes 1337p4Ss 4themm SHA2 fa80328eaf40ecbf d8fe63e3b57bc9ee094d b754ca74e034875deb1d 1337p4Ss rsthnks SHA2 2674d6e9c0c1f5ea3235cafccac433a30a9de88ddfa0 c2e044b53daa63c8afdd 24

25 Attempt #5 - Per-User Salting Generate a salt, hash the password, store salt and hash Hash the given password with the user s salt and compare Server u 1 s salt Client u 1 s 1 d 1 = H(p 1, s 1 ) u 2 s 2 d 2 = H(p 2, s 2 ) u 3 s 3 d 3 = H(p 3, s 3 ) 25

26 Attempt #5 - Per-User Salting Generate a salt, hash the password, store the hash Hash the given password with the user s salt and compare What are the advantages of this scheme? Since every user has a different salt, identical passwords will not have identical hashes No frequency analysis No using known passwords to crack other passwords No precomputation - much harder to crack 26

27 Password Cracking 27

28 Brute Force Try all passwords in a given space Eventually succeeds given enough time and CPU power 28

29 Dictionary Attack Precompute hashes of a set of likely passwords Store (hash, password) pairs sorted by hash Fast look up for password given the hash Requires large storage and preprocessing time 29

30 Rainbow Tables Table of previously cracked passwords with their hashes More storage, shorter cracking time 30

31 Time Password Cracking Tradeoff Brute force Rainbow table Dictionary Storage 31

32 Complexity? 10 digits Lower case characters UPPER and lower case Special characters Standard keyboard characters All 7-bit ASCII characters 32

33 Size of Password Space 6 character password (can only use lower case letters, no numbers): Char Index??????

34 Size of Password Space 10 character password (can only use lower case letters, no numbers): Char Index # of choices b?????

35 Size of Password Space 10 character password (can only use lower case letters, no numbers): Char Index # of choices b h????

36 Size of Password Space 10 character password (can only use lower case letters, no numbers): Char Index # of choices b h???? Result: 26 x 26 x 26 or 26 6 possible passwords! 36

37 Back to complexity How many possible passwords? Digits (10): 10 6 UPPER and lower case (52): Special characters: &, %, ^, <, (32): 32 6 Standard keyboard characters (94): 94 6 All 7-bit ASCII characters (128):

38 Password Length Assume a standard keyboard with 94 characters Password length Number of passwords = 7,339,040, = 689,869,781, = 64,847,759,419, = 6,095,689,385,410, = 572,994,802,228,616,704 38

39 Intelligent Guessing Methods Try the top n most common passwords Dictionary of words, names, etc Syntax model e.g., dictionary word with some letters replaced by numbers - elitenoob, e1iten00b, 31it3n00b Markov chain model 39

40 Intelligent Guessing For any scheme that involves guessing, work factor is reduced by guessing intelligently Key insight: not all passwords are equally likely Idea: try most likely passwords first In reality, it doesn t take 9 years to brute force most passwords 40

41 How Unequal? From a study of the Adobe breach password - 0.5% a password in the top % a password in the top % a password in the top 1, % a password in the top 10,000-30% If you re interested, check out these master lists of passwords on Daniel Meissler s github 41

42 What We Have Learned Password authentication Principles and attack vectors Password storage methods Use salted hashes Password cracking Brute-force Dictionary precomputation Intelligent guessing 42