Fundamentals of Linux Platform Security

Transcription

1 Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012

2 Linux Platform Security Module 2 Password Authentication

3 Roadmap Password Authentication How Passwords are Cracked Countermeasures 3

4 Password Authentication

5 Password Representations UNIX DES Hashes Old technology, but still around Linux Hashes Salted -512, SHA-256, MD5, Blowfish Mac OS X Hashes Salted SHA-1 5

6 UNIX Hash Generation Password length 8 characters or less 7 bits of each character used to generate 56-bit key Key used to encrypt a constant using a variation of the DES algorithm MGoBlue1 Constant (0x ) Key DES UNIX Hash zvktpweefzcva 6

7 It s not a hash Keyboard character set Common alphanumeric set only Character variations 126 UNIX Hash Considerations Maximum entropy 6.3*10 16 passwords Salted 7

8 Hash the password Store it Linux Hash Generation MGoBlue1 SHA-512 SHA-512 Hash $6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKw! HekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/! 8

9 Keyboard character set Linux Hash Considerations Common alphanumeric set only Character variations 126 Maximum length = 256 characters Entropy for 256-character password 4.9* Entropy for 20-character password from 126 character set 1.0*10 42 Entropy for 20-character password from 69 keyboard character set 6.0*10 36 Salted 9

10 Passwords stored in /etc/shadow readable only by root Other per-user information stored in /etc/passwd world readable UNIX stored both in /etc/passwd! Linux Passwords 10

11 Linux Hashes Several hashes available Use SHA-512! ID Method $1$ MD5 $2a$ Blowfish (some distros) $5$ SHA-256 $6$ SHA-512 (default) 11

12 SHA-3 Hash Contest Update MD5 broken, SHA-1&2 suspect NIST competition for a SHA-3 Timeframe candidates submitted for Round 1 14 candidates in Round 2 BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Final candidates announced December 10, 2010 BLAKE, Grøstl, JH, Keccak, and Skein SHA-3 standard to be published

13 Choosing A Password Good Pass phrases (much longer than 8 characters) mix case digits/punctuation control characters easy to remember no words in any language Bad people s names dictionary/technical words or phrases birth dates places common acronyms backwards spelling simple permutations 8 characters or less 13

14 Good Pass phrases (much longer than 8 characters) Choosing A Password Bad Everything else

15 How Passwords are Cracked

16 Passive Online Attacks Man-in-the-Middle and Replay Attacks Somehow get access to communications channel Wait for authentication sequence Proxy authentication-traffic No need to brute-force Considerations Relatively hard to perpetrate Must be trusted by one or both sides Some tools widely available Anyone remember MarketScore? 16

17 Try different passwords until one works Made easier by Bad passwords Excessive information from server Lack of password guessing controls Considerations Active Online Attacks Password guessing Assuming good passwords, is this even feasible? Common 8 character password space (69^8) Password Expires in 90 days Need to guess 3,964,493,629 pwds/sec Need throughput of 253,727,592,310 bits/sec Gigabit Ethernet = 1B bits/sec Easily detected and stopped Core problem: Bad passwords 17

18 Offline Attacks Attacker has password database Not that hard: Need to be admin (or steal the box) Can attack at leisure Attack types: Dictionary attack Very Fast Core Problem: Bad Passwords Brute Force attack AlphaNumerics then AlphaNumerics + Upper Row Symbol, etc Slow, but will eventually find all passwords Hybrid Start with Dictionary, Insert Entropy Pre-computed Hashes Rainbow tables Time-space tradeoff Considerations Moore s law 18

19 John the Ripper Fast, open-source password cracker Created by Solar Designer Active development group Runs on Linux, Mac OS X, Solaris, Android, Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS DES, and LM DES hashes Runs well on HPC clusters using Open MP Jumbo patch for 1.7.9, revision 7 adds GPU support CUDA and OpenCL Openwall community wiki 19

20 Lab: Crack Passwords 1. Install John the Ripper cd; tar zxf /usr/local/lab/john/john tar.gz; cd ~/john-1.7.9/doc Follow directions in INSTALL & README 2. Create test account with a weak password using MD5 hashing sudo vi /etc/pam.d/system-auth Change string sha512 to md5 in third paragraph sudo useradd sucker sudo passwd sucker 3. Undo the change to system-auth you made in step Create test account with a weak password using SHA-512 hashing sudo useradd trout sudo passwd trout 5. Obtain password hashes cd ~/john-1.7.9/run; sudo./unshadow /etc/passwd /etc/shadow >passwd.1 6. Crack./john passwd.1 20

21 Lab: Crack Passwords You can interrupt at any time, and restart with./john restore If you want to start over rm john.pot john.rec To display all passwords found so far./john show passwd.1 To see how fast John is on your machine./john --test When done, delete the test accounts and the local password and crack files! sudo userdel r sucker; sudo r userdel trout /bin/rm ~/john-1.7.9/run/{john.???,passwd.1} 21

22 Rainbow Tables What if you precomputed the password hashes? All Windows LM Hashes: 166 Terabytes All Windows NT Hashes < 15 chars: 140,959,235,198 Exabytes This would result in faster cracking, at the cost of storing all those hashes This is the Time-Memory tradeoff Implemented using hash chains Clever way to link the hashes into chains Only store 1 in 10,000 hashes Rainbow tables improve on hash chains Reduce collisions (overlapping chains) Ineffective against salted hashes Unix, Linux, and Mac OS X hashes are salted Windows NT hashes are not 22

23 Rainbow Tables Windows password cracker that uses rainbow tables Cracks LM and NT hashes Live CD support Free tables for Windows XP and Vista (dictionary based) For-fee tables for Vista (NTLM) Seems to be moribund (but a couple of very recent updates!) Folding@home distributed cracking model Terabytes of tables Free tables For-fee tables Seems to be quite active 23

24 Countermeasures

25 Policy-Based Mitigation Develop a password policy Require pass phrases Greater than 15 mixed characters Password expiration for all accounts No password reuse (temporal and spatial) Account lockout (where appropriate) Physical security policy Cornerstone for any security No physical security = no security No policy = no enforcement 25

26 Pass Phrases v. Passwords Pass phrases are long strings Example: I wish we could use 2Factor authentication instead of passwords Very strong protection against attacks Easy to remember, a bit longer to type Passwords are short complex strings Hard to remember Often difficult to type Not resistant against current attacks Obvious substitutions are quickly broken Take-away: Long easily-remembered phrases are better than short complex passwords 26

27 Technology-Based Mitigation Multi-factor authentication Two-factor authentication RSA Key, Google Authenticator, Duo Very difficult to thwart More expensive than passwords Long-term cost benefit Cost of second factor dropping constantly Biometrics Two- or three-factor authentication More expensive and failure-prone that passwords Iris scans seem to work best 27

28 Summary Bad passwords get broken, even when using good storage and authentication methods! Solutions 1. Use better passwords 2. Don t let bad guys get the hashes Combination of policy and technology 28

29 References presentations/burr_sha-3conf-day_1_wrapup.pdf man 3 shadow man 3 crypt 29