Password. authentication through passwords

Similar documents
Strong Password Protocols

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

6. Security Handshake Pitfalls Contents

Authentication Protocols. Outline. Who Is Authenticated?

Security Handshake Pitfalls

Proceedings of the 10 th USENIX Security Symposium

Security Handshake Pitfalls

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Security Handshake Pitfalls

5. Authentication Contents

Authentication Handshakes

CSC 474/574 Information Systems Security

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

CS 161 Computer Security

Identification Schemes

1 Identification protocols

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Security Handshake Pitfalls

Real-time protocol. Chapter 16: Real-Time Communication Security

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

ECEN 5022 Cryptography

User Authentication. Modified By: Dr. Ramzi Saifan

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Kurose & Ross, Chapters (5 th ed.)

L13. Reviews. Rocky K. C. Chang, April 10, 2015

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

HOST Authentication Overview ECE 525

Computer Security 3/20/18

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

CS Computer Networks 1: Authentication

User Authentication Protocols

Computer Security 4/12/19

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi

Preventing Attackers From Using Verifiers: A-PAKE With PK-Id

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Network Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System

CS 494/594 Computer and Network Security

User Authentication Protocols Week 7

CSC/ECE 774 Advanced Network Security

Password Authenticated Key Exchange by Juggling

CS 161 Computer Security

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

User Authentication. Modified By: Dr. Ramzi Saifan

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

CS 161 Computer Security

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Key Establishment and Authentication Protocols EECE 412

Overview. Terminology. Password Storage

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

CSE 565 Computer Security Fall 2018

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

HY-457 Information Systems Security

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Public Key Algorithms

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

A Smart Card Based Authentication Protocol for Strong Passwords

ID protocols. Overview. Dan Boneh

Integrated Key Exchange Protocol Capable of Revealing Spoofing and Resisting Dictionary Attacks

CS November 2018

Diffie-Hellman. Part 1 Cryptography 136

CSC 774 Network Security

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CPSC 467b: Cryptography and Computer Security

Chapter 9 Public Key Cryptography. WANG YANG

2.1 Basic Cryptography Concepts

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Goals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack

Authenticating People and Machines over Insecure Networks

Encryption. INST 346, Section 0201 April 3, 2018

Session key establishment protocols

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Session key establishment protocols

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Chapter 9: Key Management

Authentication Objectives People Authentication I

Applied Cryptography and Computer Security CSE 664 Spring 2017

Spring 2010: CS419 Computer Security

Trusted Intermediaries

AIT 682: Network and Systems Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptographic Checksums

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptographic Protocols 1

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Authentication. Murat Kantarcioglu

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSC 8560 Computer Networks: Network Security

Transcription:

Password authentication through passwords

Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse Countermeasures: slow login, close after several unsuccessful attempts Computers Quality keys (long and not predictable) Hidden: not stored in the clear (encrypted, one time passwords) Passwords a.y. 2014-15 CNS Slide Set 9 2

Eavesdropping: adversary is sniffing password must not be sent in the clear Authentication should be different each time (to avoid replay attacks) Store password securely: Adversary can access database of passwords: encrypt passwords Password problems a.y. 2014-15 CNS Slide Set 9 3

Idea: passwords are not stored: data obtained from passwords are stored (use hash) user password is first converted to a secret key K (56 bits, obtained by considering the 7-bit ASCII associated with each of the first 8 characters of password - then DES parity added) store DES K (000 0) actually DES K (DES K (DES K (..DES K (000 0) ))) (25 times) DES' variant used for making fast DES hardware devices useless Unix password hash a.y. 2014-15 CNS Slide Set 9 4

Problem: dictionary attack (users keys are predictable) attacker reads password database and there is a high probability that there is at least one user with a weak password to increase security use salt (12 bit random number): modify DES through salt and encrypt 000 0<salt> salt is per-user generated and can be stored in the clear salt increases work for attacker because it makes impossible to hash a (guessed) password and check if it matches some user's password, but does not solve the problem of weak users key Unix password hash a.y. 2014-15 CNS Slide Set 9 5

Alice wants to authenticate herself to Bob send passwd in the clear - eavesdropper! do Diffie-Hellman exchange for establishing a secret key to be used for encrypting passwd - Trudy can impersonate Bob! use a challenge/response handshake - eavesdropper can carry out dictionary attack use strong password protocols Alice's authentication a.y. 2014-15 CNS Slide Set 9 6

Goals: Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only in particular: no security information is kept at the user s machine (the machine is trusted but not configured) someone impersonating either party will not be able to obtain information for off-line password guessing (online password guessing is not preventable) Strong password protocols a.y. 2014-15 CNS Slide Set 9 7

Bob stores <username, n, h n (password)>, n is a relatively large number, like 1000 Alice s workstation sends x = h n-1 (password) Bob computes h(x): if successful, n is decremented, x replaces h n in Bob s database why is sequence of hash transmissions reversed? if you increment instead of decrementing it does NOT work safe against eavesdropping, database reading no authentication of Bob Lamport s Hash [1981] a.y. 2014-15 CNS Slide Set 9 8

h n-1 (pwd salt) is used for authentication salt is stored at Bob s at setup time, Bob sends salt each time along with n advantages Alice can use the same password with multiple servers, why? if servers use different salts hashes are different! to ensure that the salts are different, servers name are also hashed in easy password reset (when n reaches 1): just change the salt defense against dictionary attacks dictionary attack without the salt: compile h k of all the words in the dictionary, for all k's from 1 to 1000; easier to check results in pwd db! Salting Lamport s Hash a.y. 2014-15 CNS Slide Set 9 9

small n attack when Alice tries to login Trudy impersonates Bob and sends n < n and salt, when Trudy gets the reply she can impersonate Alice until n is decremented to n defense: Alice s workstation shows submitted n to Alice to verify the approximate range (Alice has to remember it) human and paper environment in case Alice workstation is not trusted or too dumb to do hashing Alice is given a list of all hashes starting from 1000, she uses each hash exactly once automatically prevents small n attack string size? 64 bits (~10 characters) is secure enough implemented as S/Key and standardized as one-time password system (RFC 1938) Lamport s Hash: other properties a.y. 2014-15 CNS Slide Set 9 10

Problem: dictionary attack if weak keys (i.e. easily guessable) are chosen EKE Strong w.r.t. dictionary attack Mutual authentication Define session key Scenario: User and server share a weak secret User and server use secret to authenticate and define a session key (Diffie-Hellman) Authentication EKE: Encrypted Key Exchange a.y. 2014-15 CNS Slide Set 9 11

pwd = Alice s password; Bob just knows W mutual authentication EKE basic authentication a.y. 2014-15 CNS Slide Set 9 12

EKE is strong w.r.t. replay attacks a is changed every time dictionary attacks even if the chosen password is weak the choice of random a does not allow the attacker to compute g a authentication is strong because uses strong session key k Note: if the attacker knows the password then can act in place of A EKE: basic properties a.y. 2014-15 CNS Slide Set 9 13

SPEKE (Simple Password Exponential Key Exchange) uses W in place of g in D.-H. exchange transmits W a mod p and W b mod p, session key is W ab mod p PDM (Password Derived Moduli) chooses p depending upon password and uses g = 2 EKE variants a.y. 2014-15 CNS Slide Set 9 14

if Trudy knew W, could impersonate Alice if passwd file stolen, it is possible to do a dictionary attack if successful Trudy could impersonate the user if unsuccessful, knowledge of W still allows to impersonate Alice basic EKE schemes (EKE, SPEKE, and PDM) can be modified to have a augmented property the idea is for Bob to store a quantity derived from the password that can be used to verify the password, but Alice's machine is required to know the password (not the derived quantity stored at the server) EKE weakness and defence a.y. 2014-15 CNS Slide Set 9 15

example for PDM server stores p and 2 W mod p, where W is (still) a hash of user's password Augmented strong password protocols a.y. 2014-15 CNS Slide Set 9 16

instead of requiring server to do an additional Diffie-Hellman exponentiation, it does an RSA verify operation, which is much less expensive this is accomplished by having Bob store, for Alice, an RSA private key encrypted with Alice's password, and the corresponding public key this can be done with any of the basic schemes (EKE, SPEKE, or PDM) augmentation at higher performance (server side) a.y. 2014-15 CNS Slide Set 9 17

augmented EKE example a.y. 2014-15 CNS Slide Set 9 18

Bob stores Y, which is Alice's private key encrypted with a function of her password different hash of the password than W, or someone that stole the server database would be able to obtain her private key Bob also stores Alice's RSA public key corresponding to the encrypted private key in message 1, Alice sends the usual first EKE message, consisting of her Diffie-Hellman value encrypted with W in message 2, Bob sends his Diffie-Hellman value, along with Y (Alice's encrypted private key), encrypted with the agreed-upon Diffie-Hellman key Alice extracts Y by decrypting with g ab mod p, and then decrypts Y with her password to obtain her private key in message 3, Alice signs a hash of the Diffie-Hellman key and the challenge c, and Bob verifies her signature using the stored public key this achieves mutual authentication as well as the augmented property discussion a.y. 2014-15 CNS Slide Set 9 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback