CSC 482582 Computer Security Authentication and Passwords CSC

CSC 482/582: Computer Security Authentication and Passwords CSC 482/582: Computer Security

Authentication 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Identity Groups and Roles Network Identities Authentication Biometrics UNIX Authentication Password Threat Models and Attacks Storing Passwords: Hashing and Salting Password Selection Graphical Password Systems One-time Passwords CSC 482/582: Computer Security

What is Identity? Computer’s representation of an entity �Entities can be subjects or objects. Authentication binds a principal to an identity. Example: �username expresses your identity. �password binds the person typing to that particular identity (username). CSC 482/582: Computer Security

Purpose of Identity Access Control �Most systems base access rights on identity of principal executing the process. Accountability �Logging and auditing functions. �Need to track identity across account/role changes (e. g. , su, sudo). CSC 482/582: Computer Security

Groups and Roles An “entity” may be a set of entities referred to by a single identifier. Principals often need to share access to files, and thus are taken as groups. �static: alias for a group of principles. �dynamic: principal changes from one group to another as different privileges are needed. role: a group that ties membership to function CSC 482/582: Computer Security

Network Identity Ethernet (MAC) Address � 48 -bit data link level identifier �example: 00: 0 B: DB: 78: 39: 8 A IP Address � 32 -bit network level identifier �ex: 10. 17. 0. 101 IPv 6 Address � 128 -bit network level identifier �ex: fe 80: : 2 a 0: c 9 ff: fe 97: 153 d/64 Hostname (DNS name) �string application level identifier �ex: www. nku. edu CSC 482/582: Computer Security

What is Authentication? Binding of an identity to a subject Based on: 1. 2. 3. 4. What the entity knows (e. g. , passwords) What the entity has (e. g. , access card) What the entity is (e. g. , fingerprints) Where the entity is (e. g. , local terminal) Two-factor authentication CSC 482/582: Computer Security

Authentication System A: set of authentication information �information used by entities to prove identity C: set of complementary information �information stored by system to validate A F: set of complementation functions f : A → C �generate C from A L: set of authentication functions l: A C→{T, F} �verify identity S: set of selection functions �enable entity to create or alter A or C CSC 482/582: Computer Security

Password System Example User authenticates with 8 -character alphanumeric password. System compares against stored cleartext password. A = [A-Za-z 0 -9]{8} C=A F={I} L={=} Not a system that anyone should actually use. CSC 482/582: Computer Security

Biometric System Example User authenticates with fingerprint. System compares w/ digital fingerprint template. A = { user fingerprints } C = { digital fingerprint templates } F = { fingerprint reader + analog->digital } L = { tunable similarity function } CSC 482/582: Computer Security

What You Know �Passwords �Pass Phrases �PINs CSC 482/582: Computer Security

What You Have �Smart Cards �USB Token �RFID used for toll collection CSC 482/582: Computer Security

RFID Radio Frequency Identification Types of Tags �Passive: use power from reader signal �Active: internal power source Applications EPC RFID Tag �Product tracking (EPC barcode replacement) �Transportation payment �Automotive (embedded in car keys) �Passports �Human implants CSC 482/582: Computer Security

What You Are: Biometrics Identification by human characteristics: 1. 2. Physiological Behavioral A biometric characteristic should be: 1. 2. 3. 4. universal: everyone should have it unique: no two people should share it permanent: it should not change with time quantifiable: it must be practically measurable CSC 482/582: Computer Security

How Biometrics Work 1. User submits sample. 2. Software turns sample into digital template. 3. Software compares template against stored reference template. 4. Authentication based on how closely templates match. CSC 482/582: Computer Security

Biometric Measurement Possible Outcomes: Correct person accepted 2. Imposter rejected 3. Correct person rejected (False Rejection) 4. Imposter accepted (False Acceptance) 1. CSC 482/582: Computer Security

False Positives and Negatives Tradeoff between False Accept Rate False Reject Rate CSC 482/582: Computer Security

Fingerprints Capacitive measurement, using differences in electrical charges of whorls on finger to detect those parts touching chip and those raised. CSC 482/582: Computer Security

Brandon Mayfield �Fingerprints found in 2004 Madrid bombing. �Brandon arrested May 6, 2004. �FBI claimed “ 100 percent positive” match. �Held under a false name. �Then transferred to unidentified location. �Spanish police identify fingerprint as belonging to an Algerian man May 21, 2004. �Brandon released May 25, 2004. CSC 482/582: Computer Security

Eye Biometrics Iris Scan �Lowest false accept/reject rates of any biometric. �Person must hold head still and look into camera. Retinal Scan �Cataracts and pregnancy change retina pattern. �Lower false accept/reject rates than fingerprints. �Intrusive and slow. CSC 482/582: Computer Security

Other Types of Biometrics Physiological Behavioral • DNA • Gait recognition • Face recognition • Keyboard dynamics • Hand geometric • Mouse dynamics • Heartbeat • Signatures • Voice recognition CSC 482/582: Computer Security

Biometrics are not infallible What are False Accept and Reject Rates? Do the characteristics change over time? �Retina changes during pregnancy. �Fingerprint damage due to work/pipe smoking. �Young and old people have fainter fingerprints. Is it accurate in the installed environment? �Is someone observing fingerprint or voiceprint checks? �i. e. , did you collect biometric from the person? CSC 482/582: Computer Security

Biometrics can be compromised. Unique identifiers, not secrets. �You can change a password. �You can’t change your iris scan. Examples: �You leave your fingerprints every place. �It’s easy to take a picture of your face. Other compromises. �Use faux ATM-style devices to collect biometrics. �Obtain all biometric templates from server. CSC 482/582: Computer Security

Use and Misuse of Biometrics Employee identification. �Employee enters login name. �System uses fingerprint to verify employee is who he claims to be. �Problem: Does biometric match the employee? Criminal search (Superbowl 2001) �System uses face recognition to search for criminals in public places. �Problem: Does any biometric in database match anyone in a crowd of people? �Assume system is 99. 99% accurate and 1 in 10 million people is a terrorist. Result: 1000 false positives for each terrorist. CSC 482/582: Computer Security

Location Classic: only allow access from a particular terminal or a particular set of remote hosts. Modern: GPS-based �Location Signature Sensor (LSS) for host and user. �Access rules permit user only to access host with specific LSS values. �Cell-phones track location, and some states use them to track drivers’ speed and locations. CSC 482/582: Computer Security

UNIX Authentication UNIX identifies user with a UID �Username is for humans, UID for computers. � 32 -bit unsigned integer. �UID=0 is the superuser, root. Identity and authentication data stored in �/etc/passwd �/etc/shadow �/etc/group CSC 482/582: Computer Security

/etc/{passwd, shadow} Central file(s) describing UNIX user accounts. /etc/passwd �Username �UID �Default GID �GCOS �Home directory �Login shell /etc/shadow �Username �Encrypted password �Date of last pw change. �Days ‘til change allowed. �Days `til change required. �Expiration warning time. �Expiration date. student: x: 1000: Example User, , 555 -1212, : /home/student: /bin/bash student: $1$w/Uu. Kt. LF$ot. SSv. Xt. SN/x. Jz. UOGFEl. Nz 0: 13226: 0: 99999: 7: : : CSC 482/582: Computer Security

Password Storage and Use CSC 482/582: Computer Security

Password Threat Models 1. Online Attacks �Threat has access to login user interface. �Attack is attempts to guess passwords using the normal UI (slow). 2. Offline Attacks �Threat has access to hashed passwords. �Attack is to guess words, hash words, then compare with hashed passwords (fast). 3. Side Channel Attacks �Threat has access to account management UI. �Attack by using password reset functionality. CSC 482/582: Computer Security

Password Leaks are Common CSC 482/582: Computer Security

Password Cracking Get Hashed Password pwhash word = Next word from list List of potential passwords. wordhash = Hash(word) wordhash == pwhash True word is password CSC 482/582: Computer Security False

Cracking Methods 1. List of common passwords � 2. 3. As a result of leaks, lists of millions are available. List of English/foreign dictionary words Permutation rules Substitute numbers/symbols for letters � Change case, pluralize, reverse words, digit/symbol prefix/postfix, replace letters with symbols (a with @) � Join words from sources #1 and #2 above, with symbols or 4 -digit or shorter numbers added infix or prefix or postfix. � 4. Brute force � All possible passwords CSC 482/582: Computer Security

Parallel Cracking GPUs contain hundreds of small processor cores �Can be used to crack some types of password hashes. Elcomsoft benchmarks http: //www. elcomsoft. com/eprb. html Cluster of 25 Radeon GPUs. � 350 billion Windows NTLM pws/sec �Cluster can try every password that is <= 8 characters long in 5. 5 hours. CSC 482/582: Computer Security

Countering Password Guessing Choose A, C, and F to select suitably low probability P(T) of guessing in time T. P(T) >= TG / N G is number of guess per time unit T � T is number of time units in attack � N is number of possible passwords � CSC 482/582: Computer Security

Calculating Minimum Password Length Password System �There are 96 allowable characters in password. �System allows 106 guesses/second. �Requirement: probablility of success guess should be 0. 5 over 365 -day period. What should the minimum password length be? �N >= TG/P �N >= (365 x 24 x 60) x 106 / 0. 5 = 6. 31 x 1013 �N = S S 96 , where i ranges from 1 to length of password i � 96 i >= N = 6. 31 x 1013 is true when largest i >= 8 �The minimum required password length is 8. CSC 482/582: Computer Security

Password Aging Requirement that password be changed after a period of time or after an event has occurred If expected time to guess is 180 days, should change password more frequently than 180 days 1. 2. 3. 4. If change time too short, users have difficulty recalling passwords. Cannot allow users to change password to current one. Also prevent users from changing passwords too soon. Give notice of impending password change requirement. CSC 482/582: Computer Security

Classic UNIX Passwords Format: Up to 8 ASCII characters �A contains 6. 9 x 1016 possible passwords �C contains crypt hashes, strings of length 13 chosen from alphabet of 64 characters, 3. 0 x 1023 strings Storage �/etc/passwd (0644) was traditionally used �/etc/shadow (0600) in modern systems CSC 482/582: Computer Security

Classic UNIX Password Hashing crypt() function used for hashing �DES encrypts 64 -bit block of 0 s (25 rounds) using your password for the key. � Modified tools. DES incompatible with DES hardware cracking �Limited to 8 characters or less. �If limited to 95 printable characters, only 253 possible passwords. CSC 482/582: Computer Security

Rainbow Tables Faster cracking by trading space for time: �Dictionary of passwords and their hashes �Contains all passwords < length n �Find password by looking up hash in table GPU cracking fast enough to reduce importance.

Salts Add random, public data to password to create key. Any word may be encrypted in 2 n possible ways: �Your password always uses same n-bit salt. �Someone else with same password (a) probably has different salt, and thus different c = f(a). Traditional UNIX crypt had a 12 -bit salt �Number of possible keys increased to 266 �Too small for today. �Modern UNIX uses slower hash + larger salt. CSC 482/582: Computer Security

Common Hashing Schemes SHA 512 crypt (Linux, Mac OS X) � unlimited length passwords � 5000 iterations � 16 character salt Bcrypt (55 character long passwords, 128 -bit salt) � Based on modified (slower) Blowfish encryption algorithm. � Configurable iteration count for hashing. � Increases cost of guessing on a per-account basis. PBKDF 2 (Password-Based Key Derivation Function 2) � Framework with configurable hash, iterations, salt. (. NET) Scrypt � Sequential, memory-hard hashing algorithm. � Defense against specialized hardware (GPUs, ASICs, FPGAs) CSC 482/582: Computer Security

Argon 2 �Winner of Password Hashing Competition (2013 -2015) �Competition hosted by cryptographers, not NIST. �Goal: hash function for password storage that is slow on CPUs, GPUs (unlike scrypt), and FPGAs (unlike bcrypt) and that is resistant to lookup table attacks. �Argon 2 �Scalable time and memory requirements. �Built-in 128 -bit nonce protects against lookup table attacks. �Configurable output size (128 bit is default. ) CSC 482/582: Computer Security Slide #42

Windows 2000/XP Passwords Storage �%systemroot%system 32configsam �locked while NT running �%systemroot%repairsam_ backup file �may be accessible via remote registry calls Format �LAN Manager (LM) Hash �NT (MD 4) Hash CSC 482/582: Computer Security

Windows LM Hash Algorithm 1. 2. 3. 4. 5. Password fitted to 14 character length by truncating or padding with 0 s. Password converted to upper case. Password divided into two 7 -byte halves. Each half used as DES key to encrypt same 8 -byte constant. Resultant strings merged to form a 16 -byte hash value. CSC 482/582: Computer Security

Windows LM Hash Problems Last 8 bytes of c known if password < 7 chars. Dividing password into halves reducing problem of breaking 14 -character password to breaking two 7 character passwords. Conversion to upper case reduces character set. Dictionary of password hashes can be prebuilt �Number of possible passwords much smaller than DES space. �No salt is used. CSC 482/582: Computer Security

Windows NT Hash Converts to Unicode, MD 4 hashes result Caveat: Often used in conjunction with LM hash, which is required for backwards compatibility. No salt: identical passwords generate identical hashes. CSC 482/582: Computer Security

Password Selection 1. 2. 3. Random Selection Pronounceable Passwords User Selection CSC 482/582: Computer Security

Random Selection Yields equal distribution of passwords for maximum difficulty in cracking �What about short passwords? Random passwords aren’t easy to remember �Short term memory holds 7 +/- 2 items �People have multiple passwords �Principle of Psychological Acceptability Requires a good PRNG CSC 482/582: Computer Security

Random Selection (Bad)Example PDP-11 password generator � 16 -bit machine � 8 upper-case letters and digits �|P| = 368 = 2. 8 x 1012 �At 0. 00156 sec/encryption, 140 years to brute force PRNG had period of 216 – 1 �Only 65, 535 possible passwords �Requires 102 seconds to try all passwords CSC 482/582: Computer Security

User Selection Allow users to choose passwords. Reject insecure passwords based on ruleset: 1. 2. 3. 4. 5. 6. 7. 8. Based on account, user, or host names Dictionary words Permuted dictionary words Patterns from keyboard Shorter than 6 characters Digits, lowercase, or uppercase only passwords License plates or acronyms Based on previously used passwords CSC 482/582: Computer Security

Human Randomness? CSC 482/582: Computer Security

Bad Passwords CSC 482/582: Computer Security

How to Select Good Passwords Long passwords, consisting of multiple words. . 1. Use nth letter of each word if phrase too long. Themes: 2. 1. 2. 3. 4. 5. 6. 7. Word combinations: 3 blind katz E-mail or URL: yoda@strong-this-password-is. net Phone number: (888) 888 -eight Bracketing: Starfleet -> *!-Starfleet-!* Add a word: shopping -> Goin’ shopping Repetition: Pirate--Pirate. Ship Letter swapping: Sour Grape -> Gour Srape CSC 482/582: Computer Security

Miseducating Users? CSC 482/582: Computer Security https: //xkcd. com/936/

Online Attacks If complements not accessible, attacker must use authentication functions to do an online attack. Cannot be prevented. To increase difficulty of auth function attack: Backoff: increasing wait before allowing another guess. Disconnection: disconnect after n failures. Disabling: disable account after n failures. Jailing: permit access to limited system, so admins can observe attacker. CSC 482/582: Computer Security

Side Channel Attacks are Easier Web sites will e-mail you password if you answer a simple “secret” question: 1. 2. 3. What is your favorite color? What is your pet’s name? What is your mother’s maiden name? Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there? CSC 482/582: Computer Security

Graphical Passwords �Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces. �Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story. CSC 482/582: Computer Security

Challenge-Response Problem: passwords are reusable, and thus subject to replay attacks. Solution: authenticate in such a way that the transmitted password changes each time. CSC 482/582: Computer Security

One-Time Passwords A password that’s invalidated once used. Challenge: number of authentication attempt Response: one-time password Problems �Generation of one-time passwords � Use hash or cryptographic function �Synchronization of the user and the system � Number or timestamp passwords CSC 482/582: Computer Security

Key Points 1. 2. Access control is based on identity. Authentication consists of an entity, the user, attempting to convince another entity, the verifier, of the user’s identity 1. 2. 3. something you know (passwords) something you have (security tokens) something you are (biometrics) Dictionary attacks can break password security �Rainbow tables trade space for time to speedup cracking. �Special hardware (GPUs) and parallelization can speedup. 4. Stored passwords are secured by �Hashing (possibly with multiple iterations) �Salting 5. One-time passwords offer greater security. CSC 482/582: Computer Security

References 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. Phil Agre. “Your Face is not a Bar Code, ” http: //polaris. gseis. ucla. edu/pagre/bar-code. html, 2003. Ross Anderson, Security Engineering, 2 nd edition, Wiley, 2008. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, 2006. Lorie Faith Cranor and Simson Garfinkel, Security and Usability, O’Reilly, 2005. Dan Goodin, Why passwords have never been weaker—and crackers have never been stronger, Ars Technica, http: //arstechnica. com/security/2012/08/passwords-under-assault/, 2012. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. Cynthia Kuo et. al. , “Human Selection of Mnemonic Phrase-based Passwords, ” SOUPS 2006, http: //cups. cmu. edu/soups/2006/proceedings/p 67_kuo. pdf, 2006. Bruce Schneier, “Biometrics: Truths and Fictions, ” Cryptogram, http: //www. schneier. com/crypto-gram-9808. html#biometrics, 1998. Bruce Schneier, “The Curse of the Secret Question, ” http: //www. schneier. com/essay-081. html, 2005. Solar Designer, Password hashing at scale, Ya. C 2012, http: //www. openwall. com/presentations/Ya. C 2012 -Password-Hashing-At. Scale/, 2012. Joe Wetzels, Open Sesame: The Password Hashing Competition and Argon 2, https: //eprint. iacr. org/2016/104. pdf, 2016. CSC 482/582: Computer Security