CSC 482/582: Computer Security Authentication CSC 482/582: Computer Security


Authentication
1. Identity
2. Authentication Systems
3. Biometrics
4. Passwords

What is Identity?
• Computer’s representation of an entity
• Entities can be subjects or objects.
• Authentication binds an entity to an identity.
• Example:
  • username expresses your identity.
  • password binds the person typing to that particular identity (username).

Purpose of Identity
• Access Control
  • Most systems base access rights on identity of principal executing the process.
• Accountability
  • Logging and auditing functions.
  • Need to track identity across account/role changes (e.g., sudo).

Network Identity
• Ethernet (MAC) Address
  • 48-bit data link level identifier
  • example: 00:0B:DB:78:39:8A
• IP Address
  • 32-bit network level identifier
  • ex: 10.17.0.101
• IPv6 Address
  • 128-bit network level identifier
  • ex: fe80::2a0:c9ff:fe97:153d/64
• Hostname (DNS name)
  • string application level identifier
  • ex: www.nku.edu

What is Authentication?
Binding of an identity to a subject
Based on:
1. What the entity knows (e.g., passwords)
2. What the entity has (e.g., access card)
3. What the entity is (e.g., fingerprints)
Two-factor authentication

Authentication System
• A: set of authentication information
  • information used by entities to prove identity
• C: set of complementary information
  • information stored by system to validate A
• F: set of complementation functions f : A → C
  • generate C from A
• L: set of authentication functions l : A × C → {T, F}
  • verify identity
• S: set of selection functions
  • enable entity to create or alter A or C

Password System Example
User authenticates with 8-character alphanumeric password.
System compares against stored cleartext password.
A = [A-Za-z0-9]{8}
C = A
F = { I }
L = { = }
Not a system that anyone should actually use.

Biometric System Example
User authenticates with fingerprint.
System compares w/ digital fingerprint template.
A = { user fingerprints }
C = { digital fingerprint templates }
F = { fingerprint reader + analog->digital }
L = { tunable similarity function }

What You Know
• Passwords
• Pass Phrases
• PINs

What You Have
• Smart Cards
• USB Token
• RFID used for toll collection

Biometrics can be compromised.
• Unique identifiers, not secrets.
  • You can change a password.
  • You can’t change your iris scan.
• Examples:
  • You leave your fingerprints every place.
  • It’s easy to take a picture of your face.
• Other compromises:
  • Use faux ATM-style devices to collect biometrics.
  • Obtain all biometric templates from server.

What You Are: Biometrics
Identification by human characteristics:
1. Physiological
2. Behavioral
A biometric characteristic should be:
1. universal: everyone should have it
2. unique: no two people should share it
3. permanent: it should not change with time
4. quantifiable: it must be practically measurable

Eye Biometrics
• Iris Scan
  • Lowest false accept/reject rates of any biometric.
  • Person must hold head still and look into camera.
• Retinal Scan
  • Cataracts and pregnancy change retina pattern.
  • Lower false accept/reject rates than fingerprints.
  • Intrusive and slow.

How Biometrics Work
1. User submits sample.
2. Software turns sample into digital template.
3. Software compares template against stored reference template.
4. Authentication based on how closely templates match.

Biometric Measurement
Possible Outcomes:
1. Correct person accepted
2. Imposter rejected
3. Correct person rejected (False Rejection)
4. Imposter accepted (False Acceptance)

False Positives and Negatives
Tradeoff between
• False Accept Rate
• False Reject Rate
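
The tradeoff above, as an added example that is not part of the original slides: the tunable similarity function L is reduced to a threshold test, and sweeping the threshold shows the false accept rate (FAR) falling as the false reject rate (FRR) rises. The score lists, function names and step size are constructed for illustration.

```python
# Constructed similarity scores in [0, 1]; higher means a closer template match.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.73, 0.90, 0.86, 0.93]
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.22, 0.81, 0.47, 0.30, 0.74, 0.19]


def accept(score, threshold):
    """The authentication function l: accept when the templates match closely enough."""
    return score >= threshold


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at one threshold."""
    false_accepts = sum(accept(s, threshold) for s in impostor)
    false_rejects = sum(not accept(s, threshold) for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(steps=20):
    """Rows of (threshold, FAR, FRR) at evenly spaced thresholds from 0 to 1."""
    return [(i / steps, *rates(i / steps)) for i in range(steps + 1)]


def closest_to_equal_error(table):
    """Threshold where FAR and FRR are closest: the approximate equal error rate."""
    return min(table, key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    for threshold, far, frr in sweep():
        print(f"threshold={threshold:.2f}  FAR={far:.1f}  FRR={frr:.1f}")
    print("closest to equal error:", closest_to_equal_error(sweep()))
```

A lenient threshold favours convenience (few rejections of the right person) and a strict one favours security (few accepted impostors); which end to choose is the question the next slide asks.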

Think, Share, Pair
1. What are disadvantages of using a biometric authentication system with high false accept rates?
2. What are disadvantages of using a biometric authentication system with high false reject rates?
3. As a manufacturer, would you prefer high false accept or reject rates for a personal device like a phone?
4. Which would you prefer for a car?

Password Storage and Use

Password Threat Models
1. Online Attacks
  • Threat has access to login user interface.
  • Attack attempts to guess passwords using the normal UI (slow).
2. Offline Attacks
  • Threat has access to hashed passwords.
  • Attack is to guess words, hash words, then compare with hashed passwords (fast).
3. Side Channel Attacks
  • Threat has access to account management UI.
  • Attack by using password reset functionality.

Password Leaks are Common

Password Cracking
1. Get hashed password pwhash.
2. word = next word from list (list of potential passwords).
3. wordhash = Hash(word)
4. wordhash == pwhash?
  • True: word is password.
  • False: continue with the next word from the list.

Cracking Methods
1. List of common passwords
  • As a result of leaks, lists of millions are available.
2. List of English/foreign dictionary words
3. Permutation rules
  • Substitute numbers/symbols for letters
  • Change case, pluralize, reverse words, digit/symbol prefix/postfix, replace letters with symbols (a with @)
  • Join words from sources #1 and #2 above, with symbols or 4-digit or shorter numbers added infix or prefix or postfix.
4. Brute force
  • All possible passwords

Parallel Cracking
GPUs contain hundreds of small processor cores
• Can be used to crack some types of password hashes.
Elcomsoft benchmarks http://www.elcomsoft.com/eprb.html
Cluster of 25 Radeon GPUs.
• 350 billion Windows NTLM pws/sec
• Cluster can try every password that is <= 8 characters long in 5.5 hours.

Countering Password Guessing
Choose A, C, and F to select suitably low probability P(T) of guessing in time T.
P(T) >= TG / N
• G is number of guesses per time unit T
• T is number of time units in attack
• N is number of possible passwords

Calculating Minimum Password Length
• Password System
  • There are 96 allowable characters in password.
  • System allows 10^6 guesses/second.
  • Requirement: probability of a successful guess should be 0.5 over 365-day period.
• What should the minimum password length be?
  • N >= TG/P
  • N >= (365 x 24 x 60) x 10^6 / 0.5 = 6.31 x 10^13
  • N = Σ 96^i, where i ranges from 1 to length of password
  • 96^i >= N = 6.31 x 10^13 is true when largest i >= 8
• The minimum required password length is 8.

Password Aging
Requirement that password be changed after a period of time or after an event has occurred
If expected time to guess is 180 days, should change password more frequently than 180 days
1. If change time too short, users have difficulty recalling passwords.
2. Cannot allow users to change password to current one.
3. Also prevent users from changing passwords too soon.
4. Give notice of impending password change requirement.

Think, Pair, Share
• How long would passwords need to be to resist a year of brute force cracking at one billion guesses/second?
  • Assume 100 allowable characters for ease of computation.
  • Probability of guess is 50%.
• How realistic is this computation, with its assumption of brute force cracking instead of dictionary cracking? Should passwords be required to be longer than the size you compute above?

Table-based Cracking
• Faster cracking by trading space for time:
  • Dictionary of passwords and their hashes
  • Contains all passwords < length n
  • Find password by looking up hash in table
• Rainbow Table algorithm reduces space required. They include most but not all passwords.

Salts protect against Tables
Add random, public data to password to create key.
Any word may be encrypted in 2^n possible ways:
• Your password always uses same n-bit salt.
• Someone else with same password (a) probably has different salt, and thus different c = f(a).
Traditional UNIX crypt had a 12-bit salt
• Number of possible keys increased by 2^12
• Means password table would be 4096 times larger
• Modern UNIX uses slower hash + larger salt.

Common Hashing Schemes
• SHA512crypt (Linux, Mac OS X)
  • unlimited length passwords
  • 5000 iterations
  • 16 character salt
• Bcrypt (55 character long passwords, 128-bit salt)
  • Based on modified (slower) Blowfish encryption algorithm.
  • Configurable iteration count for hashing.
  • Increases cost of guessing on a per-account basis.
• PBKDF2 (Password-Based Key Derivation Function 2)
  • Framework with configurable hash, iterations, salt. (.NET)
• Scrypt
  • Sequential, memory-hard hashing algorithm.
  • Defense against specialized hardware (GPUs, ASICs, FPGAs)
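
An added example (not from the original slides) of the salting and slow-hashing ideas on the two slides above, written in the A/C/F/L terms of the Authentication System slide: `complement` plays f and `authenticate` plays l. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record format and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16       # 128-bit random salt: public, but unique per account


def complement(password: str, salt: bytes = b"") -> str:
    """f: A -> C. Build the stored record; a fresh random salt is used by default."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Keep scheme, cost and salt beside the digest so the cost can be raised later.
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def authenticate(password: str, record: str) -> bool:
    """l: A x C -> {T, F}. Recompute with the stored salt, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def unsalted(password: str) -> str:
    """Fast unsalted hash: the weak baseline that one precomputed table covers."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Two constructed accounts that chose the same pass phrase."""
    phrase = "correct horse battery staple"
    alice, bob = complement(phrase), complement(phrase)
    return {
        "unsalted_records_match": unsalted(phrase) == unsalted(phrase),
        "salted_records_differ": alice != bob,
        "right_phrase_accepted": authenticate(phrase, alice),
        "wrong_phrase_rejected": not authenticate(phrase.upper(), alice),
        "malformed_rejected": not authenticate(phrase, "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the two salted records differ, a table built for one salt says nothing about the other account, and the iteration count multiplies the cost of every offline guess.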

Argon2
• Winner of Password Hashing Competition (2013-2015)
  • Competition hosted by cryptographers, not NIST.
  • Goal: hash function for password storage that is slow on CPUs, GPUs (unlike scrypt), and FPGAs (unlike bcrypt) and that is resistant to lookup table attacks.
• Argon2
  • Scalable time and memory requirements.
  • Built-in 128-bit nonce protects against lookup table attacks.
  • Configurable output size (128 bit is default.)

Password Recommendations
1. Ask user to choose a pass phrase, not a password.
2. Minimum password length of 12 characters.
3. No maximum password length.
4. Ability to use special characters but no requirement.
5. Restrict use of passwords from known breaches.
6. Help users regularly check for breaches using a service like https://monitor.firefox.com/
7. Use Multi-Factor Authentication (MFA), so attackers cannot access account with just a password.

Windows LM Hash Algorithm
1. Password fitted to 14 character length by truncating or padding with 0s.
2. Password converted to upper case.
3. Password divided into two 7-byte halves.
4. Each half used as DES key to encrypt same 8-byte constant.
5. Resultant strings merged to form a 16-byte hash value.

Windows LM Hash Problems
Last 8 bytes of c known if password < 7 chars.
Dividing password into halves reduces problem of breaking 14-character password to breaking two 7-character passwords.
Conversion to upper case reduces character set.
Dictionary of password hashes can be prebuilt
• Table only needs upper case 7 character passwords.
• No salt, so only need to store one hash per password.

Windows NT Hash
• Modern Windows uses MD4 hash algorithm, but
  • Often both LM Hash and MD4 are stored for backwards compatibility, so hackers can just crack LM Hash.
  • It does not use a salt.
• Other issues
  • Password hashes of Active Directory users who login to a PC are stored locally on that PC.
  • Some network services allow login with the hash, without requiring knowledge of the password. Exploiting this is called a pass-the-hash attack.

Online Attacks
If hashes are not accessible, attacker must use authentication functions to do an online attack. Cannot be prevented.
To increase difficulty of auth function attack:
• Backoff: increasing wait before allowing another guess.
• Disconnection: disconnect after n failures.
• Disabling: disable account after n failures.
• Jailing: permit access to limited system, so admins can observe attacker.
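
Backoff and disabling from the slide above, combined in one per-account throttle. This is an added example, not code from the original slides; the class, its parameters (doubling delay, cap, failure limit) and the attempt log are constructed for illustration, and the clock is passed in so the behaviour can be replayed deterministically.

```python
class LoginThrottle:
    """Per-account exponential backoff plus disabling after repeated failures."""

    def __init__(self, base_delay=1.0, max_delay=300.0, disable_after=10):
        self.base_delay = base_delay        # seconds of wait after the first failure
        self.max_delay = max_delay          # cap on the backoff
        self.disable_after = disable_after  # consecutive failures before disabling
        self.failures = {}                  # account -> consecutive failure count
        self.next_allowed = {}              # account -> earliest time of next attempt

    def check(self, account, now):
        """Return 'ok', 'wait' or 'disabled' before any password is verified."""
        if self.failures.get(account, 0) >= self.disable_after:
            return "disabled"
        if now < self.next_allowed.get(account, 0.0):
            return "wait"
        return "ok"

    def record(self, account, success, now):
        """Update state after an attempt that check() allowed."""
        if success:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.next_allowed[account] = now + delay


def simulate(attempts, throttle=None):
    """Replay (time, account, password_correct) attempts; return each decision."""
    throttle = throttle or LoginThrottle(disable_after=4)
    decisions = []
    for now, account, correct in attempts:
        state = throttle.check(account, now)
        if state == "ok":  # throttled attempts never reach the password check
            throttle.record(account, correct, now)
        decisions.append(state)
    return decisions


# Constructed attempt log: rapid wrong guesses, then the right password too late.
SAMPLE = [(0.0, "alice", False), (0.5, "alice", False), (1.0, "alice", False),
          (2.0, "alice", False), (3.0, "alice", False), (7.0, "alice", False),
          (15.0, "alice", False), (16.0, "alice", True)]

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

The last entry in the sample shows the cost of disabling: once the limit is reached even the correct password is refused, so anyone who can reach the login UI can lock the legitimate user out.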

Side Channel Attacks are Easier
Web sites will e-mail you your password if you answer a simple “secret” question:
1. What is your favorite color?
2. What is your pet’s name?
3. What is your mother’s maiden name?
Violation of principle of fail-safe defaults
Failover to less secure protocol.
How many favorite colors are there?

Key Points
1. Access control is based on identity.
2. Authentication consists of an entity, the user, attempting to convince another entity, the verifier, of the user’s identity
  1. something you know (passwords)
  2. something you have (security tokens)
  3. something you are (biometrics)
3. Dictionary attacks can break password security
  • Rainbow tables trade space for time to speed up cracking.
  • Special hardware (GPUs) and parallelization can speed up cracking.
4. Stored passwords are secured by
  • Hashing (possibly with multiple iterations)
  • Salting
5. Modern password advice.
