CSE331:Introduction to Networksand Security

Lecture 23

Fall 2002

CSE331 Fall 2002 2

Announcements

• Class is cancelled next Wednesday (Nov. 6th)

CSE331 Fall 2002 3

Recap

• Protocols– Arbitrated : 3rd party intermediary– Adjudicated : 3rd party rules on validity afterwards– Self enforcing : no 3rd party

• Today– Authentication

CSE331 Fall 2002 4

Authentication

• The process of determining which principal is making a request or statement.

• Humans:– Not good at calculating– Bad memories

• Machines:– Good at calculating– Good memories

• Thus: Different engineering tradeoffs

CSE331 Fall 2002 5

Authenticating Humans: Foundations

• Authentication is based on one or more of the following:

• Something you know– e.g. a password

• Something you have– e.g. a driver’s license

• Something inherent about you– e.g. your fingerprint or retinal pattern

CSE331 Fall 2002 6

Password Vulnerabilities• Writing them down

– Moves problem to physical security

• Stolen passwords (via eavesdropping)– Trojan Horse

• Poor password choice– Easy to guess vs. easy to remember– People use the same password multiple times– Passwords changed infrequently

• Offline attacks– Search through password dictionary

CSE331 Fall 2002 7

1979 Survey of 3,289 Passwords

• With no constraints on choice of password, Morris and Thompson got the following results:– 15 were a single ASCII letter.– 72 were strings of two ASCII letters.– 464 were strings of three ASCII letters.– 47 were strings of four alphanumerics.– 706 were five letters, all upper-case or all lower-

case.– 605 were six letters, all lower case.

CSE331 Fall 2002 8

Heuristics for Guessing Attacks

• The dictionary with the words spelled backwards

• A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well.

• The above with initial upper-case letters.• All valid license plate numbers in your state.

(About 5 hours work in 1979 for New Jersey.)• Room numbers, social security numbers,

telephone numbers, and the like.

CSE331 Fall 2002 9

What makes a good password?

• Password Length– 64 bits of randomness is hard to crack– 64 bits is roughly 20 “common” ASCII characters– But… People can’t remember random strings– Longer not necessarily better: people write the passwords

down

• Pass phrases– English Text has roughly 1.3 random bits/char.– Thus about 50 letters of English text– Hard to type without making mistakes!

• In practice– Non-dictionary, mixed case, mixed alphanumeric– Not too short (or too long)

CSE331 Fall 2002 10

Preventative Mechanisms

• Use a trusted path– CTRL+ALT+DEL is a hardware mechanism to

prevent Trojan Horse login prompts– Disallow remote authentication: users authenticate

to local machines, machines to remote authentication.

• Make on-line guessing attacks expensive– Disconnect after 3 tries, wait 10 seconds– Prevents automated attacks

CSE331 Fall 2002 11

Unix: /etc/passwd

• Passwords stored in a file system are vulnerable to automated attacks– At first Unix was implemented with a password file

holding the actual passwords of users.

• This had many vulnerabilities– Copies were made by privileged users– Copies were made by bugs: classic example

posted password file on daily message file– Physical access to backup was a vulnerability– Information from the password file needed to be

replicated into many other files

CSE331 Fall 2002 12

Preventing Off-line Attacks

• Hash the passwords and store the hashed version.

• Take the password from the user, hash it, and compare with password file entry.

• Problems– Poor user selection of passwords (easy to guess)– Users choose the same password

CSE331 Fall 2002 13

Improvements to First Approach• Slower hashing: use password to create a key,

then hash a constant using 25 iterations of the DES algorithm.– Speed OK for legitimate users– Takes longer to do automatic search

• Use non-standard hash function– Not readily available in hardware

• Enforce password rules– Makes the passwords harder to guess

CSE331 Fall 2002 14

Add Salt

• “Salt” the passwords by adding random bits.– Makes dictionary attacks more expensive.– Decreases the likelihood that two identical

passwords will appear as identical entries in the password file.

• 12 bit salt results in 4,096 versions of each password.

• /etc/passwd entry:user_id saltu Hash(saltu + passwdu) …

CSE331 Fall 2002 15

One Time Passwords

• Shared lists.• Sequentially updated.• One-time password sequences based on a

one-way (hash) function.

• Used in practice: SKey mechanism

CSE331 Fall 2002 16

Hash-based 1-time Passwords

• Alice identifies herself to verifier Bart using a well-known one-way hash function H.

• One-time setup.– Alice chooses a secret w.– Fixes a constant t for the number of times the

authentication can be done.– Alice securely transfers Ht(w) to Bart

H(H(H…(H(w))…))

t times

CSE331 Fall 2002 17

Hash-based 1-time Passwords

• Protocol actions. For session i, claimant A does the following to identify itself:– A computes w’ = H**(t-i)(w) and transmits the

value to B.– B checks that i is the correct session (ie. that the

previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1).

– B saves w’ and i for use in the next session.

CSE331 Fall 2002 18

One-time passwords: ith authentication

• Alice does the following to identify herself:– A computes w’ = H (t-i)(w) and transmits the value to B.– B checks that i is the correct session (ie. that the previous

session was i-1) and checks to see if H(w’) = v where v was the last value provided by A (as part of session i-1).

– B saves w’ and i for use in the next session.

Alice Bart

WH(-)

H(t-i+1)(w),H(-)

{A, i, H(t-i)(w)}

CSE331 Fall 2002 19

Why This 1-time Password Works

• It’s hard to compute x from H(x).– Even though attacker gets to see H(t-i)(x), they

can’t guess then next message H(t-(i+1))(x).

CSE331 Fall 2002 20

Challenge-Response

• Background.– Random numbers (nonces).– Sequence numbers.– Timestamps.

• Symmetric keys.– With timestamps or random numbers.

• MAC’s.• Asymmetric keys.

– With encryption or signature.

CSE331 Fall 2002 21

Replay

• Replay is the threat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender.

• Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in.

• There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.

CSE331 Fall 2002 22

Random Numbers

• A random number is a number chosen unpredictably in a range.

• In a challenge-response protocol they are used as follows.– The verifier chooses a (new) random number and

provides it to the claimant.– The claimant performs an operation on it showing

knowledge of a secret.– This information is bound inseparable to the

random number and returned to the verifier for examination.

– A timeout period is used to ensure “freshness”.

CSE331 Fall 2002 23

Sequence Numbers

• Sequence numbers provide a sequential or monotonic counter on messages.

• If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded.

• Cannot detect forced delay.• Difficult to maintain when there are system

failures.

CSE331 Fall 2002 24

Time Stamps

• The claimant sends a message with a timestamp.

• The verifier checks that it falls within an acceptance window of time.

• The last timestamp received is held, and identification requests with older timestamps are ignored.

• Good only if clock synchronization is close enough for acceptance window.