![Page 1: Network Security Fundamentals - University of Michigancja/NSF13/lectures/netsec-04... · 2013-04-13 · Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f1153f273092452bc17dd4a/html5/thumbnails/1.jpg)
Network Security Fundamentals
Security Training Course
Dr. Charles J. Antonelli The University of Michigan
2013
Network Security Fundamentals
Module 4 Password Strength & Cracking
Roadmap
• Password Authentication
• How Passwords are Cracked
• Countermeasures
04/13 cja 2013 3
Password Authentication
Password Representations
• UNIX DES “Hashes”
Old technology, but still around
• Linux Hashes
Salted SHA-512, SHA-256, MD5, Blowfish
• Mac OS X Hashes
Salted SHA-1
UNIX “Hash” Generation
• Password length 8 characters or less
• 7 bits of each character used to generate 56-bit key
• Key used to encrypt a constant using a variation of the DES algorithm
[Diagram: the key MGoBlue1 and the constant (0x00000000) are fed to DES’; the output is the UNIX hash zvktPWeeFzCVA]
UNIX “Hash” Considerations
• It’s not a hash
• Keyboard character set
  Common alphanumeric set only
  Character variations ≈ 126
• Maximum entropy ≈ 6.3*10^16 passwords
• Salted
Linux Hash Generation
• Hash the password
• Store it
[Diagram: MGoBlue1 → SHA-512 → SHA-512 hash $6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKw!HekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/!]
Linux Hash Considerations
• Keyboard character set
  Common alphanumeric set only
  Character variations ≈ 126
• Maximum length = 256 characters
• Entropy for 256-character password ≈ 4.9*10^538
• Entropy for 20-character password from 126 character set ≈ 1.0*10^42
• Entropy for 20-character password from 69 “keyboard” character set ≈ 6.0*10^36
• Salted
Linux Passwords
• Passwords stored in /etc/shadow readable only by root
• Other per-user information stored in /etc/passwd world readable
• UNIX stored both in /etc/passwd !
Linux Hashes
• Several hashes available
• Use SHA-512!

ID    Method
$1$   MD5
$2a$  Blowfish (some distros)
$5$   SHA-256
$6$   SHA-512 (default)
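The ID prefixes in the table above are what an administrator sees in the hash field of /etc/shadow. Added example (not part of the slides): a small audit script that classifies each entry by crypt(3) method, salt and round count, and flags the DES and MD5 forms the slides call old or broken. The 13-character DES string is the slide's own example; every other hash body in the sample is a constructed placeholder, and the 5000-round default is the documented crypt(5) default for $5$/$6$ when no rounds= field is present.

```python
from typing import List

# crypt(3) ID prefixes from the slide's table; a 13-character field with no
# "$" prefix is the traditional UNIX DES "hash" (2-char salt + 11-char result).
METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
WEAK = {"DES", "MD5"}        # per the slides: DES is old technology, MD5 is broken
DEFAULT_ROUNDS = 5000        # crypt(5) default for $5$ and $6$ when rounds= is absent

def classify(field: str) -> dict:
    """Classify the password field of one /etc/shadow entry."""
    info = {"method": None, "salt": None, "rounds": None, "weak": False, "locked": False}
    if field.startswith("!"):
        info["locked"] = True            # locked account; a crackable hash may still follow
        field = field.lstrip("!")
    if field in ("", "*"):
        return info                      # no password set / login disabled
    if not field.startswith("$"):
        if len(field) == 13:
            info.update(method="DES", salt=field[:2])
        else:
            info["method"] = "unknown"
        info["weak"] = info["method"] in WEAK
        return info
    parts = field.split("$")             # "$6$rounds=N$salt$hash" -> ["", "6", "rounds=N", "salt", "hash"]
    ident = parts[1]
    info["method"] = METHODS.get(ident, "unknown")
    if ident in ("5", "6"):
        rounds = DEFAULT_ROUNDS
        if len(parts) > 2 and parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
            parts.pop(2)
        info["rounds"] = rounds
        info["salt"] = parts[2] if len(parts) > 2 else None
    elif ident == "1":
        info["salt"] = parts[2] if len(parts) > 2 else None
    elif ident == "2a":                  # bcrypt: "$2a$cost$<22-char salt><31-char hash>"
        info["rounds"] = 2 ** int(parts[2]) if len(parts) > 2 else None
        info["salt"] = parts[3][:22] if len(parts) > 3 else None
    info["weak"] = info["method"] in WEAK
    return info

def audit_shadow(lines: List[str]) -> List[tuple]:
    """Return (user, method, weak) for every entry that carries a hash at all."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        info = classify(field)
        if info["method"] is not None:
            out.append((user, info["method"], info["weak"]))
    return out

# Constructed sample shadow lines; "zvktPWeeFzCVA" is the slide's DES example,
# the other hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "root:$6$rounds=10000$Q9xUwmT4$" + "A" * 86 + ":15800:0:99999:7:::",
    "legacy:zvktPWeeFzCVA:15800:0:99999:7:::",
    "olduser:$1$saltsalt$" + "B" * 22 + ":15800:0:99999:7:::",
    "bsd:$2a$10$" + "C" * 53 + ":15800:0:99999:7:::",
    "svc:!$6$dmk52gd$" + "D" * 86 + ":15800:0:99999:7:::",
    "daemon:*:15800:0:99999:7:::",
]
```

Running audit_shadow(SAMPLE_SHADOW) flags legacy (DES) and olduser (MD5); the locked svc entry still reports SHA-512 because a "!" prefix does not remove the hash from the file.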
SHA-3 Hash Contest Update
• MD5 broken, SHA-1 & 2 suspect
• NIST competition for a SHA-3
  Timeframe 2008-2012
  51 candidates submitted for Round 1
  14 candidates in Round 2: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein
  Final candidates announced December 10, 2010: BLAKE, Grøstl, JH, Keccak, and Skein
  SHA-3 standard to be published 2012 (2013?)
Choosing A Password
• Good
  Pass phrases (much longer than 8 characters)
  miX cAsE
  digits/punctuation
  control characters
  easy to remember
  no words in any language
• Bad
  people’s names
  dictionary/technical words or phrases
  birth dates
  places
  common acronyms
  backwards spelling
  simple permutations
  8 characters or less
Choosing A Password 2013
• Good
  Pass phrases (much longer than 8 characters)
• Bad
  Everything else
How Passwords are Cracked
Passive Online Attacks: Man-in-the-Middle and Replay Attacks
• Somehow get access to communications channel
• Wait for authentication sequence
• Proxy authentication traffic
• No need to brute-force
• Considerations
  Relatively hard to perpetrate
  Must be trusted by one or both sides
  Some tools widely available
  Anyone remember MarketScore?
Active Online Attacks: Password guessing
• Try different passwords until one works
• Made easier by
  Bad passwords
  Excessive information from server
  Lack of password guessing controls
• Considerations
  Assuming good passwords, is this even feasible?
    Common 8 character password space (69^8)
    Password expires in 90 days
    Need to guess 3,964,493,629 pwds/sec
    Need throughput of 253,727,592,310 bits/sec
    Gigabit Ethernet = 1B bits/sec
  Easily detected and stopped
  Core problem: Bad passwords
Offline Attacks
• Attacker has password database
  Not that hard: Need to be admin (or steal the box)
• Can attack at leisure
• Attack types:
  Dictionary attack
    Very fast
    Core problem: Bad passwords
  Brute force attack
    AlphaNumerics, then AlphaNumerics + upper row symbols, etc.
    Slow, but will eventually find all passwords
  Hybrid
    Start with dictionary, insert entropy
  Pre-computed hashes
    Rainbow tables
    Time-space tradeoff
• Considerations
  Moore’s law
John the Ripper
• http://www.openwall.com/john/
• Fast, open-source password cracker
  Created by Solar Designer
  Active development group
• Runs on Linux, Mac OS X, Solaris, Android, …
• Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS DES, and LM DES hashes
• Runs well on HPC clusters using OpenMP
• Jumbo patch for 1.7.9, revision 7 adds GPU support
  CUDA and OpenCL
• Openwall community wiki
  http://openwall.info/wiki/john
Hashcat
• http://hashcat.net/hashcat/
• Fast password cracker
• Runs on Windows, Linux, Mac OS X
• Command line & GUI versions
• Supports a large number of hash types
• Multiple attack modes (dictionary, rule-based, combinator, …)
• GPU support
• https://hashcat.net/wiki/doku.php?id=hashcat
Lab: Crack Passwords
1. Install John the Ripper
   cd; tar zxf /usr/local/lab/john/john-1.7.9.tar.gz; cd ~/john-1.7.9/doc
   Follow directions in INSTALL & README
2. Create test account with a weak password using MD5 hashing
   sudo vi /etc/pam.d/system-auth
   Change string sha512 to md5 in third paragraph
   sudo useradd sucker
   sudo passwd sucker
3. Undo the change to system-auth you made in step 2.
4. Create test account with a weak password using SHA-512 hashing
   sudo useradd trout
   sudo passwd trout
5. Obtain password hashes
   cd ~/john-1.7.9/run; sudo ./unshadow /etc/passwd /etc/shadow >passwd.1
6. Crack
   ./john passwd.1
Lab: Crack Passwords
• You can interrupt at any time, and restart with
  ./john --restore
• If you want to start over
  rm john.pot restore
• To display all passwords found so far
  ./john --show passwd.1
• To see how fast John is on your machine
  ./john --test
• When done, delete the test accounts and the local password and crack files!
  sudo userdel sucker; sudo userdel trout
  /bin/rm ~/john-1.7.9/run/{john.pot,passwd.1}
Rainbow Tables
• What if you precomputed the password hashes?
  All Windows LM hashes: 166 Terabytes
  All Windows NT hashes < 15 chars: 140,959,235,198 Exabytes
• This would result in faster cracking, at the cost of storing all those hashes
  This is the time-memory tradeoff
  Implemented using hash chains
    Clever way to link the hashes into chains
    Only store 1 in 10,000 hashes
• Rainbow tables improve on hash chains
  Reduce collisions (overlapping chains)
• Ineffective against salted hashes
  Unix, Linux, and Mac OS X hashes are salted
  Windows NT hashes are not
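To make the three points above concrete (chains store only one hash in many, column-dependent reduction is what makes a table "rainbow", and a salt defeats the precomputation), here is an added toy implementation that is not part of the slides. It uses a constructed space of 10,000 four-digit PINs and SHA-256 in place of a real password hash; chain length, chain count and the start-point spread are arbitrary choices for the demonstration.

```python
import hashlib
from typing import Dict, List, Optional

N = 10_000         # toy password space: 4-digit PINs "0000".."9999" (constructed)
CHAIN_LEN = 100    # t: hashes computed per chain; only 1 in CHAIN_LEN is stored
NUM_CHAINS = 800   # m: chains kept in the table

def H(pw: str, salt: str = "") -> bytes:
    """The hash being precomputed (SHA-256 stands in for a real scheme);
    a salt, if the scheme uses one, is prepended to the password."""
    return hashlib.sha256((salt + pw).encode()).digest()

def R(h: bytes, col: int) -> str:
    """Reduction function: map a hash back into the password space. Mixing in
    the column index gives every column its own reduction; that is what turns
    a plain hash chain into a rainbow chain, so two chains that collide in
    different columns no longer merge into one another."""
    return f"{(int.from_bytes(h[:8], 'big') + col) % N:04d}"

def chain_point(start: str, k: int) -> str:
    """The k-th password on the chain that begins at start (k = 0 is start)."""
    pw = start
    for col in range(k):
        pw = R(H(pw), col)
    return pw

def build_table() -> Dict[str, List[str]]:
    """Precomputation: walk each chain to its end, store only end -> starts."""
    table: Dict[str, List[str]] = {}
    for i in range(NUM_CHAINS):
        start = f"{(i * 7919) % N:04d}"          # deterministic spread of starts
        table.setdefault(chain_point(start, CHAIN_LEN), []).append(start)
    return table

def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Online phase: assume target sits in column k, regenerate the chain tail
    from it, and on an end-point hit rebuild that chain from its start. The
    final H(cand) == target check rejects false alarms from merged chains;
    a salted target can never pass it, which is why salting defeats tables."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, k)
        for col in range(k + 1, CHAIN_LEN):
            pw = R(H(pw), col)
        for start in table.get(pw, []):
            cand = start
            for col in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), col)
    return None

def coverage(table: Dict[str, List[str]]) -> int:
    """Distinct passwords the table can recover: m*t hash computations were
    spent to build it, but only m (end, start) pairs are stored."""
    seen = set()
    for starts in table.values():
        for pw in starts:
            for col in range(CHAIN_LEN):
                seen.add(pw)
                pw = R(H(pw), col)
    return len(seen)
```

Building the table and then calling lookup on H(pw) for an unsalted pw recovers it from 800 stored entries, while lookup on H(pw, salt="x7") returns None: the table would have to be rebuilt once per possible salt.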
Rainbow Tables
• http://ophcrack.sourceforge.net/
  Windows password cracker that uses rainbow tables
  Cracks LM and NT hashes
  Live CD support
  Free tables for Windows XP and Vista (dictionary based)
  For-fee tables for Vista (NTLM)
  Seems to be moribund
• http://www.freerainbowtables.com/
  “Folding@home” distributed cracking model
  Terabytes of tables
  Free tables
  For-fee tables
  Seems to be quite active
Countermeasures
Policy-Based Mitigation
• Develop a password policy
  Require pass phrases
  Greater than 15 mixed characters
  Password expiration for all accounts
  No password reuse (temporal and spatial)
  Account lockout (where appropriate)
• Physical security policy
  Cornerstone for any security
  No physical security = no security
• No policy = no enforcement
Pass Phrases v. Passwords
• Pass phrases are long strings
  “I wish we’d use 2Factor authentication instead of passwords”
  Very strong protection against attacks
  Easy to remember, a bit longer to type
• Passwords are short complex strings
  “@Rag0Rnrul3z”
  Hard to remember
  Often difficult to type
  Not resistant against current attacks
    Obvious substitutions are quickly broken
• Take-away: Long easily-remembered phrases are better than short complex passwords
http://xkcd.com/936/
Technology-Based Mitigation: Multi-factor authentication
• Why use only passwords?
• Two-factor authentication
  Very difficult to thwart
  Higher cost of initial deployment
  Long-term cost benefit
  Idea: use your smartphone as your token
    http://www.duosecurity.com/
    Google Authenticator
Technology-Based Mitigation: Multi-factor authentication
• Biometrics
  Measure some physical characteristic
    Fingerprint, iris color distribution, retinal pattern, …
  Usually defeated with non-technical attacks
  Historically unreliable
    False positives - bad guy authenticated
    False negatives - legitimate user refused
  Can be stolen
  Iris scanners popular
[Image courtesy Wikipedia]
Summary
• Bad passwords get broken, even when using good storage and authentication methods!
• Solutions
  1. Use better passwords
  2. Don’t let bad guys get the hashes
• Combination of policy and technology
References
• http://en.wikipedia.org/wiki/NIST_hash_function_competition
• http://keccak.noekeon.org/
• http://csrc.nist.gov/groups/ST/hash/sha-3/
• http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf
• http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/submissions_rnd2.html
• http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/BURR_SHA-3Conf-day_1_wrapup.pdf
• http://en.wikipedia.org/wiki/Rainbow_tables
• http://ophcrack.sourceforge.net/
• http://www.freerainbowtables.com/
• man 3 shadow
• man 3 crypt
http://threatpost.com/en_us/blogs/social-engineering-attacks-prove-failure-user-education-042110