07 Password Authentication

7/27/2019 07 Password Authentication

1/20

Password Authentication

J. Mitchell

CS 259


2/20

Password fileUser

exrygbzyfkgnosfixggjoklbsz

kiwifruit

hash function


3/20

Basic password authentication

Setup User chooses password Hash of password stored in password file

Authentication User logs into system, supplies password System computes hash, compares to file

Attacks Online dictionary attack

Guess passwords and try to log in Offline dictionary attack

Steal password file, try to find p with hash(p) in file


4/20

Dictionary Attack some numbers

Typical password dictionary 1,000,000 entries of common passwords

people's names, common pet names, and ordinary words.

Suppose you generate and analyze 10 guesses per second

This may be reasonable for a web site; offline is muchfaster Dictionary attack in at most 100,000 seconds = 28 hours,

or 14 hours on average

If passwords were random

Assume six-character password Upper- and lowercase letters, digits, 32 punctuation

characters

689,869,781,056 password combinations.

Exhaustive search requires 1,093 years on average


5/20

Salt

Unix password linewalt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh

25x DES

InputSalt

Key

ConstantPlaintext

Ciphertext

Compare

When password is set, salt is chosen randomly


6/20

Advantages of salt

Without salt Same hash functions on all machines

Compute hash of all common strings once

Compare hash file with all known password filesWith salt

One password hashed 212 different ways Precompute hash file?

Need much larger file to cover all common strings Dictionary attack on known password file

For each salt found in file, try all common strings


7/20

Web Authentication

Problems Network sniffing Malicious or weak-security website

Phishing

Common password problem Pharming DNS compromise

Malware on client machine Spyware Session hijacking, fabricated transactions

BrowserServer

password

cookie

next few slides


8/20

Password Phishing Problem

User cannot reliably identify fake sites

Captured password can be used at target site

Bank A

Fake Site

pwdApwd

A


9/20

Common Password Problem

Phishing attack or break-in at site B reveals pwd at A Server-side solutions will not keep pwd safe

Solution: Strengthen with client-side support

Bank A

pwdA

pwdB=

pwdA

Site B


10/20

Defense: Password Hashing

Generate a unique password per site HMACfido:123(banka.com) Q7a+0ekEXb HMACfido:123(siteb.com) OzX2+ICiqc

Hashed password is not usable at any other site Protects against password phishing Protects against common password problem

Bank A

Site B

pwdA

pwdB=


11/20

Defense: SpyBlock


12/20

Defense: SpyBlock

Authentication agentcommunicates through

browser agent

Authentication agent

communicates directlyto web site


13/20

SpyBlock protection

password in trusted client environment

better password-based authentication protocols

trusted environment confirms site transactions

serversupportrequired


14/20

Goals for password protocol

Authentication relies on password User can remember password, use anywhere

No additional client-side certificates, etc.

Protect against attacks Network does not carry cleartext passwords

Malicious user cannot do offline dictionaryattack

Malicious server (as in phishing) does not learnpassword from communication with honest user


15/20

Simple approach

Send hashed passwords

Does this work?

Good points? Bad points?

Browser

Server

hash(pwd|0)

hash(pwd|1)


16/20

Interlock password protocols

(Set-up Phase) Password p known to both parties

(Key Exchange Phase)A B gx

B A gy k = gxy or some function of gxy

(Authentication Phase)A B mack(p, r) for random r

B

A mack(p, s), enck(s) for random sA B enck(r)

[Rivest, Shamir, Bellovin, Merrit, Pederson, Ellison]


17/20

ESP-KE key exchange protocol

Prime p and generators , known

Generate random a Generate random b

A= a/ Pmod p B= bmod p

A

B

If A=0 Abort

k= Bamod p k= (A P)bmod p

Mb=H(0,k,P)Mb

If H(0,k,P) MbAbort

Ma= H(1,k,P) MaIf H(1,k,P) M

a

Abort[M Scott]


18/20

SRP protocol

(Set-up Phase)Carol chooses password P

Steve chooses s, computes x = H(s, P) and v = gx(Key Exchange Phase)

C Bob looks up s, vx = H(s, P) s

A = ga A

B,u B = v + gb, random u

S = (B - gx) (a+ux) S = (Avu)b

M1 = H(A,B,S) M1 verify M1verify M2 M2 M2 = H(A,M1,S)

Key = H(S) Key = H(S) [Wu]


19/20

CMU Phoolproof proposal

Eliminates reliance on perfect user behavior

Protects against keyloggers, spyware.

Uses a trusted mobile device to perform mutual

authentication with the server

password?


20/20

07 Password Authentication

Documents

Transcript of 07 Password Authentication