13-5-Auth
Transcript of 13-5-Auth
-
8/11/2019 13-5-Auth
1/97
Who are you ?
-
8/11/2019 13-5-Auth
2/97
2
How can you identify someone?
Certificates, Protocols: Machine to Machine Human to Machine ?
Lets have some suggestions
Be creative, not necessarily computer oriented
Classification of identification methods
What you know (e.g. password)What you are (e.g. biometrics, behaviour)
What you have (e.g. security token)
-
8/11/2019 13-5-Auth
3/97
Passwordswww.dilbert.com
-
8/11/2019 13-5-Auth
4/97
4
Your passwords
Everybody has several passwords
Did you choose them?
If so how?
Can you remember them?
Also if you do not use often?
Can no one guess them?
`Vectra bad password for known Opel fan.
-
8/11/2019 13-5-Auth
5/97
5
Passwords (what you know)But: How secure & secret is the secret ?
AsD5^#2a2fUHard to guess ~Hard to rememberEasyPassword
Alice
EasyPassword
BobBusterCharlie
PDf47$%2!aDilbert
*****
User:AlicePwd: EasyPassword
Recovery
AlicesMothers
Name
-
8/11/2019 13-5-Auth
6/97
6
Example: pin protected copier
Copier in hallway
Protected by 5 digit code
Enough entropy?
If 10 users with different codes?
Number of tries needed in practice?
*****
-
8/11/2019 13-5-Auth
7/97
7
Ex2: Account passwords in Unix
Usually user chosen
Passwords not stored on systemWhy?
HASHof a password stored insteadHash is one-way
Collision resistant
/etc/passwrd
World readable (for Account info; name, id, group, etc.)Hashed-password
-
8/11/2019 13-5-Auth
8/97
8
Theoretical Strength (ball park)
8 symbols; 128^8 = 72,000,000 G
brute force in little over a year at 1G/s (*)
If restrict to letters, digits or common symbols;
96^8: in ~ 3 months Only letters and numbers: half a day
(*) 1G/s+ easily realistic (e.g. in 2002 75G/s RC5-64passwords per seconds using distributed computing)
-
8/11/2019 13-5-Auth
9/97
9
Account passwords in Unix (cont.) Multiple passwords reduce effort
if any victim is fineSalt
Still significant risk
Faster computers
Weaknesses found in hash functions
Cannot simply make password longer Shadow passwords
Access only for `root, event to hashed pwd
-
8/11/2019 13-5-Auth
10/97
10
Example of password in Unix
Program to create Hashed passwords#!/bin/perl$salt = ab; # should randomly generate
print New Password: ;
$pwd = ; # enter pwdprint crypt( $pwd, $salt ); # lib call
Run
New Password: Hello abdF5znAEMJTk
New Password: Goodbye
abPV5atKxA04c
-
8/11/2019 13-5-Auth
11/97
11
Practical Strength: Password Guessing Often: dictionary words, keyboard patterns
Complexity too low even with added symbolWeak!
WHY?...
Guessing: DB with often used words.
Dictionary, common names, etc.
Add symbols, numbers.
Often only a single bad password needed
-
8/11/2019 13-5-Auth
12/97
12
From (Password) Crack tutorialPeople tend to pick keyboard patterns ("qwerty","!@#$%^&*', etc.) and natural language words.
Suddenly an adversary doesn't have to try 5.96E16strings.
Success rate 22% using a lists of dutch, english,french, german, italian, norwegian and swedishwords plus lists of names, jargon words, keyboardpatterns and anything else people tend to use when
picking passwords.
List of 2.2E7 "words (out of 5.96E16)
(At 1.000 tries a second: all in 6 hrs)
-
8/11/2019 13-5-Auth
13/97
13
Passwords pros and cons
Checking passwords
At time of entry
With password cracking tool
MyOnePwd
AssignedRandomly
generated
Reuse
Password safe(Why cannot use hash?)
Guidelines
Generation
Use
System side
-
8/11/2019 13-5-Auth
14/97
14
Some Conclusions on Passwords Very commonly used system
Well known, easy to use
Cheap
A weak form of authentication
Limited complexity Badly chosen passwords
Have to be used in correct way Prevent access to encrypted passwords
Limit guess rates where possible
Remember it may be broken
-
8/11/2019 13-5-Auth
15/97
www.trustedreviews.com
Biometrics
-
8/11/2019 13-5-Auth
16/97
16
Biometrics Physical and behavioral characteristics, e.g.Fingerprints
Iris
facial characteristics
hand measurementsgrip pattern
signature
voicetyping pattern
DNA
etc.
-
8/11/2019 13-5-Auth
17/97
17www.cl.cam.ac.uk
www.byometric.com
Example: Priviumprogram at Schiphol
Iris recognition
Profile stored on card
Skip passport check Fallback
Regular check
At front of the line
-
8/11/2019 13-5-Auth
18/97
18
Typical Mode of Operation
Verification is easier than identification
-
8/11/2019 13-5-Auth
19/97
19
Characteristics biometric system Universal (everyone has it)
Uniqueness (different for everyone)
Permanence (same over time),... ... ... ...
-
8/11/2019 13-5-Auth
20/97
20
Characteristics biometric system Collectability (usability, convenience),
Performance (accurate and fast)
=
-
8/11/2019 13-5-Auth
21/97
21
Characteristics biometric systemAcceptance (user and societies view)
Circumvention (easy to fake)
-
8/11/2019 13-5-Auth
22/97
22
Some Comparisons
-
8/11/2019 13-5-Auth
23/97
23
Variation in Measurements
Every measurement slightly different Enrollment
Profile (e.g. average) from many measurements
Validation New measurements approximately match profile?
Threshold describes allowed distance
Trade off false acceptance rate - false reject rateQuality often specified by equal error rate
-
8/11/2019 13-5-Auth
24/97
24
threshold => FAR FRR trade-offAccept
imposter
Reject
valid
individual
F
alseAccept
Rate
False Reject Rate
t small
t big
-
8/11/2019 13-5-Auth
25/97
25
Evaluation Security of aBiometric system
-
8/11/2019 13-5-Auth
26/97
26
Biometrics Privacy & `key loss issues:
DNA `blueprint of a person
very privacy sensitive interesting e.g. for health insurance companies
Information does not change, cannot be replaced
Information left everywhere
Your fingerprint is on the chair, desk, lunch plate, etc. Not transferable (*)
Biometric passports electronic picture (e.g. against fraud with ID)
fingerprint (e.g. against `look alike)
-
8/11/2019 13-5-Auth
27/97
Template Protection
27
TemplateStorage
Securely Store templates Normal hash not possible
-
8/11/2019 13-5-Auth
28/97
28
A Template Protection Scheme(*)
Shielding function
G : Rk {0, 1}k{0, 1}K
K-bit secret S chosen randomly,
biometric X
create helper data W so G(X,W) = S
(*)Practical Biometric Authentication with Template Protection, P. Tyles et al.
k Features K bits secret
-
8/11/2019 13-5-Auth
29/97
29
Template Protection Scheme (cont.)
Noise insensitive (-contracting)
d(X, X) < => G(X,W) = G(X,W) = S
Secure (-revealing): I(W; S) W leaks less than bits on S
Template protecting (-revealing) : I(W; X) W leaks less than information on X
Shielding function G : Rk {0, 1}k{0, 1}K
helper data W
-
8/11/2019 13-5-Auth
30/97
30
Template Protection Scheme (cont.)
Enrolment:extract features X from Alices biometrics
choose random secret Scompute helper data WUse one-way hash function H and store
(Alice, W , H(S))
Verification of identity of Alice:
measure biometric: X load helper data W for AliceCompute S = G(X,W) and H(S).
-
8/11/2019 13-5-Auth
31/97
31
Design Biometric Practical
Able to do at home
Able to do in class
Keep characteristics in mind:
Choose collection method
Define Features
Enrolment Create several measurements.
Evaluation
Universal Uniqueness
Permanence
Collectability Performance
Acceptance
Circumvention
-
8/11/2019 13-5-Auth
32/97
www.trustedreviews.com
Biometrics(Experimental results)
-
8/11/2019 13-5-Auth
33/97
33
Measure:
3 points B,C,D (A=(0,0))
A
B
C
D
A
B
C
D
-
8/11/2019 13-5-Auth
34/97
34
Hand features Feature 1: circumference of the middle joint
(typically thickest part of finger)
Feature 2: Length top digit From middle top to separating line
Feature 3: Length middle digit From separating line to separating line (use main;
lower line as end point).
Feature 4: Length bottom digit
Usesindex
finger
-
8/11/2019 13-5-Auth
35/97
35
Feature extraction
Blue line: all users
Purple line: distinctivefeature for user
Red line: weakly
distinctive feature Can help prevent false
accepts
Green: indistinctive
features Very close to average -
expect many to havesimilar results.
-
8/11/2019 13-5-Auth
36/97
36
-
8/11/2019 13-5-Auth
37/97
37
-
8/11/2019 13-5-Auth
38/97
38
-
8/11/2019 13-5-Auth
39/97
39
-
8/11/2019 13-5-Auth
40/97
40
Feature 1 2 3 4
1 1 0.4203 0.4285 0.1291
2 1 0.2217 -0.0403
3 1 0.6790
4 1
Feature correlation
-
8/11/2019 13-5-Auth
41/97
41
Options Translation measurement into features
Pre processing; rotation.Data extraction: A,B,C,D
Features should be scaling insensitive
Relative sizes
Angle insensitive?
Effect collectability
Choose features per user ?
Performance
-
8/11/2019 13-5-Auth
42/97
42
Biometric - Conclusions:
Varying strength of identification Can be tailored to application
Additional hardware needed
Non-replaceable
Privacy & Acceptance
-
8/11/2019 13-5-Auth
43/97
Security Tokens &Tamper resistant
devices
-
8/11/2019 13-5-Auth
44/97
44
Functional & Security Goals
Example Tokens
-
8/11/2019 13-5-Auth
45/97
45
Physical security
Secure processing
(image source: IBM)
-
8/11/2019 13-5-Auth
46/97
46
Smart Card History
Dethloff (68), Arimura (70), Moreno (74) First chip by Motorola & Bull (77)
France Telecom phone card (84)
Java Card (95) 1 Billion Java cards (2005)
Used in many SIM and ATM cards
Standards (ISO 7816, GSM, EMV, VOP, CEPS)
-
8/11/2019 13-5-Auth
47/97
-
8/11/2019 13-5-Auth
48/97
48
What makes the card smart?
CPU (8-bit, 16/32 bit) Memory (RAM, ROM, EEPROM/Flash)
I/O channel (Contact/Contact less)
Cryptographic co-processor
On card devices (Fingerprint, display)
-
8/11/2019 13-5-Auth
49/97
49
Applications of smartcards (1) Banking
(new) creditcards, Chipknip, internet-banking(e.g. ABN-Amro card).
Telephone cards
Toll payment`Rekening rijden
Public transportMany systems in use
OV chip card
-
8/11/2019 13-5-Auth
50/97
50
Applications of smartcards (2) Identification & Authorization
eNik (Electronic ID)SIM cards
Building Access cards
Loyalty cards
Secure data storage/access
Privium program schipholElectronic health record Germany
-
8/11/2019 13-5-Auth
51/97
51
Terminals Embedded systems
Standards (ISO 7816,PC/SC, OCF)
Communication:APDU(Application Protocol DataUnit)
Problems: connections,yield, power, thickness
-
8/11/2019 13-5-Auth
52/97
52
Attacks on smartcards Logical Attacks
crypto, protocols, implementation
Physical attacks
hardware Side Channel attacks
physical properties
Invasive - Non-invasive
-
8/11/2019 13-5-Auth
53/97
53
53
Physical AttackRemoving chip from smartcard
heat, etching, acid, etc. to remove protective covering
[Source: Oliver Kmmerling, Marcus Kuhn]
-
8/11/2019 13-5-Auth
54/97
54
54
Eavesdropping & Altering Physical needles
Electron beam Ion beam
Also remove/create
connection Read out Rom, etc.
[Source: Brightsight]
blown fuse: Restore to re-enable testing mode
-
8/11/2019 13-5-Auth
55/97
55
Countermeasures
Smaller circuitrymakes many physical attacks harder
Obfuscate chip layout
eg hide bus lines
encrypt bus, memory content
add sensorsDetect tampering
L i l tt k
-
8/11/2019 13-5-Auth
56/97
56
Logical attacks
Card reader and PC (*)
Man in the middle
(*) E.g. Software from RU Nijmegen to readout chipknip:http://www.ru.nl/ds/research/smartcards/
-
8/11/2019 13-5-Auth
57/97
57
Countermeasures Don't invent your own cryptographic primitives
GSM: SIM card can be cloned in couple of hoursMifare Classic: ov-chipcard in seconds
Don't invent your own security protocols use standard ones
Beware of random number generationmaking good randomness is difficult
-
8/11/2019 13-5-Auth
58/97
58
You all know Java High-level OO language, portable
Large footprint Good tools, APIs
Java Safety
Type safety: Enforces objects are of correct typeMemory safety:
Only access to `own memory
run-time buffer size check
Helps prevent some common flaws
Program in Java or assembler?
-
8/11/2019 13-5-Auth
59/97
59
Java card Java card VM
Multiple applets possible Subset of java
Subset of API, exceptions Initially: No concurrency, garbage collection
Version 3: adds these, HTTP, RMI (optional)
Java card extends javaTransactions, sharable objects
-
8/11/2019 13-5-Auth
60/97
60
Java implementation
Parsing Type checking
Code generation
Java program Byte codeclass file
interpretercompiler
Class loading Byte code verification
Execution
-
8/11/2019 13-5-Auth
61/97
61
Java Card implementation
Class loading Byte code verification
CAP file generation
Digital signature
Class loading Signature verification
Ver3: On card verifier
Execution
Byte codeclass file
Byte codesCap file
installerconverter
-
8/11/2019 13-5-Auth
62/97
62
Architecture
-
8/11/2019 13-5-Auth
63/97
63
Transaction mechanism
Transaction: set of instructionsShould execute all or none
Roll back changes on failure
Non-Atomic methodsSome things should not be rolled back
Example: PIN try counter
Issues if mixed...
-
8/11/2019 13-5-Auth
64/97
64
Applet firewall
Context switch
Context switch
-
8/11/2019 13-5-Auth
65/97
65
Sharable interfaces
-
8/11/2019 13-5-Auth
66/97
66
Sharable Interfaces
-
8/11/2019 13-5-Auth
67/97
Side ChannelAttacks
-
8/11/2019 13-5-Auth
68/97
68
Side Channel attacks Use physical characteristics of the device
to gain extra information. Examples:Power consumption
electro-magnetic emissions (EE)Heat
Timing information
SPA, DPA, Timing attack
-
8/11/2019 13-5-Auth
69/97
-
8/11/2019 13-5-Auth
70/97
70
(*) Actually for most of current devices: Changing value causes power consumption;data with many changes consume more power.
Power AnalysisTiming attacks
Simple Power Analysis (SPA)
Power consumption is higher for a 1 than a 0(*)
Gain extra information from a single power trace:
Data with many 1s will consume more power.
Differential Power Analysis (DPA)
-
8/11/2019 13-5-Auth
71/97
71
Differential Power Analysis (DPA)Look at differences in average power consumption
Collect a set of power traces
Split into two groups Find difference in average power consumption:
Difference trace
InputI1 I2 In
-
8/11/2019 13-5-Auth
72/97
72
DPA: Bit Propagation Collect Traces (random inputs I1,I2,...In) Choose input bitX
Group traces by value bitX
Difference trace shows where bitXused
Partial diff. traces for DES input bitX= 16,17,18,19
I1 I2 ... In
TraceT1 T2 ... Tn I1 bitX= 1
T1 => G1I2 bitX= 0T2 => G0etc...
AvgAvgDiff. trace
T1
...
T2...
Boolean functionAny function (#1s)
Fundamental idea: Lower Complexity
-
8/11/2019 13-5-Auth
73/97
73
Fundamental idea: Lower Complexity
Goals is to check a guess for PART of the key.
Example: 64 bit key
nr of possibilities: 18,446,744,073,709,551,616
At 1G encryption per second: more than 500 years
If one can check 1 byte at a type:
nr of possibilities (256 per byte, 8 bytes): 2048 Easily doable even if millions of instructions needed
for each check.
-
8/11/2019 13-5-Auth
74/97
74
Extracting keys with DPA What: Validate guess for part of the key
In practice: part < 32 bits
Select intermediate result
Use guess of the key to predict Check prediction
-
8/11/2019 13-5-Auth
75/97
75
Extracting keys with DPA What: Validate guess for part of the key
Select intermediate resultalgorithm needs to compute
Dont care where in implementation
depends on part of the key The part to be guessed
Use guess of the key to predict
Check prediction
Input
Output
Extracting Keys with DPA
-
8/11/2019 13-5-Auth
76/97
What: Validate guess for part of the key
Select intermediate result
Use guess of the key to predict
calculate intermediate result using guess
Check prediction
Extracting Keys with DPA
76
InputI1 I2 ... In
R1 R2 ... Rn
PredictedIntermediate
guess guess
InputI1 I2 ... In
R1 R2 ... Rn
PredictedIntermediate
Each guess=> different function
R, R, ...
Extracting keys with DPA
-
8/11/2019 13-5-Auth
77/97
77
g y
What: Validate guess for part of the key
Use intermediate result
Use guess of the key to predict
Check prediction (see Bit-propagation);
function R, (R, R,...) computed?Group Ti by few 1s/many 1s in Ri, (Ri, Ri, ...)
Can see where computed
Nowhere for wrong guess/prediction
Peak in difference trace: correct guess
(Also shows when R is computed)
-
8/11/2019 13-5-Auth
78/97
78
Difference trace for Correct guess and incorrect guesses
Correlation power analysis (CPA)
-
8/11/2019 13-5-Auth
79/97
79
Compute correlation: #1s in predicatedvalue (X) and power consumption (Y)
Or actually: sample correlation coefficient
Improves efficiency
-
8/11/2019 13-5-Auth
80/97
80
Key Retrieval Example: DES
S-box 1:
subkey candidate: 24, peak value: 0,953 at position 66subkey candidate: 19, peak value: -0,439 at position 66
subkey candidate: 26, peak value: -0,419 at position 66
subkey candidate: 7, peak value: -0,418 at position 66
Example(*): AES (Rijndael)
-
8/11/2019 13-5-Auth
81/97
81
p ( ) ( j )
Symmetric cipher 128 bits key (i.e. 16 bytes)
First round starts with:
Intermediate value: input[ i ] ^ key-guess.(Need to check 256 possibilities.)
void AddRoundKey()
{
for( i = 0; i < 16; i++ )
{
inputdata[ i ] = inputdata[ i ] ^ key[ i ];
}
}
(*) for simple example: assume hamming weight leaks
-
8/11/2019 13-5-Auth
82/97
82
Simulation tool from the PINPAS Project
-
8/11/2019 13-5-Auth
83/97
83
Example: RSA Public key crypto, 512+ bit key size
Encryption: calculate mpk mod M Typical SQR-MUL-implementation:
r = 1;
for ( i = 0; i < bitlength( pk ); i++ )
{
r = SQR( r, M );
if ( bit( pk, i ) == 1 )
{r =MUL( r, m, M );
}
}
-
8/11/2019 13-5-Auth
84/97
84
RSA (2) Smartcard implementation:
SQR, MUL in coprocessor
Coprocessor in tool:
Add two new instructions to processorJava BigIntegerclass for functional behavior
Power consumption: leaks Hamming weights
of coprocessor input output + timing.
-
8/11/2019 13-5-Auth
85/97
85
RSA (3) Timing attack possible:
0 0 0 1 1 0 0 0
...
if ( bit( pk, i ) == 1 )
{
r = MUL( r, m, M );
}
else{
dummy = MUL( r, m, M );
}
...
-
8/11/2019 13-5-Auth
86/97
86
RSA (4) Defense against timing attack lines up traces
No more timing information However: potential for DPA attacks
r = 1;
for ( i = 0; i < bitlength( pk ); i++ )
{
r = SQR( r, M );
if ( bit( pk, i ) == 1 )
r =MUL( r, m, M );else
dummy = MUL( r, m, M );
}
-
8/11/2019 13-5-Auth
87/97
87
RSA Countermeasures (1)
Randomization
Prevent traces from lining up.
Add dummy operations
Randomize order real operations
void AddRoundKey()
{ order = random_permutation( 0, 15 );
for( i = 0; i < 16; i++ )
{ inputdata[ order[ i ] ] =inputdata[ order[ i ] ] ^ key[ order[ i ] ];
}
}
-
8/11/2019 13-5-Auth
88/97
88
RSA Countermeasures (2) Randomization
Dummy operations must appear realCorrelation reduced not removed
Nr traces needed increases ~ square of probability.
MaskingMask intermediate values with random mask
am = a XOR m
confusion: confuse mask also
diffusion: `masked version operation.
Sid Ch l C t
-
8/11/2019 13-5-Auth
89/97
89
Side-Channel Countermeasures Don't make your own implementation
Unless know state-of-the art in side-channel attacks
Architectural defense:
Prevent collection of set of traces: Try counter
Regularly change keys.
May be defeated by `template attacks.
Limit vulnerability of key loss
Do not use single key Have alternate levels of defense; e.g. revocation possibilities
Sid Ch l C t
-
8/11/2019 13-5-Auth
90/97
90
Side-Channel Countermeasures Software defense:
Try to change implementation
Implement countermeasures above
Choose less vulnerable encryption schema
Hardware defense, try to:remove correlation data power consumption
Random activity, noise, reduce power consumption
Prevent traces from lining up e.g. variable clock cycles
Provably resistant against DPA
-
8/11/2019 13-5-Auth
91/97
Sbox:
Compute for every possible input
in random order
return the result for the correct value
Masked computation of S-box Input x + r ( x masked with random r )
Output S(x) + s S(x) masked with new mask s
91
T i t t
-
8/11/2019 13-5-Auth
92/97
92
Tamper resistant
... but not tamper proof
make something foolproof and
somebody will invent a better fool
Design moral: breaking card should notbreak whole system
A ti /I i tt k
-
8/11/2019 13-5-Auth
93/97
93
Active/Invasive attacks
Probing attacks:
Tap specific parts of a chip (a bus)
Change specific parts
reconnect test circuits ...both require special equipment
Map entire chip logic
If algorithm/implementation unknown...
Active/Invasive attacks
-
8/11/2019 13-5-Auth
94/97
94
Fault attacks:Purposefully cause errors in computation;
prevent unwanted updates (e.g. pincounter) use faulty computation to derive information.
check for dummy instructions
How: Change voltage
Bombard with light
Shake it
Drop a hammer on it...
Mifare (also OV chip) hacking
-
8/11/2019 13-5-Auth
95/97
95
Mifare (also: OV-chip) hacking
Hack of Mifare:e.g. http://www.youtube.com/watch?v=Y8VVKnUdECg
Work by researchers in Nijmegen
`Dagkaart broken. Later: All cards broken, cloneable
Recently: Discussion traceability
SCard breakable however
-
8/11/2019 13-5-Auth
96/97
96
SCard breakable, however, ...
Smartcard often not the weakest point
Weaknesses in issuing / use / ...
(missing security goals? e.g. OV-chip)
-
8/11/2019 13-5-Auth
97/97