CS 259
Password Authentication
J. Mitchell

[Diagram: User, hash function, Password file; labels: kiwifruit, exrygbzyf, kgnosfix, ggjoklbsz, …]

Basic password authentication
Setup
• User chooses password
• Hash of password stored in password file
Authentication
• User logs into system, supplies password
• System computes hash, compares to file
Attacks
• Online dictionary attack
  – Guess passwords and try to log in
• Offline dictionary attack
  – Steal password file, try to find p with hash(p) in file

Dictionary Attack – some numbers
Typical password dictionary
• 1,000,000 entries of common passwords
  – people's names, common pet names, and ordinary words.
• Suppose you generate and analyze 10 guesses per second
  – This may be reasonable for a web site; offline is much faster
• Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
If passwords were random
• Assume six-character password
  – Upper- and lowercase letters, digits, 32 punctuation characters
  – 689,869,781,056 password combinations.
  – Exhaustive search requires 1,093 years on average

Salt
Unix password line
walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
[Diagram: Salt, Input, Key, Constant, Plaintext, 25x DES, Ciphertext, Compare]
When password is set, salt is chosen randomly

Advantages of salt
Without salt
• Same hash functions on all machines
  – Compute hash of all common strings once
  – Compare hash file with all known password files
With salt
• One password hashed 2^12 different ways
  – Precompute hash file?
    • Need much larger file to cover all common strings
  – Dictionary attack on known password file
    • For each salt found in file, try all common strings

Web Authentication
[Diagram: Browser, Server; labels: password, cookie]
Problems
• Network sniffing
• Malicious or weak-security website
  – Phishing (next few slides)
  – Common password problem
  – Pharming – DNS compromise
• Malware on client machine
  – Spyware
  – Session hijacking, fabricated transactions

Password Phishing Problem
[Diagram: User, Bank A, Fake Site; labels: pwdA, pwdA]
User cannot reliably identify fake sites
Captured password can be used at target site

Common Password Problem
[Diagram: Bank A, Site B; labels: pwdA, pwdA = pwdB]
Phishing attack or break-in at site B reveals pwd at A
• Server-side solutions will not keep pwd safe
• Solution: Strengthen with client-side support

Defense: Password Hashing
[Diagram: Bank A, Site B; label: pwdA = pwdB]
Generate a unique password per site
• HMAC_fido:123(banka.com) → Q7a+0ekEXb
• HMAC_fido:123(siteb.com) → OzX2+ICiqc
Hashed password is not usable at any other site
• Protects against password phishing
• Protects against common password problem

Defense: SpyBlock
Authentication agent communicates through browser agent
Authentication agent communicates directly to web site

SpyBlock protection
password in trusted client environment better password-based authentication protocols server support trusted environment confirms site transactions required

Goals for password protocol
Authentication relies on password
• User can remember password, use anywhere
• No additional client-side certificates, etc.
Protect against attacks
• Network does not carry cleartext passwords
• Malicious user cannot do offline dictionary attack
• Malicious server (as in phishing) does not learn password from communication with honest user

Simple approach
Send hashed passwords
[Diagram: Browser, Server; labels: hash(pwd|0), hash(pwd|1)]
Does this “work”?
• Good points?
• Bad points?

“Interlock” password protocols
(Set-up Phase)
  Password p known to both parties
(Key Exchange Phase)
  A → B: g^x
  B → A: g^y
  k = g^xy or some function of g^xy
(Authentication Phase)
  A → B: mac_k(p, r) for random r
  B → A: mac_k(p, s), enc_k(s) for random s
  A → B: enc_k(r)
[Rivest, Shamir, Bellovin, Merritt, … Pederson, Ellison]

ESP-KE key exchange protocol
Prime p and generators , β known
  Generate random a                  Generate random b
  A= a / βP mod p                    B= b mod p
                    A →
                    ← B
                                     If A=0 Abort
  k = B^a mod p                      k = (A β^P)^b mod p
                                     Mb = H(0,k,P)
                    ← Mb
  If H(0,k,P) ≠ Mb Abort
  Ma = H(1,k,P)
                    Ma →
                                     If H(1,k,P) ≠ Ma Abort
[M Scott]

SRP protocol
(Set-up Phase)
  Carol chooses password P
  Steve chooses s, computes x = H(s, P) and v = g^x
(Key Exchange Phase)
                    C →              Bob looks up s, v
                    ← s
  x = H(s, P)
  A = g^a
                    A →
                                     B = v + g^b, random u
                    ← B, u
  S = (B - g^x)^(a+ux)               S = (A v^u)^b
  M1 = H(A,B,S)
                    M1 →             verify M1
                                     M2 = H(A,M1,S)
                    ← M2
  verify M2
  Key = H(S)                         Key = H(S)
[Wu]

CMU “Phoolproof” proposal
Eliminates reliance on perfect user behavior
Protects against keyloggers, spyware.
Uses a trusted mobile device to perform mutual authentication with the server
[Diagram label: password?]
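
The SRP message flow from the slide above, run end to end with both sides in one process (an added example, not part of the original slides). The modulus, generator, SHA-256 as H, the length-prefixed encoding, and the names `register` and `login` are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed demo parameters, not from the slides: 2**255 - 19 is a well-known
# prime. Production SRP uses a standardized large safe-prime group instead.
N = 2**255 - 19
g = 2

def H(*parts) -> bytes:
    """SHA-256 over length-prefixed parts (ints, str or bytes)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def to_int(digest: bytes) -> int:
    return int.from_bytes(digest, "big")

def register(password: str):
    """Set-up phase: the server keeps (s, v); v = g^x with x = H(s, P)."""
    s = secrets.token_bytes(16)
    return s, pow(g, to_int(H(s, password)), N)

def login(typed_password: str, s: bytes, v: int):
    """Run both sides once; returns (client_key, server_key, m1_ok, m2_ok)."""
    a = secrets.randbelow(N - 2) + 1                 # Carol's secret
    A = pow(g, a, N)                                 # Carol -> Steve: A
    if A % N == 0:                                   # Steve rejects a degenerate A
        raise ValueError("A = 0")
    b = secrets.randbelow(N - 2) + 1                 # Steve's secret
    B = (v + pow(g, b, N)) % N                       # Steve -> Carol: B, u
    u = secrets.randbelow(2**32 - 1) + 1
    x = to_int(H(s, typed_password))                 # Carol recomputes x from s
    S_c = pow((B - pow(g, x, N)) % N, a + u * x, N)  # S = (B - g^x)^(a+ux)
    S_s = pow(A * pow(v, u, N) % N, b, N)            # S = (A v^u)^b
    M1 = H(A, B, S_c)                                # Carol -> Steve: M1
    m1_ok = hmac.compare_digest(M1, H(A, B, S_s))    # Steve verifies M1
    m2_ok = False
    if m1_ok:                                        # Steve answers only if M1 checks out
        M2 = H(A, M1, S_s)                           # Steve -> Carol: M2
        m2_ok = hmac.compare_digest(M2, H(A, M1, S_c))
    return H(S_c), H(S_s), m1_ok, m2_ok              # Key = H(S) on each side
```

With a wrong password the two sides derive different values of S, so the server rejects M1 and never sends M2; the stored verifier v and the messages on the wire never contain the password or a plain hash of it.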