CS 259

Password Authentication

J. Mitchell

[Figure: the user's password (kiwifruit) is passed through a hash function and compared with the entries in the password file (exrygbzyf, kgnosfix, ggjoklbsz, …)]
Basic password authentication
Setup
  • User chooses password
  • Hash of password stored in password file
Authentication
  • User logs into system, supplies password
  • System computes hash, compares to file
Attacks
  • Online dictionary attack
     – Guess passwords and try to log in
  • Offline dictionary attack
     – Steal password file, try to find p with hash(p) in file
Dictionary Attack – some numbers

 Typical password dictionary
   •   1,000,000 entries of common passwords
       – people's names, common pet names, and ordinary words.
   • Suppose you generate and analyze 10 guesses per second
       – This may be reasonable for a web site; offline is much faster
   • Dictionary attack in at most 100,000 seconds = 28 hours,
     or 14 hours on average
 If passwords were random
   • Assume six-character password
       – Upper- and lowercase letters, digits, 32 punctuation
         characters
       – 689,869,781,056 password combinations.
       – Exhaustive search requires 1,093 years on average
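Salt
  Unix password line
     walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh

  [Figure: user input is used as the key, together with the salt, for 25x DES applied to a constant plaintext; the resulting ciphertext is compared with the stored entry]

  When password is set, salt is chosen randomly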
Advantages of salt
Without salt
  • Same hash functions on all machines
     – Compute hash of all common strings once
     – Compare hash file with all known password files
With salt
  • One password hashed 2^12 different ways
     – Precompute hash file?
        • Need much larger file to cover all common strings
     – Dictionary attack on known password file
        • For each salt found in file, try all common strings
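
An added example (not from the original slides) of auditing a password file for the salt property described above. It relies on the traditional crypt(3) layout, where the first two characters of the 13-character hash field are the salt; apart from the walt line from the slide, the sample entries and all function names are constructed for illustration.

```python
from collections import defaultdict

# Alphabet used by traditional DES crypt(3); each character carries 6 bits,
# so a two-character salt gives 64 * 64 = 2^12 possible values.
CRYPT64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_SPACE = len(CRYPT64) ** 2

def parse_entry(line):
    """Return (user, salt, digest), or None when the hash field is not a
    13-character traditional crypt value (shadowed, locked, newer scheme)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        return None
    user, field = fields[0], fields[1]
    if len(field) != 13 or any(c not in CRYPT64 for c in field):
        return None
    return user, field[:2], field[2:]

def salt_bits(salt):
    """Decode the two salt characters into their 6-bit values."""
    return tuple(CRYPT64.index(c) for c in salt)

def shared_salts(lines):
    """Group users by salt and keep only salts used by more than one account.
    Accounts in one group can be tested with a single pass over a dictionary
    by anyone holding the file, so they lose the per-user benefit of salting."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry:
            groups[entry[1]].append(entry[0])
    return {salt: users for salt, users in groups.items() if len(users) > 1}

SAMPLE = [
    "walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh",   # from the slide
    "anna:fUabcdefghijk:130:130:Constructed:/home/anna:/bin/sh",  # constructed
    "bob:x:131:131:Constructed:/home/bob:/bin/sh",                # constructed
    "carl:Q7/bcdefghijk:132:132:Constructed:/home/carl:/bin/sh",  # constructed
]

if __name__ == "__main__":
    print("salt space:", SALT_SPACE)
    print("walt salt bits:", salt_bits(parse_entry(SAMPLE[0])[1]))
    print("shared salts:", shared_salts(SAMPLE))
```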
Web Authentication

 [Figure: Browser sends password to Server; Server returns cookie]

 Problems
  • Network sniffing
  • Malicious or weak-security website
     – Phishing (next few slides)
     – Common password problem (next few slides)
     – Pharming – DNS compromise
  • Malware on client machine
     – Spyware
     – Session hijacking, fabricated transactions
Password Phishing Problem

 [Figure: user's pwdA goes to Fake Site; pwdA then reaches Bank A]

User cannot reliably identify fake sites
Captured password can be used at target site
Common Password Problem

 [Figure: user sends pwdA to Bank A and pwdB to Site B, with pwdA = pwdB]

  Phishing attack or break-in at site B reveals pwd at A
      •   Server-side solutions will not keep pwd safe
      •   Solution: Strengthen with client-side support
Defense: Password Hashing

 [Figure: user with pwdA = pwdB, Bank A, Site B]

 Generate a unique password per site
   • HMAC_fido:123(banka.com) → Q7a+0ekEXb
   • HMAC_fido:123(siteb.com) → OzX2+ICiqc
 Hashed password is not usable at any other site
   • Protects against password phishing
   • Protects against common password problem
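
An added example (not from the original slides) of the per-site derivation above: the user's password keys an HMAC over the host the browser is actually connected to. HMAC-SHA256, base64 output, the 10-character truncation and the function names are assumptions; the slide does not specify them, so the outputs will not match its sample strings.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

def site_host(url):
    """Host taken from the URL the browser is on, not from what the page
    claims to be. urlsplit lowercases it; a trailing dot is stripped."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")

def site_password(master, url, length=10):
    """HMAC keyed with the user's password over the site host, encoded as
    text and truncated to a typeable site-specific password."""
    mac = hmac.new(master.encode(), site_host(url).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()[:length]

if __name__ == "__main__":
    master = "fido:123"  # key string from the slide
    for url in (
        "https://banka.com/login",
        "https://siteb.com/login",
        "https://banka.com.signin.example/login",  # constructed look-alike host
    ):
        print(site_host(url), "->", site_password(master, url))
```

The look-alike host receives a value that Bank A will not accept, and the value stored at Site B is not the one Bank A holds. A weak master password can still be guessed offline by any site that sees its derived value.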
Defense: SpyBlock

 [Figure, two configurations]
  • Authentication agent communicates through browser agent
  • Authentication agent communicates directly to web site
SpyBlock protection
  • Password in trusted client environment
  • Better password-based authentication protocols (server support required)
  • Trusted environment confirms site transactions (server support required)
Goals for password protocol
Authentication relies on password
  • User can remember password, use anywhere
  • No additional client-side certificates, etc.
Protect against attacks
  • Network does not carry cleartext passwords
  • Malicious user cannot do offline dictionary
    attack
  • Malicious server (as in phishing) does not learn
    password from communication with honest user
Simple approach

Send hashed passwords
  [Figure: messages hash(pwd|0) and hash(pwd|1) between Browser and Server]

Does this “work”?
  • Good points?
  • Bad points?
“Interlock” password protocols
(Set-up Phase) Password p known to both parties

(Key Exchange Phase)
A → B:   g^x
B → A:   g^y          k = g^(xy) or some function of g^(xy)

(Authentication Phase)
A → B:   mac_k(p, r)               for random r
B → A:   mac_k(p, s), enc_k(s)     for random s
A → B:   enc_k(r)

                 [Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]
ESP-KE key exchange protocol
Prime p and generators , β known

Generate random a                   Generate random b
A = a / β^P mod p                   B = b mod p
                          A →
                          ← B
                                    If A = 0, abort
k = B^a mod p                       k = (A·β^P)^b mod p
                                    Mb = H(0, k, P)
                          ← Mb
If H(0, k, P) ≠ Mb, abort
Ma = H(1, k, P)           Ma →
                                    If H(1, k, P) ≠ Ma, abort
                                                             [M Scott]
SRP protocol
(Set-up Phase)
   Carol chooses password P
   Steve chooses s, computes x = H(s, P) and v = g^x
(Key Exchange Phase)
                          C →            Bob looks up s, v
x = H(s, P)               ← s
A = g^a                   A →
                          ← B, u         B = v + g^b, random u
S = (B - g^x)^(a+ux)                     S = (A·v^u)^b
M1 = H(A,B,S)             M1 →           verify M1
verify M2                 ← M2           M2 = H(A,M1,S)
Key = H(S)                               Key = H(S)        [Wu]
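
An added worked example (not from the original slides) that runs both sides of the SRP exchange above in the slide's notation, showing that the two computations of S agree only when the typed password matches the stored verifier. Assumptions: SHA-256 for H, a toy prime modulus N = 2^127 - 1 with g = 3 chosen only so the demo runs quickly, and the function names.

```python
import hashlib
import secrets

# Toy group, constructed for this demo: N is prime but far too small for real
# use; deployments use a standardized large safe-prime group.
N = 2**127 - 1
g = 3

def H(*parts):
    """Hash ints/bytes/str to an integer (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)  # length prefix avoids ambiguity
    return int.from_bytes(h.digest(), "big")

def register(password):
    """Set-up phase: the server keeps only salt s and verifier v = g^x."""
    s = secrets.token_bytes(16)
    return s, pow(g, H(s, password), N)

def login(password, s, v):
    """Run both sides; return (client_key, server_key), or None on abort."""
    a = secrets.randbelow(N - 2) + 1             # client secret
    A = pow(g, a, N)                             # client -> server: C, A
    if A % N == 0:                               # check from later SRP versions,
        return None                              # not shown on the slide
    b = secrets.randbelow(N - 2) + 1             # server secret
    u = secrets.randbits(32) + 1                 # server's random u
    B = (v + pow(g, b, N)) % N                   # server -> client: s, B, u
    x = H(s, password)                           # client recomputes x
    S_client = pow((B - pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S_client)                       # client -> server: M1
    S_server = pow(A * pow(v, u, N) % N, b, N)
    if M1 != H(A, B, S_server):                  # server verifies M1
        return None                              # wrong password: abort
    M2 = H(A, M1, S_server)                      # server -> client: M2
    if M2 != H(A, M1, S_client):                 # client verifies M2
        return None
    return H(S_client), H(S_server)              # Key = H(S) on both sides

if __name__ == "__main__":
    s, v = register("kiwifruit")
    print("correct password:", login("kiwifruit", s, v) is not None)
    print("wrong password:  ", login("kiwifruit1", s, v) is not None)
```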
CMU “Phoolproof” proposal
 Eliminates reliance on perfect user behavior
 Protects against keyloggers, spyware.
 Uses a trusted mobile device to perform mutual
  authentication with the server



