Password authentication by liamei12345


									CS 259

         Password Authentication

                J. Mitchell
User                     Password file
         hash function   ggjoklbsz
Basic password authentication
  • User chooses password
  • Hash of password stored in password file
  • User logs into system, supplies password
  • System computes hash, compares to file
  • Online dictionary attack
     – Guess passwords and try to log in
  • Offline dictionary attack
     – Steal password file, try to find p with hash(p) in file
Dictionary Attack – some numbers

 Typical password dictionary
   •   1,000,000 entries of common passwords
       – people's names, common pet names, and ordinary words.
   • Suppose you generate and analyze 10 guesses per second
       – This may be reasonable for a web site; offline is much faster
   • Dictionary attack in at most 100,000 seconds = 28 hours,
     or 14 hours on average
 If passwords were random
   • Assume six-character password
       – Upper- and lowercase letters, digits, 32 punctuation
       – 689,869,781,056 password combinations.
       – Exhaustive search requires 1,093 years on average
  Unix password line

Constant                        Ciphertext
                25x DES

             When password is set, salt is chosen randomly
Advantages of salt
Without salt
  • Same hash functions on all machines
     – Compute hash of all common strings once
     – Compare hash file with all known password files
With salt
  • One password hashed 212 different ways
     – Precompute hash file?
        • Need much larger file to cover all common strings
     – Dictionary attack on known password file
        • For each salt found in file, try all common strings
Web Authentication

                           cookie                   Server

 Problems
  • Network sniffing
  • Malicious or weak-security website
     – Phishing
                                        next few slides
     – Common password problem
     – Pharming – DNS compromise
  • Malware on client machine
     – Spyware
     – Session hijacking, fabricated transactions
Password Phishing Problem

                                     Bank A

                    pwdA           pwdA

                                     Fake Site

User cannot reliably identify fake sites
Captured password can be used at target site
Common Password Problem

                                                          Bank A



                                                           Site B

  Phishing attack or break-in at site B reveals pwd at A
      •   Server-side solutions will not keep pwd safe
      •   Solution: Strengthen with client-side support
Defense: Password Hashing
                                                Bank A


                                                Site B

 Generate a unique password per site
   • HMACfido:123(  Q7a+0ekEXb
   • HMACfido:123(  OzX2+ICiqc
 Hashed password is not usable at any other site
   • Protects against password phishing
   • Protects against common password problem
Defense: SpyBlock
  Defense: SpyBlock

 Authentication agent
communicates through
    browser agent

 Authentication agent
communicates directly
     to web site
SpyBlock protection

password in trusted client environment

       better password-based authentication protocols                 server
                    trusted environment confirms site transactions   required
Goals for password protocol
Authentication relies on password
  • User can remember password, use anywhere
  • No additional client-side certificates, etc.
Protect against attacks
  • Network does not carry cleartext passwords
  • Malicious user cannot do offline dictionary
  • Malicious server (as in phishing) does not learn
    password from communication with honest user
Simple approach

Send hashed passwords
                   hash(pwd|1)   Server

Does this “work”?
  • Good points?
  • Bad points?
“Interlock” password protocols
(Set-up Phase) Password p known to both parties

(Key Exchange Phase)
AB         gx
BA         gy      k = gxy or some function of gxy

(Authentication Phase)
AB         mack(p, r)                for random r
BA         mack(p, s), enck(s)       for random s
AB         enck(r)

                 [Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]
ESP-KE key exchange protocol
Prime p and generators , β known

Generate random a                   Generate random b
A= a / βP mod p                     B= b mod p
                                    If A=0 Abort
k = Ba mod p                        k = (A βP)b mod p
If H(0,k,P) ≠ Mb Abort
Ma = H(1,k,P)              Ma
                                    If H(1,k,P) ≠ Ma Abort
                                                             [M Scott]
SRP protocol
(Set-up Phase)
   Carol chooses password P
   Steve chooses s, computes x = H(s, P) and v = gx
(Key Exchange Phase)
                        C             Bob looks up s, v
x = H(s, P)             s
A = ga                   A
                        B,u          B = v + gb, random u
S = (B - gx) (a+ux)                  S = (Avu)b
M1 = H(A,B,S)           M1           verify M1
verify M2               M2           M2 = H(A,M1,S)
Key = H(S)                           Key = H(S)        [Wu]
CMU “Phoolproof” proposal
 Eliminates reliance on perfect user behavior
 Protects against keyloggers, spyware.
 Uses a trusted mobile device to perform mutual
  authentication with the server


To top