Title: Password Authentication
1. Password Authentication
CS 259
2. [Figure labels: User; kiwifruit; exrygbzyf, kgnosfix, ggjoklbsz; hash function]
3. Basic password authentication
- Setup
  - User chooses password
  - Hash of password stored in password file
- Authentication
  - User logs into system, supplies password
  - System computes hash, compares to file
- Attacks
  - Online dictionary attack
    - Guess passwords and try to log in
  - Offline dictionary attack
    - Steal password file, try to find p with hash(p) in file
4. Dictionary Attack: some numbers
- Typical password dictionary
  - 1,000,000 entries of common passwords
  - people's names, common pet names, and ordinary words.
- Suppose you generate and analyze 10 guesses per second
  - This may be reasonable for a web site; offline is much faster
  - Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
- If passwords were random
  - Assume six-character password
  - Upper- and lowercase letters, digits, 32 punctuation characters
  - 689,869,781,056 password combinations.
  - Exhaustive search requires 1,093 years on average
5. Salt
- Unix password line
  - walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
[Figure labels: Salt, Input, Key, Constant, Plaintext, 25x DES, Ciphertext, Compare]
When password is set, salt is chosen randomly
6. Advantages of salt
- Without salt
  - Same hash functions on all machines
  - Compute hash of all common strings once
  - Compare hash file with all known password files
- With salt
  - One password hashed 2^12 different ways
  - Precompute hash file?
    - Need much larger file to cover all common strings
  - Dictionary attack on known password file
    - For each salt found in file, try all common strings
7. Web Authentication
[Figure labels: Server, password, Browser, cookie]
- Problems
  - Network sniffing
  - Malicious or weak-security website
  - Phishing
  - Common password problem
  - Pharming: DNS compromise
  - Malware on client machine
  - Spyware
  - Session hijacking, fabricated transactions
(next few slides)
8. Password Phishing Problem
[Figure labels: Bank A, pwdA, pwdA, Fake Site]
- User cannot reliably identify fake sites
- Captured password can be used at target site
9. Common Password Problem
[Figure labels: Bank A (high security site), pwdA, Site B]
- Phishing attack or break-in at site B reveals pwd at A
- Server-side solutions will not keep pwd safe
- Solution: strengthen with client-side support
10. Defense: Password Hashing
[Figure labels: hash(pwdA, BankA), Bank A, hash(pwdB, SiteB), Site B]
- Generate a unique password per site
  - HMAC_fido123(banka.com) → Q7a0ekEXb
  - HMAC_fido123(siteb.com) → OzX2ICiqc
- Hashed password is not usable at any other site
  - Protects against password phishing
  - Protects against common password problem
11. Defense: SpyBlock
12. Defense: SpyBlock
Authentication agent communicates through browser agent
Authentication agent communicates directly to web site
13. SpyBlock protection
password in trusted client environment
server support required
better password-based authentication protocols
trusted environment confirms site transactions
14. Goals for password protocol
- Authentication relies on password
  - User can remember password, use anywhere
  - No additional client-side certificates, etc.
- Protect against attacks
  - Network does not carry cleartext passwords
  - Malicious user cannot do offline dictionary attack
  - Malicious server (as in phishing) does not learn password from communication with honest user
15. Simple approach
- Send hashed passwords
- Does this work?
- Good points?
- Bad points?
[Figure labels: Server, hash(pwd0), Browser, hash(pwd1)]
16. Interlock password protocols
- (Set-up Phase) Password p known to both parties
- (Key Exchange Phase)
  - A → B: g^x
  - B → A: g^y
  - k = g^(xy) or some function of g^(xy)
- (Authentication Phase)
  - A → B: mac_k(p, r) for random r
  - B → A: mac_k(p, s), enc_k(s) for random s
  - A → B: enc_k(r)
Rivest, Shamir, Bellovin, Merritt, Pederson, Ellison
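17. ESP-KE key exchange protocol
- Prime p and generators α, β known
- One side generates random a and computes A = α^a / β^P mod p
- Other side generates random b and computes B = α^b mod p
- The values A and B are exchanged
- If A = 0: abort
- k = B^a mod p (side holding a); k = (A β^P)^b mod p (side holding b)
- Mb = H(0,k,P) is sent; if H(0,k,P) ≠ Mb: abort
- Ma = H(1,k,P) is sent; if H(1,k,P) ≠ Ma: abort
M Scott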
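18. SRP protocol
- (Set-up Phase)
  - Carol chooses password P
  - Steve chooses s, computes x = H(s, P) and v = g^x
- (Key Exchange Phase)
  - Carol sends C; Bob looks up s, v
  - Carol receives s; computes x = H(s, P)
  - Carol sends A = g^a
  - Carol receives B, u, where B = v + g^b and u is random
  - Carol computes S = (B - g^x)^(a + ux); the server computes S = (A v^u)^b
  - Carol sends M1 = H(A,B,S); the server verifies M1
  - Carol receives M2 = H(A,M1,S) and verifies M2
  - Both sides: Key = H(S)
Wu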
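The SRP message flow from the slide above, simulated end to end as an added example (not part of the original slides): it shows that both sides reach the same key only when the client's password matches the stored verifier, and that the server never holds the password itself. Assumptions made here: SHA-256 as H, a demo modulus N = 2**255 - 19 with g = 2, and the function names `H`, `register` and `run_login`.

```python
import hashlib
import secrets

# Demo group (assumption): N = 2**255 - 19 is prime, g = 2. Not a vetted SRP group.
N, g = 2**255 - 19, 2

def H(*parts):
    """Hash ints/bytes/str to an integer, length-prefixing each part (SHA-256 assumed)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(32, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(h.digest(), "big")

def register(password):
    """Set-up: the server keeps only salt s and verifier v = g^x, x = H(s, P)."""
    s = secrets.token_bytes(16)
    return s, pow(g, H(s, password), N)

def run_login(password, s, v):
    """Simulate one run. Returns (client_key, server_key), or None on rejection."""
    x = H(s, password)                      # client, after receiving s
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                        # client -> server: A = g^a
    if A % N == 0:                          # server must refuse a degenerate A
        return None
    b = secrets.randbelow(N - 2) + 1
    u = secrets.randbelow(2**32 - 1) + 1    # server's random, non-zero u
    B = (v + pow(g, b, N)) % N              # server -> client: B = v + g^b, u
    S_client = pow((B - pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    M1 = H(A, B, S_client)                  # client -> server
    if M1 != H(A, B, S_server):             # server verifies M1 before replying
        return None
    M2 = H(A, M1, S_server)                 # server -> client
    if M2 != H(A, M1, S_client):            # client verifies M2
        return None
    return H(S_client), H(S_server)

if __name__ == "__main__":
    salt, verifier = register("fido123")    # constructed sample password
    print("correct password:", run_login("fido123", salt, verifier) is not None)
    print("wrong password:  ", run_login("fido124", salt, verifier) is not None)
```

A production implementation would use a standardized safe-prime group and a constant-time comparison for M1 and M2.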
19. CMU Phoolproof proposal
- Eliminates reliance on perfect user behavior
- Protects against keyloggers, spyware.
- Uses a trusted mobile device to perform mutual
authentication with the server