Password Authentication


J. Mitchell

CS 259

[Diagram: User supplies password "kiwifruit"; hash function; Password file with entries exrygbzyf, kgnosfix, ggjoklbsz, …]

Basic password authentication

Setup
• User chooses password
• Hash of password stored in password file

Authentication
• User logs into system, supplies password
• System computes hash, compares to file

Attacks
• Online dictionary attack
  – Guess passwords and try to log in
• Offline dictionary attack
  – Steal password file, try to find p with hash(p) in file

Dictionary Attack – some numbers

Typical password dictionary
• 1,000,000 entries of common passwords
  – people's names, common pet names, and ordinary words.
• Suppose you generate and analyze 10 guesses per second
  – This may be reasonable for a web site; offline is much faster
• Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average

If passwords were random
• Assume six-character password
  – Upper- and lowercase letters, digits, 32 punctuation characters
  – 689,869,781,056 password combinations.
  – Exhaustive search requires 1,093 years on average

Salt

Unix password line

walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh

[Diagram: 25x DES; labels: Input, Salt, Key, Constant, Plaintext, Ciphertext, Compare]

When password is set, salt is chosen randomly

Advantages of salt

Without salt
• Same hash functions on all machines
  – Compute hash of all common strings once
  – Compare hash file with all known password files

With salt
• One password hashed 2^12 different ways
  – Precompute hash file?
    • Need much larger file to cover all common strings
  – Dictionary attack on known password file
    • For each salt found in file, try all common strings

Web Authentication

Problems
• Network sniffing
• Malicious or weak-security website
  – Phishing
  – Common password problem
  – Pharming – DNS compromise
• Malware on client machine
  – Spyware
  – Session hijacking, fabricated transactions

[Diagram: Browser and Server exchanging password and cookie; annotation: next few slides]

Password Phishing Problem

• User cannot reliably identify fake sites
• Captured password can be used at target site

[Diagram: pwdA goes to Fake Site; pwdA is then used at Bank A]

Common Password Problem

Phishing attack or break-in at site B reveals pwd at A
• Server-side solutions will not keep pwd safe
• Solution: Strengthen with client-side support

[Diagram: Bank A (high security site) receives pwdA; Site B (low security site) receives pwdB = pwdA]

Defense: Password Hashing

Generate a unique password per site
• HMAC_fido:123(banka.com) → Q7a+0ekEXb
• HMAC_fido:123(siteb.com) → OzX2+ICiqc

Hashed password is not usable at any other site
• Protects against password phishing
• Protects against common password problem

[Diagram: pwdA = pwdB; Bank A receives hash(pwdA, BankA); Site B receives hash(pwdB, SiteB)]

Defense: SpyBlock

Authentication agent communicates through browser agent

Authentication agent communicates directly to web site

SpyBlock protection

password in trusted client environment

better password-based authentication protocols

trusted environment confirms site transactions

server support required

Goals for password protocol

Authentication relies on password
• User can remember password, use anywhere
• No additional client-side certificates, etc.

Protect against attacks
• Network does not carry cleartext passwords
• Malicious user cannot do offline dictionary attack
• Malicious server (as in phishing) does not learn password from communication with honest user

Simple approach

Send hashed passwords

Does this “work”?
• Good points?
• Bad points?

[Diagram: Browser and Server, with messages hash(pwd|0) and hash(pwd|1)]

“Interlock” password protocols

(Set-up Phase) Password p known to both parties

(Key Exchange Phase)
A → B: g^x
B → A: g^y
k = g^xy or some function of g^xy

(Authentication Phase)
A → B: mac_k(p, r) for random r
B → A: mac_k(p, s), enc_k(s) for random s
A → B: enc_k(r)

[Rivest, Shamir, Bellovin, Merritt, … Pederson, Ellison]

ESP-KE key exchange protocol

Prime p and generators , β known

Generate random a Generate random b

A= a / βP mod p B= b mod p

Messages: A, B. If A = 0, abort.

k = B^a mod p (side holding a); k = (A β^P)^b mod p (side holding b)

M_b = H(0,k,P); M_b is sent

If H(0,k,P) ≠ M_b, abort

M_a = H(1,k,P); M_a is sent

If H(1,k,P) ≠ M_a, abort

[M Scott]

SRP protocol

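(Set-up Phase)
Carol chooses password P
Steve chooses s, computes x = H(s, P) and v = g^x

(Key Exchange Phase)
Carol sends C; Bob looks up s, v
Carol receives s; computes x = H(s, P)
Carol computes A = g^a; sends A
Carol receives B, u, where B = v + g^b and u is random
Carol computes S = (B − g^x)^(a+ux); the other side computes S = (A v^u)^b
Carol computes M1 = H(A,B,S); sends M1; the other side verifies M1
Carol receives M2 = H(A,M1,S); verifies M2
Both sides: Key = H(S)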

[Wu]
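
The exchange on the SRP slide, run end to end with both sides inside one function, as an added example that is not part of the original slides or of any SRP implementation. The group (N = 2^521 − 1, g = 3), SHA-256 as H, the server-side check on A, and the names `enroll`, `login` and `to_int` are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed demo group (not from the slides): Mersenne prime 2^521 - 1, g = 3.
# Chosen only so the example is self-contained; it is not a vetted SRP group.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts (non-negative ints, str or bytes)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def to_int(digest):
    return int.from_bytes(digest, "big")

def enroll(password):
    """Set-up: the server keeps salt s and verifier v = g^x, not the password."""
    s = secrets.token_bytes(16)
    return s, pow(g, to_int(H(s, password)), N)

def login(stored, typed_password):
    """One run; returns (server_accepts, client_accepts, client_key, server_key)."""
    s, v = stored
    a = secrets.randbelow(N - 2) + 1             # client secret
    A = pow(g, a, N)                             # client -> server: A
    if A % N == 0:                               # server rejects a degenerate A
        raise ValueError("invalid A")
    b = secrets.randbelow(N - 2) + 1             # server secret
    B = (v + pow(g, b, N)) % N                   # server -> client: s, B, u
    u = secrets.randbelow(2**32 - 1) + 1         # random nonzero u
    x = to_int(H(s, typed_password))             # client recomputes x from s
    S_client = pow((B - pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    M1 = H(A, B, S_client)                       # client -> server: M1
    accepts = hmac.compare_digest(M1, H(A, B, S_server))
    M2 = H(A, M1, S_server) if accepts else None # server -> client: M2
    client_ok = accepts and hmac.compare_digest(M2, H(A, M1, S_client))
    return accepts, client_ok, H(S_client), H(S_server)
```

With the wrong password the client's S differs from the server's, so M1 fails verification and the server never sends M2; the password and x never cross the wire in either case.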

CMU “Phoolproof” proposal

• Eliminates reliance on perfect user behavior
• Protects against keyloggers, spyware.
• Uses a trusted mobile device to perform mutual authentication with the server

[Diagram label: password?]
