Embed Size (px)
DESCRIPTION
CS 259. Password Authentication. J. Mitchell. Password file. User. kiwifruit. exrygbzyf kgnosfix ggjoklbsz … …. hash function. Basic password authentication. Setup User chooses password Hash of password stored in password file Authentication - PowerPoint PPT Presentation
Citation preview
Password Authentication
J. Mitchell
CS 259
Password fileUser
exrygbzyf kgnosfix ggjoklbsz … …
kiwifruit
hash function
Basic password authentication
Setup• User chooses password• Hash of password stored in password file
Authentication• User logs into system, supplies password• System computes hash, compares to file
Attacks• Online dictionary attack
– Guess passwords and try to log in• Offline dictionary attack
– Steal password file, try to find p with hash(p) in file
Dictionary Attack – some numbers
Typical password dictionary • 1,000,000 entries of common passwords
– people's names, common pet names, and ordinary words.
• Suppose you generate and analyze 10 guesses per second– This may be reasonable for a web site; offline is much faster
• Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
If passwords were random• Assume six-character password
– Upper- and lowercase letters, digits, 32 punctuation characters– 689,869,781,056 password combinations.– Exhaustive search requires 1,093 years on average
Salt
Unix password linewalt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
25x DES
InputSalt
KeyConstant
Plaintext
Ciphertext
Compare
When password is set, salt is chosen randomly
Advantages of salt
Without salt• Same hash functions on all machines
– Compute hash of all common strings once– Compare hash file with all known password files
With salt• One password hashed 212 different ways
– Precompute hash file?• Need much larger file to cover all common strings
– Dictionary attack on known password file• For each salt found in file, try all common strings
Web Authentication
Problems• Network sniffing• Malicious or weak-security website
– Phishing– Common password problem– Pharming – DNS compromise
• Malware on client machine– Spyware– Session hijacking, fabricated transactions
BrowserServer
password
cookie
next few slides
Password Phishing Problem
User cannot reliably identify fake sites Captured password can be used at target site
Bank A
Fake Site
pwdApwdA
Common Password Problem
Phishing attack or break-in at site B reveals pwd at A• Server-side solutions will not keep pwd safe• Solution: Strengthen with client-side support
Bank A
low security site
high security site
pwdA
pwdB
= pwdA
Site B
Defense: Password Hashing
Generate a unique password per site• HMACfido:123(banka.com) Q7a+0ekEXb• HMACfido:123(siteb.com) OzX2+ICiqc
Hashed password is not usable at any other site • Protects against password phishing• Protects against common password problem
Bank A
hash(pwdB, SiteB)
hash(pwdA, BankA)
Site B
pwdA
pwdB
=
Defense: SpyBlock
Defense: SpyBlock
Authentication agent communicates
through browser agent
Authentication agent communicates
directly to web site
SpyBlock protection
password in trusted client environment
better password-based authentication protocols
trusted environment confirms site transactions
server support require
d
Goals for password protocol
Authentication relies on password• User can remember password, use anywhere• No additional client-side certificates, etc.
Protect against attacks• Network does not carry cleartext passwords• Malicious user cannot do offline dictionary
attack• Malicious server (as in phishing) does not
learn password from communication with honest user
Simple approach
Send hashed passwords
Does this “work”?• Good points?• Bad points?
BrowserServer
hash(pwd|0)
hash(pwd|1)
“Interlock” password protocols
(Set-up Phase) Password p known to both parties
(Key Exchange Phase)A B gx B A gy k = gxy or some function of gxy
(Authentication Phase)A B mack(p, r) for random rB A mack(p, s), enck(s) for random sA B enck(r)
[Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]
ESP-KE key exchange protocol
Prime p and generators , β known
Generate random a Generate random b
A= a / βP mod p B= b mod p
A B If A=0 Abort
k = Ba mod p k = (A βP)b mod p
Mb=H(0,k,P)
Mb
If H(0,k,P) ≠ Mb Abort
Ma = H(1,k,P) Ma
If H(1,k,P) ≠ Ma Abort
[M Scott]
SRP protocol
(Set-up Phase) Carol chooses password P
Steve chooses s, computes x = H(s, P) and v = gx (Key Exchange Phase) C Bob looks up s, v
x = H(s, P) s
A = ga A
B,u B = v + gb, random u
S = (B - gx) (a+ux) S = (Avu)b
M1 = H(A,B,S) M1 verify M1
verify M2 M2 M2 = H(A,M1,S)
Key = H(S) Key = H(S)
[Wu]
CMU “Phoolproof” proposal
Eliminates reliance on perfect user behavior Protects against keyloggers, spyware. Uses a trusted mobile device to perform
mutual authentication with the server
password?
