King Mongkut’s University of Technology
Network Security
8. Password Authentication Methods
Prof. Reuven Aviv, Jan. 2009
Password Authentication 1
Contents
• Local Authentication (User at a PC)
• User authentication over a network
• One time password
• Strong password authentication
Prof. Reuven Aviv, Dec. 2006
Local Authentication of User (Using Passwords)
[Figure: User authentication on local PC. The User's password (kiwifruit) goes through a hash function and the result is compared with the entries of the Password file (exrygbzyf, kgnosfix, ggjoklbsz, …).]
User authentication to local PC
• Setup
– User chooses password
– What is stored in the password file?
• Authentication
– User logs into system, supplies password
– PC computes hash, compares to file
• Dictionary attacks
– Online: guess a password, try to log in
– Offline: copy set of passwd files, guess passwds
Dictionary Attacks – some numbers
• Typical password dictionary: ???? entries
– names, pet names, … ordinary words.
• Suppose you generate & analyze 10 guesses/sec
– reasonable for online; offline is much faster
– at most 100,000 sec = 28 hours; average 14 hrs
• BUT: If passwords were random
– Assume six-character password – all possible printable chars: how many?
• 689,869,781,056 password combinations
– Exhaustive search: 1,093 years on average
Authenticating a User/Client Over a Network Using Passwords
1. Simple password authentication over a network
• User sits at a PC; trustworthy Client software
• User and Authentication Server share password
– W = hash(password) stored in server
• Authentication Server authenticates client
• How?
• Client sends Username, W = hash(password)
– Server compares W with stored W
• What can an attacker do?
Attacks on simple password authentication
• 1. W might be sniffed by attacker, or
• 2. DB of Server stolen/copied by attacker, or
• 3. M.I.M (what is that?)
• Server & User impersonated by attacker
• In all cases: attacker learns W
• Then it does a dictionary attack (meaning?)
• Try a password, then try W = hash(password)
– Compare with the W it learned
Method 2: Passwd + Anonymous Diffie Hellman
• Client & Server create shared secret, K
– Sides agree on g, p
– Sides calculate random private keys a and b
– Sides exchange $g^a \bmod p$, $g^b \bmod p$
– Sides calculate $K = g^{ab} \bmod p$
• Client sends password encrypted by K (why?)
• Server decrypts password
– Calculates its hash, compares with stored W
Method 2: Using Anonymous Diffie Hellman
Client → Server: $g^a \bmod p$
Server → Client: $g^b \bmod p$
Both sides: $K = g^{ab} \bmod p$
Client → Server: Username, K{password}
What can an attacker do?
Attacking method 2
• K cannot be learned by sniffing (why not?)
• Hence attacker can’t find passwd by offline dictionary attack
• M.I.M: Attacker impersonates the Auth Server
– Sending its DH parameters as if it is the Server
– Hence learns K (how?)
– Then dictionary attack on K{password} (how?)
• Try a password, then K{password}
Method 3: Passwd + Server’s certificate
• Server sends its Certificate to Client
– Client verifies server’s certificate (how?)
• Client sends Username & $E_{KU}$(passwd)
– password encrypted by server’s public key (why?)
• Server decrypts password, then:
– Server calculates hash of password
– compares with value stored in its database, W
• Note: Client needs a list of trusted CAs (why?)
Method 3
Server → Client: Certificate(Server, KU)
Client → Server: Username, $E_{KU}${password}
What can an attacker do?
Attacking method 3:
• Attacker can sniff the encrypted password
– then do an offline dictionary attack
• Try a password, then $E_{KU}${password}
• Since KU is known to attacker
• Attacker can steal/copy Server DB, learn W
– then do an offline dictionary attack
• Try a password, then W = hash(password)
• Attacker cannot do M.I.M (why?)
Method 4: Passwd + Challenge Response
• Server sends a random challenge, R, to client.
• Client gets password from User, calculates W
• Client encrypts R with f(W) as a key: f(W){R}
– Using an agreed f(W)
– Client sends Username and the f(W){R}
• Server calculates f(W), decrypts R
– Compares with the value it sent
Method 4
Server → Client: R (random number)
Client → Server: Username, f(W){R}
What can an attacker do?
Attack method 4
• Attacker might sniff
– get both messages (R and f(W){R})
• M.I.M: attacker impersonates the server
• In both cases, R is known to attacker
– Password is found via dictionary attack
• Try a password, then W, then f(W){R}
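Method 4 and its weakness, as an added Python example that is not part of the original slides. HMAC-SHA256 keyed with f(W) stands in for encrypting R, and the construction of f, the account name and the password are constructed for the example. `matches_transcript` shows why the observed pair (R, f(W){R}) is enough to check a password guess without contacting the server.

```python
import hashlib
import hmac
import os

def W(password: str) -> bytes:
    """W = hash(password), the value the server stores."""
    return hashlib.sha256(password.encode()).digest()

def f(w: bytes) -> bytes:
    """Agreed f(W) turning W into a key (this construction is an assumption)."""
    return hashlib.sha256(b"method4-key" + w).digest()

def respond(w: bytes, R: bytes) -> bytes:
    """Stand-in for f(W){R}: HMAC-SHA256 of R under f(W) instead of encryption."""
    return hmac.new(f(w), R, hashlib.sha256).digest()

class Server:
    def __init__(self, db):
        self.db = db          # username -> W
        self.pending = {}     # username -> outstanding challenge R

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(16)
        return self.pending[user]

    def verify(self, user: str, answer: bytes) -> bool:
        R = self.pending.pop(user, None)   # each R is accepted only once
        if R is None or user not in self.db:
            return False
        return hmac.compare_digest(answer, respond(self.db[user], R))

def matches_transcript(R: bytes, answer: bytes, candidate: str) -> bool:
    """True if `candidate` reproduces the observed answer; no server is involved."""
    return hmac.compare_digest(answer, respond(W(candidate), R))

def run_exchange():
    server = Server({"alice": W("kiwifruit")})   # constructed sample account
    R = server.challenge("alice")                 # Server -> Client: R
    answer = respond(W("kiwifruit"), R)           # Client -> Server: f(W){R}
    return server, R, answer
```

Because the check in `matches_transcript` needs nothing but the two sniffed messages, rate limiting and lockout on the server do not slow it down.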
One Time Password
Lamport Hash – One time password
• Fast, no encryption. Implemented (S/Key)
• Sniffing or stealing server’s database does not enable impersonating the Client.
• User picks passwd, and n (≈1000)
– registers at Server using its Client software:
• calculates $\text{hash}^{n}(\text{passwd})$, sends to Server
– Server DB: [Username, n, $y = \text{hash}^{n}(\text{passwd})$]
Lamport hash: authenticating User by Server
• User provides its Client: Username, passwd
– Client sends Username, gets back current n
– Client sends $y_{n-1} = \text{hash}^{n-1}(\text{passwd})$
• Server: calculates hash($y_{n-1}$) (one more hash)
– compares with $y_n$ in DB. If OK, Client is authenticated
– decrements n to n-1
– Replaces current $y_n$ by $y_{n-1} = \text{hash}^{n-1}(\text{passwd})$
– Can attacker calculate $y_{n-1}$ from $y_n$?
Lamport Algorithm
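User → Client: passwd
Client → Server: UserName
Server → Client: n
Client calculates and sends to Server: $y_{n-1} = \text{hash}^{n-1}(\text{passwd})$
• Server knows [UserName, n, $y_n = \text{hash}^{n}(\text{passwd})$]
• Compares hash($y_{n-1}$) to $y_n$. If equal, replaces record with new [UserName, n-1, $y_{n-1} = \text{hash}^{n-1}(\text{passwd})$]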
Dictionary attack on Lamport hash
• Is that possible?
• Attacker will need to try all powers of hash (up to some number) on all dictionary words as password
• Feasible. Why?
• Hashing is quite fast (unlike encryption)
• Note: if attacker knows $y_m$, he knows $y_n$, for n>m
• How can we increase the number of guesses?
Enhanced Lamport Hash: Salt
• User picks a passwd. Client creates extended password with random salt: Expass = passwd|salt
• Lamport algorithm is then used with Expass
• Dictionary attack now not feasible (why not?)
• Expass is any string, not a dictionary word
• User can use same passwd on different Servers
– With different salts
• When n is 1, same passwd may be re-used for new registration, with different salt
• Who knows the salt?
Enhanced Lamport Algorithm
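User → Client: passwd
Client → Server: UserName
Server → Client: n, salt
Client calculates and sends to Server: $y_{n-1} = \text{hash}^{n-1}(\text{Expass})$
• Server knows [UserName, n, $y_n = \text{hash}^{n}(\text{Expass})$]
• Compares hash($y_{n-1}$) to $y_n$. If equal, replaces record with new [UserName, n-1, $y_{n-1} = \text{hash}^{n-1}(\text{Expass})$]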
Analysis of Lamport hash scheme
• Database at server can be stolen/copied
– Similar to certificate database
• Server is not authenticated to client
• (i.e. no mutual authentication)
– No shared secret was established (so what?)
• Data cannot be encrypted
• Attacker can impersonate User after Lamport authentication
Lamport authentication + session key
• 1. First Client is authenticated by Lamport hash
– Now Diffie Hellman to establish session key
– Attacker can replace client just in between
• 2. First Diffie Hellman, get session key
– Now Lamport hash to authenticate Client
• Lamport hash encrypted by session key
– Attacker can get in the middle during D.H.
• What is the source of the problem?
Lamport hash: the small n attack
• Attacker impersonates Server, waits for client
• Client connects, expecting n
– Attacker sends small m (and salt)
– m is a guess by attacker, hoping it is smaller than the current real n
– Attacker knows salt from previous sniffing
• Client sends $\text{hash}^{m-1}(\text{passwd})$
– attacker learns $\text{hash}^{m-1}(\text{passwd})$
• Attacker now impersonates the client
– he can calculate $\text{hash}^{n}(\text{passwd})$ for any n>m-1
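The enhanced Lamport exchange and the small n attack described above, as an added Python example that is not code from the slides. SHA-256 stands in for hash, and the class names, the 16-byte salt and the client-side `floor` record are assumptions of this sketch; `floor` is one way for trusted client software to refuse an unexpectedly small n.

```python
import hashlib
import hmac
import os

def hash_n(secret: bytes, n: int) -> bytes:
    """hash^n(secret): apply SHA-256 n times (SHA-256 is an assumption)."""
    for _ in range(n):
        secret = hashlib.sha256(secret).digest()
    return secret

class Server:
    """Stores [n, salt, y_n = hash^n(Expass)] per user, never the password."""
    def __init__(self):
        self.db = {}

    def register(self, user, n, salt, y_n):
        self.db[user] = (n, salt, y_n)

    def challenge(self, user):
        n, salt, _ = self.db[user]
        return n, salt

    def verify(self, user, y_prev):
        n, salt, y_n = self.db[user]
        # At n == 1 the chain is used up and the user must register again.
        if n <= 1 or not hmac.compare_digest(hash_n(y_prev, 1), y_n):
            return False
        self.db[user] = (n - 1, salt, y_prev)  # replace record with y_{n-1}
        return True

class Client:
    """Trusted client; `floor` (hypothetical) is the lowest n answered so far."""
    def __init__(self, passwd):
        self.passwd = passwd.encode()
        self.floor = None

    def enroll(self, server, user, n):
        salt = os.urandom(16)  # random per-server salt
        server.register(user, n, salt, hash_n(self.passwd + salt, n))
        self.floor = n + 1

    def respond(self, n, salt):
        # Answering a small m would hand out hash^(m-1), from which every
        # later one-time value follows, so refuse an n that skips ahead.
        if n < self.floor - 1:
            raise ValueError("challenge n is smaller than expected")
        self.floor = min(self.floor, n)
        return hash_n(self.passwd + salt, n - 1)
```

A replayed value fails in `verify` because the stored record has already moved from $y_n$ to $y_{n-1}$, and hashing the replayed $y_{n-1}$ yields $y_n$ again.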
Using OTP (Lamport hash) in Internet cafe
• Assume PC does not calculate hash
– The PC does not have the appropriate client
– The PC is public, not trusted
• $\text{hash}^{i}(\text{passwd})$, for all i<n, stored in server
– Also encoded as typeable strings
– Strings printed on paper
• given to User before travel
– User logs in: decrease n, send corresponding string, cross that line off the paper
– Small n attack not possible
Strong Password Protocols
Strong Password Protocols: Design goal
• An attacker who listens to authentication exchanges, or impersonates either end, would not have enough information to do off-line verification of password guesses
• Observing any number of exchanges would not help the attacker
• An attacker impersonating one end will be able to do a single on-line password guess
– Unavoidable
• (Several on-line guess failures create an alarm)
Basic Form of Strong Password Protocol
• Encrypted Key Exchange (EKE)
• Client has passwd; Server has W= hash(passwd)
• 1. Do Diffie Hellman to get strong, shared secret
– Each side calculates x, $g^x \bmod p$
• 2. Sides exchange their $g^x \bmod p$, encrypted by W
• 3. Incorporate challenge response together with the D.H. exchanges
EKE Protocol
Client → Server: “UserName”, W{$g^a \bmod p$}
Server → Client: W{$g^b \bmod p$, C1}
Both sides: $K = g^{ab} \bmod p$
Client → Server: K{C1, C2}
Server → Client: K{C2}
Can an attacker guess W?
Attack on EKE
• 1. Attacker listens; tries to guess W offline
– decrypting with a guessed W gives random-looking numbers; can’t identify the correct W
• 2. Attacker impersonates one side
– can try 1 guess only; needs to guess W and D.H. parameters. Extremely unlikely
• 3. Attacker steals/copies Server database, gets W
– Attacker does dictionary attack to find password
• Enhancement: make g(W), p(W) depend on W
• Server stores $g^W \bmod p$, not W.