Chapter 11: Authentication
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
BasicsPasswordsChallenge-ResponseBiometricsLocationMultiple Methods
Overview
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
BasicsPasswordsStorageSelectionBreaking themOther methodsMultiple methods
Basics
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Authentication: binding of identity to subjectIdentity is that of external entity (my identity, Matt,etc.)Subject is computer entity (process,etc.)
Establishing Identity
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
One or more of the followingWhat entity knows (eg.password)What entity has (eg.badge, smart card)What entity is (eg.fingerprints, retinal characteristics)Where entity is (eg. In front of a particular terminal)
Authentication System
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
(A,C,F,L,S)Ainformation that proves identityCinformation stored on computer and used to validate authentication informationFcomplementation function;f:ACLfunctions that prove identitySfunctions enabling entity to create, alter information inAorC
Example
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Password system, with passwords stored on line in clear textAset of strings making up passwordsC=AFsingleton set of identity function {I}Lsingle equality test function {eq}Sfunction to set/change password
Passwords
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Sequence of charactersExamples: 10 digits, a string of letters,etc.Generated randomly, by user, by computer with user inputSequence of wordsExamples: pass-phrasesAlgorithmsExamples: challenge-response, one-time passwords
Storage
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Store as cleartextIf password file compromised,allpasswords revealedEncipher fileNeed to have decipherment, encipherment keys in memoryReduces to previous problemStore one-way hash of passwordIf file read, attacker must still guess passwords or invert the hash
Example
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
UNIX system standard hash functionHashes password into 11 char string using one of 4096 hash functionsAs authentication system:A= { strings of 8 chars or less }C= { 2 char hash id || 11 char hash }F= { 4096 versions of modified DES }L= {login,su, … }S= {passwd,nispasswd,passwd+, … }
Anatomy of Attacking
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Goal: findaAsuch that:For somefF,f(a) =cCcis associated with entityTwo ways to determine whetherameets these requirements:Direct approach: as aboveIndirect approach: asl(a) succeeds ifff(a) =cCfor somecassociated with an entity, computel(a)
Preventing Attacks
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
How to prevent this:Hide one ofa,f, orcPrevents obvious attack from aboveExample: UNIX/Linux shadow password filesHidesc’sBlock access to alllLor result ofl(a)Prevents attacker from knowing if guess succeededExample: preventinganylogins to an account from a networkPrevents knowing results ofl(or accessingl)
Dictionary Attacks
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Trial-and-error from a list of potential passwordsOff-line: knowfandc’s, and repeatedly try different guessesgAuntil the list is done or passwords guessedExamples:crack,john-the-ripperOn-line: have access to functions inLand try guessesguntil somel(g) succeedsExamples: trying to log in by guessing a password
Using Time
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Anderson’s formula:Pprobability of guessing a password in specified period of timeGnumber of guesses tested in 1 time unitTnumber of time unitsNnumber of possible passwords (|A|)ThenP≥TG/N
Example
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
GoalPasswords drawn from a 96-char alphabetCan test 104guesses per secondProbability of a success to be 0.5 over a 365 day periodWhat is minimum password length?SolutionN≥TG/P= (365246060)104/0.5 = 6.311011Choosessuch thatsj=096j≥NSos≥ 6, meaning passwords must be at least 6 charslongAssumptions:Time required to test all passwords is the sameEach password is equally likely to selected
Impact of Bandwidth
November 1, 2004
Channel capacity: R bytes / minE = bytes for logging inS = length of password; A = number of characters in alphabetN = Number of possible passwords = ASG = Guesses per min = R/EM = months for guessing; T = M x 30 x 24 x 60 = 43,200 MP >= {43,200 M (R/E)}/ ASAS>= 43,200 MR/PE
Approaches: Password Selection
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Random selectionAny password fromAequally likely to be selectedPronounceable passwordsUser selection of passwords
Pronounceable Passwords
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Generate phonemes randomlyPhoneme is unit of sound, eg.cv,vc,cvc,vcvExamples: helgoret, juttelon are; przbqxdfl, zxrptglfn are notProblem: too fewSolution: key crunchingRun long key through hash function and convert to printable sequenceUse this sequence as password
User Selection
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Problem: people pick easy to guess passwordsBased on account names, user names, computer names, place namesDictionary words (also reversed, odd capitalizations, control characters, “elite-speak”, conjugations or declensions, swear words, Torah/Bible/Koran/… words)Too short, digits only, letters onlyLicense plates, acronyms, social security numbersPersonal characteristics or foibles (pet names, nicknames, job characteristics,etc.
Picking Good Passwords
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
“LlMm*2^Ap”Names of members of 2 families“OoHeO/FSK”Second letter of each word of length 4 or more in third line of third verse of Star-Spangled Banner, followed by “/”, followed by author’s initialsWhat’s good here may be bad there“DMC/MHmh” bad at Dartmouth (“DartmouthMedicalCenter/MaryHitchcockmemorialhospital”), ok hereWhy are these now bad passwords?
Proactive Password Checking
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Analyze proposed password for “goodness”Always invokedCan detect, reject bad passwords for an appropriate definition of “bad”Discriminate on per-user, per-site basisNeeds to do pattern matching on wordsNeeds to execute subprograms and use resultsSpell checker, for exampleEasy to set up and integrate into password selection system
Example: OPUS
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Goal: check passwords against large dictionaries quicklyRun each word of dictionary throughkdifferent hash functionsh1, …,hkproducing values less thannSet bitsh1, …,hkin OPUS dictionaryTo check new proposed word, generate bit vector and see ifallcorresponding bits setIf so, word is in one of the dictionaries to some degree of probabilityIf not, it is not in the dictionaries
Example:passwd+
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Provides little language to describe proactive checkingtest length(“$p”) < 6If password under 6 characters, reject ittest infile(“/usr/dict/words”, “$p”)If password in file /usr/dict/words, reject ittest !inprog(“spell”, “$p”, “$p”)If password not in the output from program spell, given the password as input, reject it (because it’s a properly spelled word)
Salting
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Goal: slow dictionary attacksMethod: perturb hash function so that:Parameter controlswhichhash function is usedParameter differs for each passwordSo givennpassword hashes, and thereforensalts, need to hash guessn
Examples
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Vanilla UNIX methodUse DES to encipher 0 message with password as key; iterate 25 timesPerturb E table in DES in one of 4096 ways12 bit salt flips entries 1–11 with entries 25–36Alternate methodsUse salt as first part of input to hash function
Guessing ThroughL
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Cannot prevent theseOtherwise, legitimate users cannot log inMake them slowBackoffDisconnectionDisablingBe very careful with administrative accounts!JailingAllow in, but restrict activities
Password Aging
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Force users to change passwords after some time has expiredHow do you force users not to re-use passwords?Record previous passwordsBlock changes for a period of timeGive users time to think of good passwordsDon’t force them to change before they can log inWarn them of expiration days in advance
Challenge-Response
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
User, system share a secret functionf(in practice,fis aknown function with unknown parameters, such as acryptographic key)
user
system
request to authenticate
user
system
random message r(the challenge)
user
system
f(r)(the response)
Pass Algorithms
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Challenge-response with the functionfitself a secretExample:Challenge is a random string of characters such as “abcdefg”, “ageksido”Response is some function of that string such as “bdf”, “gkip”Can alter algorithm based on ancillary informationNetwork connection is as above, dial-up might require “aceg”, “aesd”Usually used in conjunction with fixed, reusable password
One-Time Passwords
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Password that can be used exactlyonceAfter use, it is immediately invalidatedChallenge-response mechanismChallenge is number of authentications; response is password for that particular numberProblemsSynchronization of user, systemGeneration of good random passwordsPassword distribution problem
S/Key
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
One-time password scheme based on idea of Lamporthone-way hash function (MD5 or SHA-1, for example)User chooses initial seedkSystem calculates:h(k) =k1,h(k1) =k2, …,h(kn–1) =knPasswords are reverse order:p1=kn,p2=kn–1, …,pn–1=k2,pn=k1
S/Key Protocol
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
user
system
{name}
user
system
{i}
user
system
{pi}
System stores maximum number of authenticationsn, numberof next authenticationi, last correctly supplied passwordpi–1.
System computesh(pi) =h(kn–i+1) =kn–i=pi–1. If match withwhat is stored, system replacespi–1withpiand incrementsi.
Hardware Support
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Token-basedUsed to compute response to challengeMay encipher or hash challengeMay require PIN from userTemporally-basedEvery minute (or so) different number shownComputer knows what number to expect whenUser enters number and fixed password
C-R and Dictionary Attacks
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Same as for fixed passwordsAttacker knows challengerand responsef(r); iffencryption function, can try different keysMay only need to knowformof response; attacker can tell if guess correct by looking to see if deciphered object is of right formExample: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations
Encrypted Key Exchange
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Defeats off-line dictionary attacksIdea: random challenges enciphered, so attacker cannot verify correct decipherment of challengeAssume Alice, Bob share secret passwordsIn what follows, Alice needs to generate a random public keypand a corresponding private keyqAlso,kis a randomly generated session key, andRAandRBare random challenges
EKE Protocol
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Alice
Bob
Alice ||Es(p)
Alice
Bob
Es(Ep(k))
Now Alice, Bob share a randomly generatedsecret session keyk
Alice
Bob
Ek(RA)
Alice
Bob
Ek(RARB)
Alice
Bob
Ek(RB)
Biometrics
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Automated measurement of biological, behavioral features that identify a personFingerprints: optical or electrical techniquesMaps fingerprint into a graph, then compares with databaseMeasurements imprecise, so approximate matching algorithms usedVoices: speaker verification or recognitionVerification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent)Recognition: checks content of answers (speaker independent)
Other Characteristics
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Can use several other characteristicsEyes: patterns in irises uniqueMeasure patterns, determine if differences are random; or correlate images using statistical testsFaces: image, or specific characteristics like distance from nose to chinLighting, view of face, other noise can hinder thisKeystroke dynamics: believed to be uniqueKeystroke intervals, pressure, duration of stroke, where key is struckStatistical tests used
Cautions
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
These can be fooled!Assumes biometric device accuratein the environment it is being used in!Transmission of data to validator is tamperproof, correct
Location
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
If you know where user is, validate identity by seeing if person is where the user isRequires special-purpose hardware to locate userGPS (global positioning system) device gives location signature of entityHost uses LSS (location signature sensor) to get signature for entity
Multiple Methods
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Example: “where you are” also requires entity to have LSS and GPS, so also “what you have”Can assign different methods to different tasksAs users perform more and more sensitive tasks, must authenticate in more and more ways (presumably, more stringently) File describes authentication requiredAlso includes controls on access (time of day,etc.), resources, and requests to change passwordsPluggable Authentication Modules
PAM
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Idea: when program needs to authenticate, it checks central repository for methods to useLibrary call:pam_authenticateAccesses file with name of program in/etc/pam_dModules do authentication checkingsufficient: succeed if module succeedsrequired: fail if module fails, but all required modules executed before reporting failurerequisite: likerequired, but don’t check all modulesoptional: invoke only if all previous modules fail
Example PAM File
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
auth sufficient /usr/lib/pam_ftp.soauth required /usr/lib/pam_unix_auth.so use_first_passauth required /usr/lib/pam_listfile.so onerr=succeed \ item=user sense=deny file=/etc/ftpusersFor ftp:If user “anonymous”, return okay; if not, set PAM_AUTHTOK to password, PAM_RUSER to name, and failNow check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, failNow see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed
Key Points
November 1, 2004
Introduction to Computer Security©2004 Matt Bishop
Authentication is not cryptographyYou have to consider system componentsPasswords are here to stayThey provide a basis for most forms of authenticationProtocols are importantThey can make masquerading harderAuthentication methods can be combinedExample: PAM
0
Embed
Upload