cit 380: securing computer systemsslide #1 cit 380: securing computer systems passwords
TRANSCRIPT
CIT 380: Securing Computer Systems Slide #2
Topics
1. Password Systems
2. Password Cracking
3. Hashing and Salting
4. Password Selection
5. Graphical Passwords
6. One-time Passwords
CIT 380: Securing Computer Systems Slide #3
Authentication System
A: set of authentication information– information used by entities to prove identity
C: set of complementary information– information stored by system to validate A
F: set of complementation functions f : A → C– generate C from A
L: set of authentication functions l: A C→{T,F}– verify identity
S: set of selection functions– enable entity to create or alter A or C
CIT 380: Securing Computer Systems Slide #4
Password System Example
User authenticates with 8-character alphanumeric password.
System compares against stored cleartext password.
A = [A-Za-z0-9]{8}C = AF = { I }L = { = }
Not a system that anyone should actually use.
CIT 380: Securing Computer Systems Slide #5
Biometric System Example
User authenticates with fingerprint.
System compares w/ digital fingerprint template.
A = { user fingerprints }
C = { digital fingerprint templates }
F = { fingerprint reader + analog->digital }
L = { tunable similarity function }
CIT 380: Securing Computer Systems Slide #6
Passwords
What you know
Sequence of characters
Complementation Function– Identity: requires access control to protect C– One-way Hash
• easy to compute c = f(a)
• difficult to compute a = f-1(c)
CIT 380: Securing Computer Systems Slide #7
Classic UNIX Passwords
Format: Up to 8 ASCII characters– A contains 6.9 x 1016 possible passwords– C contains crypt hashes, strings of length 13
chosen from alphabet of 64 characters, 3.0 x 1023 strings
Storage– /etc/passwd (0644) was traditionally used
– /etc/shadow (0600) in modern systems
CIT 380: Securing Computer Systems Slide #8
Password CrackingGet Hashed Password pwhash
word = Next word from list
wordhash = Hash(word)
wordhash == pwhash
False
True
word is pw
List of potentialpasswords.
CIT 380: Securing Computer Systems Slide #9
Cracking Methods
1. List of common passwords2. List of English/foreign words3. Permutation rules
– Substitute numbers/symbols for letters– Change case, pluralize, reverse words,
character shifts, digit/symbol prefix/postfix,joining words
4. Brute force– All possible passwords
CIT 380: Securing Computer Systems Slide #10
Making Password Guessing Easier
Web sites will e-mail you password if you answer a simple “secret” question:
1. What is your favorite color?
2. What is your pet’s name?
3. What is your mother’s maiden name?
Violation of fail-safe defaults
Failover to less secure protocol.
How many favorite colors are there?
CIT 380: Securing Computer Systems Slide #11
Countering Password Guessing
Choose A, C, and F to select suitably low probability P(T) of guessing in time T.
P(T) TG / N– G is number of guess per time unit T– T is number of time units in attack– N is number of possible passwords
CIT 380: Securing Computer Systems Slide #12
Calculating Minimum Password Length
Password System– There are 96 allowable characters in password.– System allows 106 guesses/second.– Requirement: probablility of success guess should be 0.5
over 365-day period.What should the minimum password length be?
– N >= TG/P– N >= (365 x 24 x 60 x 60) x 106 / 0.5 = 6.31 x 1013
– N = 96i, where i ranges from 1 to length of password
– 96i >= N = 6.31 x 1013 is true when largest i >= 8– The minimum required password length is 8.
CIT 380: Securing Computer Systems Slide #13
UNIX Password Hashing
crypt() function used for hashing– DES encrypts 64-bit block of 0s (25 rounds)
using your password for the key.• Modified DES incompatible with DES hardware
cracking tools.
– Limited to 8 characters or less.– If limited to 95 printable characters, only 253
possible passwords.– How to resist dictionary attacks? Salting
CIT 380: Securing Computer Systems Slide #14
Salting
Adds a 2-character (12-bit) random, public data to password to create key.
Any word may be encrypted in 4096 possible ways (i.e., there are 4096 f F).– Your password always uses same salt.
– Someone else with same password (a) probably has different salt, and thus different c = f(a).
Number of possible keys increased to 266
– Too small for today; modern UNIX doesn’t use crypt.
CIT 380: Securing Computer Systems Slide #15
Salting (cont.)
Prevents pre-calculated dictionary attack– 266 passwords requires millions of terabytes
crypt() 218 passwords/second– Brute force would require 8000 machines for 48
days.
CIT 380: Securing Computer Systems Slide #16
Modern UNIX Passwords
• Format: long ASCII string
• Hashing techniques:– MD5 (unlimited length, 12-48 bit salt)– SHA1 (unlimited length, 12-48 bit salt)– Bcrypt (55 chars, 128-bit salt, adjustable cost)
CIT 380: Securing Computer Systems Slide #17
Windows 2000/XP Passwords
Storage– %systemroot%\system32\config\sam– locked while NT running
– %systemroot%\repair\sam_ backup file
– may be accessible via remote registry calls
Format– LAN Manager (LM) Hash
– NT (MD4) Hash
CIT 380: Securing Computer Systems Slide #18
Windows LM Hash Algorithm
1. Password fitted to 14 character length by truncating or padding with 0s.
2. Password converted to upper case.3. Password divided into two 7-byte halves. 4. Each half used as DES key to encrypt same
8-byte constant.5. Resultant strings merged to form a 16-byte
hash value.
CIT 380: Securing Computer Systems Slide #19
Windows LM Hash Problems
Last 8 bytes of c known if password < 7 chars.Dividing password into halves reducing problem of
breaking 14-character password to breaking two 7-character passwords.
Conversion to upper case reduces character set.Dictionary of password hashes can be prebuilt
– Number of possible passwords much smaller than DES space.
– No salt is used.
CIT 380: Securing Computer Systems Slide #20
Windows NT Hash
Converts to Unicode, MD4 hashes result
Caveat: Often used in conjunction with LM hash, which is required for backwards compatibility.
No salt: identical passwords generate identical hashes.
CIT 380: Securing Computer Systems Slide #21
Password Selection
1. Random Selection
2. Pronounceable Passwords
3. User Selection
CIT 380: Securing Computer Systems Slide #22
Random Selection
Yields equal distribution of passwords for maximum difficulty in cracking– What about short passwords?
Random passwords aren’t easy to remember– Short term memory holds 7 +/- 2 items– People have multiple passwords– Principle of Psychological Acceptability
Requires a good PRNG
CIT 380: Securing Computer Systems Slide #23
Random Selection (Bad)Example
PDP-11 password generator– 16-bit machine
– 8 upper-case letters and digits
– |P| = 368 = 2.8 x 1012
– At 0.00156 sec/encryption, 140 years to brute force
PRNG had period of 216 – 1– Only 65,535 possible passwords
– Requires 102 seconds to try all passwords
CIT 380: Securing Computer Systems Slide #24
Pronounceable Passwords
Generate passwords from random phonemes instead of random characters.– People can remember password as sequence of
audible phonemes instead of characters, allowing easy recall of longer passwords.
– Fewer pronounceable passwords exist than random passwords.
CIT 380: Securing Computer Systems Slide #25
User Selection
Allow users to choose passwords.
Reject insecure passwords based on ruleset:1. Based on account, user, or host names2. Dictionary words3. Permuted dictionary words4. Patterns from keyboard5. Shorter than 6 characters6. Digits, lowercase, or uppercase only passwords7. License plates or acronyms8. Based on previously used passwords
CIT 380: Securing Computer Systems Slide #27
Bad Passwords• 123456• letmein• password• 12345678• dragon• qwerty• michael• 654321• harley• ranger• iwantu• xxxxxxx• turtle• united
• porsche• guitar• black• diamond• nascar• jun0389• 06031989• amanda• phoenix• mickey• tigers• purple• xmen94• aaaaaa
• prince• beach• amateur• ncc1701• tennis• startrek• swimming• kitty• rainbox• 112233• 232323• giants• enter• 0• cupcake
• 8675309• marlboro• newyork• diablo• sexsex• access14• abgrtyu• 123123• dragon123• applepie• 31415926• 99skip• just4fun• xcvb• typewriter
CIT 380: Securing Computer Systems Slide #28
How to Select Good Passwords
1. Long passwords, consisting of multiple words..Use nth letter of each word if phrase too long.
2. Themes:1. Word combinations: 3 blind katz
2. E-mail or URL: [email protected]
3. Phone number: (888) 888-eight eight
4. Bracketing: Starfleet -> *!-Starfleet-!*
5. Add a word: shopping -> Goin’ shopping
6. Repetition: Pirate--PirateShip
7. Letter swapping: Sour Grape -> Gour Srape
CIT 380: Securing Computer Systems Slide #29
Guessing via Authentication Fns
If complements not accessible, attacker must use authentication functions.
Cannot be prevented.
Increase difficulty of auth function attack:Backoff: increasing wait before reprompting.
Disconnection: disconnect after n failures.
Disabling: disable account after n failures.
Jailing: permit access to limited system, so admins can observe attacker.
CIT 380: Securing Computer Systems Slide #30
Password AgingRequirement that password be changed after a period of time or after an event has occurredIf expected time to guess is 180 days, should change password more frequently than 180 days
1. If change time too short, users have difficulty recalling passwords.
2. Cannot allow users to change password to current one.3. Also prevent users from changing passwords too soon.4. Give notice of impending password change requirement.
CIT 380: Securing Computer Systems Slide #31
Graphical Passwords• Face Scheme: Password is sequence of faces, each chosen
from a grid of 9 faces.• Story Scheme: Password is sequence of images, each
chosen from a grid of 9, to form a story.
CIT 380: Securing Computer Systems Slide #32
Challenge-Response
Problem: passwords are reusable, and thus subject to replay attacks.
Solution: authenticate in such a way that the transmitted password changes each time.
CIT 380: Securing Computer Systems Slide #33
One-Time Passwords
A password that’s invalidated once used.
Challenge: number of auth attemptResponse: one-time password
Problems– Generation of one-time passwords
• Use hash or crytographic function
– Synchronization of the user and the system• Number or timestamp passwords
CIT 380: Securing Computer Systems Slide #34
S/Key
One-time password system based on a hash function h (MD4 or MD5).
User initializes with random seed k.
Key generator calculates:
h(k) = k1, h(k1) = k2, …, h(kn-1) = kn
Passwords, in order used, are
p1 = kn, p2 = kn-1, …, pn-1= k2, pn= k1
CIT 380: Securing Computer Systems Slide #35
S/Key
Attacker cannot derive pi+1 from pi since
pi = kn-i+1, pi+1 = kn-i, and h(kn-i) = kn-i+1
which would require inverting h.
Once user has used all passwords, S/Key must be re-initialized with a new seed.
CIT 380: Securing Computer Systems Slide #36
S/Key Login
1. User supplies account name to server
2. Server replies with number i stored in skeykeys file
3. User supplies corresponding password pi
4. Server computes h(pi) = h(kn-i+1) = kn-i+2 = pi-1 and compares result with stored password. If match, user is authenticated and S/Key updates number in skeykeys file to i-1 and stores pi
CIT 380: Securing Computer Systems Slide #37
S/Key Login
FreeBSD/i386 (example.com) (ttypa) login: <username> s/key 97 fw13894 Password:
Use S/Key calculator on local system to calculate response:
% key 97 fw13894 Enter secret password: WELD LIP ACTS ENDS ME HAAG
CIT 380: Securing Computer Systems Slide #38
Other One Time Password Systems
Software: OPIE– Backwards compatible with S/Key (if same hash
used).
Hardware: RSA SecurID card– Displayed password changes every 60sec.– Password = constant password + SecurID
CIT 380: Securing Computer Systems Slide #39
Key Points
• Good passwords need to be– Complex– Unique– Secret– Changed on a regular basis
• Stored passwords are secured via– Hashing (crypt, MD5, SHA1, bcrypt)– Salting
• One-time passwords offer greater security.
CIT 380: Securing Computer Systems Slide #40
References1. Ross Anderson, Security Engineering, Wiley, 2001.2. Matt Bishop, Introduction to Computer Security, Addison-Wesley,
2005.3. Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress,
2006.4. Lorie Faith Cranor and Simson Garfinkel, Security and Usability,
O’Reilly, 2005.5. Cynthia Kuo et. al., “Human Selection of Mnemonic Phrase-based
Passwords,” SOUPS 2006, http://cups.cs.cmu.edu/soups/2006/proceedings/p67_kuo.pdf, 2006.
6. Neils Provos and David Mazieres, “A Future-Adaptable Password Scheme,” http://www.openbsd.org/papers/bcrypt-paper.pdf, 2006.
7. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.8. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical
UNIX and Internet Security, 3/e O’Reilly, 2003.