![Page 1: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/1.jpg)
Password Authentication
J. Mitchell
CS 259
![Page 2: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/2.jpg)
Password fileUser
exrygbzyf kgnosfix ggjoklbsz … …
kiwifruit
hash function
![Page 3: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/3.jpg)
Basic password authentication
Setup• User chooses password• Hash of password stored in password file
Authentication• User logs into system, supplies password• System computes hash, compares to file
Attacks• Online dictionary attack
– Guess passwords and try to log in• Offline dictionary attack
– Steal password file, try to find p with hash(p) in file
![Page 4: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/4.jpg)
Dictionary Attack – some numbers
Typical password dictionary • 1,000,000 entries of common passwords
– people's names, common pet names, and ordinary words.
• Suppose you generate and analyze 10 guesses per second– This may be reasonable for a web site; offline is much faster
• Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
If passwords were random• Assume six-character password
– Upper- and lowercase letters, digits, 32 punctuation characters– 689,869,781,056 password combinations.– Exhaustive search requires 1,093 years on average
![Page 5: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/5.jpg)
Salt
Unix password linewalt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
25x DES
InputSalt
KeyConstant
Plaintext
Ciphertext
Compare
When password is set, salt is chosen randomly
![Page 6: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/6.jpg)
Advantages of salt
Without salt• Same hash functions on all machines
– Compute hash of all common strings once– Compare hash file with all known password files
With salt• One password hashed 212 different ways
– Precompute hash file?• Need much larger file to cover all common strings
– Dictionary attack on known password file• For each salt found in file, try all common strings
![Page 7: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/7.jpg)
Web Authentication
Problems• Network sniffing• Malicious or weak-security website
– Phishing– Common password problem– Pharming – DNS compromise
• Malware on client machine– Spyware– Session hijacking, fabricated transactions
BrowserServer
password
cookie
next few slides
![Page 8: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/8.jpg)
Password Phishing Problem
User cannot reliably identify fake sites Captured password can be used at target site
Bank A
Fake Site
pwdApwdA
![Page 9: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/9.jpg)
Common Password Problem
Phishing attack or break-in at site B reveals pwd at A• Server-side solutions will not keep pwd safe• Solution: Strengthen with client-side support
Bank A
low security site
high security site
pwdA
pwdB
= pwdA
Site B
![Page 10: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/10.jpg)
Defense: Password Hashing
Generate a unique password per site• HMACfido:123(banka.com) Q7a+0ekEXb• HMACfido:123(siteb.com) OzX2+ICiqc
Hashed password is not usable at any other site • Protects against password phishing• Protects against common password problem
Bank A
hash(pwdB, SiteB)
hash(pwdA, BankA)
Site B
pwdA
pwdB
=
![Page 11: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/11.jpg)
Defense: SpyBlock
![Page 12: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/12.jpg)
Defense: SpyBlock
Authentication agent communicates
through browser agent
Authentication agent communicates
directly to web site
![Page 13: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/13.jpg)
SpyBlock protection
password in trusted client environment
better password-based authentication protocols
trusted environment confirms site transactions
server support require
d
![Page 14: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/14.jpg)
Goals for password protocol
Authentication relies on password• User can remember password, use anywhere• No additional client-side certificates, etc.
Protect against attacks• Network does not carry cleartext passwords• Malicious user cannot do offline dictionary
attack• Malicious server (as in phishing) does not
learn password from communication with honest user
![Page 15: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/15.jpg)
Simple approach
Send hashed passwords
Does this “work”?• Good points?• Bad points?
BrowserServer
hash(pwd|0)
hash(pwd|1)
![Page 16: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/16.jpg)
“Interlock” password protocols
(Set-up Phase) Password p known to both parties
(Key Exchange Phase)A B gx B A gy k = gxy or some function of gxy
(Authentication Phase)A B mack(p, r) for random rB A mack(p, s), enck(s) for random sA B enck(r)
[Rivest, Shamir, Bellovin, Merrit, … Pederson, Ellison]
![Page 17: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/17.jpg)
ESP-KE key exchange protocol
Prime p and generators , β known
Generate random a Generate random b
A= a / βP mod p B= b mod p
A B If A=0 Abort
k = Ba mod p k = (A βP)b mod p
Mb=H(0,k,P)
Mb
If H(0,k,P) ≠ Mb Abort
Ma = H(1,k,P) Ma
If H(1,k,P) ≠ Ma Abort
[M Scott]
![Page 18: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/18.jpg)
SRP protocol
(Set-up Phase) Carol chooses password P
Steve chooses s, computes x = H(s, P) and v = gx (Key Exchange Phase) C Bob looks up s, v
x = H(s, P) s
A = ga A
B,u B = v + gb, random u
S = (B - gx) (a+ux) S = (Avu)b
M1 = H(A,B,S) M1 verify M1
verify M2 M2 M2 = H(A,M1,S)
Key = H(S) Key = H(S)
[Wu]
![Page 19: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/19.jpg)
CMU “Phoolproof” proposal
Eliminates reliance on perfect user behavior Protects against keyloggers, spyware. Uses a trusted mobile device to perform
mutual authentication with the server
password?
![Page 20: Password Authentication J. Mitchell CS 259. Password fileUser exrygbzyf kgnosfix ggjoklbsz … kiwifruit hash function](https://reader030.vdocuments.net/reader030/viewer/2022032600/56649d965503460f94a7ea13/html5/thumbnails/20.jpg)