network security fundamentals - university of michigancja/nsf13/lectures/netsec-04... ·...
TRANSCRIPT
Network Security Fundamentals
Security Training Course
Dr. Charles J. Antonelli The University of Michigan
2013
Network Security Fundamentals
Module 4 Password Strength & Cracking
Roadmap
• Password Authentication • How Passwords are Cracked • Countermeasures
04/13 cja 2013 3
Password Authentication
Password Representations
• UNIX DES “Hashes”
Old technology, but still around
• Linux Hashes
Salted SHA-512, SHA-256, MD5, Blowfish
• Mac OS X Hashes
Salted SHA-1
04/13 cja 2013 5
UNIX “Hash” Generation • Password length 8 characters or less • 7 bits of each character used to generate 56-bit key • Key used to encrypt a constant using a variation of the
DES algorithm
Key
MGoBlue1
Constant (0x00000000)
DES’
UNIX Hash zvktPWeeFzCVA
04/13 cja 2013 6
UNIX “Hash” Considerations
• It’s not a hash • Keyboard character set
Common alphanumeric set only Character variations ≈ 126
• Maximum entropy ≈ 6.3*1016 passwords • Salted
04/13 cja 2013 7
Linux Hash Generation
• Hash the password • Store it
SHA-512 Hash $6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKw!HekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/!
MGoBlue1
SHA-512
04/13 cja 2013 8
Linux Hash Considerations
• Keyboard character set Common alphanumeric set only Character variations ≈ 126
• Maximum length = 256 characters • Entropy for 256-character password ≈ 4.9*10538
• Entropy for 20-character password from 126 character set ≈ 1.0*1042
• Entropy for 20-character password from 69 “keyboard” character set ≈ 6.0*1036
• Salted
04/13 cja 2013 9
Linux Passwords
• Passwords stored in /etc/shadow readable only by root
• Other per-user information stored in /etc/passwd world readable
• UNIX stored both in /etc/passwd !
04/13 cja 2013 10
Linux Hashes
• Several hashes available • Use SHA-512!
04/13 cja 2013
ID Method
$1$ MD5
$2a$ Blowfish (some distros)
$5$ SHA-256
$6$ SHA-512 (default)
11
SHA-3 Hash Contest Update
• MD5 broken, SHA-1&2 suspect • NIST competition for a SHA-3
Timeframe 2008-2012 51 candidates submitted for Round 1 14 candidates in Round 2
BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein
Final candidates announced December 10, 2010 BLAKE, Grøstl, JH, Keccak, and Skein
SHA-3 standard to be published 2012 2013? 10/12 cja 2012 12
Choosing A Password
• Good Pass phrases (much
longer than 8 characters)
miX cAsE digits/punctuation control characters easy to remember no words in any
language
• Bad people’s names dictionary/technical
words or phrases birth dates places common acronyms backwards spelling simple permutations 8 characters or less
04/13 cja 2013 13
Choosing A Password 2013
• Good Pass phrases (much
longer than 8 characters)
• Bad Everything else
04/13 cja 2013 14
How Passwords are Cracked
Passive Online Attacks Man-in-the-Middle and Replay Attacks
• Somehow get access to communications channel
• Wait for authentication sequence • Proxy authentication-traffic • No need to brute-force • Considerations
Relatively hard to perpetrate Must be trusted by one or both sides Some tools widely available Anyone remember MarketScore?
04/13 cja 2013 16
Active Online Attacks Password guessing
• Try different passwords until one works • Made easier by
Bad passwords Excessive information from server Lack of password guessing controls
• Considerations Assuming good passwords, is this even feasible?
Common 8 character password space (69^8) Password Expires in 90 days Need to guess 3,964,493,629 pwds/sec Need throughput of 253,727,592,310 bits/sec Gigabit Ethernet = 1B bits/sec
Easily detected and stopped Core problem: Bad passwords
04/13 cja 2013 17
Offline Attacks
• Attacker has password database Not that hard: Need to be admin (or steal the box)
• Can attack at leisure – Attack types: Dictionary attack
Very Fast Core Problem: Bad Passwords
Brute Force attack AlphaNumerics then AlphaNumerics + Upper Row Symbol, etc Slow, but will eventually find all passwords
Hybrid Start with Dictionary, Insert Entropy
Pre-computed Hashes Rainbow tables Time-space tradeoff
• Considerations Moore’s law
04/13 cja 2013 18
John the Ripper
• http://www.openwall.com/john/ • Fast, open-source password cracker
Created by Solar Designer Active development group
• Runs on Linux, Mac OS X, Solaris, Android, … • Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish,
Kerberos AFS DES, and LM DES hashes • Runs well on HPC clusters using Open MP • Jumbo patch for 1.7.9, revision 7 adds GPU support
CUDA and OpenCL • Openwall community wiki
http://openwall.info/wiki/john
10/12 cja 2012 19
Hashcat
• http://hashcat.net/hashcat/ • Fast password cracker • Runs on Windows, Linux, Mac OS X • Command line & GUI versions • Supports a large number of hash types • Multiple attack modes (dictionary, rule-based, combinator, …) • GPU support • https://hashcat.net/wiki/doku.php?id=hashcat
10/12 cja 2012 20
Lab: Crack Passwords
1. Install John the Ripper cd; tar zxf /usr/local/lab/john/john-1.7.9.tar.gz; cd ~/john-1.7.9/doc
Follow directions in INSTALL & README
2. Create test account with a weak password using MD5 hashing sudo vi /etc/pam.d/system-auth
Change string sha512 to md5 in third paragraph
sudo useradd sucker
sudo passwd sucker
3. Undo the change to system-auth you made in step 2. 4. Create test account with a weak password using SHA-512 hashing
sudo useradd trout
sudo passwd trout 5. Obtain password hashes
cd ~/john-1.7.9/run; sudo ./unshadow /etc/passwd /etc/shadow >passwd.1
6. Crack ./john passwd.1
04/13 cja 2013 21
Lab: Crack Passwords
• You can interrupt at any time, and restart with ./john –restore
• If you want to start over rm john.pot restore
• To display all passwords found so far ./john –show passwd.1
• To see how fast John is on your machine ./john --test
• When done, delete the test accounts and the local password and crack files! sudo userdel sucker; sudo userdel trout /bin/rm ~/john-1.7.9/run/{john.pot,passwd.1}
04/13 cja 2013 22
Rainbow Tables • What if you precomputed the password hashes?
All Windows LM Hashes: 166 Terabytes All Windows NT Hashes < 15 chars: 140,959,235,198 Exabytes
• This would result in faster cracking, at the cost of storing all those hashes This is the Time-Memory tradeoff Implemented using hash chains
Clever way to link the hashes into chains Only store 1 in 10,000 hashes
• Rainbow tables improve on hash chains Reduce collisions (overlapping chains)
• Ineffective against salted hashes Unix, Linux, and Mac OS X hashes are salted Windows NT hashes are not
04/13 23 cja 2013
Rainbow Tables • http://ophcrack.sourceforge.net/
Windows password cracker that uses rainbow tables Cracks LM and NT hashes Live CD support Free tables for Windows XP and Vista (dictionary based) For-fee tables for Vista (NTLM) Seems to be moribund
• http://www.freerainbowtables.com/ “Folding@home” distributed cracking model Terabytes of tables Free tables For-fee tables Seems to be quite active
04/13 24 cja 2013
Countermeasures
Policy-Based Mitigation
• Develop a password policy Require pass phrases Greater than 15 mixed characters Password expiration for all accounts No password reuse (temporal and spatial) Account lockout (where appropriate)
• Physical security policy Cornerstone for any security No physical security = no security
• No policy = no enforcement 04/13 cja 2013 26
Pass Phrases v. Passwords
• Pass phrases are long strings “I wish we’d use 2Factor authentication instead of passwords” Very strong protection against attacks Easy to remember, a bit longer to type
• Passwords are short complex strings “@Rag0Rnrul3z” Hard to remember Often difficult to type Not resistant against current attacks
Obvious substitutions are quickly broken • Take-away: Long easily-remembered phrases are better
than short complex passwords
04/13 cja 2013 27
http://xkcd.com/936/
Technology-Based Mitigation Multi-factor authentication
• Why use only passwords? • Two-factor authentication
Very difficult to thwart Higher cost of initial deployment Long-term cost benefit
Idea: use your smartphone as your token http://www.duosecurity.com/ Google Authenticator
04/13 28 cja 2013
Technology-Based Mitigation Multi-factor authentication
• Biometrics Measure some physical characteristic Fingerprint, iris color distribution, retinal pattern, …
Usually defeated with non-technical attacks Historically unreliable False positives - bad guy authenticated False negatives - legitimate user refused
Can be stolen Iris scanners popular
Courtesy WIkipedia
04/13 29 cja 2013
Summary
• Bad passwords get broken, even when using good storage and authentication methods!
• Solutions 1. Use better passwords 2. Don’t let bad guys get the hashes
• Combination of policy and technology
04/13 cja 2013 30
References
• http://en.wikipedia.org/wiki/NIST_hash_function_competition • http://keccak.noekeon.org/ • http://csrc.nist.gov/groups/ST/hash/sha-3/ • http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf • http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/submissions_rnd2.html • http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/
presentations/BURR_SHA-3Conf-day_1_wrapup.pdf • http://en.wikipedia.org/wiki/Rainbow_tables • http://ophcrack.sourceforge.net/ • http://www.freerainbowtables.com/ • man 3 shadow • man 3 crypt
04/13 cja 2013 31
04/13 32 http://threatpost.com/en_us/blogs/social-engineering-attacks-prove-failure-user-education-042110
cja 2013