slide 1

Vitaly Shmatikov

CS 378

Attacks on Authentication

slide 2

Authentication with Shared Secret

?

Alice and Bob share some secret. How can they identify each other on the network?

What have we learned from the systems we’ve seen?

Alice Bob

“kiwifruit”

“kiwifruit”

Activeattacke

r

not just eavesdrops, butinserts his own messages

slide 3

Challenge-Response

Alice Bob

“kiwifruit”

“kiwifruit”

Activeattacke

r

Fresh, random RR

hash(“kiwifruit”,R) hash(“kiwifruit”,R)

Man-in-the-middle attack on challenge-response • Attacker successfully authenticates as Alice by simple replay

This is an attack on authentication, not secrecy• Attacker does not learn the shared secret• However, response opens the door to offline dictionary attack

slide 4

Encrypted Timestamp

Alice Bob

KEYKEY

EncryptKEY(time)

EncryptKEY(time)

Requires synchronized clocks• Bob’s clock must be secure, or else attacker will roll it

back and reuse an old authentication message from Alice

Attacker can replay within clock skew window

slide 5

Replace with(n-1, x)

Lamport’s Hash

Alice Bob

n, y=hashn(“kiwifruit”

)

x=hash(…(hash(“kiwifruit”))

“kiwifruit”

n

n-1 times

Verifies y=hash(x)?

Main idea: “hash stalk”• Moving up the stalk (computing the next hash) is easy,

moving down the stalk (inverting the hash) is hard• n should be large (can only use it for n authentications)

For verification, only need the tip of the stalk

slide 6

hashm(“kiwifruit”)

“Small n” Attack

Alice Bob

n, y=hashn(“kiwifruit”

)

Message from Bob is not authenticated! Alice should remember current value of n

“kiwifruit”

Real n

Verifies y=hash(x)Yes!

?Fake, small m

x=hashn(“kiwifruit”)

Easy to compute hashn(…)if know hashm(…) with m<n

slide 7

fresh random RB; encryptKEY(RA)

Mutual Authentication

Alice Bob

KEY

Mutual authentication: Bob to Alice and Alice to Bob Bob’s reasoning: I must be talking to Alice because…

• Person who correctly encrypted RB is someone who knows KEY… Only Alice knows KEY… Alice must have encrypted RB… Because RB is fresh, Alice can only know RB if she received my message

KEY

“I am Alice”; fresh random RA

encryptKEY(RB)

slide 8

Reflection Attack

Bob’s reasoning: I must be talking to Alice because…• Person who correctly encrypted RB is someone who knows KEY…

Only Alice knows KEY… No! Bob himself knows KEY, too!

Security often fails because of flawed reasoning

fresh random RB; encryptKEY(RA)

Bob

KEY

“I am Alice”; fresh random RA

encryptKEY(RB)

Start new session, replay Bob’s number back at him

“I am Alice”; RB

fresh random R’B; encryptKEY(RB)

Replay Bob’s own message as response from “Alice”

slide 9

Timestamp Reflection

Alice Bob

KEYKEY

“I am Alice”; EncryptKEY(time)

Problem: same key for Alice and Bob• Attacker can get Bob to encrypt using Alice’s key• How would you avoid this with symmetric cryptography?

Problem: messages don’t include intended recipient Problem: Bob doesn’t remember his own messages

EncryptKEY(time+1)

Soon thereafter…

“I am Alice”; EncryptKEY(time+1)

slide 10

Vitaly Shmatikov

CS 378

Single Sign-On Systems

slide 11

Authenticate Once, Use Everywhere

User

Idea similar to Kerberos Trusted third party issues identity

credentials, user uses them to access services all over the Web

Sign on once

Receive Web identity

Access anynetwork service

Stores credit card numbers,personal information

.NET Passport

EmailMessenger

Web retailers

slide 12

3 encrypted cookies

Email and password?

joe@hotmail.com, “kiwifruit”

Identity Management with Passport

UserWebsite.NET

Passport

Log inRedirect browserto Passport server

Passportuser database

Check user against database

Redirect browserback to website

Passportmanager

Decrypt & verify cookiesRequested page

slide 13

Passport: Early Glitches

Flawed password reset procedure• Password reset didn’t require previous password• Attacker sends modified URL requesting reset,

receives email from Passport providing URL to change password

– http://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com

Cross-scripting attack• Victim stores credit card info in Microsoft Wallet

– Information kept in a cookie for 15 minutes

• Victim then logs into Hotmail & reads attacker’s email– Malicious email contains HTML. Hotmail’s web interface

processes it, calls script on another site and hands over cookie.

slide 14

History of Passport

Launched in 1999• By 2002, Microsoft claimed over 200 million

accounts, 3.5 billion authentications each month

Current status• From Directory of Sites at

http://www.passport.net: “We have discontinued our Site Directory…”

• Monster.com dropped support in October 2004• Ebay dropped support in January 2005• Seems to be fizzling out

– Still supported by Microsoft and MSN sites

slide 15

Liberty Alliance

Open-standard alternative to Passport

Promises compliance with privacy legislation

Long list of Liberty-enabled products• See website

http://www.projectliberty.org