slide 1 vitaly shmatikov cs 378 attacks on authentication
TRANSCRIPT
slide 2
Authentication with Shared Secret
?
Alice and Bob share some secret. How can they identify each other on the network?
What have we learned from the systems we’ve seen?
Alice Bob
“kiwifruit”
“kiwifruit”
Activeattacke
r
not just eavesdrops, butinserts his own messages
slide 3
Challenge-Response
Alice Bob
“kiwifruit”
“kiwifruit”
Activeattacke
r
Fresh, random RR
hash(“kiwifruit”,R) hash(“kiwifruit”,R)
Man-in-the-middle attack on challenge-response • Attacker successfully authenticates as Alice by simple replay
This is an attack on authentication, not secrecy• Attacker does not learn the shared secret• However, response opens the door to offline dictionary attack
slide 4
Encrypted Timestamp
Alice Bob
KEYKEY
EncryptKEY(time)
EncryptKEY(time)
Requires synchronized clocks• Bob’s clock must be secure, or else attacker will roll it
back and reuse an old authentication message from Alice
Attacker can replay within clock skew window
slide 5
Replace with(n-1, x)
Lamport’s Hash
Alice Bob
n, y=hashn(“kiwifruit”
)
x=hash(…(hash(“kiwifruit”))
“kiwifruit”
n
n-1 times
Verifies y=hash(x)?
Main idea: “hash stalk”• Moving up the stalk (computing the next hash) is easy,
moving down the stalk (inverting the hash) is hard• n should be large (can only use it for n authentications)
For verification, only need the tip of the stalk
slide 6
hashm(“kiwifruit”)
“Small n” Attack
Alice Bob
n, y=hashn(“kiwifruit”
)
Message from Bob is not authenticated! Alice should remember current value of n
“kiwifruit”
Real n
Verifies y=hash(x)Yes!
?Fake, small m
x=hashn(“kiwifruit”)
Easy to compute hashn(…)if know hashm(…) with m<n
slide 7
fresh random RB; encryptKEY(RA)
Mutual Authentication
Alice Bob
KEY
Mutual authentication: Bob to Alice and Alice to Bob Bob’s reasoning: I must be talking to Alice because…
• Person who correctly encrypted RB is someone who knows KEY… Only Alice knows KEY… Alice must have encrypted RB… Because RB is fresh, Alice can only know RB if she received my message
KEY
“I am Alice”; fresh random RA
encryptKEY(RB)
slide 8
Reflection Attack
Bob’s reasoning: I must be talking to Alice because…• Person who correctly encrypted RB is someone who knows KEY…
Only Alice knows KEY… No! Bob himself knows KEY, too!
Security often fails because of flawed reasoning
fresh random RB; encryptKEY(RA)
Bob
KEY
“I am Alice”; fresh random RA
encryptKEY(RB)
Start new session, replay Bob’s number back at him
“I am Alice”; RB
fresh random R’B; encryptKEY(RB)
Replay Bob’s own message as response from “Alice”
slide 9
Timestamp Reflection
Alice Bob
KEYKEY
“I am Alice”; EncryptKEY(time)
Problem: same key for Alice and Bob• Attacker can get Bob to encrypt using Alice’s key• How would you avoid this with symmetric cryptography?
Problem: messages don’t include intended recipient Problem: Bob doesn’t remember his own messages
EncryptKEY(time+1)
Soon thereafter…
“I am Alice”; EncryptKEY(time+1)
slide 11
Authenticate Once, Use Everywhere
User
Idea similar to Kerberos Trusted third party issues identity
credentials, user uses them to access services all over the Web
Sign on once
Receive Web identity
Access anynetwork service
Stores credit card numbers,personal information
.NET Passport
EmailMessenger
Web retailers
slide 12
3 encrypted cookies
Email and password?
[email protected], “kiwifruit”
Identity Management with Passport
UserWebsite.NET
Passport
Log inRedirect browserto Passport server
Passportuser database
Check user against database
Redirect browserback to website
Passportmanager
Decrypt & verify cookiesRequested page
slide 13
Passport: Early Glitches
Flawed password reset procedure• Password reset didn’t require previous password• Attacker sends modified URL requesting reset,
receives email from Passport providing URL to change password
– http://register.passport.net/emailpwdreset.srf?lc=1033&[email protected]&id=&cb=&[email protected]
Cross-scripting attack• Victim stores credit card info in Microsoft Wallet
– Information kept in a cookie for 15 minutes
• Victim then logs into Hotmail & reads attacker’s email– Malicious email contains HTML. Hotmail’s web interface
processes it, calls script on another site and hands over cookie.
slide 14
History of Passport
Launched in 1999• By 2002, Microsoft claimed over 200 million
accounts, 3.5 billion authentications each month
Current status• From Directory of Sites at
http://www.passport.net: “We have discontinued our Site Directory…”
• Monster.com dropped support in October 2004• Ebay dropped support in January 2005• Seems to be fizzling out
– Still supported by Microsoft and MSN sites