1 ISA 662 Information System Security Authentication.

Post on 28-Dec-2015


1

ISA 662 Information System Security

Authentication

2

          

Chapter 12: Authentication
• Basic Concept
• Password
• Challenge-Response
• Biometrics and gummy bears

3

          

Basic Concept
• Authentication: to prove an identity
• Strong authentication: without transmitting password
• Based on
  • What the user knows – e.g., password, PIN
  • What the user possesses – e.g., ID card, ticket
  • What the user is – e.g., fingerprint, eye scanning, DNA
• Attack
  • Active: e.g., password guessing, stealing password file from server, authentication replay
  • Passive: e.g., password sniffer

4

          

Chapter 12: Authentication
• Basic Concept
• Password
• Challenge-Response
• Biometrics and gummy bears

5

          

Basic Model
• Alice -> server: password=foo, user ID=Alice
• Server-side table:
    Alice   acbd18db4cc2f85cedef654fccc4a4d8
    Bob     0b180078d994cb2b5ed89d7ce8e7eea2
    …       …
• md5(‘foo’)=acbd18db4cc2f85cedef654fccc4a4d8

6

          

Dictionary Attacks

Online dictionary attack
• Dictionary: a, abc, apple, …, foo
• Eve -> server:
    password=a, user ID=Alice
    password=aa, user ID=Alice
    password=aaa, user ID=Alice
    …
    password=foo, user ID=Alice
• Server-side table:
    Alice   acbd18db4cc2f85cedef654fccc4a4d8
    …       …

Offline dictionary attack
• Dictionary: a, abc, apple, …, foo
• Table held by Eve:
    Alice   acbd18db4cc2f85cedef654fccc4a4d8
    …       …
• md5(a)=0cc175b9c0f1b6a831c399e269772661
  …
  md5(foo)=acbd18db4cc2f85cedef654fccc4a4d8

7

          

Countermeasure Overview
• Keep the server-side table secret (e.g., shadowed pass file)
• Use strong password
• Salting: md5(‘foo’+r)
• Restrict repetitive attempts
• Password aging
[Diagram: online attack. Eve -> server: password=abc, user ID=Alice; password=foo, user ID=Alice. Server-side table: Alice acbd18db4cc2f85cedef654fccc4a4d8. md5(‘foo’)=acbd18db4cc2f85cedef654fccc4a4d8]
[Diagram: offline attack. Table held by Eve: Alice acbd18db4cc2f85cedef654fccc4a4d8. md5(a)=0cc175b9c0f1b6a831c399e269772661 … md5(‘foo’)=acbd18db4cc2f85cedef654fccc4a4d8. Dictionaries: a, abc, apple, …, foo and abc, …, foo]

8

          

Choice of Passwords
• Dilemma
  • Password should be random
    • Uniform distribution maximizes entropy (hence dictionary)
  • Password should be easy to remember
    • Attacker sorts dictionary in descending order of likelihood
    • An easy-to-remember password requires less time to guess

9

          

Choice of Passwords (Cont’d)
• Users tend to choose weak passwords
  • Based on user ID, user or relative’s name, computer name, place name, DOB
  • English words
  • Too short, digits only, letters only
  • License plates, acronyms, SSN, pet name, job, etc.

10

Choice of Passwords (Still Cont’d)
• Force user to choose good passwords
  • Through education and policy
  • Through proactive mechanism
    • Cannot be bypassed
    • Knows what is bad password
    • Discriminate on per-user, per-site basis

11

          

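Salting
• Goal: making offline dictionary attacks (on a large number of passwords) harder

Without salt
• Password table:
    Alice   md5(‘foo’)
    ...     ...
    Bob     md5(‘abc’)
• Dictionary: a, abc, apple, …, foo
• Hashes computed from the dictionary: md5(‘a’), md5(‘abc’), …, md5(‘foo’), ...

With salt
• Password table:
    Alice   md5(‘foo’||r1)   r1
    ...     ...              ...
    Bob     md5(‘abc’||r2)   r2
• Dictionary: a, abc, apple, …, foo
• Hashes computed from the dictionary:
    md5(‘a’||r1), md5(‘abc’||r1), md5(‘foo’||r1), ...
    md5(‘a’||r2), md5(‘abc’||r2), md5(‘foo’||r2), ...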
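The cost difference shown on the salting slide, as an added example (not part of the original slides). The third user Carol, the 16-byte salt length and the function names are assumptions made for the illustration; MD5 is used only because the slides use it.

```python
import hashlib
import os

# Constructed sample data: the slide's users and dictionary, plus Carol.
PASSWORDS = {"Alice": "foo", "Bob": "abc", "Carol": "foo"}
DICTIONARY = ["a", "abc", "apple", "foo"]

def md5_hex(data: bytes) -> str:
    # MD5 mirrors the slide; deployed systems use a slow password hash
    # such as bcrypt, scrypt or Argon2.
    return hashlib.md5(data).hexdigest()

def unsalted_table(passwords):
    """Server-side table of md5(password), as in the Basic Model slide."""
    return {user: md5_hex(pw.encode()) for user, pw in passwords.items()}

def salted_table(passwords, salt_len=16):
    """Store (r, md5(password || r)) with a fresh random salt r per user."""
    table = {}
    for user, pw in passwords.items():
        r = os.urandom(salt_len)
        table[user] = (r, md5_hex(pw.encode() + r))
    return table

def audit_unsalted(table, dictionary):
    """One hash per dictionary word is enough to test every user at once."""
    lookup = {md5_hex(w.encode()): w for w in dictionary}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(dictionary)

def audit_salted(table, dictionary):
    """Every word must be re-hashed under every user's salt."""
    found, hashes = {}, 0
    for user, (r, h) in table.items():
        for w in dictionary:
            hashes += 1
            if md5_hex(w.encode() + r) == h:
                found[user] = w
    return found, hashes
```

In the unsalted table Alice and Carol also share one hash value, so a single match exposes both accounts; with per-user salts their entries differ.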

12

          

Example: UNIX Password
• UNIX system password authentication
  • First 8 characters of input password
  • Concatenated by a 12 bit salt
  • Used as a key
  • To encrypt a constant
  • For 25 times
  • The result and the salt stored in password file

13

          

Prevent Repetitive Attempts
• Make online attacks harder
  • Backoff: wait 2n seconds before nth attempt
  • Disconnection: modem user
  • Disabling: only administrators can reactivate
• OSF1 uses both backoff and disconnection

14

          

Password Aging
• Force users to change passwords after some time has expired
• How do you force users not to re-use passwords?
  • Record previous passwords
  • Block changes for a period of time
• Give users time to think of good passwords
  • Warn them of expiration days in advance

15

          

Chapter 12: Authentication
• Basic Concept
• Password
• Challenge-Response
• Biometrics and gummy bears

16

          

One-Time Password
• Password replay
  • Sniff password then replay
• Use password exactly once!
  • How do user and server synchronize?
  • Lamport’s scheme
• Challenge-response mechanism
  • View response as the password

17

          

Lamport’s Scheme
• How do user and server synchronize on which password to use?
  • h: one-way hash function (e.g., MD5 or SHA-1)
  • h^n(k): h(h(h(...h(k)...)))

[Diagram: User | Server]
• Registration (secure channel): User [k], Server [k]; n; h^n(k)
• 1st Authentication: User [k] sends h^(n-1)(k); Server [h^n(k)] then holds h^(n-1)(k)
• 2nd Authentication: User [k] sends h^(n-2)(k); Server [h^(n-1)(k)] then holds h^(n-2)(k)
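Lamport's hash chain as described on the slide, as an added example (not part of the original slides). SHA-256 stands in for the slide's MD5/SHA-1, and the class and method names are assumptions made for the illustration.

```python
import hashlib
import hmac

def h(x: bytes) -> bytes:
    """One-way hash function h (SHA-256 here, swapped in for MD5/SHA-1)."""
    return hashlib.sha256(x).digest()

def h_iter(k: bytes, n: int) -> bytes:
    """h^n(k): apply h to k n times."""
    for _ in range(n):
        k = h(k)
    return k

class Server:
    """Holds only the last accepted chain value, never k itself."""
    def __init__(self, hn: bytes):
        self.stored = hn

    def verify(self, response: bytes) -> bool:
        # Accept iff h(response) equals the stored value, then move the
        # stored value one step down the chain so the response cannot be reused.
        if not hmac.compare_digest(h(response), self.stored):
            return False
        self.stored = response
        return True

class User:
    def __init__(self, k: bytes, n: int):
        self.k, self.n = k, n

    def register(self) -> Server:
        """Registration over the secure channel: server ends up with h^n(k)."""
        return Server(h_iter(self.k, self.n))

    def next_password(self) -> bytes:
        """i-th login sends h^(n-i)(k); stop when the chain is used up."""
        if self.n == 0:
            raise ValueError("hash chain exhausted, register again")
        self.n -= 1
        return h_iter(self.k, self.n)
```

A sniffed one-time password fails on replay because the server has already advanced its stored value, and the next valid password cannot be derived from it without inverting h.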

18

          

Challenge-Response
[Diagram: User and Server each hold k. Labels on the exchange: challenge, response, time. Functions applied on each side: DES, RSA, HMAC, etc. Annotation: dictionary attack!]

19

          

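Pre-Encrypted Key Exchange
[Diagram: message exchange between Alice and Bob]
• State labels: Alice holds p, ks; Bob holds p, later p, ks
• Messages labelled on the slide:
  • Alice || {ks}p
  • {ChallengeB}ks
  • {ChallengeA ChallengeB}ks
  • {ChallengeA}ks
• Quiz: how is offline dictionary attack possible?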

20

          

Encrypted Key Exchange (RSA)
• Goal: to defeat off-line dictionary attacks
[Diagram: message exchange between Alice and Bob]
• State labels: Alice holds p, eAlice; Bob holds p, then p, eAlice; later both hold p, eAlice, ks
• Messages labelled on the slide:
  • Alice || {eAlice}p
  • {{ks}eAlice}p
  • {ChallengeA}ks
  • {ChallengeA ChallengeB}ks
  • {ChallengeB}ks

21

          

Chapter 12: Authentication
• Basic Concept
• Password
• Challenge-Response
• Biometrics and gummy bears

22

          

Biometrics
• Automated measurement of biological, behavioral features that identify a person
  • Fingerprints: graph isomorphism
  • Voices: statistical techniques
  • Eyes: patterns in irises
  • Faces: image, or specific characteristics like distance from nose to chin
  • Keystroke dynamics: keystroke intervals, pressure, duration of stroke, where key is struck

23

          

Can Biometrics Save the World?
• Gummy bears say: No!
• Fingerprint scanners are believed to be very secure, until
• It was shown they can be reliably fooled with $10 worth of household supplies
  • From both real fingers or residue fingerprints
  • Can wear a transparent fake finger on real finger
  • Using
    • Gelatin, what Gummy Bears are made out of
    • Digital camera, inkjet printer, photo-sensitive PCB, etc.
  • Fool all 11 commercial fingerprint scanners, 80% of time
• For more details, refer to Tsutomu Matsumoto’s talk ‘Importance of Open Discussion on Adversarial Analyses for Mobile Security Technology’ whose link is on class web page

24

          

Key Points
• Authentication is based on
  • what users know
  • what they possess
  • what they are
• Passwords are here to stay
• How to use passwords is important
• Remember the Gummy bears

25

ISA 662 Information System Security

Identity

26

          

Overview
• Certificate and distinguished name
• Web identity and anonymity

27

          

Certificates and Identity
• Certificates issued to a user
  • User must be uniquely identified for this purpose
• What to be the identity?
  • Name: usually ambiguous
  • “Your name please; your address please; your telephone no. please; your last 4-digit SSN please”

28

          

Distinguished Names
• Include ancillary information in identity
  • Enough to identify principal uniquely
• Example: X.509v3 Distinguished Names
  • /O=University of California/OU=Davis campus/OU=Department of Computer Science/CN=Matt Bishop/
    refers to the Matt Bishop (CN is common name) in the Department of Computer Science (OU is organizational unit) on the Davis Campus of the University of California (O is organization)

29

          

CAs and Policies
• Matt Bishop wants a certificate from Certs-from-Us
  • How does Certs-from-Us know this is “Matt Bishop”?
  • CA’s authentication policy says what type and strength of authentication is needed to identify Matt Bishop to satisfy the CA that this is, in fact, Matt Bishop
• CA authenticates user and embeds its trust in certificate; later the certificate is used by others for authentication and that trust propagates

30

          

Example: Verisign CAs
• Class 1: CA issued certificates to individuals authenticated by email address
  • Certificate used for sending, receiving email with various security services at that address
• Class 2: CA issued certificates to individuals
  • Authenticated by verifying user-supplied real name and address through an online database
  • Certificate used for online purchasing

31

          

Example: Verisign CAs (Cont’d)
• Class 3: CA issued certificates to individuals
  • Authenticated by background check from investigative service
  • Higher level of assurance of identity than Class 1 and Class 2 CAs
• Class 4: CA issued certificates to web servers
  • Same authentication policy as Class 3 CA
  • Consumers using these sites had high degree of assurance the web site was not spoofed

32

          

Internet Certification Hierarchy
• Tree structured arrangement of CAs
  • Root is Internet Policy Registration Authority, or IPRA
    • Sets policies all subordinate CAs must follow
    • Certifies subordinate CAs (called policy certification authorities, or PCAs), each of which has own authentication, issuance policies
    • Does not issue certificates to individuals or organizations other than subordinate CAs
  • PCAs issue certificates to ordinary CAs
    • Does not issue certificates to individuals or organizations other than subordinate CAs
  • CAs issue certificates to organizations or individuals

33

          

Example: UValmont
[Diagram: certification tree]
IPRA
  PCA-1 (low assurance PCA)
    UValmont Student CA
      student, student
  PCA-2 (high assurance PCA)
    UValmont Staff CA
      staff, staff

34

          

Certificate Differences
• Student, staff certificates signed using different private keys (for different CAs)
  • Student’s signed by key corresponding to low assurance certificate signed by first PCA
  • Staff’s signed by key corresponding to high assurance certificate signed by second PCA
• To see how much trust should be placed in the certificate (what policy used to authenticate):
  • Determine CA signing certificate, check its policy
  • Also go to PCA that signed CA’s certificate
    • CAs are restricted by PCA’s policy, but CA can (only) restrict itself further

35

          

Types of Certificates
• Organizational certificate
  • Issued based on principal’s affiliation with organization
  • Example Distinguished Name
    /O=University of Valmont/OU=Computer Science Department/CN=Marsha Merteuille/
• Residential certificate
  • Issued based on where principal lives
  • No affiliation with organization implied
  • Example Distinguished Name
    /C=US/SP=Louisiana/L=Valmont/PA=1 Express Way/CN=Marsha Merteuille/

36

          

Types of Certificates (Cont’d)
• Certificate tied to a role
  • UValmont wants comptroller to have a certificate
    • This way, she can sign contracts and documents digitally
  • Distinguished Name
    /O=University of Valmont/OU=Office of the Big Bucks/RN=Comptroller
    where “RN” is role name; note the individual using the certificate is not named, so no CN

37

          

Naming Conflicts
• John Smith, John Smith Jr. live at same address
• John Smith Jr. applies for residential certificate from Certs-from-Us, getting the DN of:
  /C=US/SP=Maine/L=Portland/PA=1 First Ave./CN=John Smith/
• Now his father applies for residential certificate from Quick-Certs, getting DN of:
  /C=US/SP=Maine/L=Portland/PA=1 First Ave./CN=John Smith/
  because Quick-Certs has no way of knowing that DN has been taken

38

          

Solutions
• Organizational certificates
  • All CA DNs must be superior to that of the principal
  • Example: for Marsha Merteuille’s DN:
    /O=University of Valmont/OU=Computer Science Department/CN=Marsha Merteuille/
    DN of the CA must be either:
    /O=University of Valmont/ (the issuer being the University) or
    /O=University of Valmont/OU=Computer Science Department/ (the issuer being the Department)
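The naming conflict and the "CA DN must be superior" rule from the two slides above, as an added example (not part of the original slides). The function names are assumptions, values are compared exactly as written, and the sample records are constructed from the DNs on the slides.

```python
from collections import defaultdict

# Constructed sample data taken from the DNs quoted on the slides.
MARSHA = "/O=University of Valmont/OU=Computer Science Department/CN=Marsha Merteuille/"
JOHN = "/C=US/SP=Maine/L=Portland/PA=1 First Ave./CN=John Smith/"
ISSUED = [("Certs-from-Us", JOHN), ("Quick-Certs", JOHN), ("Certs-from-Us", MARSHA)]

def parse_dn(dn: str):
    """Split '/O=.../OU=.../CN=.../' into an ordered list of (attribute, value)."""
    rdns = []
    for part in (p for p in dn.strip().split("/") if p):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def is_superior(issuer_dn: str, subject_dn: str) -> bool:
    """True if the issuer DN is a proper prefix of the subject DN."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return 0 < len(issuer) < len(subject) and subject[:len(issuer)] == issuer

def find_conflicts(issued):
    """Given (ca_name, subject_dn) pairs, return DNs handed out by more than one CA."""
    by_dn = defaultdict(set)
    for ca, dn in issued:
        by_dn[tuple(parse_dn(dn))].add(ca)
    return {dn: sorted(cas) for dn, cas in by_dn.items() if len(cas) > 1}
```

`find_conflicts(ISSUED)` reports the John Smith DN under both Certs-from-Us and Quick-Certs, while `is_superior` accepts only the University or the Department as issuer of Marsha Merteuille's organizational certificate.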

39

          

Related Problem
• Single CA issues two types of certificates under two different PCAs
• Example
  • UValmont issues both low assurance, high assurance certificates under two different PCAs
  • How does validator know under which PCA the certificate was issued?
    • Reflects on assurance of the identity of the principal to whom certificate was issued

40

          

Solution
• CA Distinguished Names need not be unique
• CA (Distinguished Name, public key) pair must be unique
• Example
  • In earlier UValmont example, student validation required using first PCA’s public key; validation using second PCA’s public key would fail
  • Keys used to sign certificate indicate the PCA, and the policy, under which certificate is issued

41

          

Persona Certificate
• Anonymous certificate
  • Certificate with meaningless Distinguished Name
• Example:
  • Government requires all citizens with gene X to register because people with this gene more likely commit crimes
  • No scientific evidence, and government wants no civil rights fuss
  • Government employee wants to alert media
    • Government will deny plan, change approach
    • Government employee will be fired, prosecuted
  • Must notify media anonymously

42

          

Persona Certificate (Cont’d)
• Employee gets persona certificate, sends copy of plan to media
  • Media knows message unchanged during transit (data integrity)
  • But they do not know who sent it (no authentication)
• Government denies plan, changes it
• Employee sends copy of new plan signed using same certificate
  • Media can tell it’s from original whistleblower (linkability)
  • Media cannot track back whom that whistleblower is

43

          

Overview
• Certificate and distinguished name
• Web identity and anonymity

44

          

Host Identity
• Host identity at different layers
  • Ethernet address: 00:05:02:6B:A8:21
  • IP address: 192.168.35.89
  • Host name: cherry.orchard.chekhov.ru
• These can be spoofed
  • Write your own Ethernet frames
  • Fake source IP address
  • Fake host name
• Above protocols rely on spoofed identity

45

          

Domain Name Server
• Maps transport identifiers (host names) to network identifiers (host addresses)
  • Forward records: host names -> IP addresses
    • PING
  • Reverse records: IP addresses -> host names
    • NSLOOKUP
• Weak authentication
  • Not cryptographically based
  • E.g., reverse domain name lookup
    • IP -> host name via DNS -> IP via DNS -> matching the two IPs

46

          

DHCP and NAT
• DHCP server dynamically assigns clients unused IP addresses
• Gateway assigns clients internal address
  • NAT translates all outgoing and incoming packets
  • Invisible to both inside clients and outsiders
• Your desktop/laptop -> router (DHCP and NAT) -> Internet

47

          

Attacks on DNS
• Change records on server
• Cache poisoning
  • Attacker sends victim request that must be resolved by asking attacker
  • Legitimately piggyback extra record to response, but have fake name/IP association in the record
  • The fake record will be cached

48

          

Anonymity
• Servers and observers know who is visiting
  • Sometimes not desirable
• Anonymizer: a site that hides origins of connections
• What about a simple proxy server
  • Server sees the proxy, not client
[Diagram: client1, client2 -> proxy -> server1, server2]

49

          

Problem With Simple Proxy
• The proxy knows who are the client and server
  • And we all know this fact
• Example: anon.penet.fi
  • Anonymous re-mailer
  • Material claimed to be copyrighted sent through site
  • Finnish court directed owner to reveal mapping so plaintiffs could determine sender
  • Owner appealed, subsequently shut down site
• What about a chain of proxies?

50

          

Chain of Proxies
• Proxies operated by multiple organizations
  • No single proxy can know client/server association
• Traffic encrypted
  • Cannot tell from address in header
[Diagram: client1, client2 -> proxy -> proxy -> proxy -> server1, server2]

51

          

Weaknesses of Chain of Proxies
• First and last proxy collude
  • One knows client, one knows server
• Traffic analysis
  • Observes in, out flows of traffic
  • Timing
  • Message size
• What if we mix multiple messages

52

          

MIX
• Each mix server
  • Padding messages to fixed size blocks - size
  • Reorder the blocks - first/last collude
  • Wait before transmitting - timing
[Diagram: client1, client2 -> mix1 -> mix2 -> mix3 -> server1, server2]

53

          

MIX (Cont’d)
• How can mix server know where to send message?
  • Nested public-key encryption (later in Onion Routing)
[Diagram: client1, client2 -> mix1 -> mix2 -> server1, server2, with the message at each stage:]
  Mix1, {Mix2, {m,r2}e2, r1}e1
  Mix2, {m, r2}e2
  m

54

          

Crowds
• Intuition
  • You can never trace back to the origin of a rumor, because “I too heard about it from someone else”
• Each node (Jondo)
  • Sends request to server with probability p; forward it to another node with probability (1-p)
[Diagram label: server]

55

          

Privacy
• Anonymity protects privacy by obstructing amalgamation of individual records
• Important, because amalgamation poses 3 risks:
  • Incorrect conclusions from misinterpreted data
  • Harm from erroneous information
  • Not being let alone
• Also hinders monitoring to deter or prevent crime
• Conclusion: anonymity can be used for good or ill
  • Right to remain anonymous entails responsibility to use that right wisely

56

          

Key Points
• Certificates use Distinguished name as identity
• Web identity based on addresses is weak
• Anonymity can be achieved with sophisticated proxies