Date post: | 23-Dec-2015 |
Category: |
Documents |
Upload: | andra-anderson |
View: | 212 times |
Download: | 0 times |
1
Introduction to Information Security0368-3065, Spring 2015
Lecture 13:Authentication
Avishai Wool
slide 2
Topics today
Background: Hash Functions Password Graphical passwords Challenge-Response Biometrics
HASH FUNCTIONS
slide 3
slide 4
Hash Functions: Main Idea
bit strings of any length n-bit bit strings
. .
...
x’x’’
x
y’
y
hash function H
Hash function H is a lossy compression function H(x) should look “random”
• Every bit (almost) equally likely to be 0 or 1
“message digest”
message
Collisions
Collision: H(x)=H(x’) for some inputs x≠x’
Collisions must happen• Length of x unlimited, length of H(x) is n-bits !• Even if length of x is bounded |x| = b, and b >
n, there will be collisions• “Pigeonhole principle” " היונים שובך "עקרון
A hash function cannot be 1-to-1 Cryptographic hash function must have
certain properties
slide 5
slide 6
Property 1: One-Way
Intuition: hash should be hard to invert• “Preimage resistance”• Given random y, it should be “hard” to find
any x such that h(x)=y How hard?
• Brute-force: try every possible x, see if h(x)=y• SHA-1 (common hash function) has 160-bit
output– Suppose have hardware that’ll do 230 trials a pop– Assuming 234 trials per second, can do 289 trials per
year– Will take 271 years to invert SHA-1 on a random
image
Probability background: “Birthday Paradox”
How likely is it that some people have the same birthday in a class of T students?
If there are T=366 people in class then • Prob(not all different birthdays | T people) = 0
How big should T be so• Prob(not all different birthdays | T people) >= ½
??
Let’s experiment !
“Birthday Paradox” analysis
How many possibilities that are all different?• (K)T = K(K-1)…(K-T+1) - samples without
replacement Probability of no repetition?
Birthday Paradox continued
Bottom line: For k=365, t=23 suffices In general suffices
slide 9
slide 10
Property 2: Collision Resistance
Hard to find some x≠x’ such that h(x)=h(x’) Brute-force collision search is O(2n/2), not
O(2n)• n = number of bits in the output of hash function• For SHA-1, this means O(280) vs. O(2160)
Reason: birthday paradox• Let T be the number of values x1, x2, x3, … we
need to look at before finding the first pair xi≠xj s.t. h(xi)=h(xj)
• Assuming h is random, how big should T be so the probability of finding a repetition >= ½ ?
• Total number of possible values?• Conclusion:
K=2n
T 2n/2
slide 11
Property 3: Weak Collision Resistance
Given a randomly chosen x, hard to find x’ such that h(x)=h(x’)• Attacker must find collision for a specific x… • by contrast, to break collision resistance,
enough to find any collision• Brute-force attack requires O(2n) time
Weak collision resistance does not imply collision resistance (why?)
slide 12
Hashing vs. Encryption
Hashing is one-way. There is no “un-hashing”!• In contrast, encryption is two-way: can decrypt
a ciphertext with the decryption key• Hashes have no equivalent of “decryption”
Hash(x) looks “random”… but can be compared for equality with Hash(x’)
Hashes are also known as “cryptographic checksums”
slide 13
Application: Password Hashing
Instead of user password, store H(password)
When user enters password, compute its hash and compare with entry in password file• System does not store actual passwords!• Difficult to go from hash to password!
System cannot “restore” your password!
slide 14
Application: Software Integrity
goodFile
Software manufacturer wants to ensure that the executable file is received by users without modification…Sends out the file to users and publishes its hash in the NY TimesThe goal is integrity, not secrecy
Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)
BigFirm™ User
VIRUS
badFile
The Times
hash(goodFil
e)
slide 15
Which Property Do We Need?
UNIX passwords stored as hash(password)• One-wayness: hard to recover entire password• Are passwords random?
Integrity of software distribution• Weak collision resistance• But software images are not really random…
maybe need full collision resistance
slide 16
Common Hash Functions
MD5• 128-bit output• Still used very widely• Completely broken by now
RIPEMD-160• 160-bit variant of MD-5
SHA-1 (Secure Hash Algorithm)• 160-bit output• US government (NIST) standard as of 1993-95
– Also the hash algorithm for Digital Signature Standard (DSS)
Overview of MD5
Designed in 1991 by Ron Rivest Iterative design using compression
function
M1 M2 M3 M4IHV0
Com-press
Com-press
Com-press
Com-press
IHV4
slide 17
slide 18
History of MD5 Collisions
2004: first collision attack• Only difference between colliding messages is
128 random-looking bytes 2007: chosen-prefix collisions
• For any prefix, can find colliding messages have this prefix and differ up to 716 random-looking bytes
2008: rogue certificates• End of MD5• Talk about this in more detail when discussing
PKI
slide 19
Basic Structure of SHA-1Against padding attacks
Split message into 512-bit blocks
Compression function• Applied to each 512-bit
block and current 160-bit buffer • This is the heart of SHA-1
160-bit buffer (5 registers)initialized with magic values
slide 20
How Strong Is SHA-1?
Every bit of output depends on every bit of input• Very important property for collision-resistance
Brute-force inversion requires 2160 ops, birthday attack on collision resistance requires 280 ops
Some recent weaknesses (2005)• Collisions can be found in 263 ops
AUTHENTICATION:PASSWORDS AND SECURITY QUESTIONS
slide 21
slide 22
Basic Problem
?
How do you prove to someone that you are who you claim to be?
Any system with access control must solve this problem
slide 23
Many Ways to Prove Who You Are
What you know• Passwords• Answers to questions that only you know
What you have• Secure tokens
What you are• Biometrics
Where you are• IP address• GPS coordinates, Cell tower, WiFi hotspot
slide 24
Password-Based Authentication
User has a secret password. System checks it to authenticate the user. How is the password communicated?
• Eavesdropping risk How is the password stored?
• In the clear? Encrypted? Hashed? How does the system check the password? How easy is it to guess the password?
• Easy-to-remember passwords tend to be easy to guess
• Password file is difficult to keep secret
slide 25
Passwords and Computer Security
Physical intrusion: install sniffer or keylogger to steal passwords
Run cracking tools on password files• Cracking needed because modern systems
usually do not store passwords in the clear (how are they stored?)
In Mitnick’s “Art of Intrusion”, 8 out of 9 exploits involve password stealing and/or cracking
slide 26
Default Passwords
Pennsylvania ice cream shop phone scam• Voicemail PIN defaults to last 4 digits of phone
number; criminals change message to “I accept collect call”, make $8600 on a 35-hour call to Saudi Arabia
Examples from Mitnick’s “Art of Intrusion”• U.S. District Courthouse server: “public” /
“public”• NY Times employee database: pwd = last 4 SSN
digits• “Dixie bank”: break into router
(pwd=“administrator”), then into IBM AS/400 server (pwd=“administrator”), install keylogger to snarf other passwords – “99% of people there used ‘password123’ as their
password”
slide 27
Storing Passwords
t4h97t4m43 fa6326b1c2 N53uhjr438 Hgg658n53 …
user system password file“cypherpun
k”
hashfunction
slide 28
Password Hashing
Instead of user password, store Hash(password)
When user enters password, compute its hash and compare with entry in password file• System does not store actual passwords!• Difficult to go from hash from password!
Hash function H must have some properties• Given H(password), hard to find string X such
that H(X)=H(password) - why?
slide 29
UNIX Password System
Uses DES encryption as if it were a hash function• Encrypt NULL string using password as the key
– Truncates passwords to 8 characters!• Artificial slowdown: run DES 25 times (why?)• Can instruct modern UNIXes to use MD5 hash
function Problem: passwords are not truly random
• With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 948 6 quadrillion possible 8-character passwords
• Humans like to use dictionary words, human and pet names 1 million common passwords
slide 30
Dictionary Attack
Password file /etc/passwd is world-readable• Contains user IDs and group IDs which are used
by many system programs Dictionary attack is possible because many
passwords come from a small dictionary• Attacker can pre-compute H(word) for every
word in the dictionary – this only needs to be done once!!– This is an offline attack– Once password file is obtained, cracking is
instantaneous• With 1,000,000-word dictionary and assuming
10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average
slide 31
Old Password Surveys
Klein (1990) and Spafford (1992)• 2.7% guessed in 15 minutes, 21% in a week• Much more computing power is available now!
U. of Michigan: 5% of passwords were “goblue”• (cheer for their football team)
Zviran and Haga (1999)• Password usage at a DoD facility in California• 80% of passwords were 4-7 characters in length,
80% used alphabetic characters only, 80% of the users had never changed their password
slide 32
Password Guessing Techniques
Dictionary with words spelled backwards First and last names, streets, cities Same with upper-case initials All valid license plate numbers in your state Room numbers, telephone numbers, etc. Letter substitutions and other tricks
• If you can think of it, attacker will, too
slide 33
Storing Passwords : Salt
shmat:fURxfg,4hLBX:14510:30:Vitaly:/u/shmat:/bin/csh
/etc/passwd entrysalt
(chosen randomly whenpassword is first set)
hash(salt,pwd)Password
• Users with the same password have different entries in the password file
• Offline dictionary attack becomes much harder
slide 34
Advantages of Salting
Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries• Same hash function on all UNIX machines;
identical passwords hash to identical values• One table of hash values works for all password
files With salt, attacker must compute hashes of
all dictionary words once for each combination of salt value and password• With 12-bit random salt, same password can
hash to 4096 different hash values
slide 35
Shadow Passwords
shmat:x:14510:30:Vitaly:/u/shmat:/bin/csh
• Store hashed passwords in /etc/shadow file which is only readable by system administrator (root)
• Add expiration dates for passwords• Early Shadow implementations on Linux
called the login program which had a buffer overflow!
Hashed password is notstored in a world-readable file
/etc/passwd entry
slide 36
How People Use Passwords
Use a single password at multiple sites• Do you use the same password for Amazon and
your bank account? Do you remember them all? Forget them… many services use “security
questions” to reset passwords• “What is your favorite pet’s name?”• Paris Hilton’s T-Mobile cellphone hack
slide 37
Problems with Security Questions
Inapplicable• What high school did your spouse attend?
Not memorable• Name of kindergarten teacher? Price of your first
car? Ambiguous
• Name of college you applied to but did not attend?
Easily guessable• Age when you married? Year you met your
spouse? Favorite president? Favorite color? Automatically attackable (using public
records!)
[Rabkin, “Security questions in the era of Facebook”]
slide 38
Answers Are Easy to Find Out…
Make of your first car?• Until 1998, Ford had >25% of market
First name of your best friend?• 10% of males: James/Jim, John, Robert/Bob/Rob
Name of your first / favorite pet?• Max, Jake, Buddy, Bear…• Top 500 (covers 65% of names) available online
Information available from Facebook, etc.• Where you went to school, college athletic rivals,
favorite book/movie/pastime, high school mascot
GRAPHICAL PASSWORDS
slide 39
slide 40
Graphical Passwords
Images are easy for humans to remember• Especially if you invent a memorable story to
go along with the images Dictionary attacks on graphical passwords
are believed to be difficult • Images are very “random” (is this true?)
Still not a perfect solution• Need infrastructure for displaying and storing
images• Shoulder surfing
How Passfaces Works
Users Are Assigned a Set of 5* Passfaces
User InterfaceLibrary of Faces
* Typical implementation – 3 to 7 possible as standard
How Passfaces Works
5 Passfaces are Associated with 40 associated decoys Passfaces are presented in five 3 by 3 matrices each
having 1 Passface and 8 decoys
slide 43
Empirical Results
Experimental study of 154 computer science students at Johns Hopkins and Carnegie Mellon
Conclusions:• “… faces chosen by users are highly affected by
the race of the user… the gender and attractiveness of the faces bias password choice… In the case of male users, we found this bias so severe that we do not believe it possible to make this scheme secure against an online attack…”
2 guesses enough for 10% of male users 8 guesses enough for 25% of male users
slide 44
User Quotes
“I chose the images of the ladies which appealed the most”
“I simply picked the best looking girl on each page”
“I picked her because she was female and Asian and being female and Asian, I thought I could remember that”
“I started by deciding to choose faces of people in my own race…”
“… Plus he is African-American like me”
CHALLENGE - RESPONSE
slide 45
slide 46
Security Against Eavesdropping
Idea: use a shared secret to derive a one-time password
If the attacker eavesdrops on the network, he’ll learn this password but it will be useless for future logins
slide 47
Challenge-Response
user system
secret
challenge value
f(secret,challenge)
Why is this better than the password over a network?
secret
slide 48
Challenge-Response Authentication
User and system share a secret (key or password)
Challenge: system presents user with some string
Response: user computes response based on the secret and the challenge• Secrecy: difficult to recover key from response
– One-way hashing or symmetric encryption work well• Freshness: if challenge is fresh, attacker on the
network cannot replay an old response– For example, use a fresh random number for each
challenge
Good for systems with pre-installed secret keys• Car keys; military friend-or-foe identification
slide 49
SecurID
Alice Bob
KEY
v= F(KEY, 0)
KEY
Verifies v=F(KEY,0)?
Advancing the counter• Time-based (60 seconds) or every button press
Allow for skew in the counter value• RSA SecurID: 5-minute clock skew by default
Setup: generate random key
Counter: Counter:
v= F(KEY, 1)
Verifies v=F(KEY,1)?
…
0 1 …
0 1 …
RSA uses a custom functionInput: 64-bit key, 24-bit ctrOutput: 6-digit value
BIOMETRIC AUTHENTICATION
slide 50
slide 51
Biometric Authentication
Nothing to remember Passive
• Nothing to type, no devices to carry around Can’t share (usually) Can be fairly unique
• … if measurements are sufficiently accurate
slide 52
Problems with Biometrics
How hard are biometric readings to forge?• Difficulty of forgery is routinely overestimated• Analysis often doesn’t take into account the
possibility of computer-generated forgery Revocation is difficult or impossible
slide 53
Biometric Error Rates (Benign)
“Fraud rate” vs. “insult rate”• Fraud = system accepts a forgery (false accept)• Insult = system rejects valid user (false reject)
Increasing acceptance threshold increases fraud rate, decreases insult rate
For biometrics, U.K. banks set target fraud rate of 1%, insult rate of 0.01% [Ross Anderson]• Common signature recognition systems achieve
equal error rates around 1% - not good enough!
slide 54
Biometrics (1)
Face recognition (by a computer algorithm)• Error rates up to 20%, given reasonable
variations in lighting, viewpoint and expression Fingerprints
• Traditional method for identification• 1911: first US conviction on fingerprint evidence• U.K. traditionally requires 16-point match
– Probability of false match is 1 in 10 billion– No successful challenges until 2000
• Fingerprint damage impairs recognition– Ross Anderson’s scar crashes FBI scanner
slide 55
Biometrics (2)
Iris scanning• Irises are very random, but stable through life
– Different between the two eyes of the same individual• 256-byte iris code based on concentric rings
between the pupil and the outside of the iris• Equal error rate better than 1 in a million• Best biometric mechanism currently known
Hand geometry• Used in nuclear premises entry control, INSPASS
(discontinued in 2002) Voice, ear shape, vein pattern, face
temperature
slide 56
Surgical Change
slide 57
Stealing Biometrics
slide 58
Involuntary Cloning
Clone a biometric without victim’s knowledge or assistance
“my voice is mypassword” cloned retina Fingerprints from
beer bottlesEye laser scanBad news: it works!
slide 59
Cloning a Finger[Matsumoto]
slide 60
Molding[Matsumoto]
slide 61
The Mold and the Gummy Finger
[Matsumoto]