COEN 350: Network Security
Authentication
Authentication
Between human and machine Between machine and machine
Human Machine Authentication Authentication protocols are based
on What you know.
E.g. password, pass-phrase, (secret key, private key).
What you have. Physical key, smart card.
What you are. Biometrics.
Where you are. E.g. trusted machine, access to room, …
Authentication
Passwords Predate computers. As do some attacks (stealing, guessing)
Older cell phone technology transmits originating number with a password.
Password good, call goes through. Eavesdropper receives phone number –
password combination. Eavesdropper can now clone the phone.
Authentication Password Attacks
Guessing On-line
Time consuming. Authentication attempts are usually logged. Can detect attack long before it is likely to succeed. Can disrupt the attack.
Off-line Attacker needs to steal relevant data from which
password(s) can be determined. Attacker can use arbitrary amount of computing power.
Capturing Passwords Eavesdropping Login Trojan Horse
Authentication
Passwords are stored On each server Alice uses. Centrally: Authentication Storage Node:
Each server retrieves the information when it wants to authenticate Alice.
Centrally: Authentication Facilitator Node:
Each server takes Alice’s data and password and goes to the AFN.
Authentication
Password can be stored Unencrypted
Simple Dangerous
Implicitly as hashes of passwords As in UNIX, VMS
Encrypted Hashed and Encrypted
Authentication
Example: Network Information Service Directory service is the authentication
storage node. Stores hashed passwords of users. Typically, hashed passwords list is
world readable (by claiming to be a server).
NIS authentication storage node is
Authentication Passwords for machine – machine
communication can be made difficult to guess. Arbitrary length Truly random choice of characters.
Human-machine passwords Guessable Subject to dictionary attack.
Authentication Dictionary attack
Most passwords are natural language words. Or derived from natural language words. Guess the language. Use a dictionary to try out all words in the
language. Start with common passwords first. Replace a single character in a word, attach
a random character, etc.
Authentication
Brute-Force Attack Generate all possible password.
Sometimes make assumptions on the alphabet
only printable character characters on a key-board
Authentication Salting
Protects hashed passwords against an offline attack.
Brute Force attack attacks all passwords in password file simultaneously.
Authentication
Salting Store a salt with each password Hash depends on salt and
password. Use different salts for different
passwords. Store salt with password.
Authentication Salting
Brute force attack, dictionary attack can only attack a single password.
Authentication
Passwords are compromised: By obtaining password file.
Safeguard by Hashing and Salting Encryption
By eavesdropping on an exchange Use one-way passwords:
Lamport Hash
Authentication Address Based
Common in early UNIX Rtools:
.rhosts In user home directory (Computer, Account) pairs These pairs are allowed access to the user’s
account /etc/hosts.equiv
List of network addresses of “equivalent” machines Account name on A is equivalent to account name on B.
Users have to have identical account names.
Authentication
Addressed based authentication threatened by Access escalation
Attacker gains access to one hosts. Access cascades to equivalent hosts /
rhosts. Spoofing addresses
Very easy to spoof source address. Harder to intercept traffic back.
Authentication Ethernet network address
impersonation Easy on the same link. Hubs do not protect. Switches can be spoofed through the
ARP protocol. Routers are harder to fool, but can be
attacked and provided with misleading routing data.
Authentication
Cryptographic authentication Alice proves her identity to Bob by
proving to Bob that she knows a secret.
Hashes Secret key cryptography Public key cryptography.
Human Machine Authentication
Initial password distribution to humans Pre-expired, strong passwords
Through mail Derivable from common knowledge
Student ID
Human Machine Authentication Authentication Token
Possession of the token proves right to access.
Magnetic stripe as on credit cards. Harder to reproduce “Impossible” to guess
Demand special hardware Can be lost or stolen
Add pin or password protection Are not safe against communication
eavesdropping and forging
Human Machine Authentication Authentication Token
Smart Card. Needs to be inserted in a smart card reader. Card authenticates to the smart card reader.
PIN protected smart cards. Stops working after a number of false PINs.
Cryptographic challenge / response cards Card contains a cryptographic key. Authenticating computer issues a challenge. Card solves the challenge after PIN is entered. Harder to crack than PIN protected smart cards
because key is never revealed.
Human Machine Authentication Authentication Token
Smart Card. Readerless smart card (Cryptographic
calculator) Communicates with owner through mini-keyboard
and display. Authenticating computer issues a challenge to
Alice. Alice types in challenge into readerless smart card. Readerless smart card solves the challenge.
After Alice puts in her password. Alice transfers the answer to the computer.
Human Machine Authentication Biometrics
Retinal scanner Fingerprint reader Face recognition Iris scanner Handprint readers Voiceprints Keystroke timing Signatures
Strong Passwords
Goal: Eavesdropper does not obtain enough
information to do an off-line verification of password guesses.
Strong Passwords
Bob (Machine) and Alice (Human) share a “weak” secret W. W is a hash of Alice’s password. Bob knows W because he stores it.
Strong Passwords: EKEAlice Bob
Alice and Bob share a weak secret W = f (password)Alice chooses a random number a.
She sends:
Alice, W{ga}
Bob chooses a random b and a challenge C1.
He sends
W {gb, C1}
Both Bob and Alice use their knowledge of W to encrypt their mutual messages. They both calculate K = gab.Alice then proves her knowledge of W by her ability to calculate
K. She also picks a challenge C2 and sends K { C1, C2 } to Bob.
Bob encrypts this message and finds that Alice has solved his challenge C 1. Finally, Bob authenticates himself to Alice. He proves his knowledge of W by his knowledge of K, which he proves by being able to correctly encrypt Alice’s challenge C2. He sends
K {C2 } to Alice.
Strong Passwords: EKE A bad implementation of EKE allows an
eavesdropper to exclude passwords. Assume that we calculate in the field of number
modulo p, p a prime. Then ga and gb are both m bit numbers smaller than p. Attacker maintains a dictionary of possible passwords
and observes many authentication rounds. If W is in the dictionary, he encrypts Alice’s round 1
message M. If W -1{M } > p, then attacker excludes W. Chance of excluding a false password W is 2m – p / p. If this chance is about 80%, then 50 rounds determine
the password out of a normal dictionary.
Nr of Exchanges Chance of false password surviving
1 80%
2 64%
5 33%
10 10%
20 1.2%
50 0.0014%
Strong Passwords
Simple Password Exponential Key Exchange: SPEKE Like EKE, but
Transmit W a and W b and agree on key K. Has a related vulnerability:
W shares algebraic properties with W a. Generator, perfect square
Strong Passwords
PDM: Password Derived Moduli Key Idea: Pick the field based on the
password. Diffie Hellman exchange based on
p = f (password) with base 2:
Alice to Bob: Alice, 2a mod p. Bob to Alice: 2b mod p. Prove knowledge of K = 2ab mod p.
Strong Passwords
Augmented Strong Password Protocols Prevent someone who has stolen the
server data base to impersonate a user. Server does not store the password, but a
quantity sufficient to evaluate it. Augmented EKE:
http://citeseer.ist.psu.edu/bellovin93augmented.html
Strong Passwords
Strong Passwords
Augmented PDM Server Information Creation
Alice has password pssw Alice sends to Bob
p = f (pssw) [this is a prime] W = hash (pssw) [one-way hash]
Bob stores: Alice, p, W,
Strong Passwords:Augmented PDMAlice creates random number a.
She recomputes W and p from her password.
Alice 2a mod p Bob
Bob chooses a random number b.
Bob calculates 2b mod p.
Bob sends 2b, hash1 (2ab mod p , 2bW mod p) to Alice
Alice knows that Bob is Bob because Bob proves that he knows 2bW. Alice now sends
hash2 (2ab mod p , 2bW mod p)
Bob knows that Alice is Alice because she proves to him that she knows W. If Alice had just broken into the server, she would have to calculate 2bW from 2W mod p.
Strong Passwords
Secure Remote Password RFC 2945 Bob stores {Alice, gW mod p}, where
W = f (passwd).
Strong PasswordsSRP
Alice creates random a and sends ga to Bob.Bob creates random b, challenge CBOB and 32b number u.
Bob sends gb + gW mod p, u, CBOB to Alice.Both calculate K = g b(a+uW) mod p
Alice sends K {CBob}, CAlice to Bob.
Bob sends K {CAlice} to Bob.