Date post: | 18-Jan-2018 |
Category: |
Documents |
Upload: | marion-davis |
View: | 235 times |
Download: | 0 times |
Entity Authentication (1)
Frank Flanagan
Authentication
(cf. chapter 10 of Handbook of Applied Cryptography) Entity Authentication
People, computers etc Normally interactive Protocol Proves timeliness
Message Authentication Message must contain everything necessary to authenticate itself
Both forms may be used to establish session keys
Definition
Entity Authentication is a process where a claimant or prover (A) proves, to the satisfaction of a verifier (B), its identity That A took part in the proof
Desirable Properties A can authenticate itself to B B can not reuse information from the exchange to impersonate A to
another party The probability that C can successfully convince B that it is actually
A is negligibly small even with C has observed all the communications from a large number of authentications by A to B
Assurances
Not all authentication protocols provide all of the properties we might want
Authentication protocols only provide an assurance of identity at the completion of the protocol
Session Hijacking!
What is Authentication Based on
A Secret Types of Authentication
Information – password, PINs and demonstration of knowledge with challenge response protocols
Possession – smart cards, SecureID tokens etc Inherent attributes of the entity, biometrics,processor ID numbers
etc.
Properties of Authentication Protocols
Unilateral or Mutual authentication A proves its identity to B or A and B prove their identities to one another
Computational efficiency – this may be counter intuitive Communication efficiency Third party involvement Provable security Zero knowledge Storage of secrets – stored plaintext and even encrypted
secrets are a weak point
Basic Password Scheme
B stores a plaintext file of passwords including A’s password Password file should be read and write protected using OS
mechanisms User enters password and is compared with file No protection against privileged users No protection against exploit that obtain file Unlikely as it may seem such schemes are still in use typically as
application passwords by programmers who should know better
“Encrypted” Password File
Replaces the password file of the previous example with one in which a one way function has been applied to the passwords Replay attacks – straight wire tap a la telnet Masquerading as verifier
- Program that produces login prompt around since early 1970’s- Privately owned ATM installed to capture magnetic strips and PINs then
issue error message without issuing cash Early Unix systems allowed deletion or replacement of the hash
- Fixed using shadow file Offline cracking of file
The Memory Problem
People can not remember, nor are they willing to type, passwords with sufficient entropy Do you want to type “5*c]v9Hc,>nMp{T^” every time you want to log
in? Do you think you could remember this? People pick passwords that are reasonably short, consist of a word
or a combination of words in their own native language English has very little entropy (~2.3 bits/character)
- Therefore a 20 character English password has about 46 bits entropy; this is nearly enough but nobody uses 20 character passwords
Entropy can be increased by using non English characters- Do not pick English words and substitute 1 for A, 2 for B … This is well
known- Must use mixed case
Entropy
Basically uncertainty Flipping a coin gives one bit on entropy ASCII (which is what passwords are usually based on) is a
7 bit code, discounting control characters such as <CR> <FF> etc we get about 7.5 bits of entropy in a random character
English does not arrange characters randomly QU – Very few exceptions IE, ING, …CK.., CH
Mixed (not just initial capital) case improves entropy Non alphabetic characters improve entropy
Passwords from Social Engineering
There are a number of good bets for passwords: Post-its with passwords written on them Something with a password written on it in the pen drawer of a
pedestal Standing over some bodies shoulder Even listening to the number of keystrokes gives useful information
for a cracking program- If the user can actually type non alphabetics will take longer- A timing analysis of the keystrokes could reveal a lot
Online Attacks
Online attacks consist of either typing usernames/ passwords interactively or via a program to an active verifier
A number of measures have restricted the usefulness of such attacks: Many systems lock out users after a small number of tries Most systems deliberately waste considerable time after a failed
attempts Locking out users may lead to a denial of service attack
Password Files
Passwords are normally processed through a one way function not actually encrypted Main reason is export control Unix uses a modified DES
- Function is iterated a number of times to consume extra CPU in a cracking attack
- Modification makes most DES chips unusable for cracking attack- High speed FPGA would make excellent cracker
Password is reduced to a hash
Password Cracking
Could just try all combinations of characters starting at minimum length This is a lot of effort Remember that English has very low entropy Dictionary attacks reduce the search space dramatically Modified dictionary attacks can cope with known rules
- Must contain a single non alphabetic- Must contain mixed case- Must not be in a standard dictionary
Remember users will do almost anything possible to minimize their effort- Rule 6 character password with one non alphabetic- Password FRED6- Perpetrator experienced engineer with poor typing skills – very easy to pick out
with one finger
Naive Password Cracking
Take a copy of the password file and a dictionary Sort the password file by hash value Hash words from the dictionary Compare hashes
Birthday paradox limits number of trials that will be needed This simple attack is restricted somewhat by salting
A per user value (sometimes the username) is used to modify the entered password prior to the one way function
With salting two users with the same password will not have the same encrypted password
Exhaustive search for a single user’s password reminds the same Salting does however reduce the efficiency of an attack against a
large password file
Pass Phrases
Pass Phrases are phrases of language used in place of passwords
Being longer than passwords they have more entropy and are somewhat better
Phrases as absurd as possible (but unlike these examples original): A cup of fur Tangerine trees and marmalade skies
PINs
Personal Identification Numbers (PINs) are much beloved of banks
Given their length and the fact that they are only decimal digits (~3.5 bits of entropy each) a 4 digit PIN is only about 14 bits of entropy
PINs are truly awful except perhaps in the ATM type context where the card is confiscated after 3 attempts
GSM SIM cards use a variant where on three bad attempts to enter a PIN the user must move to enter a PUK which has significant entropy
Password Ageing
Password Ageing helps from at least two perspectives: A hacker in possession of a password file may not be able to
complete an attack prior to the passwords being replaced If re-use of earlier passwords is disallowed passwords may improve
with time Passwords gathered through social engineering are replaced
It hurts from one main perspective Users often do not remember the new password This produces an admin overhead It is critical not to make users feel like idiots when they forget
passwords – next time they will write it down
One Time Passwords
An improvement on conventional passwords is to use a shared list of passwords each of which can only be used once
This involves a lot of shared secrets and is not really suitable for use by humans directly
It is possible for the verifier to generate a new password, encrypt it and transmit it to the user at the start of the session (iterated passwords) in the event of communications failures/aborted sessions this does not work well.
Challenge Response (Strong Authentication)
Verifier generates a time varying challenge Typically random
Response is a function of challenge + secret and proves timely knowledge of the secret without divulging
Multi Factor Authentication
Two factor uses two of: Knowledge Possession Inherent attribute
Three Factor uses all three Knowledge + Possession is often known as “know
something bring something”
Token Based Authentication
SecureID – Username - Password Smart Card – U to T Casque Username - Password Bank Cards - Pin I-Button – U - T…
Token Based Authentication
In many cases user authenticates to token giving effective two factor authentication
In other cases the user also enters a username/password pair again giving two factor authentication
Tokens are difficult to duplicate Stolen tokens are usually of little use except in side
channel attacks
Side Channel
Anything other then the intended means of communication that conveys information
Power Electromagnetic Waves Timing Audio Modulation of LED’s by power Modulation of amplitude on signals by internal operations Side channel leakage is an analogue quantity, it can be
attenuated but it will never go away
Side Channel – A simple example
A burglar is stealing from your house when you return home
He hides in a cupboard in a bedroom in which the lights are on
After about 10 minutes the lights dim slightly; he pauses a couple of moments and then he casually gets out of the cupboard and walks out the front door
How could he have known it was safe to leave
SIde Channel Physical Basis
Power supplies are not perfect they exhibit some resistance and inductance
PCB traces are not perfect they are radio antennas, they exhibit cross talk to nearby traces, they have resistance
Optical fibres if bent just below their minimum radius of curvature leak sufficient light to be coupled to
Ideally all security algorithms should take uniform time for all data and for all keys They should not reject early with failure They should behave identically for all failures not provide a choice
of errors – Invalid Login not Invalid Username and Invalid Password
Side Channel Attacks (1)
Power Analysis Simple / Differential / Inferential Basis is usually CMOS switching CMOS output stage contains two
FETS Normally one is off In transition both are very often on This causes current pulses Current pulses cause voltage drops Voltage drops can be measured
externally
Current
Input Voltage
CMOS Output Stage
IPA
I believe the neatest power attack of all time was Paul Fahan’s IPA attack CHES 99 or 2000
C 20,000 signings were performed with a single smart card Subsequently the recorded power consumption from one signing
from by any smart card from the same family (die) allowed the key to be recovered
This would be capable of use in say a petrol station with a digital storage oscilloscope or equivalent under the counter capturing each customer’s card
Smart cards have been improved since this attack and as presented this attack would not work against the current generation
There is no reason to presume that a new and improved attack would fail
The Problem with Compromised Tokens
It is reasonably easy to convince say a credit card company that your magnetic stripe card has been cloned and used fraudulently
Everyone puts substantially more trust in devices such as smart cards
Excessive trust in technology will place the victims of such fraud in an invidious position