Entity Authentication (1)

Frank Flanagan

Authentication

(cf. chapter 10 of Handbook of Applied Cryptography) Entity Authentication

People, computers etc Normally interactive Protocol Proves timeliness

Message Authentication Message must contain everything necessary to authenticate itself

Both forms may be used to establish session keys

Definition

Entity Authentication is a process where a claimant or prover (A) proves, to the satisfaction of a verifier (B), its identity That A took part in the proof

Desirable Properties A can authenticate itself to B B can not reuse information from the exchange to impersonate A to

another party The probability that C can successfully convince B that it is actually

A is negligibly small even with C has observed all the communications from a large number of authentications by A to B

Assurances

Not all authentication protocols provide all of the properties we might want

Authentication protocols only provide an assurance of identity at the completion of the protocol

Session Hijacking!

What is Authentication Based on

A Secret Types of Authentication

Information – password, PINs and demonstration of knowledge with challenge response protocols

Possession – smart cards, SecureID tokens etc Inherent attributes of the entity, biometrics,processor ID numbers

etc.

Properties of Authentication Protocols

Unilateral or Mutual authentication A proves its identity to B or A and B prove their identities to one another

Computational efficiency – this may be counter intuitive Communication efficiency Third party involvement Provable security Zero knowledge Storage of secrets – stored plaintext and even encrypted

secrets are a weak point

Basic Password Scheme

B stores a plaintext file of passwords including A’s password Password file should be read and write protected using OS

mechanisms User enters password and is compared with file No protection against privileged users No protection against exploit that obtain file Unlikely as it may seem such schemes are still in use typically as

application passwords by programmers who should know better

“Encrypted” Password File

Replaces the password file of the previous example with one in which a one way function has been applied to the passwords Replay attacks – straight wire tap a la telnet Masquerading as verifier

- Program that produces login prompt around since early 1970’s- Privately owned ATM installed to capture magnetic strips and PINs then

issue error message without issuing cash Early Unix systems allowed deletion or replacement of the hash

- Fixed using shadow file Offline cracking of file

The Memory Problem

People can not remember, nor are they willing to type, passwords with sufficient entropy Do you want to type “5*c]v9Hc,>nMp{T^” every time you want to log

in? Do you think you could remember this? People pick passwords that are reasonably short, consist of a word

or a combination of words in their own native language English has very little entropy (~2.3 bits/character)

- Therefore a 20 character English password has about 46 bits entropy; this is nearly enough but nobody uses 20 character passwords

Entropy can be increased by using non English characters- Do not pick English words and substitute 1 for A, 2 for B … This is well

known- Must use mixed case

Entropy

Basically uncertainty Flipping a coin gives one bit on entropy ASCII (which is what passwords are usually based on) is a

7 bit code, discounting control characters such as <CR> <FF> etc we get about 7.5 bits of entropy in a random character

English does not arrange characters randomly QU – Very few exceptions IE, ING, …CK.., CH

Mixed (not just initial capital) case improves entropy Non alphabetic characters improve entropy

Passwords from Social Engineering

There are a number of good bets for passwords: Post-its with passwords written on them Something with a password written on it in the pen drawer of a

pedestal Standing over some bodies shoulder Even listening to the number of keystrokes gives useful information

for a cracking program- If the user can actually type non alphabetics will take longer- A timing analysis of the keystrokes could reveal a lot

Online Attacks

Online attacks consist of either typing usernames/ passwords interactively or via a program to an active verifier

A number of measures have restricted the usefulness of such attacks: Many systems lock out users after a small number of tries Most systems deliberately waste considerable time after a failed

attempts Locking out users may lead to a denial of service attack

Password Files

Passwords are normally processed through a one way function not actually encrypted Main reason is export control Unix uses a modified DES

- Function is iterated a number of times to consume extra CPU in a cracking attack

- Modification makes most DES chips unusable for cracking attack- High speed FPGA would make excellent cracker

Password is reduced to a hash

Password Cracking

Could just try all combinations of characters starting at minimum length This is a lot of effort Remember that English has very low entropy Dictionary attacks reduce the search space dramatically Modified dictionary attacks can cope with known rules

- Must contain a single non alphabetic- Must contain mixed case- Must not be in a standard dictionary

Remember users will do almost anything possible to minimize their effort- Rule 6 character password with one non alphabetic- Password FRED6- Perpetrator experienced engineer with poor typing skills – very easy to pick out

with one finger

Naive Password Cracking

Take a copy of the password file and a dictionary Sort the password file by hash value Hash words from the dictionary Compare hashes

Birthday paradox limits number of trials that will be needed This simple attack is restricted somewhat by salting

A per user value (sometimes the username) is used to modify the entered password prior to the one way function

With salting two users with the same password will not have the same encrypted password

Exhaustive search for a single user’s password reminds the same Salting does however reduce the efficiency of an attack against a

large password file

Pass Phrases

Pass Phrases are phrases of language used in place of passwords

Being longer than passwords they have more entropy and are somewhat better

Phrases as absurd as possible (but unlike these examples original): A cup of fur Tangerine trees and marmalade skies

PINs

Personal Identification Numbers (PINs) are much beloved of banks

Given their length and the fact that they are only decimal digits (~3.5 bits of entropy each) a 4 digit PIN is only about 14 bits of entropy

PINs are truly awful except perhaps in the ATM type context where the card is confiscated after 3 attempts

GSM SIM cards use a variant where on three bad attempts to enter a PIN the user must move to enter a PUK which has significant entropy

Password Ageing

Password Ageing helps from at least two perspectives: A hacker in possession of a password file may not be able to

complete an attack prior to the passwords being replaced If re-use of earlier passwords is disallowed passwords may improve

with time Passwords gathered through social engineering are replaced

It hurts from one main perspective Users often do not remember the new password This produces an admin overhead It is critical not to make users feel like idiots when they forget

passwords – next time they will write it down

One Time Passwords

An improvement on conventional passwords is to use a shared list of passwords each of which can only be used once

This involves a lot of shared secrets and is not really suitable for use by humans directly

It is possible for the verifier to generate a new password, encrypt it and transmit it to the user at the start of the session (iterated passwords) in the event of communications failures/aborted sessions this does not work well.

Challenge Response (Strong Authentication)

Verifier generates a time varying challenge Typically random

Response is a function of challenge + secret and proves timely knowledge of the secret without divulging

Multi Factor Authentication

Two factor uses two of: Knowledge Possession Inherent attribute

Three Factor uses all three Knowledge + Possession is often known as “know

something bring something”

Token Based Authentication

SecureID – Username - Password Smart Card – U to T Casque Username - Password Bank Cards - Pin I-Button – U - T…

Token Based Authentication

In many cases user authenticates to token giving effective two factor authentication

In other cases the user also enters a username/password pair again giving two factor authentication

Tokens are difficult to duplicate Stolen tokens are usually of little use except in side

channel attacks

Side Channel

Anything other then the intended means of communication that conveys information

Power Electromagnetic Waves Timing Audio Modulation of LED’s by power Modulation of amplitude on signals by internal operations Side channel leakage is an analogue quantity, it can be

attenuated but it will never go away

Side Channel – A simple example

A burglar is stealing from your house when you return home

He hides in a cupboard in a bedroom in which the lights are on

After about 10 minutes the lights dim slightly; he pauses a couple of moments and then he casually gets out of the cupboard and walks out the front door

How could he have known it was safe to leave

SIde Channel Physical Basis

Power supplies are not perfect they exhibit some resistance and inductance

PCB traces are not perfect they are radio antennas, they exhibit cross talk to nearby traces, they have resistance

Optical fibres if bent just below their minimum radius of curvature leak sufficient light to be coupled to

Ideally all security algorithms should take uniform time for all data and for all keys They should not reject early with failure They should behave identically for all failures not provide a choice

of errors – Invalid Login not Invalid Username and Invalid Password

Side Channel Attacks (1)

Power Analysis Simple / Differential / Inferential Basis is usually CMOS switching CMOS output stage contains two

FETS Normally one is off In transition both are very often on This causes current pulses Current pulses cause voltage drops Voltage drops can be measured

externally

Current

Input Voltage

CMOS Output Stage

IPA

I believe the neatest power attack of all time was Paul Fahan’s IPA attack CHES 99 or 2000

C 20,000 signings were performed with a single smart card Subsequently the recorded power consumption from one signing

from by any smart card from the same family (die) allowed the key to be recovered

This would be capable of use in say a petrol station with a digital storage oscilloscope or equivalent under the counter capturing each customer’s card

Smart cards have been improved since this attack and as presented this attack would not work against the current generation

There is no reason to presume that a new and improved attack would fail

The Problem with Compromised Tokens

It is reasonably easy to convince say a credit card company that your magnetic stripe card has been cloned and used fraudulently

Everyone puts substantially more trust in devices such as smart cards

Excessive trust in technology will place the victims of such fraud in an invidious position