Authentication
CSC 790
W
AKE
F
OREST
U N I V E R S I T Y
Department of Computer Science
Fall 2015
What is authentication?
• Simple answer: establishes identity
– Answers the question: to whom am I speaking?
• Long answer: evaluates the authenticity of identity proving creditials – Credential is proof of identity
– Evaluation assesses the correctness of the association between credential and claimed identity
Why is authentication important?
• We (real world) constantly deal with rights, permissions, and duties – Authentication establishes our identity so we can obtain rights • Similar for the on-line world, just different constraints
– Need methods for proving the identity of people when they are not physically co-located
Examples of how this is currently done?
• Computer security is dependent on the proper design, management, and application of authentication systems
E. W. Fulp CSC 790 Fall 2015 2
What is identity?
• Identity, along with policy, is what affords you access – We have plenty of identities given different contexts • It is also determined by who is evaluating the credential
– Driver’s license, passport, or SSN, prove... – Credit cards prove...
– Signatures prove... – Password proves... – Voice proves...
An example of poor mapping of identity and the purpose for which it was used?
Credentials
• Credentials are evidence to prove identity, for example 1. What the entity knows
2. What the entity has 3. What the entity is 4. Where the entity is
What are examples of each evidence type?
E. W. Fulp CSC 790 Fall 2015 4
Something you know
• Typically something that is secret (or at least not widely known) – Password, mother’s maiden names, SSN, credit card number • Passwords and pass-phrases are common, but are often not strong
– 5% of passwords at the University of Michigan are goblue – Same password are often used for multiple systems
Magical 7 ± 2
• In 1956 Cognitive psychologist George A. Miller published “The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information”
– Used to argue that humans can only remember 7 ± 2 objects • This can be used to estimate the maximal entropy we can maintain?
– This limits the complexity of passwords you can really remember • Similar cognitive limit findings are given in Oliver Sacks’ book
The Man Who Mistook His Wife for a Hat
E. W. Fulp CSC 790 Fall 2015 6
Password Strength
• Measures effectiveness in resisting guessing in brute-force attacks – “How many tries an attacker would need before guessing correctly” • Password strength can be measured in terms of information entropy
– Measures the number of entropy bits in a password
“Entropy of a message is its amount of uncertainty; it increases when the message is closer to random, and decreases when it is less random.”
• Consider a password with 16 bits of strength
– Would be as strong as a 16 generated bits using fair coin flips – Requires 216
unique guesses to exhaust possibilities
– Therefore adding one more bit of entropy doubles the number of guesses, making the task twice as difficult for the attacker
Password Entropy
• Consider randomly selecting l length string from n possible symbols – Number of passwords if nl
– Therefore, increasing l or n will increase entropy
• Strength of the password is log2 of the number of possible passwords
H = log2n l = l log2n 0 5 10 15 20 0 50 100 password length en tr o py Password Strength Numbers Letters Alphanum Case alphanum ASCII printable E. W. Fulp CSC 790 Fall 2015 8
Typical Passwords
• Sadly we tend not to use random passwords, consider the following
Password Occurrences 123456 290,731 12345 79,078 123456789 76,790 password 61,958 iloveyou 51,622 princess 35,231 rock you 22,588 1234567 21,726 12345678 20,553 fulp-is-awsome 17,542 rockyou.com breach 2010 Password Occurrences 123456 120,511 12345 48,452 password 39,448 DEFAULT 34,275 123456789 26,620 qwerty 20,778 12345678 14,172 abc123 10,869 #$@%! 10,683 1234567 9,468
ylehsa nosidam breach 2015 • Human generated passwords are not random, so what is the entropy?
NIST Special Publication 800-63
• Suggests the following scheme to roughly estimate the entropy of human generated passwords
– The entropy of the first character is 4 bits
– The entropy of the next seven characters are 2 bits per character – Characters 9 - 20 have 1.5 bits each (perhaps just 1.3 )
– Characters 21 and above have 1 bit each
– 6 bit bonus if both uppercase letters and non-alpha characters used – 6 bit bonus for passwords of length 1 - 19 characters following an
extensive dictionary check to ensure the password is not contained within a large dictionarya
• As a result, human generated password consisting of only lower case letters has 18 bits of entropy
aPasswords of 20 characters or more do not receive this bonus because it is assumed
they are pass-phrases consisting of multiple dictionary words
E. W. Fulp CSC 790 Fall 2015 10
How much entropy?
• Minimum number of bits required depends on the threat
– If no key stretching, then passwords with more entropy are needed • “Randomness Requirements for Security” (RFC4086), provides some
guidance
– At least 29 bits of entropy if only online attacks
• Diceware uses dice to produce random text for passphrases – Maintains a list of 7776 short words
– Each indexed with unique 5 digit number, each digit is 1 - 6 • Roll 5 dice for each word you want in the passphrase
. . . , 16655 clause, 16656 claw, 16661 clay, 16662 clean, 16663 clear, 16664 cleat, 16665 cleft, 16666 clerk, 21111 cliche, 21112 click, 21113 cliff, 21114 climb, 21115 clime, 21116 cling, 21121 clink, 21122 clint, 21123 clio, 21124 clip, 21125 clive, 21212 yo-mama, 21126 cloak, 21131 clock, . . .
– Use rolled number to look-up the word, repeat...
• Entropy offered is log27776 = 12.9 bits per word, therefore a
five-word passphrase has an entropy of 64.5 bits
E. W. Fulp CSC 790 Fall 2015 12
Storing Passwords
• Rarely are passwords store in cleartext (no encryption) – Actually, they never should be stored in cleartext...
Hopefully this makes sense...
• Typically a hash (one-way encryption) is stored for a password
– If a password is provided for authentication, then it is hashed and the result is compared to the stored hashed value
• This is how Unix stores user (login) passwords (/etc/shadow)
What about your OS or web-browser? How are passwords stored for the “remember this password” feature?
Crack
• Although passwords maybe hashed, they are still sought after – If password file obtained, then passwords guessing done off-line – Simply create a guess, hash, then compare with stored hash
“As of 2011, commercial products are available that claim the ability to test up to 2.8B passwords per second on a standard desktop computer using a high-end graphics processor. Such a device can crack a 10 letter single-case password in one day.”
• Even easier is to hash most common passwords then search for the stored hash in the hashed-common-password table
– This is called an offline dictionary attack
– John the Ripper provides this approach (as well as brute force)
E. W. Fulp CSC 790 Fall 2015 14
Adding Salt
• A defense against dictionary attack is to add salt
– Salt is a random number added to the password before it is hashed – It differentiates passwords when stored in /etc/shadow
• For Unix, the /etc/shadow has the format (“:” delineated)
root:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::
– Second field is the password, in the example above the encrypted password is $1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.
Encrypted Password
• Encrypted password has three parts (“$” delineated) $id$salt$encryptedPassword • The id field identifies the encryption method
ID Encryption Method
1 MD5
2a Blowfish (not part of glib, but some Unix distro’s include)
5 SHA-256 (since glib 2.7)
6 SHA-512 (since glib 2.7, typically used) • The salt field help prevent precomputed hash attacks
– Random value added to the password before it is encrypted – Salt is stored in plaintext
So how does this improve security?
E. W. Fulp CSC 790 Fall 2015 16
• The last field encryptedPassword is the encrypted password • Consider the encryptedPassword entry for root again
$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC. – The encryption is MD5
– The salt is CQoPk7Zh
– The encrypted password is 370xDLmeGD9m4aF/ciIlC. • Still got questions? No problem, go see http://goo.gle/QMET
Password Polcies
• What makes a good password?
– Typically there is a password policy • Policy might specify
– Length such as 8, 12 or 16 character minimum
– Content such as password must contain at least one...
– Blacklist such as password must not contain a dictionary word, or no previously used passwords...
E. W. Fulp CSC 790 Fall 2015 18
End of Passwords?
• Will passwords eventually become useless?
– Consider Moore’s law and associated corollaries (not considering quantum computing)
Authentication Based on What You Have
• Tokens
– Speedpass, EZ-pass – SecureID
• Smartcards
– Europay, MasterCard, and Visa (EMV) • Web digital certificates
E. W. Fulp CSC 790 Fall 2015 20
Simple Token Design
• One-time password system using a hash chain as authenticator • Assume a seed (s), chain length (l), and epoch length (t)
– Tamperproof token encodes s in firmware, which calculates pi = h
l −i(s)
then for epoch i, pi is displayed
– Time synchronization allows allows authentication server to know what pi is expected and authenticate the user
• As a result, if someone (Don Gage) sees the token display at a certain point in time, the information will not be useful at later epochs
Smartcard
• Any pocket-sized card containing an embedded integrated circuit – Are sometimes referred to as Integrated Circuit Cards (ICC) – Replaces the traditional magnetic stripe for storing data – Still verify PINs online at ATMs, but verify on chip at PoS • The ISO 7816 specifications specifies 16 different protocols
– 2 of the possible 16 protocols are in use
– Both protocols are half-duplex asynchronous communications – Communication between the terminal and the card is conducted
using Application Protocol Data Units, or APDUs
E. W. Fulp CSC 790 Fall 2015 22
Simplified Smartcard Lifecycle
Smartcard
Producer Bank Customer
1. Producer creates blank (writable) smartcards 2. Bank initializes card
• PIN and PUK (PIN Unlock Key) • Software package (Applets) loaded • Certificate enrollment
3. Customer personalizes
Once complete, the smartcard can be used for authentication, encryption, and signatures
EMV FTW LOL
• Europay, MasterCard, and Visa (EMV) is a popular smartcard standard – Based on ISO/IEC 7816 for contact cards, and standards based on
ISO/IEC 14443 for contactless cards • Following is a normal transaction
1. Card details and digital signature
$$$ PIN transaction and cryptogram result $
5. On-line transaction authorization (optional)
card
merchant
2. PIN entered by customer 3. PIN entered by customer and
transaction description 4. PIN OK (yes/no) and authorization cryptogram
customer issuer
E. W. Fulp CSC 790 Fall 2015 24
Smartcard Security Issues
• First generation smartcards used Static Data Authentication (SDA), where the card contains a certificate signed by the bank
– Certificate is static, just copy it to a fake chip and program to accept any PIN (a “yes-card”)
– Defeated by online transactions where the merchant contacts the bank to verify the card computed a correct message authentication code on the transaction
• Relay attack
– Exploits the fact that while the card authenticates itself to the merchant terminal, the customer does not know which terminal the card is communicating with
• No-PIN attack
terminal and use it with any PIN he likes.
– The device tricks the card into believing it is doing a chip and signature transaction while making the terminal believe the card accepted the PIN that was entered.
Details in Anderson and Murdoch ”EMV: Why Payment Systems Fail” http://sec.cs.ucl.ac.uk/users/smurdoch/papers/cacm14emv.pdf
E. W. Fulp CSC 790 Fall 2015 26
Authentication Based on Something You Are
• Biometrics measure some physical characteristic
– Fingerprint, face recognition, retina, voice, signature, DNA • Passive biometrics are typically used to recognize
– Do not require the user to actively submit a measurement – Covert and potentially invasive
• Active biometrics are typically used to authenticate – Requires the user to submit a measurement
Basic Web Authentication
client server
GET /protected/index.html HTTP/1.0
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm = "Private"
GET /protected/index.html HTTP/1.0
Authorization: Basic cGx1ZjpuaXJyZXBsdWYK
protected web-page
E. W. Fulp CSC 790 Fall 2015 28
Basic Apache Authentication
• Place file in directory to protect (.htaccess)
AuthType Basic
AuthName "Pluf’s directories"
AuthUserFile /usr/pluf/www-home/.htpasswd AuthGroupFile /dev/null
require valid-user
• In /usr/pluf/www-home/.htpasswd
pluf:l7FwWEqjyzmNo
generated using htpasswd command
Basic Authentication Problems
• Passwords easy to intercept
• Passwords easy to guess (just base-64 encoded) • Passwords easy to share
• No server authentication
– Easy to fool client into sending password to malicious server • Intercepted password may give access to many pages/documents
E. W. Fulp CSC 790 Fall 2015 30
Digest Authentication
client server GET /protected/index.html HTTP/1.1 HTTP/1.1 401 Unauthorized WWW-Authenticate: Digestrealm = "Private" nonce = "98bdc1f9f017..."
GET /protected/index.html HTTP/1.1 Authorization: Digest
username = "egage" realm = "Private"
nonce = "98bdc1f9f017.." response = "5ccc069c4..."
Challenge-Response Approach
• Challenge nonce is a one time random string/value
nonce= h(IP address : timestamp : serverSecret) • Response is the challenge hashed with username and password
response= h(h(name : realm : password) : nonce : h(request)) • Server-specific implementation options
– One-time nonces – Time-stamped nonces
– Method authentication digests
E. W. Fulp CSC 790 Fall 2015 32
Advantages of Digest
• Cleartext password never transmitted across network • Cleartext password never stored on server
• Replay attacks difficult
• Intercepted response only valid for a single URL • Shared disadvantages
– Vulnerable to man-in-the-middle attacks – Protected document can be sniffed
