Vitaly Shmatikov - PowerPoint PPT Presentation

Loading...

PPT – Vitaly Shmatikov PowerPoint presentation | free to download - id: 208fca-YmViY



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Vitaly Shmatikov

Description:

Single Sign-On Systems. 11. Authenticate Once, Use ... hotmail.com, 'kiwifruit' Identity Management with Passport. User. Website .NET. Passport. Log in ... – PowerPoint PPT presentation

Number of Views:37
Avg rating:3.0/5.0
Slides: 16
Provided by: vita51
Learn more at: http://cs.uccs.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Vitaly Shmatikov


1
Attacks on Authentication
CS 378
  • Vitaly Shmatikov

2
Authentication with Shared Secret
Active attacker
not just eavesdrops, but inserts his own messages
kiwifruit
kiwifruit
?
Bob
Alice
Alice and Bob share some secret. How can they
identify each other on the network?
What have we learned from the systems weve seen?
3
Challenge-Response
Active attacker
kiwifruit
kiwifruit
Fresh, random R
R
hash(kiwifruit,R)
hash(kiwifruit,R)
Bob
Alice
  • Man-in-the-middle attack on challenge-response
  • Attacker successfully authenticates as Alice by
    simple replay
  • This is an attack on authentication, not secrecy
  • Attacker does not learn the shared secret
  • However, response opens the door to offline
    dictionary attack

4
Encrypted Timestamp
KEY
KEY
EncryptKEY(time)
Bob
Alice
  • Requires synchronized clocks
  • Bobs clock must be secure, or else attacker will
    roll it back and reuse an old authentication
    message from Alice
  • Attacker can replay within clock skew window

5
Lamports Hash
n, yhashn(kiwifruit)
kiwifruit
n
?
Verifies yhash(x)
xhash((hash(kiwifruit))
Replace with (n-1, x)
Bob
Alice
n-1 times
  • Main idea hash stalk
  • Moving up the stalk (computing the next hash) is
    easy, moving down the stalk (inverting the hash)
    is hard
  • n should be large (can only use it for n
    authentications)
  • For verification, only need the tip of the stalk

6
Small n Attack
n, yhashn(kiwifruit)
kiwifruit
Real n
Fake, small m
?
Verifies yhash(x) Yes!
hashm(kiwifruit)
xhashn(kiwifruit)
Bob
Alice
Easy to compute hashn() if know hashm() with mltn
  • Message from Bob is not authenticated!
  • Alice should remember current value of n

7
Mutual Authentication
KEY
KEY
I am Alice fresh random RA
fresh random RB encryptKEY(RA)
encryptKEY(RB)
Bob
Alice
  • Mutual authentication Bob to Alice and Alice to
    Bob
  • Bobs reasoning I must be talking to Alice
    because
  • Person who correctly encrypted RB is someone who
    knows KEY Only Alice knows KEY Alice must have
    encrypted RB Because RB is fresh, Alice can only
    know RB if she received my message

8
Reflection Attack
I am Alice fresh random RA
KEY
fresh random RB encryptKEY(RA)
Start new session, replay Bobs number back at him
I am Alice RB
fresh random RB encryptKEY(RB)
Bob
Replay Bobs own message as response from Alice
encryptKEY(RB)
  • Bobs reasoning I must be talking to Alice
    because
  • Person who correctly encrypted RB is someone who
    knows KEY Only Alice knows KEY No! Bob himself
    knows KEY, too!
  • Security often fails because of flawed reasoning

9
Timestamp Reflection
KEY
KEY
I am Alice EncryptKEY(time)
EncryptKEY(time1)
Soon thereafter
Bob
Alice
I am Alice EncryptKEY(time1)
  • Problem same key for Alice and Bob
  • Attacker can get Bob to encrypt using Alices key
  • How would you avoid this with symmetric
    cryptography?
  • Problem messages dont include intended
    recipient
  • Problem Bob doesnt remember his own messages

10
Single Sign-On Systems
CS 378
  • Vitaly Shmatikov

11
Authenticate Once, Use Everywhere
Stores credit card numbers, personal information
Sign on once
.NET Passport
Receive Web identity
Access any network service
Web retailers
User
Email
Messenger
  • Idea similar to Kerberos
  • Trusted third party issues identity credentials,
    user uses them to access services all over the
    Web

12
Identity Management with Passport
?Log in
?Redirect browser to Passport server
?Email and password?
?joe_at_hotmail.com, kiwifruit
?Redirect browser back to website
?3 encrypted cookies
.NET Passport
Website
User
?Decrypt verify cookies
?Check user against database
?Requested page
Passport manager
Passport user database
13
Passport Early Glitches
  • Flawed password reset procedure
  • Password reset didnt require previous password
  • Attacker sends modified URL requesting reset,
    receives email from Passport providing URL to
    change password
  • http//register.passport.net/emailpwdreset.srf?lc
    1033emvictim_at_hotmail.comidcbprefemattacker
    _at_attacker.com
  • Cross-scripting attack
  • Victim stores credit card info in Microsoft
    Wallet
  • Information kept in a cookie for 15 minutes
  • Victim then logs into Hotmail reads attackers
    email
  • Malicious email contains HTML. Hotmails web
    interface processes it, calls script on another
    site and hands over cookie.

14
History of Passport
  • Launched in 1999
  • By 2002, Microsoft claimed over 200 million
    accounts, 3.5 billion authentications each month
  • Current status
  • From Directory of Sites at http//www.passport.net
    We have discontinued our Site Directory
  • Monster.com dropped support in October 2004
  • Ebay dropped support in January 2005
  • Seems to be fizzling out
  • Still supported by Microsoft and MSN sites

15
Liberty Alliance
  • Open-standard alternative to Passport
  • Promises compliance with privacy legislation
  • Long list of Liberty-enabled products
  • See website

http//www.projectliberty.org
About PowerShow.com