CSCE 522 Lecture 12 Malicious Code Identification and Authentication

1
CSCE 522Lecture 12Malicious CodeIdentification
and Authentication
2
Reading

• Reading for this lecture
• Required
• Pfleeger Ch. 4 and 5
• Recommended
• Securing Digital Identities Information
  http//www.entrust.com/
• John the Ripper password cracker
  http//www.openwall.com/john/
• Brutus the remote password cracker
  http//www.hoobie.net/brutus/
• Smart Card Standards and Interoperability
  http//www.estrategy.gov/smartgov/smart_card.cfm
• Smart Cards and Biometrics White Paper
  http//www.smartcardalliance.org/about_alliance/Sm
  art_Card_Biometric_paper.cfm
• Privacy and Secure Identification Systems White
  Paper http//www.smartcardalliance.org/alliance_ac
  tivities/privacy_white_paper.cfm
• Reading for next lecture
• Pfleeger Ch. 4 and 5

3
Covert Channel - Trojan Horse
Only John is permitted to access the document
John
Document
Spys Document copy
Spy
4
Covert Channel

• Need
• Two active agents
• Sender (has access to unauthorized information)
  e.g., TH in MS Word
• Receiver ( reads sent information) e.g.,
  program creating the copy
• Encoding schema
• How the information is sent e.g.,
• File F exists ? 0
• File F is does not exist ? 1
• Synchronization e.g., when to check for
  existence of F

5
Storage Covert Channels

• Based on properties of resources
• Examples
• File locks
• Delete/create file
• Memory allocation

6
Timing Covert Channel

• Time is the factor how fast
• Examples
• Processing time
• Transmission time

7
Covert Channel Detection and Removal

• Identification
• Shared resources
• Program code correctness
• Information flow analysis
• Removal
• Total removal may not be possible
• Reduce bandwidth

8
IdentificationAuthentication
9
Authentication

• Allows an entity (a user or a system) to prove
  its identity to another entity
• Typically, the entity whose identity is verified
  reveals knowledge of some secret S to the
  verifier
• Strong authentication the entity reveals
  knowledge of S to the verifier without revealing
  S to the verifier

10
Authentication Information

• Must be securely maintained by the
• system.

11
Elements of Authentication

• Person/group/code/system to be authenticated
• Distinguishing characteristic differentiates the
  entities to be authenticated
• Proprietor/system owner/administrator
  responsible for the system
• Authentication mechanism verify the
  distinguishing characteristic
• Access control mechanism grant privileges upon
  successful authentication

12
Authentication Requirements

• Network must ensure
• Data exchange is established with addressed peer
  entity not with an entity that masquerades or
  replays previous messages
• Network must ensure data source is the one
  claimed
• Authentication generally follows identification
• Establish validity of claimed identity
• Provide protection against fraudulent transactions

13
User Authentication

• What the user knows
• Password, personal information
• What the user possesses
• Physical key, ticket, passport, token, smart card
• What the user is (biometrics)
• Fingerprints, voiceprint, signature dynamics

14
Passwords

• Commonly used method
• For each user, system stores (user name,
  F(password)), where F is some transformation
  (e.g., one-way hash) in a password file
• F(password) is easy to compute
• From F(password), password is difficult to
  compute
• Password is not stored in the system
• When user enters the password, system computes
  F(password) match provides proof of identity

15
Vulnerabilities of Passwords

• Inherent vulnerabilities
• Easy to guess or snoop
• No control on sharing
• Practical vulnerabilities
• Visible if unencrypted in distributed and network
  environment
• Susceptible for replay attacks if encrypted
  naively
• Password advantage
• Easy to modify compromised password.

16
Weak Passwords

• Bell Labs study (Morris and Thompson, 1979), 3289
  passwords were examined
• 15 single ASCII characters, 72 two ASCII
  characters, 464 three ASCII characters, 477 four
  ASCII characters, 706 five letters (all lower
  case or all upper case), 605 six letters, all
  lower case, 492 week passwords (name, dictionary
  words, etc.)
• Summary 2831 passwords (86 of the sample) were
  weak, i.e., either too easy to predict or too
  short

17
Attacks on Password

• Guessing attack/dictionary attack
• Social Engineering
• Sniffing
• Trojan login
• Van Eck sniffing

18
Guessing Attack

• Exploits human nature to use easy to remember
  passwords
• Trial-and-error attack
• Easy to detect (failed logins) and block
• Need audit mechanism

19
Social Engineering

• Attacker asks for password by masquerading as
  somebody else (not necessarily an authenticated
  user)
• May be difficult to detect
• Protection against social engineering strict
  security policy and users education

20
Dictionary Attacks on Passwords

• Attack 1
• Create dictionary of common words and names and
  their simple transformations
• Use these to guess password
• Attack 2
• Usually F is public and so is the password file
  (encrypted)
• Compute F(word) for each word in dictionary
• Find match
• Attack 3
• Pre-compute dictionary
• Look up matches

21
Password Salt

• Used to make dictionary attack more difficult
• Salt is a 12 bit number between 0 and 4095
• It is derived from the system clock and the
  process identifier
• Compute F(passwordsalt) both salt and
  F(passwordsalt) are stored in the password table
• User gives password, system finds salt and
  computes F(passwordsalt) and check for match
• Note with salt, the same password is computed in
  4096 ways

22
Password Management Policy

• Educate users to make better choices
• Define rules for good password selection and ask
  users to follow them
• Ask or force users to change their password
  periodically
• Actively attempt to break users passwords and
  force users to change broken ones
• Screen password choices

23
One-time Password

• Use the password exactly once!

24
Lamports scheme

• Doesnt require any special hardware
• System computes F(x),F2(x),, F100(x) (this
  allows 100 logins before password change)
• System stores users name and F100(x)
• User supplies F99(x) the first time
• If the login is correct, system replaces F100(x)
  with F99(x)
• Next login user supplies F98(x) and so on
• User calculates Fn(x) using a hand-held
  calculator, a workstation, or other devices

25
Time Synchronized

• There is a hand-held authenticator
• It contains an internal clock, a secret key, and
  a display
• Display outputs a function of the current time
  and the key
• It changes about once per minute
• User supplies the user id and the display value
• Host uses the secret key, the function and its
  clock to calculate the expected output
• Login is valid if the values match

26
Time Synchronized
Secret key
Time
DES
One Time Password
27
Challenge Response

• Non-repeating challenges from the host is used
• The device requires a keypad

Network
Work station
Host
User ID
Challenge
Response
28
Challenge Response
Secret key
Challenge
DES
One Time Password
29
Devices with Personal Identification Number (PIN)

• Devices are subject to theft, some devices
  require PIN (something the user knows)
• PIN is used by the device to authenticate the
  user
• Problems with challenge/response schemes
• Key database is extremely sensitive
• This can be avoided if public key algorithms are
  used

30
Smart Cards

• Portable devices with a CPU, I/O ports, and some
  nonvolatile memory
• Can carry out computation required by public key
  algorithms and transmit directly to the host
• Some use biometrics data about the user instead
  of the PIN

31
Biometrics

• Fingerprint
• Retina scan
• Voice pattern
• Signature
• Typing style

32
Problems with Biometrics

• Expensive
• Retina scan (min. cost) about 2,200
• Voice (min. cost) about 1,500
• Signature (min. cost) about 1,000
• False readings
• Retina scan 1/10,000,000
• Signature 1/50
• Fingerprint 1/500
• Cant be modified when compromised

33
Next Class

• Access Control