Authentication and Passwords - PowerPoint PPT Presentation

1
Authentication and Passwords
  • Prashant Dewan
  • Tuesday, December 22, 2009

2
What is Authentication?
  • Authentication is the process of determining
    whether someone or something is, in fact, who or
    what it is claimed to be
  • Examples: authentication of
    • a user
    • a resource (file, machine, network)

3
Elements of Authentication
  • An entity to be authenticated
  • A distinguishing characteristic that
    differentiates a valid entity from an invalid
    one.
  • A proprietor who is responsible for the
    administration of the system
  • An authentication mechanism to verify the
    presence of the distinguishing characteristic.
  • An access control mechanism which can enforce
    the requisite privileges

4
Distinguishing Characteristic
  • What you know
    • Passwords, PINs
  • What you are
    • Biometrics
    • Problems with biometrics: an active research area
  • What you have
    • Tokens, smart cards, counter- or clock-based
      one-time passwords

5
Passwords History
  • Passwords came in 1960 with the advent of
    time-sharing systems.
  • The first machine that used passwords was CTSS
    (Compatible Time Sharing System) at MIT
  • It stored user passwords in a file
  • Hackers were able to extract the password file
    from its secluded location
  • Social engineering
  • Brute-force attacks

6
One way functions
  • Y = F(x)
  • You can calculate Y if you know x
  • Not vice versa
  • They are pretty common in everyday life
    • Breaking of a glass

7
Password Encryption
(Diagram: password checking procedure)
  • Keyboard input procedure: username and password
    stored in RAM (e.g. Joe, passwd)
  • One-way hash: username and hashed password
    stored in RAM (e.g. Joe, Shihfghas)
  • Encrypted password storage: <UserName> <Encrypted
    Password>
8
Vulnerabilities
  • Guessing attacks
    • Detect them with audit trails
    • But audit trails are a problem: people enter
      passwords in the user name field, and audit
      trails can reveal the user names of the users
  • Social engineering

9
Dictionary Attacks
  • Many people use dictionary words as passwords
  • An average dictionary contains only 150,000 to
    200,000 words
  • If each attempt takes a millisecond, the
    complete dictionary can be hashed in 200 seconds

10
Dictionary Attacks
  • Take the 200,000 entries and generate their
    obvious permutations
    • Capital first letter
    • All letters capitalized
    • About 10 different versions of each word
  • This takes half an hour of computation time.
  • The result is a 2-million-word candidate list,
    around 22 MB

11
Dictionary Attacks
  • Hence files containing hashed passwords are
    susceptible to a pre-compiled dictionary attack
  • An attacker generates a file of all possible
    dictionary words and their hashes, then searches
    it for each hash found in the stolen file

12
Dictionary Attacks
  Pre-compiled dictionary (index, plaintext word, hash):
  Index      7210       7211    7212      7213    7214
  Plaintext  Effluvium  Effort  Effusive  Eft     egalitarian
  Hash       er4345dg   e1qqw3  edf234    jkl244  fgt24

  Stolen password file (user, hash, uid, name, home, shell):
  Jdoe     345ert   1624  Cathy Roe     /home/croe     /bin/csh
  Stewart  edf234   1624  Mark Stewart  /home/stewart  /bin/csh
  Andy     wer345t  1624  Andy O Ram    /home/andy     /bin/csh
  (The stolen hash edf234 matches table index 7212: Effusive)
13
Salt
  • A random string which is concatenated with the
    password before hashing the complete string
  • In Unix the salt is generally 12 bits
  • The salt is stored in plain text in the password
    file.
  • This made the pre-compiled dictionary attack
    difficult.

14
Dictionary Attack
  • For each password, a dictionary attack needed
    • half an hour of computation time
    • 22 MB of space
  • Now, to crack any password which could have been
    cracked earlier
    • half an hour for each salt value
    • 80 GB of space
  • Salt also makes it impossible to tell whether two
    hashed passwords are the same.
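
Added example, not from the slides: the unsalted scheme of slide 7 beside the salted scheme of slide 13, showing why a pre-compiled table (slides 11-12) finds an unsalted hash with one lookup, why salt forces a full rehash of the dictionary per salt value, and why two users with the same password no longer share a hash (slide 14). SHA-256, 16-byte salts and the five-word dictionary are constructed stand-ins for the slides' unnamed hash, 12-bit Unix salt and 200,000-word list.

```python
import hashlib
import secrets

# Constructed five-word stand-in for the 200,000-word dictionary of slide 9.
DICTIONARY = ["effluvium", "effort", "effusive", "eft", "egalitarian"]

def hash_unsalted(password):
    """Slide 7 scheme: one-way hash of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(salt, password):
    """Slide 13 scheme: salt concatenated with the password before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def precompiled_table(words):
    """Slides 11-12: hash each word once; the table works against every stolen file."""
    return {hash_unsalted(w): w for w in words}

def lookup_unsalted(stored_hash, table):
    """Without salt, recovering a password is a single table lookup per entry."""
    return table.get(stored_hash)

def crack_salted(stored_hash, salt, words):
    """With salt the table is useless: the whole dictionary must be rehashed
    for this one salt value, the per-salt cost described on slide 14."""
    for w in words:
        if hash_salted(salt, w) == stored_hash:
            return w
    return None

def enroll(username, password, salt=None):
    """Password-file record: username, salt in the clear (hex), salted hash.
    16 random bytes here; the traditional Unix salt was only 12 bits."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return (username, salt.hex(), hash_salted(salt, password))

def verify(record, attempt):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, salt_hex, stored = record
    return secrets.compare_digest(hash_salted(bytes.fromhex(salt_hex), attempt), stored)

if __name__ == "__main__":
    table = precompiled_table(DICTIONARY)
    print("unsalted lookup:", lookup_unsalted(hash_unsalted("effusive"), table))
    stewart, andy = enroll("stewart", "effusive"), enroll("andy", "effusive")
    print("same password, equal hashes?", stewart[2] == andy[2])
    print("salted hash found in table?", lookup_unsalted(stewart[2], table))
    print("login checks:", verify(stewart, "effusive"), verify(stewart, "effort"))
```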

15
Key Loggers
  • A key logger is a program that runs in the
    background, recording all keystrokes
  • A key logger normally consists of two files: a
    DLL which does all the work and an EXE which
    loads the DLL and sets the hook. Therefore, when
    the hook is deployed on a system, both files
    must be present in the same directory.
  • The EXE can be executed at boot time by
    modifying the registry.

16
Are Key Loggers illegal?
  • In December 2001, a federal court ruled that the
    FBI did not need a special wiretap order to place
    a keystroke logging device on a suspect's
    computer
  • Also, the judge allowed the FBI to keep details
    of the device secret, citing national security
    concerns
  • Examples of free key loggers
    • CookiePatrol
    • KeyPatrol
    • PestPatrol.exe
    • PestPatrolCL

17
Authentication Tokens
  • You must have the token in your possession in
    order to be authenticated
  • Passive tokens
    • Key to a physical lock
    • ATM card, WEES card
  • Active tokens
    • Smart card
    • SafeWord, SecurID

18
Tokens-Advantages
  • If a token is compromised (lost), it is much
    easier for the owner to find out.
  • Tokens like smart cards can foil attacks using
    key loggers
  • Tokens can be used for multiple access sites
    without sharing the secrets among those sites.
  • Compatible hardware is a problem, and the market
    is slowly moving towards USB tokens

19
One Time Passwords
  • Counter based
    • The token and the authentication mechanism share
      a base secret.
    • This secret is used to generate a sequence of
      numbers or passwords
    • The algorithm used to do this is public, but the
      base secret is known only to the token and the
      authentication mechanism

20
One Time Passwords
(Diagram: counter-based token)
  • Increment the counter (e.g. 0001031)
  • Use a base secret (KEY) stored inside the token
  • One-way hash of counter and key
  • Format the result to fit the display
21
One Time Password Clocks
(Diagram: clock-based token)
  • Read the synchronized clock (CLOCK) stored inside
    the token
  • Use a base secret (KEY) stored inside the token
  • One-way hash of clock value and key
  • Format the result to fit the display
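
Added example, not from the slides: the counter-based pipeline of slide 20 and the clock variant of slide 21 in Python, using the HOTP construction of RFC 4226 (HMAC-SHA1, dynamic truncation, six digits) as the concrete one-way hash and display formatting, together with a verifier that lets a token drift a few counters ahead but rejects replay of a code already accepted. The base secret is the RFC 4226 test-vector key, chosen so the codes are checkable; the 30-second clock step and the 5-counter look-ahead window are assumptions.

```python
import hashlib
import hmac
import struct

# Base secret shared by token and verifier (slide 19). This is the RFC 4226
# test-vector key, used here only so the generated codes can be checked.
BASE_SECRET = b"12345678901234567890"

def one_time_password(secret, counter, digits=6):
    """Slides 20-21: counter (or clock step) -> keyed one-way hash -> format to
    fit the display. Concretely the HOTP construction of RFC 4226: HMAC-SHA1,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def clock_counter(now, step=30):
    """Slide 21: a clock-based token feeds the current time step (assumed 30 s)
    into the same hash instead of an incrementing counter."""
    return int(now // step)

class Verifier:
    """Server side of the counter-based token. It remembers the last accepted
    counter and looks ahead a small window, so a token whose button was pressed
    without logging in resynchronises, but any counter at or below the last
    accepted one is rejected, which blocks replay of an observed code."""
    def __init__(self, secret, window=5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def check(self, code):
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(one_time_password(self.secret, c), code):
                self.last_counter = c
                return True
        return False

if __name__ == "__main__":
    v = Verifier(BASE_SECRET)
    code = one_time_password(BASE_SECRET, 0)
    print(code, v.check(code), v.check(code))   # accepted once, replay rejected
```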
22
Smart Cards
  • Memory cards
    • They have only memory built into them
    • They may or may not have any security features
      built in
    • Passive tokens
  • Processor cards
    • Miniature computers with an input and an output
      port
    • The processing power of the card is much less
      than that of a computer

23
Smart Card Technologies
  • PC/SC
    • Microsoft technology
    • Used to interface smart cards to Win32-based
      machines
    • Not available on other platforms
  • Java Card
    • A Schlumberger technology
    • Java applets run on the card
    • May become the de facto standard in the future

24
Smart Card Technologies
  • Open Card Standard
    • Provides interoperability of smart card
      applications across desktops, laptops and other
      systems
    • Uses 100% Java
    • Provides a PC/SC interface for use of existing
      devices on the Win32 platform.

25
Tokens -Problems
  • Tokens can be stolen
  • They can be borrowed
  • They can be duplicated
  • Solutions
    • PIN
    • Biometrics
    • Short-term tokens

26
Other Authentication Mechanisms
  • Public/private key infrastructures (PKI)
    • Computation intensive
    • Not a panacea
    • Secure storage of the key is the problem
    • Certificate revocation is a problem
    • PKI is not intuitive, hence difficult to use.