Title: Authentication and Passwords
1 Authentication and Passwords
- Prashant Dewan
- Tuesday, December 22, 2009
2 What is Authentication?
- Authentication is the process of determining whether someone or something is, in fact, who or what it claims to be.
- Examples: authentication of
  - a user
  - a resource (a file, a machine, a network)
3 Elements of Authentication
- An entity to be authenticated
- A distinguishing characteristic that differentiates a valid entity from an invalid one
- A proprietor who is responsible for the administration of the system
- An authentication mechanism to verify the presence of the distinguishing characteristic
- An access control mechanism which can enforce the requisite privileges
4 Distinguishing Characteristic
- What you know
  - Passwords, PINs
- What you are
  - Biometrics
  - Biometrics have problems of their own (measurement errors; a compromised characteristic cannot be replaced) and remain an active research area
- What you have
  - Tokens: smart cards, counter- or clock-based one-time password generators
5 Password History
- Passwords arrived in the early 1960s with the advent of time-sharing systems.
- The first machine to use passwords was CTSS (Compatible Time-Sharing System) at MIT.
- CTSS stored the user passwords in a file.
- Attackers were able to extract the password file from its supposedly secluded location.
- Other early attacks on passwords: social engineering and brute-force guessing.
6 One-Way Functions
- Y = F(x)
- You can calculate Y if you know x
- Not vice versa: given Y, it is infeasible to recover x
- They are pretty common in everyday life
  - Breaking a glass: easy to do, infeasible to undo
7 Password Encryption
Password checking procedure:
- Keyboard input procedure: the user name and password are read into RAM (e.g. Joe / passwd).
- One-way hash: the password is hashed, so the user name and hashed password are now in RAM (e.g. Joe / Shihfghas).
- Compare with the stored entry. The password file holds <UserName> <Encrypted Password>, i.e. the hash rather than the plaintext (despite the name, this is a one-way hash, not reversible encryption).
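The checking procedure above in working form, as an added example that is not part of the slides: SHA-256 stands in for the slide's generic one-way hash, the user names and passwords are constructed, and the file layout is the slide's `<UserName> <Hashed Password>`. Note the weakness the later slides exploit: without salt, two users who pick the same password get the same stored hash.

```python
# Added example, not from the slides: the checking procedure of slide 7 with an
# unsalted one-way hash (SHA-256 stands in for the slide's generic hash).
import hashlib
import hmac
from typing import Dict, Optional

def one_way_hash(password: str) -> str:
    """F(x): easy to compute from the password, infeasible to invert."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def store_password(pw_file: Dict[str, str], username: str, password: str) -> None:
    """Keep only <UserName> <HashedPassword>; the plaintext never reaches disk."""
    pw_file[username] = one_way_hash(password)

def check_password(pw_file: Dict[str, str], username: str, password: str) -> bool:
    """Keyboard input -> hash in RAM -> compare with the stored hash.

    compare_digest avoids leaking how many leading characters matched through
    timing differences, which a plain == comparison would do.
    """
    stored: Optional[str] = pw_file.get(username)
    if stored is None:
        # Hash anyway so an unknown user name costs the same time as a wrong password.
        one_way_hash(password)
        return False
    return hmac.compare_digest(stored, one_way_hash(password))

def render_password_file(pw_file: Dict[str, str]) -> str:
    """Serialise the file in the slide's <UserName> <Hashed Password> layout."""
    return "\n".join(f"{user} {digest}" for user, digest in sorted(pw_file.items()))

def parse_password_file(text: str) -> Dict[str, str]:
    """Inverse of render_password_file."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            user, digest = line.split(" ", 1)
            entries[user] = digest
    return entries

def share_a_password(pw_file: Dict[str, str], user_a: str, user_b: str) -> bool:
    """Weakness of the unsalted scheme: equal passwords give equal hashes, so
    anyone who reads the file can tell that two users chose the same password."""
    return pw_file[user_a] == pw_file[user_b]

if __name__ == "__main__":
    # Constructed sample data for illustration.
    pw_file: Dict[str, str] = {}
    store_password(pw_file, "joe", "passwd")
    store_password(pw_file, "ann", "passwd")
    print(render_password_file(pw_file))
    print("joe/passwd ->", check_password(pw_file, "joe", "passwd"))
    print("joe/Passwd ->", check_password(pw_file, "joe", "Passwd"))
    print("same hash? ->", share_a_password(pw_file, "joe", "ann"))
```

The constant-time comparison and the hash-on-unknown-user branch are not on the slide; they are the two details a practitioner adds so that the check itself does not leak information about user names or partial matches.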
8 Vulnerabilities
- Guessing attacks
  - Countermeasure: keep audit trails of failed login attempts
  - Audit trails are themselves a problem: people sometimes type their password into the user name field, so the trail can end up recording passwords
  - Audit trails also reveal the user names of the users
- Social engineering
9 Dictionary Attacks
- Many people use dictionary words as passwords.
- An average dictionary contains only 150,000 to 200,000 words.
- If each attempt (hash and compare) takes a millisecond, the complete dictionary can be hashed in about 200 seconds.
10 Dictionary Attacks
- Take the 200,000 entries and generate their obvious permutations:
  - capitalised first letter
  - all letters capitalised
  - about 10 different versions of each word in total
- Hashing all of them takes half an hour of computation time.
- The result is a list of about 2 million candidates, around 22 MB.
11 Dictionary Attacks
- Hence files containing (unsalted) hashed passwords are susceptible to a pre-compiled dictionary attack.
- The attacker hashes all dictionary words once and stores the (hash, word) pairs; cracking a stolen file is then a lookup of each stolen hash in that table, not a computation.
12 Dictionary Attacks
Pre-compiled dictionary (index, plaintext, hash):

  Index       7210        7211     7212      7213     7214
  Plain text  Effluvium   Effort   Effusive  Eft      egalitarian
  Hash        er4345dg    e1qqw3   edf234    jkl244   fgt24

Stolen password file (user : hash : id : name : home : shell):

  Jdoe     : 345ert   : 1624 : Cathy Roe     : /home/croe     : /bin/csh
  Stewart  : edf234   : 1624 : Mark Stewart  : /home/stewart  : /bin/csh
  Andy     : wer345t  : 1624 : Andy O Ram    : /home/andy     : /bin/csh

The hash edf234 in Stewart's entry matches pre-compiled entry 7212, so Mark Stewart's password is Effusive; no hashing is needed at attack time.
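The attack of slides 9-12 end to end, as an added example that is not from the slides: a small constructed word list stands in for the 200,000-word dictionary, `variants_of` produces the "obvious permutations" of slide 10, the table is compiled once, and the constructed stolen file in the slide's `user:hash:id:name:home:shell` layout is cracked by lookup alone. The word list, the permutation rules and the three users are all assumptions made for the example.

```python
# Added example, not from the slides: the pre-compiled dictionary attack of
# slides 9-12 against an unsalted password file. The word list, the
# "obvious permutations" and the stolen file below are all constructed here.
import hashlib
from typing import Dict, Iterable, List

# A tiny stand-in for the 150,000-200,000 word dictionary of slide 9.
WORDS = ["effluvium", "effort", "effusive", "eft", "egalitarian", "password"]

def one_way_hash(candidate: str) -> str:
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()

def variants_of(word: str) -> List[str]:
    """The roughly ten 'obvious permutations' per word of slide 10."""
    forms = {word, word.capitalize(), word.upper(), word[::-1]}
    forms |= {word + str(d) for d in range(10)}           # effort0 ... effort9
    forms.add(word.replace("e", "3").replace("o", "0"))   # simple leetspeak
    return sorted(forms)

def build_table(words: Iterable[str]) -> Dict[str, str]:
    """Pre-compile hash -> plaintext once; the table is reused for every stolen file."""
    table: Dict[str, str] = {}
    for word in words:
        for candidate in variants_of(word):
            table[one_way_hash(candidate)] = candidate
    return table

def parse_password_file(text: str) -> Dict[str, str]:
    """user:hash:id:name:home:shell  ->  {user: hash}  (layout of slide 12)."""
    stolen: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, pw_hash = line.split(":")[:2]
            stolen[user] = pw_hash
    return stolen

def crack(table: Dict[str, str], stolen: Dict[str, str]) -> Dict[str, str]:
    """One table lookup per stolen hash: no hashing at attack time."""
    return {user: table[h] for user, h in stolen.items() if h in table}

# Constructed "stolen" file. Two users chose dictionary words (with the usual
# tweaks); the third chose a passphrase that is not derived from the word list.
STOLEN_FILE = "\n".join([
    "# user:hash:id:name:home:shell",
    f"croe:{one_way_hash('effort7')}:1624:Cathy Roe:/home/croe:/bin/csh",
    f"stewart:{one_way_hash('Effusive')}:1625:Mark Stewart:/home/stewart:/bin/csh",
    f"andy:{one_way_hash('fjord-quintet-lamp-9')}:1626:Andy O Ram:/home/andy:/bin/csh",
])

def run_attack() -> Dict[str, str]:
    """Compile the table, parse the stolen file, return {user: recovered password}."""
    return crack(build_table(WORDS), parse_password_file(STOLEN_FILE))

if __name__ == "__main__":
    table = build_table(WORDS)
    print(f"{len(table)} candidates pre-compiled from {len(WORDS)} words")
    for user, plaintext in run_attack().items():
        print(f"{user}: {plaintext}")
```

Scaling this to the slide's numbers is linear: 200,000 words times about ten variants gives the 2 million candidates, and once the table exists every further stolen file costs only as many lookups as it has entries, which is what makes the unsalted scheme untenable.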
13 Salt
- A random string which is concatenated with the password before the complete string is hashed.
- In traditional Unix the salt is 12 bits, i.e. one of 4,096 values.
- The salt is stored in plaintext in the password file, next to the hash.
- This makes the pre-compiled dictionary attack much harder: a pre-compiled table is only valid for one salt value.
14 Dictionary Attack against Salted Passwords
- Without salt, one dictionary attack needed:
  - half an hour of computation time
  - 22 MB of space
- With a 12-bit salt, to crack any password which could have been cracked earlier the attacker needs:
  - half an hour of computation for each of the 4,096 salt values
  - about 80-90 GB of space (4,096 tables of 22 MB each)
- Salt also hides whether two users share the same password: identical passwords produce different hashes unless the two users happen to draw the same salt.
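The salted scheme of slides 13-14 as an added example that is not from the slides: a 12-bit salt drawn at random per user, stored in the clear in front of the hash, and used again at check time. The block shows both claims of slide 14: the attacker's unsalted table no longer finds anything, a table compiled for one salt only helps against users with that salt, and two users with the same password get different hashes. SHA-256 stands in for the hash, the `salt$hash` entry layout and the users are assumptions, and with 11 bytes per entry the space arithmetic comes out at roughly 90 GB for the slide's 2 million candidates, in line with the slide's 80 GB estimate. In current practice the fixed hash would be replaced by a deliberately slow, salted password hash, but the role of the salt is the same.

```python
# Added example, not from the slides: the salted scheme of slides 13-14, with a
# 12-bit salt as in traditional Unix crypt(3). SHA-256 stands in for the hash;
# the users, passwords and the salt$hash entry layout are constructed here.
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

SALT_BITS = 12              # 4,096 possible salts
SALT_HEX_DIGITS = 3         # 12 bits fit in three hex digits

def new_salt() -> int:
    return secrets.randbits(SALT_BITS)

def salted_hash(salt: int, password: str) -> str:
    """Hash(salt || password): the salt is prepended before the one-way function."""
    data = f"{salt:0{SALT_HEX_DIGITS}x}".encode() + password.encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def store(pw_file: Dict[str, str], user: str, password: str, salt: Optional[int] = None) -> None:
    """Entry layout  salt$hash ; the salt is stored in the clear next to the hash."""
    if salt is None:
        salt = new_salt()
    pw_file[user] = f"{salt:0{SALT_HEX_DIGITS}x}${salted_hash(salt, password)}"

def split_entry(entry: str) -> Tuple[int, str]:
    salt_hex, digest = entry.split("$", 1)
    return int(salt_hex, 16), digest

def check(pw_file: Dict[str, str], user: str, password: str) -> bool:
    """Read the user's salt from the file, re-hash the typed password with it, compare."""
    entry = pw_file.get(user)
    if entry is None:
        return False
    salt, digest = split_entry(entry)
    return hmac.compare_digest(digest, salted_hash(salt, password))

def precompiled_table(words: Iterable[str], salt: Optional[int] = None) -> Dict[str, str]:
    """salt=None: the attacker's old unsalted table, useless against salted entries.
    salt=s: a table that only works against users whose salt happens to be s."""
    if salt is None:
        return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in words}
    return {salted_hash(salt, w): w for w in words}

def table_space(candidates: int, bytes_per_entry: int, salt_bits: int) -> Tuple[int, int]:
    """(unsalted table size, total size of one table per salt): grows 2**salt_bits times."""
    unsalted = candidates * bytes_per_entry
    return unsalted, unsalted * (1 << salt_bits)

if __name__ == "__main__":
    pw_file: Dict[str, str] = {}
    store(pw_file, "joe", "effusive")
    store(pw_file, "ann", "effusive")      # same password, independent salt
    print(pw_file)
    print("joe ok:", check(pw_file, "joe", "effusive"))
    joe_salt, joe_digest = split_entry(pw_file["joe"])
    print("in unsalted table:", joe_digest in precompiled_table(["effusive"]))
    print("in table for joe's salt:", joe_digest in precompiled_table(["effusive"], joe_salt))
    unsalted_bytes, salted_bytes = table_space(2_000_000, 11, SALT_BITS)
    print(f"table space: {unsalted_bytes // 10**6} MB unsalted vs {salted_bytes // 10**9} GB for all salts")
```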
15 Key Loggers
- A key logger is a program that runs in the background, recording all keystrokes.
- A Windows key logger of this kind normally consists of two files: a DLL which does all the work and an EXE which loads the DLL and installs the keyboard hook. When the hook is deployed on a system, both files must be present in the same directory.
- The EXE can be made to run at boot time by modifying the registry so that it starts automatically.
16 Are Key Loggers Illegal?
- In December 2001 a federal court ruled that the FBI did not need a special wiretap order to place a keystroke logging device on a suspect's computer.
- The judge also allowed the FBI to keep details of the device secret, citing national security concerns.
- Examples of free key-logger related tools (the PestPatrol family):
  - CookiePatrol
  - KeyPatrol
  - PestPatrol.exe
  - PestPatrolCL
17 Authentication Tokens
- You must have the token in your possession in order to be authenticated.
- Passive tokens (the token carries a fixed value)
  - Key to a physical lock
  - ATM card, WEES card
- Active tokens (the token computes something)
  - Smart card
  - SafeWord, RSA SecurID
18 Tokens: Advantages
- If a token is compromised (lost or stolen), the owner is much more likely to notice than with a stolen password.
- Tokens such as smart cards can foil attacks using key loggers, since the token's secret is never typed.
- Tokens can be used at multiple access sites without sharing the secrets among those sites.
- Caveat: compatible hardware (readers) is a problem; the market is slowly moving towards USB tokens.
19 One-Time Passwords
- Counter based
  - The token and the authentication mechanism share a base secret.
  - This secret, together with a counter that both sides increment, is used to generate a sequence of numbers or passwords.
  - The algorithm is public, but the base secret is known only to the token and the authentication mechanism.
20 One-Time Passwords: Counter Based
Token flow:
- Increment the counter.
- Feed the counter and the KEY (the base secret stored inside the token) into a one-way hash.
- Format the result to fit the display (e.g. 0001031).

21 One-Time Passwords: Clock Based
Token flow:
- Read the synchronised CLOCK stored inside the token.
- Feed the clock value and the KEY (the base secret stored inside the token) into a one-way hash.
- Format the result to fit the display.
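Both token flows in code, as an added example that is not from the slides: the counter-based scheme of slides 19-20 and the clock-based scheme of slide 21, implemented as HOTP (RFC 4226) and TOTP (RFC 6238), which use HMAC-SHA1 over the counter as the keyed one-way hash and a fixed truncation as the "format to fit the display" step. The base secret is the RFC test key so the output can be checked against the published vectors; the verifier classes are my additions and show the two server-side edge cases the slides leave implicit: a token pressed without logging in drifts ahead of the server's counter, and a clock can be a step out of sync.

```python
# Added example, not from the slides: the counter-based and clock-based
# one-time passwords of slides 19-21, implemented as HOTP (RFC 4226) and
# TOTP (RFC 6238) with HMAC-SHA1 as the keyed one-way hash. The base secret
# is the RFC test key so the output can be compared with the published vectors.
import hashlib
import hmac
import struct
from typing import Optional

BASE_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
TIME_STEP = 30                          # seconds per clock tick

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-way hash of (secret, counter), then 'formatted to fit the display'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """Clock based: the 'counter' is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)

class CounterVerifier:
    """Server side of the counter scheme. The token may have been pressed
    without logging in, so the server looks ahead a few counters; an accepted
    counter is never accepted again, which blocks replay."""
    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # resynchronise and burn this counter
                return True
        return False

def verify_totp(secret: bytes, code: str, now: int, skew_steps: int = 1,
                step: int = TIME_STEP) -> Optional[int]:
    """Accept the current step and +/- skew_steps of clock drift; return the
    matching step so a server can refuse to accept the same step twice."""
    current = now // step
    for s in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, s), code):
            return s
    return None

if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(BASE_SECRET, c)}")
    print("T=59, 8 digits:", totp(BASE_SECRET, 59, digits=8))
```

With the RFC test secret, counters 0, 1 and 2 give 755224, 287082 and 359152, and the clock-based code at T=59 with eight digits is 94287082, matching the published vectors.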
22 Smart Cards
- Memory cards
  - Have only memory built in
  - May or may not have any security features built in
  - Passive tokens
- Processor cards
  - Miniature computers with an input and an output port
  - The processing power of the card is much less than that of a computer
23 Smart Card Technologies
- PC/SC
  - A Microsoft technology
  - Used to interface smart cards to Win32-based machines
  - Historically Windows-only; other platforms later gained PC/SC-compatible implementations
- Java Card
  - Originated at Schlumberger
  - Java applets run on the card
  - May become the de facto standard in the future
24 Smart Card Technologies
- OpenCard (Open Card Framework)
  - Provides interoperability of smart card applications across desktops, laptops and other systems
  - 100% Java
  - Provides a PC/SC interface for use of existing devices on the Win32 platform
25 Tokens: Problems
- Tokens can be stolen
- They can be borrowed
- They can be duplicated
- Solutions
  - Combine with a PIN (something you know)
  - Combine with biometrics (something you are)
  - Short-lived tokens
26 Other Authentication Mechanisms
- Public/private key infrastructures (PKI)
  - Computationally intensive
  - Not a panacea
  - Secure storage of the private key is the problem
  - Certificate revocation is a problem
  - PKI is not intuitive, hence difficult to use