Password Authentication - PowerPoint PPT Presentation

About This Presentation
Title:

Password Authentication

Description:

CS 259 Password Authentication J. Mitchell Basic password authentication Setup User chooses password Hash of password stored in password file Authentication User logs ... – PowerPoint PPT presentation

Number of Views:218
Avg rating:3.0/5.0
Slides: 21
Provided by: JohnM219
Learn more at: https://web.stanford.edu
Category:

less

Transcript and Presenter's Notes

Title: Password Authentication


1
Password Authentication
CS 259
  • J. Mitchell

2
  • Password file

User
kiwifruit
exrygbzyf kgnosfix ggjoklbsz
hash function
3
Basic password authentication
  • Setup
  • User chooses password
  • Hash of password stored in password file
  • Authentication
  • User logs into system, supplies password
  • System computes hash, compares to file
  • Attacks
  • Online dictionary attack
  • Guess passwords and try to log in
  • Offline dictionary attack
  • Steal password file, try to find p with hash(p)
    in file

4
Dictionary Attack some numbers
  • Typical password dictionary
  • 1,000,000 entries of common passwords
  • people's names, common pet names, and ordinary
    words.
  • Suppose you generate and analyze 10 guesses per
    second
  • This may be reasonable for a web site offline is
    much faster
  • Dictionary attack in at most 100,000 seconds 28
    hours, or 14 hours on average
  • If passwords were random
  • Assume six-character password
  • Upper- and lowercase letters, digits, 32
    punctuation characters
  • 689,869,781,056 password combinations.
  • Exhaustive search requires 1,093 years on average

5
Salt
  • Unix password line
  • waltfURfuu4.4hY0U129129Belgers/home/walt/bin
    /csh

Compare
Salt
Input
Key
Constant
Ciphertext
25x DES
Plaintext
When password is set, salt is chosen randomly
6
Advantages of salt
  • Without salt
  • Same hash functions on all machines
  • Compute hash of all common strings once
  • Compare hash file with all known password files
  • With salt
  • One password hashed 212 different ways
  • Precompute hash file?
  • Need much larger file to cover all common strings
  • Dictionary attack on known password file
  • For each salt found in file, try all common
    strings

7
Web Authentication
Server
password
Browser
cookie
  • Problems
  • Network sniffing
  • Malicious or weak-security website
  • Phishing
  • Common password problem
  • Pharming DNS compromise
  • Malware on client machine
  • Spyware
  • Session hijacking, fabricated transactions

next few slides
8
Password Phishing Problem
Bank A
pwdA
pwdA
Fake Site
  • User cannot reliably identify fake sites
  • Captured password can be used at target site

9
Common Password Problem
Bank A
high security site
pwdA
Site B
  • Phishing attack or break-in at site B reveals pwd
    at A
  • Server-side solutions will not keep pwd safe
  • Solution Strengthen with client-side support

10
Defense Password Hashing
hash(pwdA, BankA)
Bank A
hash(pwdB, SiteB)
Site B
  • Generate a unique password per site
  • HMACfido123(banka.com) ? Q7a0ekEXb
  • HMACfido123(siteb.com) ? OzX2ICiqc
  • Hashed password is not usable at any other site
  • Protects against password phishing
  • Protects against common password problem

11
Defense SpyBlock
12
Defense SpyBlock
Authentication agent communicates through browser
agent
Authentication agent communicates directly to web
site
13
SpyBlock protection
password in trusted client environment
server support required
better password-based authentication protocols
trusted environment confirms site transactions
14
Goals for password protocol
  • Authentication relies on password
  • User can remember password, use anywhere
  • No additional client-side certificates, etc.
  • Protect against attacks
  • Network does not carry cleartext passwords
  • Malicious user cannot do offline dictionary
    attack
  • Malicious server (as in phishing) does not learn
    password from communication with honest user

15
Simple approach
  • Send hashed passwords
  • Does this work?
  • Good points?
  • Bad points?

Server
hash(pwd0)
Browser
hash(pwd1)
16
Interlock password protocols
  • (Set-up Phase) Password p known to both parties
  • (Key Exchange Phase)
  • A ? B gx
  • B ? A gy k gxy or some function of
    gxy
  • (Authentication Phase)
  • A ? B mack(p, r) for random r
  • B ? A mack(p, s), enck(s) for random s
  • A ? B enck(r)

Rivest, Shamir, Bellovin, Merrit, Pederson,
Ellison
17
ESP-KE key exchange protocol
Prime p and generators ?, ß known Generate
random a Generate random
b A ?a / ßP mod p B
?b mod p
A B

If A0 Abort k Ba mod p
k (A ßP)b mod p
MbH(0,k,P)
Mb If H(0,k,P)
? Mb Abort Ma H(1,k,P) Ma

If H(1,k,P) ? Ma Abort
M Scott
18
SRP protocol
  • (Set-up Phase)
  • Carol chooses password P
  • Steve chooses s, computes x H(s, P) and
    v gx
  • (Key Exchange Phase)
  • C
    Bob looks up s, v
  • x H(s, P) s
  • A ga A
  • B,u
    B v gb, random u
  • S (B - gx) (aux)
    S (Avu)b
  • M1 H(A,B,S) M1 verify
    M1
  • verify M2 M2 M2
    H(A,M1,S)
  • Key H(S)
    Key H(S)

Wu
19
CMU Phoolproof proposal
  • Eliminates reliance on perfect user behavior
  • Protects against keyloggers, spyware.
  • Uses a trusted mobile device to perform mutual
    authentication with the server

20
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com