7/27/2019 07 Password Authentication
1/20
Password Authentication
J. Mitchell
CS 259
7/27/2019 07 Password Authentication
2/20
Password fileUser
exrygbzyfkgnosfixggjoklbsz
kiwifruit
hash function
7/27/2019 07 Password Authentication
3/20
Basic password authentication
Setup User chooses password Hash of password stored in password file
Authentication User logs into system, supplies password System computes hash, compares to file
Attacks Online dictionary attack
Guess passwords and try to log in Offline dictionary attack
Steal password file, try to find p with hash(p) in file
7/27/2019 07 Password Authentication
4/20
Dictionary Attack some numbers
Typical password dictionary 1,000,000 entries of common passwords
people's names, common pet names, and ordinary words.
Suppose you generate and analyze 10 guesses per second
This may be reasonable for a web site; offline is muchfaster Dictionary attack in at most 100,000 seconds = 28 hours,
or 14 hours on average
If passwords were random
Assume six-character password Upper- and lowercase letters, digits, 32 punctuation
characters
689,869,781,056 password combinations.
Exhaustive search requires 1,093 years on average
7/27/2019 07 Password Authentication
5/20
Salt
Unix password linewalt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
25x DES
InputSalt
Key
ConstantPlaintext
Ciphertext
Compare
When password is set, salt is chosen randomly
7/27/2019 07 Password Authentication
6/20
Advantages of salt
Without salt Same hash functions on all machines
Compute hash of all common strings once
Compare hash file with all known password filesWith salt
One password hashed 212 different ways Precompute hash file?
Need much larger file to cover all common strings Dictionary attack on known password file
For each salt found in file, try all common strings
7/27/2019 07 Password Authentication
7/20
Web Authentication
Problems Network sniffing Malicious or weak-security website
Phishing
Common password problem Pharming DNS compromise
Malware on client machine Spyware Session hijacking, fabricated transactions
BrowserServer
password
cookie
next few slides
7/27/2019 07 Password Authentication
8/20
Password Phishing Problem
User cannot reliably identify fake sites
Captured password can be used at target site
Bank A
Fake Site
pwdApwd
A
7/27/2019 07 Password Authentication
9/20
Common Password Problem
Phishing attack or break-in at site B reveals pwd at A Server-side solutions will not keep pwd safe
Solution: Strengthen with client-side support
Bank A
pwdA
pwdB=
pwdA
Site B
7/27/2019 07 Password Authentication
10/20
Defense: Password Hashing
Generate a unique password per site HMACfido:123(banka.com) Q7a+0ekEXb HMACfido:123(siteb.com) OzX2+ICiqc
Hashed password is not usable at any other site Protects against password phishing Protects against common password problem
Bank A
Site B
pwdA
pwdB=
7/27/2019 07 Password Authentication
11/20
Defense: SpyBlock
7/27/2019 07 Password Authentication
12/20
Defense: SpyBlock
Authentication agentcommunicates through
browser agent
Authentication agent
communicates directlyto web site
7/27/2019 07 Password Authentication
13/20
SpyBlock protection
password in trusted client environment
better password-based authentication protocols
trusted environment confirms site transactions
serversupportrequired
7/27/2019 07 Password Authentication
14/20
Goals for password protocol
Authentication relies on password User can remember password, use anywhere
No additional client-side certificates, etc.
Protect against attacks Network does not carry cleartext passwords
Malicious user cannot do offline dictionaryattack
Malicious server (as in phishing) does not learnpassword from communication with honest user
7/27/2019 07 Password Authentication
15/20
Simple approach
Send hashed passwords
Does this work?
Good points? Bad points?
Browser
Server
hash(pwd|0)
hash(pwd|1)
7/27/2019 07 Password Authentication
16/20
Interlock password protocols
(Set-up Phase) Password p known to both parties
(Key Exchange Phase)A B gx
B A gy k = gxy or some function of gxy
(Authentication Phase)A B mack(p, r) for random r
B
A mack(p, s), enck(s) for random sA B enck(r)
[Rivest, Shamir, Bellovin, Merrit, Pederson, Ellison]
7/27/2019 07 Password Authentication
17/20
ESP-KE key exchange protocol
Prime p and generators , known
Generate random a Generate random b
A= a/ Pmod p B= bmod p
A
B
If A=0 Abort
k= Bamod p k= (A P)bmod p
Mb=H(0,k,P)Mb
If H(0,k,P) MbAbort
Ma= H(1,k,P) MaIf H(1,k,P) M
a
Abort[M Scott]
7/27/2019 07 Password Authentication
18/20
SRP protocol
(Set-up Phase)Carol chooses password P
Steve chooses s, computes x = H(s, P) and v = gx(Key Exchange Phase)
C Bob looks up s, vx = H(s, P) s
A = ga A
B,u B = v + gb, random u
S = (B - gx) (a+ux) S = (Avu)b
M1 = H(A,B,S) M1 verify M1verify M2 M2 M2 = H(A,M1,S)
Key = H(S) Key = H(S) [Wu]
7/27/2019 07 Password Authentication
19/20
CMU Phoolproof proposal
Eliminates reliance on perfect user behavior
Protects against keyloggers, spyware.
Uses a trusted mobile device to perform mutual
authentication with the server
password?
7/27/2019 07 Password Authentication
20/20