King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan. 2009 Password Authentication1.

King Mongkut’s University of Technology

Network Security

8. Password Authentication Methods

Prof. Reuven Aviv, Jan. 2009

Password Authentication 1

Contents

• Local Authentication (User at a PC)

• User authentication over a network

• One time password

• Strong password authentication

Prof. Reuven Aviv, Dec. 2006




Local Authentication of User(Using passwords)



Password fileUser

exrygbzyf kgnosfix ggjoklbsz … …

kiwifruit

hash function

User authentication on local PC



User authentication to local PC

• Setup– User chooses password– What is stored in the password file?

• Authentication– User logs into system, supplies password– PC computes hash, compares to file

• Dictionary attacks– Online: guess a password, try to log in– Offline: copy set of passwd files, guess passwds



Dictionary Attacks – some numbers

• Typical password dictionary: ???? entries– names, pet names, … ordinary words.

• Suppose you generate & analyze 10 guesses/sec– reasonable for online; offline is much faster– at most 100,000 sec = 28 hours; average 14 hrs

• BUT: If passwords were random– Assume six-character password – all possible printable chars: how many?

• 689,869,781,056 password combinations– Exhaustive search: 1,093 years on average



Authentication a User/ClientOver a networkUsing Passwords



1. Simple password authentication over a network

• User sits at a PC; trustworthy Client software

• User and Authentication Server share password

– W = hash(password) stored in server

• Authentication Server authenticates client

• How?• Client sends Username, W = hash(password)

– Server compare W with stored W

• What can an attacker do?



Attacks on simple password authentication

• 1. W might be sniffed by attacker, or

• 2. DB of Server stolen/copied by attacker, or

• 3. M.I.M: what is that?• Server & User impersonated by attacker

• In all cases: attacker reveals W

• Then it does dictionary attack meaning?• Try a password, then tries W = hash(password)

– Compare with revealed W



Method 2: Passwd + Anonymous Diffie Hellman

• Client & Server create shared secret, K

– Sides agree on g, p

– Sides calculate random private keys a and b

– Sides exchange gamodp, gbmodp

– Sides calculate K = gabmodp

• Client sends password encrypted by K why?• Server decrypts password

– Calculate its hash, compares with stored W



Method 2: Using Anonymous Diffie Hellman

Client

Servergamodp

gbmodp

K = gabmodp

Username, K{password}

What can an attacker do?



Attacking method 2

• K cannot be revealed by sniffing why not?

• Hence can’t find passwd by offline dictionary att.

• M.I.M: Attacker impersonates the Auth Server

– Sending its DH parameters as if it is the Server

– Hence reveal K how?

– Then dictionary attack on K{ password} how?

• Try a password, then K{password}



Method 3: Passwd + Server’s certificate

• Server sends its Certificate to Client

– Client verifies server’s certificate how?• Client sends Username & EKU(passwd)

– password encrypted by server pub. Key. Why?• Server decrypts password, then:

– Server calculate hash of password

– compare with value stored in its database, W

• Note: Client needs a list of trusted CAs why?



Method 3

Client

ServerCertificate(Server, KU)

Username, EKU{password}




Attacking method 3:

• Attacker can sniff the encrypted password

– then do an offline dictionary attack

• Try a password, then EKU{password}

• Since KU is known to attacker

• Attacker can steal/copy Server DB, reveal W

– then do a offline dictionary attack

• Try a password, then W= hash(password)

• Attacker cannot do M.I.M why?



Method 4: Passwd + Challenge Response

• Server sends a random challenge, R, to client.

• Client gets password from User, calculates W

• Client encrypts R with f(W) as a key: f(W){R}

– Using an agreed f(W)

– Client sends Username and the f(W){R}

• Server calculates f(W), decrypts R

– Compares with the value it sent



Method 4

Client

ServerR (random number)

Username, f(W){R}




Attack method 4

• Attacker might sniff

– get both messages (R and f(W){R})

• M.I.M: attacker impersonate the server

• In both cases, R is known to attacker

– Password is found via dictionary attack

• Try a password, then W, then f(W){R}



One Time Password



Lamport Hash – One time password

• Fast, no encryption. Implemented (S/Key)

• sniffing or stealing server’s database does not

enable impersonating the Client.

• User picks passwd, and n (≈1000 )

– registers at Server using its Client software:

• calculates hashn(passwd), sends to Server

– Server DB: [Username, n, y = hashn(passwd)]



Lamport hash: authenticating User by Server• User provides its Client: Username, passwd

– Client sends Username, gets back current n

– Client sends yn-1 = hashn-1(passwd)

• Server: calculates hash(yn-1) (one more hash)

– compares with yn in DB. if OK Client is authenticated

– decrement n n-1

– Replaces current yn by yn-1 = hashn-1(passwd)

– Can attacker calculate yn-1 from yn ?



Lamport Algorithm

•calculates

•Server knows [UserName, n, yn = hashn(passwd)]

•Compares hash(yn-1) to yn. If equal, replace record

with new [UserName, n-1, yn-1= hashn-1(passwd)]

Client

User

passwd

ServerUser Name

n

yn-1 = hashn-1(passwd)

UserName



Dictionary attack on Lamport hash

• Is that possible?

• Attacker will need to try all powers of hash (up to some number) to all dictionary words as password

• Feasible. Why?

• Hashing is quite fast (unlike encryption)

• Note: if attacker knows ym, he knows yn, for n>m

• How can we increase the num of guesses?



Enhanced Lamport Hash: Salt

• User picks a passwd. Client creates extended password with random salt: Expass=passwd|salt

• Lamport algorithm is then used with Expass• Dictionary attack now not feasible why not?• Expass is any string, not a dictionary word• User can use same passwd on different Servers

– With different salts• When n is 1, same passwd may be re-used for new

registration, with different salt• Who knows the salt?



Enhanced Lamport Algorithm

•calculatesC

lient

User

UserName Server

User Name

n

yn-1 = hashn-1(Expass)

•Server knows [UserName, n, yn = hashn(Expass)]

•Compares hash(yn-1) to yn. If equal, replace record

with new [UserName, n-1, yn-1= hashn-1(Expass)]

salt

passwd



Analysis of Lamport hash scheme

• Data base at server can be stolen/copied

– Similar to certificate database

• Server is not authenticated to client

• (i.e. No mutual authentication)

– No shared secret was established so what?• Data cannot be encrypted

• Attacker can impersonate User after Lamport authentication



Lamport authentication + session key

• 1. First Client is authenticated by Lamport hash– Now Diffie Hellman to establish session key– Attacker can replace client just in between

• 2. First Diffie hellman, get session key– Now Lamport hash to authenticate Client

• Lamport hash encrypted by session key– Attacker can get in the middle during D.H.

• What is the source of the problem?



Lamport hash: the small n attack

• Attacker impersonate Server, wait for client• Client connects, expecting n

– Attacker sends small m (and salt)– m is a guess by attacker, hoping it is smaller

then the current real n– Attacker knows salt from previous sniffing

• Client sends hashm-1(passwd)– attacker learns hashm-1(passwd)

• Attacker now impersonate the client – he can calculate hashn(passwd) for any n>m-1



Using OTP (Lamport hash) in Internet cafe

• Assume PC does not calculate hash– The PC does not have the appropriate client– The PC is public, not trusted

• hashi(passwd), for all i<n stored in server– Also encoded by typeable strings– Strings printed on paper

• given to User before travel– User logs in: decrease n, send corresponding

string, scrap that line from the paper– Small n attack not possible



Strong Password Protocols



Strong Password Protocols: Design goal

• Attacker who listens to authentication exchanges, or impersonating either end would not have enough information to do off-line verification of password guesses

• Observing any number of exchanges would not help the attacker

• Impersonating one end will be able to do a single on-line password guess– Unavoidable

• (Several on-line guess failures create an alarm)



Basic Form of Strong Password Protocol

• Encrypted Key Exchange (EKE)

• Client has passwd; Server has W= hash(passwd)

• 1. Do Diffie Hellman to get strong, shared secret

– Each side calculates x, gxmodp

• 2. Sides exchange their gxmodp, encrypted by W

• 3. Incorporate challenge response together with

the D.H. exchanges



EKE Protocol

Client

Server“UesrName”, W{gamodp}

W{gbmodp, C1}

K = gabmodp

K{C1, C2}

K{C2}

Can an attacker guess W?



Attack on EKE

• 1. Attacker listens; tries to guess W offline

– get random numbers; can’t identify the W

• 2. Attacker impersonates one side

– can try 1 guess only; need to guess W and D.H. parameters. Extremely unlikely

• 3. Attacker steal/copy Server data base, gets W

– Attacker do dictionary attack to find password

• Enhancement: make g(W) p(W) depend on W

• Server stores gW(modp), not W.

King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan. 2009 Password Authentication1.

Documents