Entity Authentication. Authentication Protocols. Authentication Tokens. Password Problems. Authentication of people, processes, etc

Authentication Protocols

CS 470 Introduction to Applied Cryptography

Ali Aydın Selçuk

CS470, A.A.Selçuk

Entity Authentication

• Authentication of people, processes, etc.
• Non-cryptographic
  – Address-based (E-mail, IP, etc.)
  – Passwords
  – Biometrics
• Cryptographic
  – Symmetric key
  – Public key

Authentication Tokens

• What you know (password schemes)
• What you have (keys, smart cards, etc.)
• What you are (fingerprints, retinal scans, etc.)
• Two-factor authentication: Identification of users by two different components
• Many examples:
  – ATM card & PIN
  – password & mobile phone (by SMS-OTP)
  – fingerprint & PIN

Password Problems

• Eavesdropping
• Stealing password files
• On-line password guessing
• Off-line guessing attacks
  – Dictionary attacks
  – Exhaustive search
• Careless users writing down passwords

Eavesdropping

• Watching the screen
• Watching the keyboard
• Login Trojan horses. Solutions:
  – Different appearance
  – Interrupt command for login
• Keyboard sniffers. Solutions:
  – Good system administration
• Network sniffers. Solutions:
  – Cryptographic protection
  – One-time passwords

On-line Password Guessing

Careless choices (first names, initials, etc.); poor initial passwords

Defenses: After wrong guesses,

• Lock the account
  – Not desirable, can be used for DoS
• Slow down
• Alert users about unsuccessful login attempts
• Don’t allow short or guessable passwords

Off-line Password Guessing

• Stealing & using password files
• Passwords should not be stored in clear. Typically, they’re hashed and stored.
• Attacks:
  – Exhaustive search
  – Dictionary attacks
• Defenses:
  – Don’t allow short/guessable passwords
  – Don’t make password files readable
  – Salting: Mix a random number to each hash
  – More complex hash functions (Normal users will not notice the difference, but attackers will be slowed down significantly.)

Salting

• Salting: Mixing a random number to each hash
• Store and use rand to hash the input password at each login.
  – Why? How does this help to slow down the attack?
• Several target passwords cannot be tried at once. (Say, there are 20,000 entries in the password file of a university…)
• Also, precomputed password tables cannot be used.
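An added example (not part of the original slides) of the salting defense above: each account stores a random salt (the "rand") and a slow hash, and the two counting functions show why one candidate hash can be tested against every entry of an unsalted file but must be recomputed per entry once salts are used. PBKDF2-HMAC-SHA256 as the slow hash, the iteration count, the function names, and the sample accounts and word list are assumptions constructed for this example.

```python
import hashlib, hmac, os

ITERATIONS = 50_000  # assumed work factor for this example

def slow_hash(password, salt):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def enroll(password):
    """Return the (rand, hash) pair that goes into the password file."""
    salt = os.urandom(16)  # fresh random salt per account
    return salt, slow_hash(password, salt)

def verify(password, salt, stored):
    """Re-hash the login input with the stored rand; constant-time compare."""
    return hmac.compare_digest(slow_hash(password, salt), stored)

def work_unsalted(hashes, words):
    """Unsalted file: one hash per candidate is tested against all entries."""
    users_by_hash = {}
    for user, h in hashes.items():
        users_by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for w in words:
        work += 1
        for user in users_by_hash.get(hashlib.sha256(w.encode()).digest(), []):
            found[user] = w
    return found, work

def work_salted(entries, words):
    """Salted file: every candidate must be re-hashed for every entry."""
    found, work = {}, 0
    for user, (salt, stored) in entries.items():
        for w in words:
            work += 1
            if verify(w, salt, stored):
                found[user] = w
                break
    return found, work

# Constructed sample data (not from the slides).
PASSWORDS = {"alice": "tiger", "bob": "tiger", "carol": "V9#qLm2!x"}
WORDS = ["123456", "password", "tiger", "letmein"]

def demo():
    unsalted = {u: hashlib.sha256(p.encode()).digest() for u, p in PASSWORDS.items()}
    salted = {u: enroll(p) for u, p in PASSWORDS.items()}
    return work_unsalted(unsalted, WORDS), work_salted(salted, WORDS), salted
```

With three accounts and four candidate words, the unsalted file costs 4 fast hashes in total, while the salted file costs 10 slow hashes; the gap grows with the number of entries in the file.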

More Complex Hash Functions

• PBKDF2
  – Standard by RSA Labs, PKCS #5 v2.0.
  – Repeats a given hash function for a given number of times (minimum 1000, as recommended in year 2000)
  – Used in WPA/WPA2 (with 4096 iterations).
  – Can be attacked efficiently by GPU or FPGA.
• bcrypt
  – Based on Blowfish cipher (has a slow key schedule).
  – Uses a large internal table, needs 4 KB of fast RAM.
  – Resilient against GPUs, which are not good at making a lot of memory accesses in parallel.
• scrypt
  – bcrypt is resilient against GPUs but not so much against FPGAs. FPGA chips have a lot of small embedded RAM blocks.
  – scrypt allows the memory usage to be increased as desired.
  – Resilient against FPGAs as well as GPUs.
• http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords?lq=1

Cryptographic Authentication

• Password authentication subject to eavesdropping
• Alternative: Cryptographic challenge-response
  – Symmetric key
  – Public key

Symmetric Key Challenge-Response

An example protocol:

  Alice → Bob: I’m Alice
  Bob → Alice: a challenge R
  Alice → Bob: F(KAB,R)

• F is either:
  – block cipher (how?)
  – hash function (how?)
• What about a stream cipher?! (As in WEP)

Mutual Authentication

Both Alice and Bob authenticate each other

An example protocol:

  Alice → Bob: I’m Alice
  Bob → Alice: R1
  Alice → Bob: F(KAB,R1)
  Alice → Bob: R2
  Bob → Alice: F(KAB,R2)

Some saving:

  Alice → Bob: I’m Alice, R2
  Bob → Alice: R1, F(KAB,R2)
  Alice → Bob: F(KAB,R1)

Reflection attack:

First session:

  Trudy → Bob: I’m Alice, R2
  Bob → Trudy: R1, F(KAB,R2)
  Trudy → Bob: F(KAB,R1)

Second session:

  Trudy → Bob: I’m Alice, R1
  Bob → Trudy: R3, F(KAB,R1)

• Solutions:
  – Different keys for Alice and Bob
  – Formatted challenges, different for Alice and Bob
• Principle: Initiator should be the first to prove its identity
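An added example (not from the original slides) that runs the three-message protocol, the reflection attack against it, and the "formatted challenges" fix. F is instantiated here as HMAC-SHA256; the class and function names, the session labels and the role prefixes alice| and bob| are assumptions of this example.

```python
import hashlib, hmac, os

def F(key, data):
    """F as a keyed hash (HMAC-SHA256); an assumption of this example."""
    return hmac.new(key, data, hashlib.sha256).digest()

class Bob:
    """Responder in the three-message ("some saving") mutual protocol."""
    def __init__(self, k_ab, formatted=False):
        self.k_ab, self.formatted, self.pending = k_ab, formatted, {}

    def _tag(self, role, challenge):
        # Formatted challenges: bind the prover's role into the keyed input.
        return F(self.k_ab, (role if self.formatted else b"") + challenge)

    def hello(self, session, r2):
        """Message 1 in (I'm Alice, R2) -> message 2 out (R1, F(KAB,R2))."""
        r1 = os.urandom(16)
        self.pending[session] = r1
        return r1, self._tag(b"bob|", r2)

    def finish(self, session, response):
        """Message 3 in: accept only the correct answer to our own R1."""
        r1 = self.pending.pop(session)
        return hmac.compare_digest(response, self._tag(b"alice|", r1))

def honest_alice(bob, k_ab, formatted=False):
    """Alice knows KAB: she checks Bob's proof, then answers his challenge."""
    tag = lambda role, r: F(k_ab, (role if formatted else b"") + r)
    r2 = os.urandom(16)
    r1, proof = bob.hello("s-alice", r2)
    if not hmac.compare_digest(proof, tag(b"bob|", r2)):
        return False
    return bob.finish("s-alice", tag(b"alice|", r1))

def reflection(bob):
    """Trudy holds no key: she reflects Bob's R1 back in a second session."""
    r1, _ = bob.hello("s1", os.urandom(16))  # first session: I'm Alice, R2
    _, answer = bob.hello("s2", r1)          # second session: I'm Alice, R1
    return bob.finish("s1", answer)          # first session: F(KAB,R1)
```

Against `Bob(k)` the reflected answer is accepted; against `Bob(k, formatted=True)` it is rejected, because Bob's own proof is computed over `bob|R1` while he expects a response over `alice|R1`.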

Another weakness: Trudy can do a dictionary attack against KAB acting as Alice, without eavesdropping.

Solution against both problems:

  Alice → Bob: I’m Alice
  Bob → Alice: R1
  Alice → Bob: F(KAB,R1), R2
  Bob → Alice: F(KAB,R2)

(Dictionary attack still possible if Trudy can impersonate Bob.)

Public Key Challenge-Response

By signature:

  Alice → Bob: I’m Alice
  Bob → Alice: R
  Alice → Bob: [R]A

By decryption:

  Alice → Bob: I’m Alice
  Bob → Alice: {R}A
  Alice → Bob: R

Public Key C-R Pitfalls

• Problem: How can the public/private keys be remembered by ordinary users?
  – Keys can be stored in an electronic token (USB), or can be retrieved from a server with password-based authentication & encryption.
• Problem: Bob (or Trudy) can get Alice to sign/decrypt any text he chooses!
  – Never use the same key for different purposes (e.g., for login and signature)
  – Have formatted challenges

Nonces

• Nonce: Something created for one particular occasion
• Nonce types:
  – Random numbers
  – Timestamps
  – Sequence numbers
• Random nonces: if unpredictability is needed
• Timestamps: require synchronized clocks
• Obtaining random nonces from timestamps: Encrypt/hash the timestamp with a secret key.
• Sequence numbers: Fine if predictability is not a problem