Introduction Passwords. Cryptography and Protocols Andrei Bulatov


Cryptography and Protocols – Passwords

Password Authentication Protocol

[Figure: User, Client, Server and Password database; the password passes from User to Client to Server, and the Server answers "welcome".]

Welcome: usually means generating a session key

Security threats
- weak passwords
- intercepting a password
- password database stolen
- side channel attacks


Side Channel Attacks

Targeting the User:
- Social engineering, such as phishing
- Login spoofing
- Shoulder surfing
- Dumpster diving
- Extortion, rubber-hose cryptanalysis

Targeting the Client:
- Keystroke logging
- Trojan horses
- Acoustic cryptanalysis
- Identity management system attacks (Self-service passwords)


Weak Passwords

Dictionary attacks, guessing
- Cain and Abel, John the Ripper
- Usual entropy of user’s passwords is about 18 – 30 bits
Countermeasures: Enforcing stronger passwords, Biometrics

Brute force attack
Countermeasures: Limiting on-line computation, Making off-line computation impossible


Password Database

- The usual approach to counter unlawful access to the password database is to hash the passwords kept in the database
- To make a hashed database more difficult to cryptanalyze, a salt is often added to passwords, that is, a random string stored separately
- When a password is received, it is hashed (along with the salt) and the result is compared against the database
- Weakness: if the database is stolen, it allows massive off-line computation over a small set of possibilities
- Organization of hashing may be non-trivial: early Unix system (short salt), Windows LAN Manager (poor hash function)
- We’ll discuss some details later
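
The store-and-compare scheme on this slide, as an added example that is not part of the original slides. It assumes PBKDF2-HMAC-SHA256 as the hash, a 16-byte salt and an iteration count of 200,000; the class name, account names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; slows off-line guessing per candidate
SALT_LEN = 16         # bytes of random salt per account (assumption)


class PasswordDB:
    """In-memory stand-in for the server's password database."""

    def __init__(self):
        self._rows = {}  # user -> (salt, digest); the salt is not secret
        self._dummy_salt = os.urandom(SALT_LEN)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every account
        self._rows[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        known = user in self._rows
        salt, stored = self._rows.get(user, (self._dummy_salt, b""))
        candidate = self._hash(password, salt)  # same work for unknown users
        return known and hmac.compare_digest(candidate, stored)

    def stored_digest(self, user: str) -> bytes:
        return self._rows[user][1]


def demo() -> dict:
    db = PasswordDB()
    db.enroll("alice", "correct horse")  # constructed sample accounts
    db.enroll("bob", "correct horse")    # same password as alice
    return {
        "alice_ok": db.verify("alice", "correct horse"),
        "alice_wrong": db.verify("alice", "Correct horse"),
        "unknown_user": db.verify("mallory", "correct horse"),
        "same_digest": db.stored_digest("alice") == db.stored_digest("bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Because each account has its own salt, the two identical passwords produce different database entries, so one precomputed table cannot be reused across accounts.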


Sending a Password

- Sending a password in the clear is insecure (weaknesses in early versions of SSH)
- Sending through secure channels (widely used, HTTPS)
  - Use SSL/TLS to establish a secure authenticated session
  - Then send encrypted password
  - Two layers of encryption
- Challenge – response
- Zero-knowledge proofs


Challenge – response

The idea is to have many passwords, so that the server can send a challenge asking to use a certain password from the family. In practice, random strings and hash functions are used.

Assumption: Client (User) and Server share a secret password PW


Challenge – response: Protocol

Protocol:
- Server sends a unique challenge value SC to the client
- Client generates unique challenge value CC
- Client computes CR = hash(CC || SC || PW)
- Client sends CR and CC to the server
- Server calculates the expected value of CR and ensures the client responded correctly
- Server computes SR = hash(SC || CC || PW)
- Server sends SR
- Client calculates the expected value of SR and ensures the server responded correctly
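
Both sides of the exchange above, as an added example that is not part of the original slides. It assumes SHA-256 as the hash and 16-byte random challenges; the class and function names are illustrative, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed-length challenges keep CC || SC || PW unambiguous


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class Server:
    def __init__(self, pw: bytes):
        self.pw, self.sc = pw, None

    def challenge(self) -> bytes:
        self.sc = secrets.token_bytes(NONCE_LEN)      # fresh SC for every attempt
        return self.sc

    def respond(self, cr: bytes, cc: bytes):
        sc, self.sc = self.sc, None                   # SC is single-use
        if sc is None or len(cc) != NONCE_LEN:
            return None
        if not hmac.compare_digest(cr, h(cc, sc, self.pw)):
            return None                               # client failed: send no SR
        return h(sc, cc, self.pw)                     # SR = hash(SC || CC || PW)


class Client:
    def __init__(self, pw: bytes):
        self.pw = pw

    def answer(self, sc: bytes):
        self.sc, self.cc = sc, secrets.token_bytes(NONCE_LEN)
        return h(self.cc, sc, self.pw), self.cc       # CR = hash(CC || SC || PW), CC

    def server_ok(self, sr) -> bool:
        return sr is not None and hmac.compare_digest(sr, h(self.sc, self.cc, self.pw))


def login(client_pw: bytes, server_pw: bytes) -> bool:
    server, client = Server(server_pw), Client(client_pw)
    cr, cc = client.answer(server.challenge())
    return client.server_ok(server.respond(cr, cc))


def replay_rejected(pw: bytes = b"constructed-sample-pw") -> bool:
    server, client = Server(pw), Client(pw)
    cr, cc = client.answer(server.challenge())        # an eavesdropper records (CR, CC)
    first = server.respond(cr, cc) is not None
    server.challenge()                                # later attempt, new SC
    return first and server.respond(cr, cc) is None   # old CR no longer matches
```

The password never crosses the wire, and a recorded (CR, CC) pair fails against the next SC, which is why the challenge must be unique per attempt.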


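Secure Remote Password (SRP)

We use the Diffie-Hellman key exchange protocol.
Fix a prime p and a primitive root g modulo p.

- Alice chooses $X \in \mathbb{Z}_p^*$ and sends $g^X$ to Bob
- Bob chooses $Y \in \mathbb{Z}_p^*$ and sends $g^Y$ to Alice
- Alice computes $k = (g^Y)^X$
- Bob computes $k = (g^X)^Y$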


Secure Remote Password (cntd)

Client A and Server B share a secret password PW.
Instead of using PW directly they use:
- Client: PWA = hash(A || B || PW), and $PWB = g^{PWA}$
- Server: PWB

Server and Client use some symmetric encryption scheme, for example, AES, with encryption algorithm E


Secure Remote Password: Encrypted DH Exchange

Client A
- chooses a random $X \in \{1, \dots, p-1\}$, computes $g^X$
- computes $X^* = E_{PWB}(g^X)$ and sends $X^*$ to Server

Server B
- chooses a random $Y \in \{1, \dots, p-1\}$, computes $g^Y$
- computes $Y^* = E_{PWB}(g^Y)$ and sends $Y^*$ to Client

Client
- receives $Y^*$
- computes $Y' = D_{PWB}(Y^*)$
- computes Diffie-Hellman key $DHKeyA = (Y')^X$

Server
- receives $X^*$
- computes $X' = D_{PWB}(X^*)$
- computes Diffie-Hellman key $DHKeyB = (X')^Y$


Secure Remote Password: Authentication

Client computes
- MasterKeyA = hash(A || B || DHKeyA)
- SessionKeyA = hash(MasterKeyA || 0)
- AuthA = hash(MasterKeyA || $(Y')^{PWA}$)
- AuthBCheck = hash(MasterKeyA || 2)

Server computes
- MasterKeyB = hash(A || B || DHKeyB)
- SessionKeyB = hash(MasterKeyB || 0)
- AuthACheck = hash(MasterKeyB || $PWB^Y$)
- AuthB = hash(MasterKeyB || 2)


Secure Remote Password: Authentication (cntd)

- Client sends AuthA to Server
- Server sends AuthB to Client
- Client accepts if AuthB = AuthBCheck
- Server accepts if AuthA = AuthACheck
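
The encrypted DH exchange and the authentication step from the last three slides, run end to end as an added example that is not part of the original slides. Assumptions: SHA-256 as the hash, a toy prime p = 2^127 - 1 with base g = 3 (not checked to be a primitive root, and far too small for real use), and an XOR pad standing in for AES as E and D; all names and passwords are constructed.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime, far too small for real use (assumption)
G = 3           # toy base, not checked to be a primitive root (assumption)


def H(*parts) -> bytes:
    # hash(a || b || ...); repr() is a toy unambiguous encoding of the parts
    return hashlib.sha256(repr(parts).encode()).digest()


def E(key: int, m: int) -> int:
    # Toy stand-in for AES: XOR with a 128-bit pad derived from the key.
    return m ^ int.from_bytes(H("pad", key)[:16], "big")


D = E  # with an XOR pad, decryption is the same operation


def derive(a: str, b: str, pw: str):
    pwa = int.from_bytes(H(a, b, pw), "big")     # PWA = hash(A || B || PW)
    return pwa, pow(G, pwa, P)                   # PWB = g^PWA


def run(client_pw: str, server_pwb: int, a="alice", b="server") -> dict:
    pwa, pwb = derive(a, b, client_pw)           # client side; server holds only PWB
    x = secrets.randbelow(P - 1) + 1             # X in {1, ..., p-1}
    y = secrets.randbelow(P - 1) + 1             # Y in {1, ..., p-1}
    x_star = E(pwb, pow(G, x, P))                # client -> server: X*
    y_star = E(server_pwb, pow(G, y, P))         # server -> client: Y*
    y_prime = D(pwb, y_star)                     # client: Y'
    x_prime = D(server_pwb, x_star)              # server: X'
    mk_a = H(a, b, pow(y_prime, x, P))           # MasterKeyA from DHKeyA = Y'^X
    mk_b = H(a, b, pow(x_prime, y, P))           # MasterKeyB from DHKeyB = X'^Y
    auth_a = H(mk_a, pow(y_prime, pwa, P))       # client -> server: AuthA
    auth_a_check = H(mk_b, pow(server_pwb, y, P))
    auth_b, auth_b_check = H(mk_b, 2), H(mk_a, 2)  # server -> client: AuthB
    return {
        "server_accepts": hmac.compare_digest(auth_a, auth_a_check),
        "client_accepts": hmac.compare_digest(auth_b, auth_b_check),
        "keys_match": H(mk_a, 0) == H(mk_b, 0),  # SessionKeyA vs SessionKeyB
    }


def demo() -> tuple:
    _, stored_pwb = derive("alice", "server", "tr0ub4dor&3")  # constructed enrolment
    return run("tr0ub4dor&3", stored_pwb), run("letmein", stored_pwb)
```

With the right password both checks pass because Y'^PWA and PWB^Y are the same value g^(Y·PWA); with a wrong password the decrypted X' and Y' are garbage, so the master keys differ and both sides reject.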


Unix Password System: Loading a New Password

[Figure: the Salt (12 bits) and the Password (56 bits) are fed to crypt(3); the User ID, the salt and $E_{PWD}(salt, 0)$ are loaded into the password file.]

- Password: 8 characters in 7-bit ASCII
- Salt: usually the time of creating the password
- crypt(3): a DES based encryption system
  - generates a key from the password, salt as an IV
  - encrypts 64-bit 0 block 25 times (!)


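Unix Password System: Verifying a Password

[Figure: the User ID selects the password file entry holding the salt and E(pwd,[salt,0]); the entered Password and the salt go through crypt(3), and the output goes to Compare with the stored value.]

Password is verified in the natural way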


Unix Password System: Pros and Cons

Pros:
- salt effectively makes password longer
- same passwords look different
- many iterations of DES slow down attempts to brute force the password

Cons:
- short password and short salt
- 25 iterations of DES is not enough for modern hardware


Windows Password System

Very similar, but
- no salt
- uses MD4 hash instead of DES-based encryption
- earlier version (LanMan) splits a password into two 7-byte chunks and hashes them separately, and is not case-sensitive
- later version (NT hash) does better
- as it lacks salt, brute-force like attacks can be used (rainbow chains, about a week of preparations and a few seconds to crack 99.9% passwords)
