User authentication Tuomas Aura T-110.4206 Information security technology

Outline 1. Passwords 2. Physical security tokens and two-method authentication 3. Biometrics  User authentication can be based on – something you know – something you have – something you are 2

PASSWORDS

3

Username and password  Passwords are used for entity authentication – Needed for access control and auditing: access control = authentication + authorization – Entity authentication vs. message authentication

 Password is a shared secret between the user and computer system – Limitations arise from the reliance on of human memory and input

 What attacks are there against passwords? 4

Sniffing and key loggers  Password sniffing on the local network used to be a major problem; mostly solved by cryptographic authentication: – SSH, SSL, HTTP Digest Authentication, MS-CHAPv2

 Key logger: software or hardware that stores all key strokes (including passwords) typed on a computer – Particular danger in public-access computers e.g. at libraries and cafes – Why do some bank web sites ask you to use the mouse to enter the PIN code? 5

Password recovery  Humans are prone to forget things  need a process for recovering from password loss  What the advantages and disadvantages of the following recovery mechanisms? – Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name – Emailing password to another user account – Physical visit to customer support – Yellow sticky on the back of the keyboard – USB key or CD with a password recovery file 6

Password reuse  How many different user accounts and passwords do you have? Ever used the same password on two accounts?  Using the same or related passwords on multiple accounts means that one corrupt sysadmin or compromised account can lead to compromise of the other accounts

 Adminsitrative countermeasures: – Passwords chosen by the service, not set by users – Exotic password format requirements

 Personal countermeasures: – Generating service-specific passwords from one master password – Password wallet that helps the memory, encrypted with a master password 7

Shoulder surfing  Keyboards and screens are highly visible  others may see what you are typing  Password and PIN prompts usually do not show the characters ******* – Does this make sense for all secrets?

8

Password guessing  Intelligent vs. brute-force guessing – dictionary attack

 Countermeasures – Limit the number or rate of login attempts – Minimum password length and complexity, passwrod quality check – Preventing reuse of old passwords – System-generated random passwords – Password aging i.e. mandatory periodic password changes (typically every three months) 9

Password entropy  Entropy = the amount of information the attacker is missing about the password Entropy ≤ log2(number of possible passwords)

 Examples:

– Random 8-character 7-bit passwords have 56 bits of entropy – 8-character alphanumeric passwords have at most 8 × log2(26+26+10) ≈ 48 bits – 4-digit PIN codes have about 13 bits of entropy

 Passwords rely on human memory  entropy cannot grow over time  any system that relies on high password entropy to beat brute-force attacks will eventually fail 10

Password database storage  Safer to assume that the database is public

– Unix /etc/password is traditionally world readable – Attacks on web servers often manage to dump any file or database on the server; e.g. SQL injection

 How to store passwords in a public file?

– Store a hash (i.e. one-way function) of the password – When user enters a password, hash and compare – Use a slow hash (many iterations of a hash function) to make brute-force cracking more difficult – Include random account-specific “salt”: show_hash( password | salt) to prevent simultaneous brute-force cracking of many passwords, precomputation attacks and equality comparison between passwords 11

Password hashing  Password-based key derivation function PBKDF2 [PKCS#5,RFC2898]*

– Good practical guide; uses any standard hash function, at least 64-bit salt, any number of iterations

 Unix crypt(3) [Morris and Thompson 1978]*

– Historical function for storing passwords in /etc/passwd aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh

– – – – –

Eight 7-bit characters = 56-bit DES key, e.g. ½=( Encrypt a zero block 25 times with modified DES 12-bit salt used to make slight modifications to DES Stored value includes the salt and encryption result Very slowly replaced with more modern hash functions and shadow passwords (stored in /etc/shadow, which is only readable to root)

12

Online and offline guessing attacks  In an online attack, target system can limit the number of guesses – – – –

Login prompt at the console PIN code on a phone Network login to an authenticated server over SSH or SSL Firewall to block client IP address after some failed attempts

 In an offline attack, the attacker can perform an exhaustive brute-force search – Attacker who has the hash values from the password database – Older challenge-response network authentication, e.g. MSCHAPv2 or HTTP digest authentication without SSL

 Big difference in the required password entropy:

– Online attack success probability ≈ number of allowed guesses / number of possible passwords – Offline attack requires cryptographic password strength, e.g. 128-bit entropy 13

Botnets and online guessing  10 banks, each with 106 customer accounts

– 4-digit PIN or one-time code required to log in – Client IP address blocked after 3 failed login attempts

 Attacker has a botnet of 105 computers

– Each bot makes one login attempt to one account in each bank every day  106 login attempts in a day  ~100 successful break-ins in a day

 Countermeasures:

– Make user IDs hard to guess; long, different from account numbers, and not assigned sequentially – Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN  increased entropy reduces attacker success rate 14

One-time passwords  Use each password only once to thwart password sniffers and key loggers  Lamport hash chain:

H1 = hash (secret seed); Hi+1= hash (Hi) – Server stores initially H100 and requires user to enter H99. Next stores H99 and requires H98, and so on.

 Unix S/KEY or OTP [RFC1938]

1: HOLM BONG VARY TIP JUT ROSY 2: LAIR MEMO BERG DARN ROWE RIG 3: FLEA BOP HAUL CLAD DARK ITS 4: MITT HUM FADE CREW SLOG HAST

 Hash-based one-time passwords HOTP [RFC4226] HOTP(K,C) = HMAC-SHA-1(K,C) mod 10D – Produces a one-time PIN code of D decimal digits

 Time-based one-time passwords

– E.g. RSA SecurID: one of many commercial products

 Which attacks are prevented by one-time passwords and which are not? 15

Spoofing attacks  Attacker could spoof the login dialog; how do you know when it is safe to type in the password?

16

│

Trusted path  Attacker could spoof the login dialog; how do you know when it is safe to type in the password?  Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system – Crtl+Alt+Del in Windows takes to a security screen that cannot be spoofed – Web browser window shows the URL in the address bar in a way that cannot be spoofed by the web server

 With malware and virtualization, it is increasingly hard to know what is real 18

Other threats  No system is perfectly secure: system designers have a specific threat model in mind, but the attacker can break these rules – “The attacker does not agree with the threat model.” (Bruce Christinson)

 Examples of unexpected attacks: – Phishing and social engineering – Heat camera can detect recently pressed keys – Acoustic emanations from the keyboard 19

PHYSICAL SECURITY TOKENS AND TWO-METHOD AUTHENTICATION

20

Physical security tokens  Smart card is a typical physical security token – Holds cryptographic keys to prove its identity – Tamperproof: secret keys will stay inside

 Used for door keys, computer login, ATM  PIN entry is often also required  twomethod authentication – Attacker needs to both steal the card and learn the PIN  clear qualitative increase in security

 Other form factors: button, USB stick, mobile phone 21

Issues with security tokens  Physical tokes require distribution and recovery process when tokens are lost  Computers (or doors etc.) must have readers  Some systems and protocols not compatible with cryptographic tokens – E.g. applications that depend on a cached password

 Process needed for recovering from the loss of tokens  Are smart card+PIN really two factors?  One alternative is two-channel authentication: – Confirmation via telephone: callback – Sending a second secret to a known address: text message, email, post 22

BIOMETRICS

23

Biometric authentication  Biometric authentication means verifying some physical feature of the user – Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA – Behavioral characteristic: voice, typing, gait

 Biometrics are not 100% reliable: – False acceptance rate FAR – False rejection rate FRR

FAR

FRR

50%

EER

24

Issues with biometrics  Biometrics require enrollment and readers  Unsupervised vs. supervised readers have a big difference in security – E.g. fingerprints, face recognition

 Suitability for security architectures: – Are biometric characteristics secrets? – Can they be copied? – How to revoke biometrics?

 What if enrollment fails? – Some people have no fingerprints, or no fingers 25

Reading material  Dieter Gollmann: Computer Security, 2nd ed., chapter 3  Matt Bishop: Introduction to computer security, chapter 11  Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15  Edward Amoroso: Fundamentals of Computer Security Technology, chapters 18-19

26

Exercises  Why do you need both the username and password? Wouldn’t just one secret identifier (password) be sufficient for logging in?  What effect do strict guidelines for password format (e.g. eight characters, use at least two capitals, at least two digits, at least one special symbol) have on the password entropy?  What is the success probability of guessing a 4-digit PIN code on a phone that locks up after three failed login attempts?  Why may mandatory password changes increase security? What is the optimal interval?  How to limit the number of login attempts without creating a DoS vulnerability?  Learn about graphical passwords and compare their entropy to different length passwords and PIN codes.  In a social network, could authentication be based on who you know (or who knows you), or where you are?  What advantages and disadvantages might a fingerprint reader have in a car lock? 27