User authentication
Tuomas Aura
CSE-C3400 Information security
Aalto University, autumn 2014
Outline
1. Passwords
2. Physical security tokens and two-method authentication 3. Biometrics
Common mantra:
User authentication can be based on
– something you know
– something you have
– something you are
PASSWORDS
Username and password
Passwords are used for entity authentication
– Needed for access control and auditing:
access control = authentication + authorization – Entity authentication vs. message authentication
Password is a shared secret between the user and computer system
– Limitations arise from the reliance on of human memory and input methods (and from the lack of cryptographic computing capability)
What attacks are there against passwords?
Sniffing and key loggers
Password sniffing on the local network used to be a major problem; mostly solved by
cryptographic authentication:
– SSH, SSL, HTTP Digest Authentication, MS-CHAPv2
Key logger: software or hardware that stores all key strokes typed on a computer
– Used to be a problem in public-access computers e.g. at libraries and cafes – Now can be malware on any computer
– Why do some bank web sites ask you to use the
mouse to enter the PIN code?
Password recovery
Humans are prone to forget things need a process for recovering from password loss
Recovery mechanisms often enable new attacks
What are the advantages and disadvantages of the following recovery mechanisms?
– Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name
– Emailing password to another user account – Physical visit to helpdesk
– Yellow sticker on the back of the keyboard
– USB memory stick with a password recovery file
Password reuse
How many different user accounts and passwords do you have? Ever used the same or similar password on two accounts?
Using the same or related passwords on multiple accounts means that one compromised system or account can lead to compromise of the other accounts
Administrative countermeasures:
– Passwords chosen by the service, not set by users – Exotic password format requirements
– Single sign-on to enable just one password
Personal countermeasures:
– Generating service-specific passwords from one master password
– Password wallet (e.g. on phone) encrypted with a master
password (e.g. F-Secure Key)
Shoulder surfing
Keyboards and screens are highly visible
others may see what you are typing
Password and PIN prompts usually do not show the characters
– Does this make sense for all secrets input?
Increasingly, showing the characters is a UI option
*******
Password guessing
Dictionary attack and other intelligent guessing vs. brute-force trials
Countermeasures against guessing
– Limit the number or rate of login attempts – Minimum password length and complexity,
password quality check
– Preventing reuse of old passwords
– System-generated random passwords
– Password aging i.e. mandatory periodic password
changes (typically every three months)
Online vs. offline guessing attacks
Offline attack: cracking the password from a know hash (or other value computed from) of the password
– E.g. MS-CHAPv2, Kerberos, HTTP digest authentication without SSL
– Unlimited number of guesses attacker can perform an exhaustive brute-force search
Online guessing: attacker tries to login many times
– E.g. PIN code entry on a phone
– E.g. network login to an authenticated server over SSH or SSL – System can limit the number or rate of guesses
Big difference in the required password strength:
– Online guessing success probability
≈ number of allowed guesses / number of possible passwords – Offline attack requires cryptographic strength from the
password, e.g. 128-bit entropy, to prevent exhaustive search
Authentication protocols that are vulnerable to network
sniffing and offline guessing are simply outdated
Measuring password strength
Many possible metrics:
– Number of possible passwords
– Entropy = amount of missing information
– Average/median time to crack a specific password – Average/median time to crack any one password
– Probability of success as a function of time or number of trials
– etc.
When the user is allowed to choose the password, measuring its strength accurately is impossible
Metrics are important to consider when designing new types of passwords
– Graphical passwords
– Password complexity requirements
Password entropy
Entropy = the amount of missing information
Entropy H = - ∑
x ∈passwords(P(x) ⋅ log
2P(x))
≤ log
2(number of possible passwords)
Examples:
– Random 8-character alphanumeric passwords have H = 8 ⋅ log
2(26+26+10) = 47.6 bits
– Random 4-digit PIN codes have about H = 13.3 bits of entropy
One-bit increase in entropy approximately doubles the cost of guessing attacks (exactly so for even probability distribution)
Human-selected passwords have less entropy than random ones because some are chosen more often than other
Should banks allow the customer to choose the PIN?
Do password quality checks increase entropy?
Passwords rely on human memory password entropy
cannot grow over time human memory cannot compete
with computer speed
PIN entropy examples
PIN entropy examples:
– Random 4-digit PIN:
H = -∑ 1…10000(1/10000⋅log2(1/10000)) = log2(10000) = 13.3 bits
– PIN chosen based on a date (format DDMM): H = log
2(365) = 8.5 bits – Assume only 30% of users replace the random PIN with a date:
P
date= 30%⋅1/365 + 70%⋅1/10000 = 0.00089 P
other= 70%⋅1/10000 = 0.00007
H = - 365⋅P
date⋅log
2(P
date) - (10000-365) ⋅P
other⋅log
2(P
other) = 12.6 bits
Password entropy examples:
– Random 8-character (printable ASCII) passwords: H = log2(958) = 52.6 bits – Random 8-character alphanumeric passwords: H = log2(628) = 47.6 bits – Random eight lower-case characters: H = log2(268) = 37.6 bits
– Random six lower-case characters + two digits (e.g. okwrsn91): H = log2(266⋅102) = 34.8 bits
– Random 6-character English word + two digits (e.g. banana28): H = log2(15222⋅102) = 20.5 bits
Note: Entropy is not always the best measure of password strength.
Nevertheless, the concept should be part of the BSc math courses, and you should learn to calculate basic
examples. (Please point out any errors.)
Password entropy examples
Random 8-character (printable ASCII) passwords: H = log2(958) = 52.6 bits
Random 8-character passwords with exactly two upper case, two lower case, two digits, two special characters:
– 26 capitals, 26 non-capitals, 10 digits, 33 other – Orderings 8!/(2!⋅2!⋅2!⋅2!) = 2520
– Different passwords: 262⋅262⋅102⋅332⋅2520 – H = log2(262⋅262⋅102⋅332⋅2520) = 46.8 bits
Random 8-character alphanumeric password with at least one upper case and at least one digit:
– All 8-character alphanumeric passwords: 628 – Those with no upper case: (62-26)8 = 368 – Those with no digit: (62-10)8 = 528
– Those with with no upper case and no digit: (62-26-10)8 = 268
– Allowed passwords: 628 – (368 + 528) + 268 (inclusion exclusion principle) – H = log2(628 – (368 + 528) + 268) = 47.2 bits
Random alphanumeric passwords with one special character:
– 7-character alphanumeric passwords: 627
– 33 special characters to choose from, 8 possible locations to insert it
H = log2(627 ⋅33 ⋅ 8) = 49.7 bits
What conclusion should we make? Not any strong one. The rules have
different effect on human-chosen passwords and random ones
Botnets and parallel online guessing
10 banks, each with 10
6customer accounts
– Public or easy-to-guess user ID
– 4-digit PIN or one-time code required to log in
– Client IP address blocked after 3 failed logins per day
Attacker has a botnet of 10
5computers
– Each bot makes one login attempt to one account in each bank every day 10
6login attempts in a day
~100 successful break-ins in a day
Countermeasures:
– Make user IDs hard to guess: long, randomly selected, and different from account numbers
– Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN
increased entropy reduces attacker success rate
Storing passwords on server
It is prudent to assume that your password database is public
– Unix /etc/password is traditionally world readable
– Attackers often manage to read files or database tables on a web server e.g. with SQL injection
How to store passwords in a public file?
– Store a hash i.e. one-way function of the password – When user enters a password, hash and compare
– Use a slow hash (many iterations of a standard hash function) to make brute-force cracking more difficult
– Include random account-specific “salt”:
slow_hash( password | salt)
to prevent simultaneous brute-force cracking of many
passwords, pre-computation attacks, and equality comparison between passwords
!
Password hashing
Password-based key derivation function PBKDF2 [PKCS#5,RFC2898]*
– Good practical function; uses any standard hash function, at least 64-bit salt, any number of iterations
Unix crypt(3) [Morris and Thompson 1978]*
– Historical function for hashing passwords stored in /etc/passwd
aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh
– Password = eight 7-bit characters = 56-bit DES key – Encrypt a zero block 25 times with modified DES – 12-bit salt used to modify DES key schedule
– Stored value includes the salt and encryption result – Too short salt enables e.g. rainbow table attacks
– Replaced by more modern hash functions and encrypted, read-
protected shadow passwords (why?)
PBKDF2
PBKDF2 (P, S, c, dkLen)
P = password S = salt
c = iteration count
dkLen = length of the result
PRF = keyed pseudorandom function
F (P, S, c, i) = U
1xor U
2xor ... xor U
cU
1= PRF (P, S || i)
U
2= PRF (P, U
1) ... U
c= PRF (P, U
c-1)
Repeat for i=1,2,3... until dkLen output bytes produced
Function for slow hashing of passwords
Many iterations to make the computation slower Used in WPA2-Personal for deriving keys from password (makes offline cracking more difficult) Could also be used for hashing stored
passwords on a server
One-time passwords
Use each password only once to thwart password sniffers and key loggers
Lamport hash chain:
H
1= hash (secret seed); H
i+1= hash (H
i)
– Server stores initially H
100and asks user to enter H
99. Next, stores H
99and ask for H
98, and so on
Unix S/KEY or OTP [RFC1760,RFC1938]
1: HOLM BONG VARY TIP JUT ROSY 2: LAIR MEMO BERG DARN ROWE RIG 3: FLEA BOP HAUL CLAD DARK ITS 4: MITT HUM FADE CREW SLOG HAST
Hash-based one-time passwords HOTP [RFC4226]
HOTP(K,i) = HMAC-SHA-1(K,i) mod 10
D– Produces a one-time PIN code of D decimal digits
Time-based one-time passwords
– Many commercial products such as RSA SecurID
Which attacks do one-time passwords prevent and which not?
Spoofing attacks
Attacker could spoof the login dialog; how do you
know when it is safe to type in the password?
│
Trusted path
Attacker could spoof the login dialog; how do you know when it is safe to type in the password?
Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system (with the TCB)
– Crtl+Alt+Del in Windows opens a security screen that is difficult to spoof
– Web browser shows the URL in the address bar in a way that cannot be spoofed by a web server
With malware and virtualization, it is increasingly
hard to know what is real
Other threats
No system is perfectly secure:
system designers have a specific threat model in mind, but the attacker can
break these rules
– “The attacker does not agree with the threat model. ” (Bruce Christianson)
Some other attacks against PINs and passwords:
– Phishing and social engineering
– User mistakes: using wrong password – Camera to record key presses
– Heat camera to detect pressed keys
– Acoustic emanations from the keyboard
– etc.
PHYSICAL SECURITY TOKENS AND
TWO-METHOD AUTHENTICATION
Physical security tokens
Smart card is a typical physical security token
– Holds cryptographic keys to prove its identity – Tamperproof: secret keys will stay inside
Used for door keys, computer login, bank card
Other security token implementations: smart button, USB dongle, mobile phone
Two-method authentication: require both physical token and a PIN
– Attacker needs to both steal the physical device and
learn the PIN clear qualitative increase in security
Issues with physical tokens
Physical tokens require distribution
Computers (or doors etc.) must have readers
It is not easy to integrate cryptographic tokens to all systems
– E.g. how to use a physical token if the application requires cached credentials (password) on the
client or on a proxy server
Process needed for recovering from the loss of tokens
Are smart card + PIN really two factors?
Authentication with mobile phone
Two-channel authentication used by major online services:
– Confirmation via telephone: callback, text msg
– Sending a second secret to a known address: text message, email, post
– Alerting user to potentially malicious events
Secure element in the mobile phone can be used as a login token
– The SIM is a smart card and could also act as the
authentication token
BIOMETRICS
Biometric authentication
Biometric authentication means verifying some physical feature of the user
– Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA
– Behavioral characteristic: voice, typing, gait
Biometrics are not 100% reliable:
– False acceptance rate FAR – False rejection rate FRR – Equal error rate EER
(less informative)
FAR FRR
50%
EER
Issues with biometrics
Biometrics require enrollment and readers
Typically not usable for online users (over the Internet)
Big difference in the security of unsupervised vs.
supervised readers
– E.g. fingerprint reader on computer vs. iris scanner at immigration
Suitability for security architectures:
– Are biometric characteristics secrets?
– Can they be copied? E.g. fingerprints on iPhone – How to revoke biometrics?
What if enrollment fails?
– Some people have no fingerprints, or no fingers
Reading material
Dieter Gollmann: Computer Security, 2nd ed., chapter 3; 3rd ed. chapter 4
Matt Bishop: Introduction to computer security, chapter 11
Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15
Edward Amoroso: Fundamentals of Computer
Security Technology, chapters 18-19
Exercises
Why do you need both the username and password? Would not just one secret identifier (password) be sufficient for logging in?
What effect do strict guidelines for password format (e.g. 8 characters, at least 2 capitals, at least 2 digits, at least 1 special symbol) have on the password entropy?
What is the probability of guessing the code for a phone that allows 3 attempts to guess a 4-digit PIN code, then 10 attempts to guess an 8-digit PUK code?
In what respects is PBKDF2 better for password hashing than crypt(3)?
How many hash values van a brute-force attacker test in second with a new GPU?
Hint: Check the BitCoin mining speeds.
How do mandatory periodical password changes increase security? What is the optimal interval?
How to limit the number of login attempts without creating a DoS vulnerability?
Learn about graphical passwords and compare their entropy to different-length passwords and PIN codes.
Learn about HTTP Digest Authentication [RFC2617] and MS-Chap-V2 [RFC2759].
Explain how to perform an offline password guessing attack after sniffing a login.
In a social network, could authentication be based on who you know (or who knows you), or where you are?
What advantages and disadvantages might a fingerprint reader have in a car lock?