User authentication

Tuomas Aura

T-110.4206 Information security technology

User authentication

Aalto University, autumn 2012

Outline

1. Passwords

2. Physical security tokens and two-method authentication 3. Biometrics

 Common mantra:

User authentication can be based on

– something you know

– something you have

– something you are

PASSWORDS

Username and password

 Passwords are used for entity authentication

– Needed for access control and auditing:

access control = authentication + authorization – Entity authentication vs. message authentication

 Password is a shared secret between the user and computer system

– Limitations arise from the reliance on of human memory and input

 What attacks are there against passwords?

Sniffing and key loggers

 Password sniffing on the local network used to be a major problem; mostly solved by

cryptographic authentication:

– SSH, SSL, HTTP Digest Authentication, MS-CHAPv2

 Key logger: software or hardware that stores all key strokes typed on a computer

– Used to be a problem in public-access computers e.g. at libraries and cafes – Now can be malware on any computer

– Why do some bank web sites ask you to use the

mouse to enter the PIN code?

Password recovery

 Humans are prone to forget things  need a process for recovering from password loss

 Recovery mechanisms often enable new attacks

 What are the advantages and disadvantages of the following recovery mechanisms?

– Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name

– Emailing password to another user account – Physical visit to helpdesk

– Yellow sticker on the back of the keyboard

– USB memory stick with a password recovery file

Password reuse



How many different user accounts and passwords do you have?

Ever used the same password on two accounts?



Using the same or related passwords on multiple accounts means that one compromised system or account can lead to compromise of the other accounts

 Administrative countermeasures:

–

Passwords chosen by the service, not set by users

Exotic password format requirements

–

Single sign-on to enable just one password

 Personal countermeasures:

–

Generating service-specific passwords from one master password

Password wallet (e.g. on phone) encrypted with a master

password

Shoulder surfing

 Keyboards and screens are highly visible

 others may see what you are typing

 Password and PIN prompts usually do not show the characters

– Does this make sense for all secrets input?

*******

Password guessing

 Dictionary attack and other intelligent guessing vs. brute-force trials

 Countermeasures against guessing

– Limit the number or rate of login attempts – Minimum password length and complexity,

password quality check

– Preventing reuse of old passwords

– System-generated random passwords

– Password aging i.e. mandatory periodic password

changes (typically every three months)

Measuring password strength

 Many possible metrics:

– Number of possible passwords

– Entropy = amount of missing information

– Average/median time to crack a specific password – Average/median time to crack any one password

– Probability of success as a function of time or number of trials

– etc.

 Metrics are important to consider when designing new types of passwords

– Graphical passwords

– Requirements to use special characters

Password entropy

 Entropy = the amount of missing information

Entropy H = - ∑ x passwords∈ (P(x) ⋅ log2 P(x))

≤ log2(number of possible passwords)

 Examples:

– Random 8-character alphanumeric passwords have H = 8 log⋅ ₂(26+26+10) = 47.6 bits

– Random 4-digit PIN codes have about H = 13.3 bits of entropy

 For even probability distribution, one-bit increase in entropy doubles the cost of guessing attacks

 Human-selected passwords have less entropy than random ones because some are chosen more often than other

 Should banks allow the customer to choose the PIN?

 Do password quality checks increase entropy?

 Passwords rely on human memory  password entropy cannot grow over time  human memory cannot compete with computer speed

Online and offline guessing attacks

 Offline attack: cracking the password from a know hash (or other function) of the password

– E.g. MS-CHAPv2 or HTTP digest authentication without SSL

– Unlimited number of guesses  attacker can perform an exhaustive brute-force search

 Online guessing: attacker tries to login many times

– E.g. PIN code entry on a phone

– E.g. network login to an authenticated server over SSH or SSL – System can limit the number or rate of guesses

 Big difference in the required password strength:

– Online guessing success probability

≈ number of allowed guesses / number of possible passwords

– Offline attack requires cryptographic strength from the password, e.g. 128-bit entropy, to prevent exhaustive search

Storing passwords on server

 Assume that the password database becomes public

– Unix /etc/password is traditionally world readable

– Attackers often manage to read files or database tables on a web server e.g. with SQL injection

 How to store passwords in a public file?

– Store a hash i.e. one-way function of the password – When user enters a password, hash and compare

– Use a slow hash (many iterations of a hash function) to make brute- force cracking more difficult

– Include random account-specific “salt”:

slow_hash( password | salt)

to prevent simultaneous brute-force cracking of many passwords, pre-computation attacks, and equality comparison between

passwords

Password hashing



Password-based key derivation function PBKDF2 [PKCS#5,RFC2898]

*

– Good practical function; uses any standard hash function, at least 64-bit salt, any number of iterations



Unix crypt(3) [Morris and Thompson 1978]*

– Historical function for storing passwords in /etc/passwd

aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh

– Password = eight 7-bit characters = 56-bit DES key – Encrypt a zero block 25 times with modified DES – 12-bit salt used to modify DES key schedule

– Stored value includes the salt and encryption result – Too short salt enables e.g. rainbow table attacks

– Replaced by more modern hash functions and encrypted, read-protected shadow passwords

DF2PBK

 PBKDF2 (P, S, c, dkLen)

P = password S = salt

c = iteration count

dkLen = length of the result

PRF = keyed pseudorandom function

F (P, S, c, i) = U

xor U

xor ... xor U

U

= PRF (P, S || i) U

= PRF (P, U

)

...

U

= PRF (P, U

)

Repeat for i=1,2,3... until dkLen output bytes produced

Function for slow hashing of passwords

Many iterations to make the computation slower Used in WPA2-Personal for deriving keys from password (makes offline cracking more difficult) Could also be used for hashing stored

passwords on a server Function for

slow hashing of passwords

Many iterations to make the computation slower Used in WPA2-Personal for deriving keys from password (makes offline cracking more difficult) Could also be used for hashing stored

passwords on a server

Botnets and online guessing

 10 banks, each with 10

customer accounts

– Public or easy-to-guess user ID

– 4-digit PIN or one-time code required to log in

– Client IP address blocked after 3 failed logins per day

 Attacker has a botnet of 10

computers

– Each bot makes one login attempt to one account in each bank every day  10⁶ login attempts in a day

 ~100 successful break-ins in a day

 Countermeasures:

– Make user IDs hard to guess: long, randomly selected, and different from account numbers

– Ask a “salt” question, e.g. memorable word, in addition to user ID and PIN

 increased entropy reduces attacker success rate

One-time passwords

 Use each password only once to thwart password sniffers and key loggers

 Lamport hash chain:

H₁ = hash (secret seed); H_i+1= hash (Hi)

– Server stores initially H100 and asks user to enter H99. Next, stores H99 and ask for H₉₈, and so on

 Unix S/KEY or OTP [RFC1760,RFC1938]

1: HOLM BONG VARY TIP JUT ROSY 2: LAIR MEMO BERG DARN ROWE RIG 3: FLEA BOP HAUL CLAD DARK ITS 4: MITT HUM FADE CREW SLOG HAST

 Hash-based one-time passwords HOTP [RFC4226]

HOTP(K,i) = HMAC-SHA-1(K,i) mod 10^D

– Produces a one-time PIN code of D decimal digits

 Time-based one-time passwords

– Many commercial products such as RSA SecurID

Spoofing attacks

 Attacker could spoof the login dialog; how do you

know when it is safe to type in the password?

│

Trusted path

 Attacker could spoof the login dialog; how do you know when it is safe to type in the password?

 Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system (with the TCB)

– Crtl+Alt+Del in Windows opens a security screen that is difficult to spoof

– Web browser shows the URL in the address bar in a way that cannot be spoofed by a web server

 With malware and virtualization, it is increasingly

hard to know what is real

Other threats

 No system is perfectly secure:

system designers have a specific threat model in mind, but the attacker can break these rules

– “The attacker does not agree with the threat model.” (Bruce Christianson)

 Some other attacks against PINs and passwords:

– Phishing and social engineering

– User mistakes: using wrong password – Heat camera to detect pressed keys

– Acoustic emanations from the keyboard

PHYSICAL SECURITY TOKENS AND

TWO-METHOD AUTHENTICATION

Physical security tokens

 Smart card is a typical physical security token

– Holds cryptographic keys to prove its identity – Tamperproof: secret keys will stay inside

 Used for door keys, computer login, ATM

 Other security token implementations: smart button, USB dongle, mobile phone

 Two-method authentication: require also PIN

– Attacker needs to both steal the card and learn

the PIN  clear qualitative increase in security

Issues with security tokens

 Physical tokens require distribution

 Computers (or doors etc.) must have readers

 It is not easy to integrate cryptographic tokens to all systems

–

E.g. how to use a physical token if the application requires

cached credentials (password) on the client or on a proxy server

 Process needed for recovering from the loss of tokens

 Are smart card + PIN really two factors?

 One alternative is two-channel authentication:

–

Confirmation via telephone: callback

–

Sending a second secret to a known address: text message,

email, post

BIOMETRICS

Biometric authentication

 Biometric authentication means verifying some physical feature of the user

– Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA

– Behavioral characteristic: voice, typing, gait

 Biometrics are not 100% reliable:

– False acceptance rate FAR – False rejection rate FRR – Equal error rate EER

FAR FRR

50%

EER

Issues with biometrics

 Biometrics require enrollment and readers

 Big difference in the security of unsupervised vs.

supervised readers

– E.g. fingerprint reader on computer vs. iris scanner at immigration

 Suitability for security architectures:

– Are biometric characteristics secrets?

– Can they be copied?

– How to revoke biometrics?

 What if enrollment fails?

– Some people have no fingerprints, or no fingers

Reading material

 Dieter Gollmann: Computer Security, 2nd ed., chapter 3; 3rd ed. chapter 4

 Matt Bishop: Introduction to computer security, chapter 11

 Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15

 Edward Amoroso: Fundamentals of Computer

Security Technology, chapters 18-19

Exercises

 Why do you need both the username and password? Would not just one secret identifier (password) be sufficient for logging in?

 What effect do strict guidelines for password format (e.g. 8 characters, at least 2 capitals, at least 2 digits, at least 1 special symbol) have on the password entropy?

 What is the probability of guessing the code for a phone that allows 3 attempts to guess a 4-digit PIN code, then 10 attempts to guess an 8-digit PUK code?

 In what respects is PBKDF2 better for password hashing than crypt(3)?

 How do mandatory periodical password changes increase security? What is the optimal interval?

 How to limit the number of login attempts without creating a DoS vulnerability?

 Learn about graphical passwords and compare their entropy to different-length passwords and PIN codes.

 Learn about HTTP Digest Authentication [RFC2617] and MS-Chap-V2 [RFC2759].

Explain how to perform an offline password guessing attack after sniffing a login.

 In a social network, could authentication be based on who you know (or who knows you), or where you are?

 What advantages and disadvantages might a fingerprint reader have in a car lock?