authentication attacks, causes and solutions


TRANSCRIPT

Page 1: Authentication attacks, causes and solutions

Authentication attacks, causes and solutions

Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems

Fletcher Liverance, 16 April 2009

Page 2: Authentication attacks, causes and solutions

Sources

Password-Based Authentication: Preventing Dictionary Attacks
Saikat Chakrabarti, University of Kentucky
Mukesh Singhal, University of Kentucky
Computer, IEEE CS Press, June 2007, pp. 68-74

SSL/TLS Session-Aware User Authentication
Rolf Oppliger, eSECURITY Technologies
Ralf Hauser, PrivaSphere AG
David Basin, ETH Zurich
Computer, IEEE CS Press, March 2008, pp. 59-65

Page 3: Authentication attacks, causes and solutions

Overview

What is authentication?
Two common attacks
Advanced password authentication protocols
Improvements in SSL/TLS
Preventing future attacks

Page 4: Authentication attacks, causes and solutions

What is Authentication?

Authentication is the binding of an identity to a subject

Face
Voice
Signature
Birth certificate
Social security number
ID card
Personal knowledge
Key
Password
Name
Phone number

Page 5: Authentication attacks, causes and solutions

Impersonal Authentication

How do you authenticate over a network?
No direct visual cues
No direct auditory cues
No physical connection

Knowledge based authentication
Recreation of human authentication cues
Electronic IDs

Page 6: Authentication attacks, causes and solutions
Page 7: Authentication attacks, causes and solutions

Dictionary Attack

Online
Repeated query of authentication server
Slow
Easy to block

Offline
Repeated computation and comparison of password hash
Faster
No interaction required

Top ten passwords:
1. (username)
2. (username)123
3. 123456
4. password
5. 1234
6. 12345
7. passwd
8. 123
9. test
10. 1

Page 8: Authentication attacks, causes and solutions

Man in the Middle

“a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.”

RFC 2828 – Internet Security Glossary

Page 9: Authentication attacks, causes and solutions

Basic Password Authentication

Page 10: Authentication attacks, causes and solutions

Challenge/Response

Page 11: Authentication attacks, causes and solutions

EKE Protocol

Page 12: Authentication attacks, causes and solutions

Plaintext equivalence

User and host must have access to the same secret password

Attacker can intercept password hash as it is sent to server

Page 13: Authentication attacks, causes and solutions

Secure remote-password protocol

Page 14: Authentication attacks, causes and solutions

Behind the scenes

Alice and Bob agree on finite field F(x)
Alice gives Bob verifier v = F(Hash(salt, password)) and salt.

Alice sends identity to Bob
Bob sends salt to Alice
Alice computes K-a = F(Rand-a) and x = Hash(s, pwd)
Alice sends K-a to Bob
Bob computes K-b = v + F(Rand-b)
Bob sends K-b and Rand-r to Alice
Alice computes K-ab = Hash((K-b – F(Hash(salt, pwd)))^(Rand-a + Rand-r*Hash(salt, pwd)))
Bob computes K-ab = Hash(Rand-b*K-a*v^Rand-r)
Alice sends Cert-a to Bob
Bob verifies Cert-a is correct
Bob sends Cert-b to Alice
Alice verifies Cert-b is correct
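The exchange on this slide, written out in the standard SRP-6a form as an added example (not code from the slides or from the SRP authors). The slide's F(.) is modular exponentiation g^x mod N, its Rand-r is the scrambling value u = H(A, B) that both sides derive, and the multiplier k is an SRP-6a refinement the slide omits; the toy group, the SHA-256 hash and the parameter names are assumptions made for this demo.

```python
import hashlib
import secrets

# Toy group, an assumption for this demo: 2^127 - 1 is prime but far too
# small for real use (RFC 5054 SRP groups start at 1024 bits).
N = (1 << 127) - 1
g = 2


def H(*parts):
    """SHA-256 over the concatenated parts (ints and strs encoded as text), as an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return int.from_bytes(h.digest(), "big")


K_MULT = H(N, g) % N  # SRP-6a multiplier k; absent from the slide's simplified form


def verifier(username, password, salt):
    """v = g^x with x = Hash(salt, Hash(username:password)); this is what Bob stores."""
    x = H(salt, H(username, b":", password))
    return pow(g, x, N)


def enroll(username, password):
    """Alice registers: Bob receives the salt and verifier, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, verifier(username, password, salt)


def srp_exchange(username, password, salt, v, a=None, b=None):
    """One SRP-6a run; returns (Alice's key, Bob's key), or (None, None) on abort.
    Alice uses the password; Bob uses only the stored verifier v."""
    a = secrets.randbelow(N) if a is None else a
    b = secrets.randbelow(N) if b is None else b
    A = pow(g, a, N)                                   # Alice -> Bob: identity, A (slide: K-a)
    B = (K_MULT * v + pow(g, b, N)) % N                # Bob -> Alice: salt, B    (slide: K-b)
    if A == 0 or B == 0:
        return None, None                              # either side must reject a zero value
    u = H(A, B)                                        # scrambling parameter (slide: Rand-r)
    x = H(salt, H(username, b":", password))
    # Alice: S = (B - k*g^x)^(a + u*x); the k*g^x term cancels Bob's k*v
    S_alice = pow((B - K_MULT * pow(g, x, N)) % N, a + u * x, N)
    # Bob: S = (A * v^u)^b; the same g^(b*(a+u*x)) without ever seeing x
    S_bob = pow(A * pow(v, u, N), b, N)
    return H(S_alice), H(S_bob)
```

Bob's key depends only on v, A and b, so a wrong password on Alice's side changes her key and nothing else; that is what removes plaintext equivalence from the server's store.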

Page 15: Authentication attacks, causes and solutions

Alternative Solutions

Delayed response
Account locking
Extra computation
Reverse Turing Test
Captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

Page 16: Authentication attacks, causes and solutions

SSL/TLS

Page 17: Authentication attacks, causes and solutions

SSL/TLS Issues

Prone to man in the middle attack
Attacker intercepts server messages
Attacker replaces server certificate with its own
Client encrypts all future transmissions using attacker’s certificate

“the naïve end user usually does SSL/TLS server authentication poorly if at all”

“developers usually decouple SSL/TLS session establishment from user authentication”

Page 18: Authentication attacks, causes and solutions

Preventing MITM attacks

Enforce proper server authentication
Uneducated users
Forged certificates
Click through
Complicated revocation policy
Complicated certificate verification tree

Page 19: Authentication attacks, causes and solutions
Page 20: Authentication attacks, causes and solutions

TLS-SA

Combine user authentication with SSL/TLS session establishment
Provide user authentication code (UAC) that depends on credentials and TLS session

Attacker can start session with user and host, but cannot forward messages between them

Page 21: Authentication attacks, causes and solutions

TLS-SA Implementation

Normal TLS
Client token generates session key based on hash of server cert
User enters password
UAC is computed from session key and password and is transmitted to server
Server authenticates client at any time by requesting user ID, hash of server cert and the UAC.
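A simplified model of the UAC binding on these two slides, written as an added example (not code from the slides or from Oppliger, Hauser and Basin's paper): the client token derives the session key from the hash of the server certificate its TLS session actually used, the UAC is an HMAC of that key under the password, and the server recomputes it over its own certificate. HMAC-SHA256 as the binding function, the constructed certificate byte strings and a server that holds the password directly are assumptions for the demo; the real scheme binds to TLS session state rather than to the certificate hash alone.

```python
import hashlib
import hmac

# Constructed placeholders standing in for DER-encoded certificates.
GENUINE_CERT = b"-- constructed: genuine server certificate bytes --"
ATTACKER_CERT = b"-- constructed: attacker-issued certificate bytes --"


def token_session_key(server_cert_seen: bytes) -> bytes:
    """Client token: session key from the hash of the server cert the TLS handshake used."""
    return hashlib.sha256(server_cert_seen).digest()


def compute_uac(session_key: bytes, password: str) -> str:
    """UAC = HMAC(password, session key); assumption: HMAC-SHA256 as the binding function."""
    return hmac.new(password.encode(), session_key, hashlib.sha256).hexdigest()


def server_check(user_id, cert_hash_claimed, uac, password_store, server_cert):
    """Server side: the UAC must match one computed over the server's OWN certificate."""
    own_hash = hashlib.sha256(server_cert).hexdigest()
    if not hmac.compare_digest(cert_hash_claimed, own_hash):
        return False  # the client's token saw some other certificate
    expected = compute_uac(token_session_key(server_cert), password_store[user_id])
    return hmac.compare_digest(expected, uac)


def direct_login(user_id, password, server_cert, password_store):
    """Honest flow: the token hashes the server's real cert, so the UAC binds to this session."""
    key = token_session_key(server_cert)
    return server_check(user_id, hashlib.sha256(server_cert).hexdigest(),
                        compute_uac(key, password), password_store, server_cert)


def relayed_login(user_id, password, server_cert, password_store):
    """MITM flow: the client's TLS session terminates at the attacker's cert, so the token
    binds the UAC to ATTACKER_CERT; relaying that UAC with the genuine cert hash still fails,
    and the attacker cannot recompute it without the password."""
    key = token_session_key(ATTACKER_CERT)
    uac_from_client = compute_uac(key, password)
    return server_check(user_id, hashlib.sha256(server_cert).hexdigest(),
                        uac_from_client, password_store, server_cert)
```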

Page 22: Authentication attacks, causes and solutions

A Formal Approach

“protocols need more than heuristic arguments to provide security guarantees.”

Provable security via the Standard model
Uses complexity-theoretic hardness assumptions:
Factoring the product of large primes is hard
Computing the discrete logarithm is hard in certain large groups.
AES is a good pseudorandom permutation

Page 23: Authentication attacks, causes and solutions

A Formal Approach (cont.)

The random oracle model
“A public random function that takes any string as input and outputs n bits”
Use heuristically secure algorithms such as SHA

The ideal-cipher model
A standard block cipher, with k-bit key and n-bit input, chosen uniformly from all block ciphers of this form.
Use pseudorandom permutations such as AES

Page 24: Authentication attacks, causes and solutions

Q & A