
November 2009

PASSWORDS AND RELATED ISSUES

POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY, HO CHI MINH CITY CAMPUS

COURSE PROJECT: INFORMATION SECURITY

A STUDY OF PASSWORDS AND RELATED ISSUES

Supervisor: Mr. L Phc
Student group: 1. Trng nh Hong 2. Nguyn Th Thanh Minh 3. V Thanh Tho


Introduction

When computer networks first appeared, the problem arose of many people sharing one system while keeping information confidential, and so the password was born. At first a password was simply a string of characters used to block access by other people. As password cracking grows, and as computers get faster and memory gets cheaper, a hacker's ability to crack passwords keeps rising and the time needed keeps shrinking. With that, the demands placed on users grow as well: passwords must be changed periodically, must be chosen strong according to policy, and users must remember their passwords and keep them secret. From all this we can see that passwords are a sensitive issue on a single computer, in a small network and on the wider Internet. This report therefore gives an overview of passwords and related issues: authentication, password cracking, and evaluating the strength of a password. From this we draw lessons for protecting our information against attacks.


I. OVERVIEW OF AUTHENTICATION:

Put simply, authentication is the process of identifying a user. In an ever-growing network environment, correctly confirming a user's legitimate access rights is of great importance to information security. Today there are many authentication methods; most of them are based on:
o What you know (Username/Password)
o What you have (Smart Card, Certificate)
o What you are (Biometrics)

A. Authentication by username and password:

1. HTTP Authentications

a. Basic Authentication

A common authentication method available on the Web application platform. It appears when the client requests information that requires authentication. It is restricted to certain protocols and can be exploited by attackers.


Use SSL to encrypt the username and password data sent between client and server.

b. Digest Authentication

Designed to be more secure than Basic Authentication, it is based on challenge-response authentication. It improves on Basic Authentication in that the system hashes the username and password before they are sent over the network.

2. Combined with Windows NTLM authentication:

Uses NT LAN Manager (NTLM) authentication technology for HTTP. It works only with IE and on an IIS web server. Combined with Windows authentication, it suits an enterprise's local network environment.


It is an authentication method that does not transmit any username or password information over the network.

3. Negotiate Authentication (negotiated authentication):

This is an authentication method that extends NTLM Authentication. It provides Kerberos-based authentication and uses a negotiation process to decide which security level is used. It can be configured and used not only for local networks.


B. Authentication based on smart cards and certificates:

1. Certificate-based authentication:

Uses public-key cryptography and digital certificates to authenticate the user. It is of interest when combined with two-factor authentication: a user who knows the username and password must also present a certificate before being authenticated. A user's certificate can be stolen. Many software products today support certificate authentication.


2. Forms-based authentication:

It is not supported at the HTTP and SSL level. It is a higher-level option in which authentication uses a form, usually embedded as HTML. It is a very popular authentication method on the Internet.


3. RSA SecurID token authentication:

The SecurID authentication method uses a "token" (a device or card). A hardware device generates a new authentication code every 60 seconds, and a card is used to decode the key. A user authenticating to a network resource must enter a PIN together with the number the SecurID displays at that moment.


C. Biometric authentication:

A biometric authentication system must have devices that can recognise a user from biological features such as fingerprints, face, eyes and hand. It is a highly secure authentication method and convenient for users, who need not remember a password or carry a card. From what has been presented above we can see that biometric and smart-card authentication have the advantage of very high security: a hacker can hardly attack the system, can hardly obtain the smart card, and cannot have biological features identical to the user's. But deploying this costs a great deal, especially the cost of installing the authentication system at the devices of the information system. This analysis shows that passwords remain an effective solution: low cost and easy to use, with acceptable security, and potentially very effective if we have sensible policies. Therefore we will focus our discussion and study on passwords and the related security issues.


II. PASSWORDS AND PASSWORD CRACKING:

Today, with the relentless development of computing, the risk of hackers attacking information systems keeps growing and the password problem grows more complex: a password is no longer merely a user's private secret string, it is always at high risk of being cracked, so users need new knowledge about passwords.

So what is a password? A password (roughly, a "confirmation code") is a secret word or string of characters used to authenticate, prove or identify a user accessing a resource.

Why are passwords necessary?
o Passwords help prevent unauthorised access to a system, protect information, and uniquely identify the individual logging in as well as recording their actions on the data.
o In any system, certain users have privileges that others do not. By identifying yourself on your own computer or on websites, you gain access to your own working environment and your personal data; these are sensitive data that you do not want made public.

Threats stemming from passwords:
o While most organisations and 99% of home users still depend on passwords as the basic form of identification for sensitive and private data, networks with weak security mechanisms inadvertently create holes through which hackers reach company resources and users' assets.
o Although passwords are the most necessary and user-friendly means of identifying users who access a network or database, the truth is that users are very careless about the requirements that they change their passwords, create secure passwords and follow the guidance to keep them as secret as possible. The result is a large number of easily guessable passwords, the same passwords on many systems, and users writing down login details including both password and username.

Dangers when a password is leaked:
o Identity theft: identity theft occurs when your account data is used by someone else. This leads to financial damage as well as personal damage (using your account to withdraw money, etc.).
o Sensitive data exposure: the contents of email, projects, documents and photos are exposed to hackers, or to individuals targeting you with malicious intent.
o Company data exposure: espionage that obtains sensitive internal information through carelessly kept account data, with enormous impact on the company you work for.
o Use in criminal activity: your account will be used for criminal purposes if not kept carefully. Remember that the trail leads back to your account, so you cannot avoid being implicated.

So what is a password attack? A password attack is finding a way to obtain the password of some user ID in order to break into their system. A password can be attacked in many different ways:


o Physical security holes: a physical hole in a computer will be fully exploited even with the most sophisticated identification method and the most secure encryption. For example, with a keylogger (a program that monitors keystrokes, installed as software or hardware), your key is revealed and all encrypted data and accounts are compromised. However long and secure your password, a physical security hole is one of the most dangerous cases.
o Packet sniffers: capturing passwords in poorly encrypted environments, especially on a LAN where machines going out to the Internet must pass through the default gateway. Systems sometimes relay information over the network insecurely, and exploiting this a hacker can get onto the data paths to eavesdrop on or read the stream of data passing through. The hacker's eavesdropping on transmitted information and data is called sniffing or snooping. It collects valuable information about the system, such as a packet containing someone's username and password. Eavesdropping programs are also called sniffers. These sniffers listen on the ports of a system the hacker wants to eavesdrop on, collect the data on those ports and pass it back to the hacker.
o Trojan horse programs: they appear as links on web pages that trick users into clicking, as an ActiveX prompt when a user wants to log on to a website, inside installers, in email... Once the trojan is on the user's machine it can capture the password the user types and send it back to the attacker.
o Cookie attacks: a cookie is a small structured piece of data shared between a website and the user's browser. Cookies are stored as small text files (under 4 KB). Sites create them to store, retrieve and recognise information about the users visiting the site and the areas of the site they pass through. This information may include name, user identifier, password, preferences, habits... Cookies are accepted by the user's browser and stored on the computer's hard disk; not every browser supports cookies.


o Cracking: there are two methods, manual cracking and automatic cracking. Manual cracking: using a valid user ID (which a hacker can easily find with a war dialer), guess a password the user might use, then try one password after another until one succeeds. Automatic cracking: find the file of hashed passwords, then decode it to obtain the passwords in plaintext.

To understand this issue we first need to understand how passwords are hashed and verified.

Password hashing: today most passwords are hashed one-way with hash functions such as SHA or MD5. So in well-built applications a password is stored only as a hashed string and never as plaintext.

Password verification: suppose user A has the password a; the application "hashes" it to 0cc175b9c0f1b6a831c399e269772661 and stores that in the database. When user A logs in with the password a, the application hashes a and compares the resulting value with the value stored in the database. If they match, user A is let in. When a system is compromised, hackers can only obtain the file of hashed passwords, not a file of plaintext passwords, and because of the one-way nature of hash functions, hackers who want the plaintext password can only brute-force it.

Brute-force attacks:

Dictionary form: a dictionary attack creates a file containing most of the meaningful words in a dictionary, hashes them and compares them against the user's password, using this to guess the user's password. In practice users often use meaningful words for their passwords, so the dictionary attack is a simple method with a high success rate. On most systems a dictionary attack can be completed in a short time compared with trying the possible combinations. Building the dictionary file is quite simple, especially when you know the user well: for example, a term the user often uses at work, or the name of someone important to the user, can be put into the dictionary.

Brute-force form: this is the method of cracking a password by exhausting every possible combination of characters, starting with simple ordinary characters through to special characters, hashing them and comparing them with the user's password. So with a powerful computer capable of combining characters, a hacker can crack any password given enough time.

Hybrid form: a combination of the dictionary attack and brute force. The dictionary attack scans meaningful words; the brute-force attack scans the remaining characters such as special characters and digits. Example: the user's password is intertainment111. The dictionary method cannot be used because no word contains digits, and pure brute force would take too long. We use the hybrid method: take a meaningful word from the dictionary, then use brute force to append 2 digits after the word, for example, to find the password. This method is far more efficient.

Below we examine a few representative demonstration programs:

1. Brute-force attack: Windows is the most popular operating system in the world, and it always harbours security flaws. In this section I present a method of attacking a computer running Windows. From knowledge of how a Windows computer can be attacked I will propose security solutions for the system. Attacking the password of a Windows account.
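The hash-and-compare verification described earlier (user A, password a, stored MD5 digest 0cc175b9c0f1b6a831c399e269772661) as an added example, not code from the report, with a salted, slow-hash variant beside it; the PBKDF2 record format and the round count are choices made here.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The scheme the text describes: unsalted, fast MD5 ----------------------
# The stored value for password "a" is its MD5 digest; a login attempt is
# hashed the same way and compared with the stored value.

def store_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def verify_md5(password: str, stored_hex: str) -> bool:
    # compare_digest avoids leaking the matching prefix length through timing
    return hmac.compare_digest(store_md5(password), stored_hex)

# --- Hardened form (added here, not part of the report) ---------------------
# A per-user random salt plus a deliberately slow key-derivation function.
# Two users with the same password get different stored values, so one
# precomputed table of hashes no longer covers everybody, and every guess
# costs ROUNDS iterations instead of a single MD5.
ROUNDS = 200_000

def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    # self-describing record: algorithm $ rounds $ salt $ derived key (hex)
    return "pbkdf2_sha256$%d$%s$%s" % (ROUNDS, salt.hex(), dk.hex())

def verify_pbkdf2(password: str, record: str) -> bool:
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    db_md5 = store_md5("a")
    print("MD5 record:", db_md5, "login ok:", verify_md5("a", db_md5))
    db_pbkdf2 = store_pbkdf2("a")
    print("PBKDF2 record:", db_pbkdf2, "login ok:", verify_pbkdf2("a", db_pbkdf2))
```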


a. On the local machine

Suppose you do not know the password of a computer in the system, but you have asked its owner to type their password and lend you the computer for a moment. The question now is how to find out the password on the machine you are logged on to. Many programs can export the hashed password to a file, typically PasswordDump and WinPasswordPro; in this article I show you how to use WinPasswordPro. Start WinPasswordPro and import the passwords from the local machine.

After importing the passwords from the SAM file we have


Then export the list of users and hashed passwords to a .txt file and send it to our mail; on our own machine we use the same program to crack it.

Opening the exported TXT file we have the hashed password data


After obtaining the hashed user/password data, uninstall the program on the victim's machine, then send the file by mail to our own machine to crack it. This is the time-consuming stage: a password of under 10 characters takes about 1 hour. Start WinPasswordPro on our machine, choose File -> Import PWDUMP file and select the path to the file of hashed passwords. After importing from the PWDUMP file we have the following. Clicking Start gives 3 password attack methods:
+ Brute Force
+ Dictionary
+ Smart Table


I chose the Brute Force attack method

After about 15 minutes (this is a password I set myself, with no special characters, no digits, no uppercase, and 9 characters) the process finished and I had recovered from the hashed password file: user administrator with password vnexperts


b. Attacking a remote machine.

- When we can sit at the victim's machine, exporting the hashed passwords is simple, but in practice this method can rarely be carried out.
- With Password Dump we can obtain the hashed data from a remote machine.
- Here I use PasswordDump Version 6.1.6

Above I obtain the hashed username and password data from the computer 192.168.1.156 using PWDump and write the data out to the file vnehack.txt on C:, using the Type command to view the file's contents. Once we have this data we again use WinPasswordPro to crack it. And once we have the Administrator account and its password, what to do next is up to us. Solutions to prevent this form of attack:
+ Prevent people from accessing our computer.


+ Set passwords longer than 14 characters containing all character types: special characters, uppercase, digits and lowercase
+ Enable the firewall to block PasswordDUMP; install and update the latest patches from the vendor
+ Install at least one strong antivirus program.

This neutralises PWdump, but note that when the attacker already has an account in the system things are completely different: they will get past most security defences. In this case I have an ordinary user named vne, and with it I can export the entire hashed username/password data of the server.

2. Finding passwords by decoding cookies: the CT Cookie Spy 2.0 program. Cookies often store a lot of important information about a user's Internet activity, such as the username and password for a website. With this software you can search the cookies stored on the system and decode them to find usernames and passwords.

From the attack methods presented above, we can derive principles for setting and using passwords that help us protect our passwords against most common attacks. That is the next issue we study.

III. PASSWORDS AND PASSWORD SECURITY:

1. Password strength and weakness:

a. What is a weak password?

A weak password is one that is short, common, a default supplied by the system, or something that can be guessed quickly by running a brute-force attack over a subset of all possible passwords, such as dictionary words, proper names, words based on the user's name, or common variations of those words. Passwords that are easily guessed from knowledge of the user, such as their date of birth or pet's name, are also considered weak. Examples of weak passwords:

Admin -- too easily guessed
1234 -- too easily guessed
abc123 -- too easily found
minh -- a common given name
password -- easily guessed, very common, a dictionary word
p@$$\/\/0rd -- leet and simple character substitutions are pre-programmed into cracking tools
rover -- a common pet name, also a dictionary word
12/3/75 -- a date, possibly important to the person
December12 -- using the date of a forced password change is very common
nbusr123 -- probably a username, and if so, very easily guessed
asdf -- a sequence of adjacent keys on many keyboards
qwerty -- a sequence of adjacent keys on many keyboards
aaaa -- repeated characters, easy to guess

According to preliminary statistics, 3.8 percent of passwords are single words found in a dictionary, and another 12 percent are a word plus a final digit; in two thirds of those the digit is 1. Many users do not change the default password that ships with many computer security systems. Lists of default passwords abound on the Internet. A password becomes guessable if the user chooses an easily discovered piece of personal information (such as a student number, a friend's name, a birthday, a phone number or a licence plate). Personal data about a person is now available from many sources, often posted online, and can often be obtained by others using deception, such as presenting a survey or a security audit. The greatest risk of using a short or guessable password is access or attack by the user's own acquaintances. While the uncommon name of a pet or of a favourite video-game character is hard for a complete stranger to guess and hard to find in a dictionary, a friend with a grievance clearly has far fewer choices to guess and needs no computer to guess it. An example of a poor password against such "in the know" attackers could be "19YaleLaw78", derived from the fact that the person graduated from Yale Law School in 1978. While its eleven-character length resists brute-force attack well, the graduation year from a prestigious school is something the attacker will certainly know if they know the victim well. So while a powerful computer might run for months to guess this password, a jealous colleague could guess it within minutes with pen and paper, trying a few variations. A password is often vulnerable if it is found in a list. Machine-readable dictionaries exist for many languages, and lists of commonly chosen passwords exist. In tests against live systems, dictionary attacks succeed so readily that software implementing this attack is now available for many systems. A very short password, perhaps chosen for convenience, is vulnerable if the attacker can obtain the password's hash. Computers today are fast enough to try every all-letter password shorter than 7 characters. Employees, programmers and system administrators who leave often know passwords that are rarely changed. Such guessable passwords can lead to serious damage from mischief, fraud or revenge.

b. What is a strong password:

A strong password is long, random, or otherwise something only its chooser would think of, so that guessing it would take more time than a password cracker is willing to spend guessing it. How long counts as "too long" varies with the attacker, the attacker's resources, the ease of access to passwords to try, and the value of the password to the attacker. A computer-club student's password might be worth a few seconds of guessing, while a password controlling access to a large bank's electronic funds transfer system might be worth many weeks or even months of guessing. It would be a mistake to use the passwords listed below: they have been published, and are therefore weak. All comments on password strength assume the password is unknown and has not been written down. Passwords similar to these, or based on the same principles, will be strong, assuming nobody else has them. Examples of strong passwords are:
t3wahSetyeT4 -- mixed case and alternating digits
4pRte!ai@3 -- mixed case, alternating digits, punctuation and a "special" character
MoOoOfIn245679 -- mixed case and alternating digits
Convert_100 to Euros! -- a long passphrase can be easy to remember and contains extended symbols to increase strength, but some weaker password hashing methods can depend on frequency analysis
1382465304H -- a string of digits ending in a letter
Tp4tci2s4U2g! -- a mix of characters of different case, digits and punctuation. It is easy to remember as the initial letters of "The password for this computer is too strong for you to guess!"
5:*35pm&8/30 -- a time and date typed with two random "special" characters
EPOcsoRYG5%[email protected] -- uses many elements including uppercase and special characters
BBslwys90! -- includes uppercase, digits and punctuation. Also easy to remember, since it stands for "Big Brother is always right (90)!"

Technically, the examples above all have an information entropy (in bits) greater than 3, whereas the weak examples have an entropy below 3. As a technical matter, a password's strength serves its purpose if the time needed to break it exceeds the time that can be spent breaking it, and/or if the protected information is stale before the cracking effort completes. The longer the password and the wider the choice of symbols, the more powerful the effort to crack the password (or to match it in a rainbow table) must be to defeat it, assuming the password hash table and the appropriate protections are in place. Furthermore, not using single words makes brute-force attacks extremely ineffective. Note that some systems do not allow symbols or so-called "special characters" such as #, @ and } in passwords, and such characters may be hard to find on different keyboard layouts. In that case, simply adding a few more letters or digits can achieve equivalent security: letters plus digits in a single case give 36 possible characters, but both cases plus digits give 62 possible characters. Furthermore, the examples above, having been printed in this report as password examples, are no longer good choices; examples from public discussions of passwords are obvious candidates for the dictionaries used in dictionary attacks. However, be aware that even a "strong" password (by the limited criteria above), and any user-chosen password, is not equivalent to a strong encryption key and should not be used as one, if for no other reason than that it contains no unprintable characters. Passphrase methods and password-authenticated key agreement are used to address this limitation. Another form of strong password is a wholly or partly random word with varying lowercase letters and one or more digits or symbols added. Such a password, while almost entirely letters and easy for the user to remember, is very long and forces a brute-force password generator to try every character in every case, as well as every digit and keyboard symbol, at every position, since the symbols and digits can be anywhere in the word. As discussed below, this defeats brute-force attacks with realistic resources. A password can be found by using such a brute-force password generator. In the simplest case these are small programs that simply try every possible combination. A 3 GHz processor can generate approximately 3 million passwords per second. A ten-character password like '4pRte!ai@3', with about 95 keys available, is one of 95^10 possibilities and would take about 632,860 years to find, assuming the password was generated randomly. A password containing fifteen random uppercase letters would be about as secure (provided the system in question is case-sensitive and permits symbols) and may be easier for some people to remember and type. However, any weak password hashing method that can betray a password faster, by reducing the number of combinations needed or by speeding up the hashing, can defeat an otherwise "strong" password. Furthermore, precomputed tables such as rainbow tables can speed up cracking considerably. A function for the number of possible passwords is: maximumCombinations = nrAvailableChars^PasswordLength. Using only the 26 lowercase letters and a password 7 characters long, the number of combinations is 26^7 = 8.03 billion. That may seem large to some people, but at a time when ordinary computers can generate 3 million passwords per second it takes only 45 minutes to find the password.

2. So how to have a strong password?
o Impose a minimum password length policy of 8, ideally 15
o Require special characters, digits, uppercase and lowercase in a password
o Do not use any word from an English or other dictionary
o Do not use a password identical to the username, and change it regularly
o Choose a password that is easy for you to use but hard for others to guess.

3. Recommendations when setting passwords:
o Never just add one special character after a word, e.g. do not set the password vnexperts1
o Never join two words to get an easy-to-remember password such as vnevne
o Do not set a guessable password
o Do not set a password that is too short
o Do not set a password of keys you type often, such as asdf;lkj
o Change your password regularly, at least once a month.
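The search-space arithmetic above (maximumCombinations = nrAvailableChars^PasswordLength at 3 million guesses per second) as an added example, not code from the report; it also derives the alphabet size from which character classes a password uses, following the 26/26/10/33 class sizes the text implies for the 95 printable ASCII characters.

```python
import string

GUESSES_PER_SECOND = 3_000_000      # the report's rate for a 3 GHz processor
SECONDS_PER_MINUTE = 60
SECONDS_PER_YEAR = 365 * 24 * 3600  # the report's 632,860-year figure uses a 365-day year

# Character classes and their sizes: 26 lowercase, 26 uppercase, 10 digits and the
# 33 printable symbols (including space) that complete the 95 printable ASCII set.
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation + " "), 33),
)

def alphabet_size(password: str) -> int:
    """Smallest alphabet an attacker who knows which classes occur must search.
    letters + digits in one case -> 36; both cases + digits -> 62; all four -> 95."""
    return sum(size for _, chars, size in CLASSES if any(c in chars for c in password))

def max_combinations(n_available_chars: int, length: int) -> int:
    # maximumCombinations = nrAvailableChars ^ PasswordLength
    return n_available_chars ** length

def seconds_to_exhaust(password: str) -> float:
    """Worst-case time to try every combination of this password's alphabet and length."""
    return max_combinations(alphabet_size(password), len(password)) / GUESSES_PER_SECOND

def minutes_to_exhaust(password: str) -> float:
    return seconds_to_exhaust(password) / SECONDS_PER_MINUTE

def years_to_exhaust(password: str) -> float:
    return seconds_to_exhaust(password) / SECONDS_PER_YEAR

if __name__ == "__main__":
    # the two cases the report works through, plus the fifteen-uppercase-letter comparison
    for pw in ("abcdefg", "4pRte!ai@3", "A" * 15):
        print("%-16s alphabet=%2d combos=%e years=%.0f"
              % (pw, alphabet_size(pw), max_combinations(alphabet_size(pw), len(pw)),
                 years_to_exhaust(pw)))
```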


o Change your password immediately when you discover it is being used by someone else.
o Never store passwords on your computer; many people habitually visit websites and save their passwords there, which is not secure because the encryption on the computer is easily decoded.
o The passwords Windows saves in .pwl files are not secure.
o Do not tell others your password.
o Do not send it by mail, and avoid reusing the same password across many applications.
o Do not write your password down to help you remember it.
o When typing a password, beware of keyloggers and people watching over your shoulder.

4. Some password evaluation algorithms:

a. KeePass:

1./ Determine the character sets: KeePass divides characters into 7 sets:
o Lowercase letters: a-z (ASCII 97-122)
o Uppercase letters: A-Z (ASCII 65-90)
o Digits: 0-9 (ASCII 48-57)
o Simple special characters: space to / (ASCII 32-47)
o Extended special characters: : to @ (ASCII 58-64), [ to ` (ASCII 91-96) and { to ~ (ASCII 123-126)
o The remaining higher set (ASCII > 126)
o The remaining lower set (ASCII < 32) ... > 128 then q = 100; otherwise q = bitperchar/128 x 100.

Advantages:
- Combines evaluation by character space (charspace) with entropy.
- The character space is divided in fairly fine detail.

b. Mozilla:

As we know, the character space strongly influences the strength of a password: the larger the character space, the harder the password is to break. Mozilla evaluates passwords by character space. It is a simple method but a reasonable one. Mozilla defines 4 character-space quantities that affect password strength:
o Number of uppercase characters (upp).
o Number of digits (dig).
o Number of special characters (spe).
o Password length (len).

If len = 1..5 then p = p + len*10
If len > 5 then p = p + 50
If dig = 1..3 then p = p + dig*10
If dig > 3 then p = p + 30
If spe = 1..3 then p = p + spe*15
If spe > 3 then p = p + 45
If upp = 1..3 then p = p + upp*10
If upp > 3 then p = p + 30
Result: p = p - 20 (%)

Remark: unlike KeePass, in this method the password length does not fully determine the strength of the password. Example: a 10-character password with 5 uppercase and 5 lowercase letters has the same strength as a 15-character password with 5 uppercase and 10 lowercase letters.

Advantages:
- The method is simple.
- Fast to compute.
- No entropy is computed, so no complex operations such as logarithms are needed.
Disadvantages:
- Few character sets (4).
- The evaluation is rather loose.

c. PGP:
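The Mozilla scoring rules above as an added example, not code from the report or from Mozilla; it assumes "special character" means any character that is not a letter or digit, and the 0..100 clamp in mozilla_percent is added here (the report stops at p - 20).

```python
def mozilla_strength(password: str) -> int:
    """Raw score p - 20 from the four counts the report lists (len, dig, spe, upp)."""
    length = len(password)
    dig = sum(c.isdigit() for c in password)
    upp = sum(c.isupper() for c in password)
    spe = sum(not c.isalnum() for c in password)   # assumption: special = not letter/digit

    p = 0
    p += length * 10 if length <= 5 else 50   # len 1..5 -> len*10, len > 5 -> 50
    p += dig * 10 if dig <= 3 else 30         # dig 1..3 -> dig*10, dig > 3 -> 30
    p += spe * 15 if spe <= 3 else 45         # spe 1..3 -> spe*15, spe > 3 -> 45
    p += upp * 10 if upp <= 3 else 30         # upp 1..3 -> upp*10, upp > 3 -> 30
    return p - 20

def mozilla_percent(password: str) -> int:
    """Score clamped to 0..100; the raw formula can exceed 100 (max 135) or go negative."""
    return max(0, min(100, mozilla_strength(password)))

if __name__ == "__main__":
    # the report's remark: length beyond 5 characters adds nothing, so these two tie
    for pw in ("ABCDEabcde", "ABCDE" + "a" * 10, "4pRte!ai@3", "abc"):
        print("%-16s raw=%4d percent=%3d" % (pw, mozilla_strength(pw), mozilla_percent(pw)))
```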

PGP is a fairly complex password evaluation method. The character space consists of sets that are defined in considerable detail:

ASCII from  ASCII to  Hex from   Hex to     Length
0           31        0x000000   0x00001F   32
32          32        0x000020   0x000020   1
33          35        0x000021   0x000023   15
36          36        0x000024   0x000024   1
37          39        0x000025   0x000027   15
40          40        0x000028   0x000028   3
41          41        0x000029   0x000029   3
42          42        0x00002a   0x00002a   15
43          43        0x00002b   0x00002b   6
44          44        0x00002c   0x00002c   15
45          45        0x00002d   0x00002d   1
46          47        0x00002e   0x00002f   15
48          57        0x000030   0x000039   10
58          59        0x00003a   0x00003b   15
60          62        0x00003c   0x00003e   6
63          64        0x00003f   0x000040   15
65          90        0x000041   0x00005a   26
91          91        0x00005b   0x00005b   3
92          92        0x00005c   0x00005c   15
93          93        0x00005d   0x00005d   3
94          94        0x00005e   0x00005e   2
95          95        0x00005f   0x00005f   1
96          96        0x000060   0x000060   2
97          122       0x000061   0x00007a   26
123         123       0x00007b   0x00007b   3
124         124       0x00007c   0x00007c   6
125         125       0x00007d   0x00007d   3
126         126       0x00007e   0x00007e   6
127         160       0x00007f   0x0000a0   33

Thus for PGP the characters in the password must have ASCII codes below ... L = length(@) = 15.
- Counting the bits of L: the number of bits of L is defined as the minimum number of binary digits needed to represent L. Example: L = 15 decimal = 0000 1111 binary => numbit(L) = number of bits of L = 4.
* Algorithm for counting the bits of L:
- Create a mask 1111 1111, then AND it bit by bit with L, shifting L left one bit at a time until the result of the AND is 0.
- Then sum the results obtained.

2./ Computing the Max Entropy: the same length and bit-counting methods as for the MinEntropy are used.
- Check whether the character ch = password[i] belongs to a defined set. If so, mark it.
- Count the characters not in any defined set.
- Sum the Length values of the marked characters.
- Count the bits of the scope.
- Compute the maximum entropy of the password string.
Result: D = MaxEntropy - MinEntropy; Result = MinEntropy + (D/2);
As a percentage (q) relative to 128 bits: if result > 128 then result = 100; otherwise result = result/128 x 100.

Advantages:
- The character space is divided in great detail, correctly assessing the strength of each character. For example, the character _ is used more often than ], so L(_) < L(]). ... > 160 (such as Vietnamese characters)


TABLE OF CONTENTS

I. OVERVIEW OF AUTHENTICATION
  A. Authentication by username and password
    1. HTTP Authentications
    2. Combined with Windows NTLM authentication
    3. Negotiate Authentication (negotiated authentication)
  B. Authentication based on smart cards and certificates
    1. Certificate-based authentication
    2. Forms-based authentication
    3. RSA SecurID token authentication
  C. Biometric authentication
II. PASSWORDS AND PASSWORD CRACKING
  What is a password?
  Why are passwords necessary?
  Threats stemming from passwords
  Dangers when a password is leaked
  What is a password attack?
  1. Brute-force attack
    a. On the local machine
    b. Attacking a remote machine
  2. Finding passwords by decoding cookies
III. PASSWORDS AND PASSWORD SECURITY
  1. Password strength and weakness
    a. What is a weak password?
    b. What is a strong password
  2. How to have a strong password?
  3. Recommendations when setting passwords
  4. Some password evaluation algorithms
    a. KeePass
    b. Mozilla
    c. PGP
