Introduction

CSC 482/582: Computer SecurityPasswordsCSC 482/582: Computer Security1CSC 482/582: Computer SecurityTopicsPassword SystemsPassword AttacksMitigating AttacksGraphical passwordsOne-time passwordsCSC 482/582: Computer SecurityAuthentication SystemA: set of authentication informationinformation used by entities to prove identityC: set of complementary informationinformation stored by system to validate AF: set of complementation functions f : A Cgenerate C from AL: set of authentication functions l: A C{T,F}verify identityS: set of selection functionsenable entity to create or alter A or CCSC 482/582: Computer SecurityPassword System ExampleUser authenticates with 8-character alphanumeric password.System compares against stored cleartext password.

A = [A-Za-z0-9]{8}C = AF = { I }L = { = }

Not a system that anyone should actually use.CSC 482/582: Computer SecurityPasswordsWhat you knowSequence of charactersComplementation FunctionIdentity: requires access control to protect COne-way Hasheasy to compute c = f(a)difficult to compute a = f-1(c)CSC 482/582: Computer SecurityClassic UNIX PasswordsFormat: Up to 8 ASCII charactersA contains 6.9 x 1016 possible passwordsC contains crypt hashes, strings of length 13 chosen from alphabet of 64 characters, 3.0 x 1023 stringsStorage/etc/passwd (0644) was traditionally used/etc/shadow (0600) in modern systems

Attacks on Password SystemsOffline password crackingOnline dictionary attacksObserve passwordsAttacking password infrastructureCSC 482/582: Computer SecurityCSC 482/582: Computer SecurityOffline Password CrackingGet Hashed Password pwhashword = Next word from listwordhash = Hash(word)wordhash == pwhashFalseTrueword is pwList of potentialpasswords.CSC 482/582: Computer SecurityCracking MethodsList of common passwordsList of English/foreign wordsPermutation rulesSubstitute numbers/symbols for lettersChange case, pluralize, reverse words, character shifts, digit/symbol prefix/postfix,joining wordsBrute forceAll possible passwordsOnline Password GuessingUse applications login interfaceMuch slower than offline attack, butAlways possible to do.Two types of attackGuess passwords for a specific known user accountKnow that its a valid accountUse information about user (name, bday) to guessGuess usernames and guess passwords for all accountsDont know if account is validFailures may be due to invalid username or passwordSomeone probably has an easy to guess password

CSC 482/582: Computer SecurityObserve PasswordsSniff passwords off networkMust be able to access a network node in path between source and destination of communicationImpossible if connection is encryptedFind passwords in a file or databaseIdentify files/databases that likely to contain passwordsMay or may not be encryptedShoulder surfWatch for someone to type a passwordDesk searchPasswords may be written down near workspaceCSC 482/582: Computer SecurityCSC 482/582: Computer SecurityAttacking Password InfrastructureWeb sites will e-mail you password if you answer a simple secret question:What is your favorite color?What is your pets name?What is your mothers maiden name?Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there?Mitigating Password AttacksEnable system to use long passwords with a large alphabet of possible charactersHash passwords to protect against file attacksSalt passwords to protect against offline crackingSelect hard to guess passwordsMitigating online attacks with backoff and lockoutProtect password management functionsPassword agingOne-time passwords

CSC 482/582: Computer SecurityCSC 482/582: Computer SecurityCountering Password GuessingChoose A, C, and F to select suitably low probability P(T) of guessing in time T.

P(T) >= TG / NG is number of guess per time unit TT is number of time units in attackN is number of possible passwordsCSC 482/582: Computer SecurityCalculating Minimum Password Length Password SystemThere are 96 allowable characters in password.System allows 106 guesses/second.Requirement: probablility of success guess should be 0.5 over 365-day period.What should the minimum password length be?N >= TG/PN >= (365 x 24 x 60 x 60) x 106 / 0.5 = 6.31 x 1013N = S96i, where i ranges from 1 to length of password S96i >= N = 6.31 x 1013 is true when largest i >= 8The minimum required password length is 8.CSC 482/582: Computer SecurityUNIX Password Hashingcrypt() function used for hashingDES encrypts 64-bit block of 0s (25 rounds) using your password for the key.Modified DES incompatible with DES hardware cracking tools.Limited to 8 characters or less.If limited to 95 printable characters, only 253 possible passwords.How to resist dictionary attacks? SaltingCSC 482/582: Computer SecuritySaltingAdds a 2-character (12-bit) random, public data to password to create key.Any word may be encrypted in 4096 possible ways (i.e., there are 4096 f F).Your password always uses same salt.Someone else with same password (a) probably has different salt, and thus different c = f(a).Number of possible keys increased to 266Too small for today; modern UNIX doesnt use crypt.CSC 482/582: Computer SecuritySalting (cont.)Prevents pre-calculated dictionary attack266 passwords requires millions of terabytes crypt() 218 passwords/secondBrute force would require 8000 machines for 48 days.

CSC 482/582: Computer SecurityModern UNIX PasswordsFormat: long ASCII stringHashing techniques:MD5 (unlimited length, 12-48 bit salt)SHA1 (unlimited length, 12-48 bit salt)Bcrypt (55 chars, 128-bit salt, adjustable cost)CSC 482/582: Computer SecurityWindows 2000/XP PasswordsStorage%systemroot%\system32\config\samlocked while NT running%systemroot%\repair\sam_ backup filemay be accessible via remote registry callsFormatLAN Manager (LM) HashNT (MD4) Hash

CSC 482/582: Computer SecurityWindows LM Hash AlgorithmPassword fitted to 14 character length by truncating or padding with 0s. Password converted to upper case.Password divided into two 7-byte halves. Each half used as DES key to encrypt same 8-byte constant.Resultant strings merged to form a 16-byte hash value.CSC 482/582: Computer SecurityWindows LM Hash ProblemsLast 8 bytes of c known if password < 7 chars.Dividing password into halves reducing problem of breaking 14-character password to breaking two 7-character passwords.Conversion to upper case reduces character set.Dictionary of password hashes can be prebuiltNumber of possible passwords much smaller than DES space.No salt is used.CSC 482/582: Computer SecurityWindows NT HashConverts to Unicode, MD4 hashes resultCaveat: Often used in conjunction with LM hash, which is required for backwards compatibility.No salt: identical passwords generate identical hashes.CSC 482/582: Computer SecurityPassword SelectionRandom SelectionPronounceable PasswordsUser SelectionCSC 482/582: Computer SecurityRandom SelectionYields equal distribution of passwords for maximum difficulty in crackingWhat about short passwords?Random passwords arent easy to rememberShort term memory holds 7 +/- 2 itemsPeople have multiple passwordsPrinciple of Psychological AcceptabilityRequires a good PRNGCSC 482/582: Computer SecurityRandom Selection (Bad)ExamplePDP-11 password generator16-bit machine8 upper-case letters and digits|P| = 368 = 2.8 x 1012At 0.00156 sec/encryption, 140 years to brute forcePRNG had period of 216 1Only 65,535 possible passwordsRequires 102 seconds to try all passwordsCSC 482/582: Computer SecurityPronounceable PasswordsGenerate passwords from random phonemes instead of random characters.People can remember password as sequence of audible phonemes instead of characters, allowing easy recall of longer passwords.Fewer pronounceable passwords exist than random passwords.

CSC 482/582: Computer SecurityUser SelectionAllow users to choose passwords.

Reject insecure passwords based on ruleset:Based on account, user, or host namesDictionary wordsPermuted dictionary wordsPatterns from keyboardShorter than 6 charactersDigits, lowercase, or uppercase only passwordsLicense plates or acronymsBased on previously used passwordsCSC 482/582: Computer SecurityHuman Randomness?

Most Common Passwords

CSC 482/582: Computer Securityhttp://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html30CSC 482/582: Computer SecurityHow to Select Good PasswordsLong passwords, consisting of multiple words..Use nth letter of each word if phrase too long.Themes:Word combinations: 3 blind katzE-mail or URL: yoda@strong-this-password-is.netPhone number: (888) 888-eight eightBracketing: Starfleet -> *!-Starfleet-!*Add a word: shopping -> Goin shoppingRepetition: Pirate--PirateShipLetter swapping: Sour Grape -> Gour SrapeCSC 482/582: Computer SecurityMitigating Online AttacksIf complements not accessible, attacker cannot use offline attacks and must use authentication functions.Cannot be prevented.

Increase difficulty of auth function attack:Backoff: increasing wait before reprompting.Disconnection: disconnect after n failures.Disabling: disable account after n failures.Jailing: permit access to limited system, so admins can observe attacker.Protecting Password ManagementAlways send password to a predetermined locationDo not let user change email/phone when requesting a password reset or change.Always notify the user of a password changeUser can be alerted in case an attacker has changed the password.Let user create questions and answersDont provide a list of pre-determined questions.CSC 482/582: Computer SecurityCSC 482/582: Computer SecurityPassword AgingRequirement that password be changed after a period of time or after an event has occurredIf expected time to guess is 180 days, should change password more frequently than 180 daysIf change time too short, users have difficulty recalling passwords.Cannot allow users to change password to current one.Also prevent users from changing passwords too soon.Give notice of impending password change requirement.CSC 482/582: Computer SecurityGraphical PasswordsFace Scheme: Password is sequence of faces, each chosen from a grid of 9 faces.Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story.

35Figure 9-4, Security and UsabilityPassword ReuseCSC 482/582: Computer Security

http://xkcd.com/792/http://xkcd.com/792/36CSC 482/582: Computer SecurityChallenge-ResponseProblem: passwords are reusable, and thus subject to replay attacks.

Solution: authenticate in such a way that the transmitted password changes each time.

CSC 482/582: Computer SecurityOne-Time PasswordsA password thats invalidated once used.

Challenge: number of auth attemptResponse: one-time password

ProblemsGeneration of one-time passwordsUse hash or crytographic functionSynchronization of the user and the systemNumber or timestamp passwordsCSC 482/582: Computer SecurityS/KeyOne-time password system based on a hash function h (MD4 or MD5).User initializes with random seed k.Key generator calculates:h(k) = k1, h(k1) = k2, , h(kn-1) = knPasswords, in order used, arep1 = kn, p2 = kn-1, , pn-1= k2, pn= k1CSC 482/582: Computer SecurityS/KeyAttacker cannot derive pi+1 from pi sincepi = kn-i+1, pi+1 = kn-i, and h(kn-i) = kn-i+1which would require inverting h.

Once user has used all passwords, S/Key must be re-initialized with a new seed.

CSC 482/582: Computer SecurityS/Key LoginUser supplies account name to serverServer replies with number i stored in skeykeys fileUser supplies corresponding password piServer computes h(pi) = h(kn-i+1) = kn-i+2 = pi-1 and compares result with stored password. If match, user is authenticated and S/Key updates number in skeykeys file to i-1 and stores piCSC 482/582: Computer SecurityS/Key LoginFreeBSD/i386 (example.com) (ttypa) login: s/key 97 fw13894 Password:

Use S/Key calculator on local system to calculate response:% key 97 fw13894 Enter secret password: WELD LIP ACTS ENDS ME HAAG CSC 482/582: Computer SecurityOther One Time Password SystemsSoftware: OPIEBackwards compatible with S/Key (if same hash used).Hardware: RSA SecurID cardDisplayed password changes every 60sec.Password = constant password + SecurID

CSC 482/582: Computer SecurityKey PointsPasswords can be attacked byOffline crackingOnline guessingObservationAttacking password management functionsStored passwords are secured viaHashing (crypt, MD5, SHA1, bcrypt)SaltingGood passwords need to beComplexUniqueSecretChanged on a regular basisOne-time passwords offer greater security.44CSC 482/582: Computer SecurityReferencesRoss Anderson, Security Engineering, Wiley, 2001.Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, 2006.Lorie Faith Cranor and Simson Garfinkel, Security and Usability, OReilly, 2005.Daswani, Foundations of Security, APress, 2007.Cynthia Kuo et. al., Human Selection of Mnemonic Phrase-based Passwords, SOUPS 2006, http://cups.cs.cmu.edu/soups/2006/proceedings/p67_kuo.pdf, 2006.Neils Provos and David Mazieres, A Future-Adaptable Password Scheme, http://www.openbsd.org/papers/bcrypt-paper.pdf, 2006.Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e OReilly, 2003.