Passwords, Lecture 18a (Auckland)
Muhammad Rizwan Asghar
September 4, 2020
PASSWORDS
Lecture 18a
COMPSCI 316
Cyber Security
FOCUS OF THIS LECTURE
Understand identification and authentication
Learn how passwords are protected
IDENTIFICATION & AUTHENTICATION
Identification
– The process in which a system entity provides its
claimed identity
– For instance, UPI
Authentication
– The process of verifying an identity claimed by a
system entity
– For example, PIN or password
PASSWORD VULNERABILITIES
Offline dictionary attack
Specific account attack
Popular password attack
Password guessing against single user
Workstation hijacking
Exploiting user mistakes
Exploiting same password use
Electronic monitoring
OFFLINE DICTIONARY ATTACK
Strong access controls are used to protect password
files
However, determined attackers can gain access to
password files
The attacker then compares the stolen password hashes
against the hashes of commonly used passwords
Countermeasures
– Prevent unauthorised access to password files
– Intrusion detection measures to identify a compromise
– Rapid reissuance of passwords
SPECIFIC ACCOUNT ATTACK
An attacker targets a specific account
Submits password guesses until successful
Countermeasures
– Lockout mechanism after a certain number of
failed attempts
– An alternative is to progressively delay each
subsequent attempt
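An added example (not from the lecture) of the two countermeasures on this slide: a per-account throttle that doubles the delay after each failed attempt and locks the account after a fixed number of consecutive failures. The account names, thresholds and the injectable clock are assumptions for illustration.

```python
import time

MAX_FAILURES = 5       # lock the account after this many consecutive failures
BASE_DELAY = 1.0       # seconds; doubled after every further failure (1, 2, 4, 8 ...)
LOCKOUT_SECONDS = 900  # 15-minute lockout once MAX_FAILURES is reached


class LoginThrottle:
    """Tracks consecutive failed attempts per account (in-memory, for illustration)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the behaviour can be tested without sleeping
        self.failures = {}          # account -> consecutive failure count
        self.next_allowed = {}      # account -> earliest time the next attempt is accepted

    def check(self, account):
        """Call before checking the password: (allowed, seconds the client must wait)."""
        now = self.clock()
        earliest = self.next_allowed.get(account, 0.0)
        if now < earliest:
            return False, earliest - now
        return True, 0.0

    def record_failure(self, account):
        """Register a failed attempt; returns the delay imposed before the next one."""
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        now = self.clock()
        if n >= MAX_FAILURES:
            self.next_allowed[account] = now + LOCKOUT_SECONDS          # lockout
        else:
            self.next_allowed[account] = now + BASE_DELAY * 2 ** (n - 1)  # progressive delay
        return self.next_allowed[account] - now

    def record_success(self, account):
        """A correct password clears the counter and any pending delay."""
        self.failures.pop(account, None)
        self.next_allowed.pop(account, None)
```

A hard lockout lets anyone who knows a user ID lock that user out, which is one reason to prefer the progressive delay or combine the two.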
POPULAR PASSWORD ATTACK
Users tend to choose easily remembered passwords
– E.g., “123456”
This makes passwords easy to guess
Attackers can try commonly used password(s) against
a wide range of user IDs
Countermeasures
– Enforcing complex password policies
– Scanning IP addresses and client cookies for submission
patterns
– Intrusion detection
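The "submission patterns" countermeasure above, as an added example that is not part of the lecture: detection logic run over constructed authentication log lines (RFC 5737 documentation addresses) that flags a source IP whose failed logins touch many different user IDs within a short window, the footprint of one popular password tried across many accounts, without ever needing the password itself. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the lecture). Passwords are never logged.
SAMPLE_LOG = """\
2020-09-04T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-09-04T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2020-09-04T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2020-09-04T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2020-09-04T10:00:05Z ip=203.0.113.7 user=erin result=OK
2020-09-04T10:00:09Z ip=198.51.100.2 user=frank result=FAIL
2020-09-04T10:00:20Z ip=198.51.100.2 user=frank result=FAIL
2020-09-04T10:00:31Z ip=198.51.100.2 user=frank result=OK
"""


def parse(line):
    """'ts key=value ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_spray_sources(log_text, window=timedelta(minutes=5), min_distinct_users=4):
    """Return {ip: sorted user IDs} for IPs whose failed logins hit at least
    min_distinct_users different accounts inside any window of the given length.
    A single account failing repeatedly (frank above) is a different pattern and
    is left to the per-account throttle, not flagged here."""
    fails = defaultdict(list)  # ip -> [(ts, user)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["result"] == "FAIL":
            fails[rec["ip"]].append((rec["ts"], rec["user"]))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users_in_window = {u for t, u in events[i:] if t - start <= window}
            if len(users_in_window) >= min_distinct_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged
```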
PASSWORD GUESSING
AGAINST SINGLE USER
Gaining knowledge about an individual user
Knowing system password policies
Using both to guess a password
Countermeasures
– Educating users
– Enforcing complex password policies
WORKSTATION HIJACKING
The attacker waits until a logged-in workstation
is unattended
Countermeasures
– Logging out after a certain period of inactivity
– Intrusion detection schemes can be used to
detect changes in user behaviour
EXPLOITING USER MISTAKES
Users are likely to write down system-assigned
passwords
The fundamental issue is that such passwords can be
difficult to remember
Attackers can also use social engineering to trick
the user into revealing a password
Second, many systems ship with default passwords
for administrator accounts
Countermeasures
– Changing default passwords
– Educating users
EXPLOITING SAME PASSWORD USE
Users tend to choose the same password for
different services
Attackers can learn a password from one source
They can then try the same password on other
services the user might use
Countermeasures
– Choose different passwords
– Educating users
ELECTRONIC MONITORING
Communicating a password in plaintext is
vulnerable to eavesdropping
Countermeasures
– Never send a password in plaintext
– Technical solutions for secure transfer of
passwords
LOADING PASSWORD:
SALT WITH HASH
To mitigate some password
vulnerabilities, salt can be used
Salt can be a random number
Salt can increase attacker’s
workload
At the time of registration, the
server can store
– UserID
– Salt
– Salted password hash
VERIFYING PASSWORD:
SALT WITH HASH
The user provides UserID and
password
Lookup the corresponding salt
and hash
Re-compute the hash based on
the retrieved salt and entered
password
If the result matches, the
password is accepted
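The registration ("loading") and verification steps on the two slides above, together with the random-salt benefits on the slide that follows, as an added example that is not the lecture's own code: a minimal store keeping UserID, salt and salted hash, using PBKDF2-HMAC-SHA256 from Python's standard library. The choice of PBKDF2, the 128-bit salt size and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16        # 128-bit random salt: far too many values to precompute a table per salt
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; makes every offline guess expensive


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256, 32-byte digest)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordStore:
    """Per UserID the server keeps only the salt and the salted password hash."""

    def __init__(self):
        self.records = {}  # user_id -> (salt, salted_hash)

    def register(self, user_id, password):
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every registration
        self.records[user_id] = (salt, hash_password(password, salt))

    def verify(self, user_id, password):
        """Look up the salt and hash, recompute from the entered password, compare."""
        rec = self.records.get(user_id)
        if rec is None:
            # Do the same work for unknown users so response time does not reveal valid IDs.
            hash_password(password, bytes(SALT_BYTES))
            return False
        salt, stored = rec
        # Constant-time comparison avoids leaking how many leading bytes matched.
        return hmac.compare_digest(hash_password(password, salt), stored)


def demo():
    """Two users who picked the same weak password end up with unrelated hashes."""
    store = PasswordStore()
    store.register("alice", "123456")
    store.register("bob", "123456")
    _, hash_alice = store.records["alice"]
    _, hash_bob = store.records["bob"]
    return {
        "alice_ok": store.verify("alice", "123456"),
        "alice_wrong": store.verify("alice", "123457"),
        "unknown_user": store.verify("mallory", "123456"),
        "same_password_same_hash": hash_alice == hash_bob,  # False: the salts differ
    }
```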
RANDOM SALT BENEFITS
Difficult to guess if one user chooses the same
password for multiple services
Difficult to guess if multiple users choose the
same password for a single service (or more)
Makes offline dictionary attack difficult
An attacker can use rainbow tables to precompute a
dictionary of salted hashes
– The solution is to use a large salt
MULTI-FACTOR AUTHENTICATION
Different factors or means of authentication
– Something you know
E.g., PIN or password
– Something you have (token)
E.g., smartcard
– Something you are (static biometrics)
E.g., fingerprint
– Something you do (dynamic biometrics)
E.g., voice pattern or behaviour analysis
Use two or more factors to enable 2-factor or
multi-factor authentication
PASSWORD RESET [Gelernter-SP17]:
MAN-IN-THE-MIDDLE (MITM) ATTACK
The victim believes she is registering when in fact the
password is being reset by the attacker’s site
SITES VULNERABLE TO THIS
PASSWORD RESET MITM ATTACK
COUNTERMEASURES
Educate users
Use multi-factor authentication
Better notifications to users for password reset
Phone call and reply by voice in case of
password reset
SAMPLE QUESTION
Which one of the following is the best choice for
protecting passwords?
a) Educate users
b) Do not allow simple password policy
c) Use multi-factor authentication
d) All of the above
SAMPLE QUESTION: ANSWER
Which one of the following is the best choice for
protecting passwords?
a) Educate users
b) Do not allow simple password policy
c) Use multi-factor authentication
d) All of the above
Answer) d
RESOURCES
Read Chapter 3 of
Computer Security: Principles and Practice, Fourth Edition,
William Stallings and Lawrie Brown, Pearson Higher Ed USA,
ISBN 1292220635
Gelernter, Nethanel, Senia Kalma, Bar Magnezi, and Hen Porcilan.
The Password Reset MitM Attack. In 2017 IEEE Symposium on
Security and Privacy (SP), pp. 251-267. IEEE, 2017.
Questions?
Thanks for your attention!