Introduction - Hiram College


Section 2.3 Authentication Technologies

Authentication
Authentication is the determination of identity, usually based on a combination of: something the person has (a smart card or a radio key fob storing secret keys), something the person knows (a password), and something the person is (a human with a particular fingerprint).
[Figure: the three factors. Something you know: a password such as ucIb()w1V, or security answers such as mother=Jones, pet=Caesar. Something you are: a human with fingers and eyes. Something you have: a radio token with secret keys.]

Barcodes
Barcodes were developed in the 20th century to improve efficiency in grocery checkout. First-generation barcodes represent data as a series of variable-width vertical lines of ink, which is essentially a one-dimensional encoding scheme. More recent barcodes are rendered as two-dimensional patterns of dots, squares, or other symbols that are read by specialized optical scanners, which translate a specific type of barcode into its encoded information.

Authentication via Barcodes

Since 2005, the airline industry has been incorporating two-dimensional barcodes into boarding passes, which are created at flight check-in and scanned before boarding. In most cases, the barcode is encoded with an internal unique identifier that allows airport security to look up the corresponding passenger's record with that airline. Staff then verify that the boarding pass was in fact purchased in that person's name (using the airline's database) and that the person can provide photo identification. The security here comes from the database lookup and the photo ID, not from the barcode itself.

In most other applications, however, barcodes provide convenience but not security. Since barcodes are simply images, they are extremely easy to duplicate: anyone who can photograph or print one can present it.
[Image: two-dimensional boarding-pass barcode, public domain, http://commons.wikimedia.org/wiki/File:Bpass.jpg]

Magnetic Stripe Cards
A plastic card with a magnetic stripe containing personalized information about the card holder. The first track of a magnetic stripe card contains the cardholder's full name in addition to an account number, format information, and other data. The second track may contain the account number, expiration date, information about the issuing bank, data specifying the exact format of the track, and other discretionary data.
[Image: back of a card with magnetic stripe, public domain, by Alexander Jones, http://commons.wikimedia.org/wiki/File:CCardBack.svg]

Magnetic Stripe Card Security
One vulnerability of the magnetic stripe medium is that it is easy to read and reproduce. Magnetic stripe readers can be purchased at relatively low cost, allowing attackers to read information off cards. When coupled with a magnetic stripe writer, which is only a little more expensive, an attacker can easily clone existing cards. The stripe alone is therefore only a weak "something you have", so many uses require card holders to also enter a PIN (e.g., ATM and debit cards in the U.S.).

Smart Cards
Smart cards incorporate an integrated circuit, optionally with an on-board microprocessor. The microprocessor can read and write the card's memory, allowing the data on the card to be both accessed and altered under the card's own control rather than by the reader. Smart card technology can provide secure authentication mechanisms that protect the information of the owner and are extremely difficult to duplicate.
[Image: smart card chip contact interface, public domain, http://en.wikipedia.org/wiki/File:Carte_vitale_anonyme.jpg]

Smart Card Authentication
Smart cards are commonly employed by large companies and organizations as a means of strong authentication using cryptography: the card holds a secret key that never leaves the chip and proves possession of it by answering a challenge. Smart cards may also be used as a sort of electronic wallet, containing funds that can be used for a variety of services, including parking fees, public transport, and other small retail transactions.

SIM Cards
Many mobile phones use a special smart card called a subscriber identity module card (SIM card). A SIM card is issued by a network provider. It maintains personal and contact information for a user and allows the user to authenticate to the cellular network of the provider.

SIM Card Security

SIM cards contain several pieces of information that are used to identify the owner and authenticate to the appropriate cell network. Each SIM card corresponds to a record in the database of subscribers maintained by the network provider. A SIM card features an integrated circuit card ID (ICCID), a unique number (19 or 20 digits in practice) used for hardware identification. Next, a SIM card contains a unique international mobile subscriber identity (IMSI), which identifies the owner's country, network, and personal identity. SIM cards also contain a 128-bit secret key (Ki), shared only with the provider's subscriber database. This key is used for authenticating a phone to a mobile network; it never leaves the card, which performs the computations that use it. As an additional security mechanism, many SIM cards require a PIN before allowing any access to information on the card.

GSM = Global System for Mobile Communications

GSM Challenge-Response Protocol

1. When a cellphone wishes to join a cellular network, it connects to a local base station owned by the network provider and transmits its IMSI.
2. If the IMSI matches a subscriber's record in the network provider's database, the base station transmits a 128-bit random number to the cellphone.
3. The cellphone's SIM card combines this random number with the subscriber's secret key using the operator's keyed one-way algorithm, known as A3 (the widely deployed COMP128 implementation was proprietary and was later shown to be weak), producing a 32-bit signed response (SRES) that is sent back to the base station.
4. The base station performs the same computation, using its stored value for the subscriber's secret key. If the two results match, the cellphone is authenticated to the network and is allowed to make and receive calls. Because the key itself is never transmitted, an eavesdropper learns only the (challenge, response) pair, and a fresh random challenge each time prevents that pair from being replayed.

IMSI = this phone's ID
R = a 128-bit random number (the challenge)
E_K(R) = the response: R transformed under the subscriber's secret key K (a 32-bit value in GSM, not a 128-bit ciphertext)

RFIDs
Radio frequency identification, or RFID, is a rapidly emerging technology that relies on small transponders to transmit identification information via radio waves. RFID chips feature an integrated circuit for storing information and a coiled antenna to transmit and receive a radio signal.

RFID Technology
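The GSM exchange described above, simulated end to end as an added example (not part of the lecture): the SIM holding Ki, the base station holding the subscriber database, and a replay attempt that the fresh challenge defeats. The IMSI and key are constructed sample values, and an HMAC truncated to 32 bits stands in for the operator's A3, which is an assumption of this example rather than GSM's algorithm.

```python
"""GSM-style SIM authentication: a challenge-response exchange simulated end to end.

Added example, not part of the lecture. The real A3 algorithm is chosen by the
operator (the common COMP128 implementation was proprietary); here HMAC-SHA256
truncated to 32 bits STANDS IN for A3, which is an assumption of this example.
The IMSI and Ki below are constructed sample values.
"""
import hashlib
import hmac
import secrets

# Subscriber database held by the network provider: IMSI -> 128-bit key Ki.
# (constructed sample data; a real Ki never leaves the SIM and the provider's database)
SUBSCRIBER_DB = {
    "310150123456789": bytes.fromhex("0123456789abcdef0123456789abcdef"),
}


def a3(ki: bytes, rand: bytes) -> bytes:
    """Keyed one-way function producing the 32-bit signed response SRES.

    Assumption: HMAC-SHA256 truncated to 4 bytes replaces the operator's A3.
    What the protocol needs is that SRES cannot be computed, nor Ki recovered,
    without Ki itself.
    """
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are both 128 bits in GSM")
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Sim:
    """The SIM card: holds Ki and answers challenges; Ki never leaves the object."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        return a3(self._ki, rand)


class BaseStation:
    """Network side: issues fresh random challenges and checks the responses."""

    def __init__(self, subscriber_db: dict) -> None:
        self.db = subscriber_db
        self.pending = {}  # IMSI -> outstanding RAND

    def challenge(self, imsi: str):
        if imsi not in self.db:
            return None  # unknown subscriber: no challenge issued
        rand = secrets.token_bytes(16)  # 128-bit RAND, fresh for every attempt
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi: str, sres: bytes) -> bool:
        rand = self.pending.pop(imsi, None)  # each RAND is usable exactly once
        if rand is None:
            return False
        expected = a3(self.db[imsi], rand)
        return hmac.compare_digest(expected, sres)


def authenticate(sim: Sim, bts: BaseStation) -> bool:
    """Run the full exchange: IMSI -> RAND -> SRES -> accept/reject."""
    rand = bts.challenge(sim.imsi)
    if rand is None:
        return False
    return bts.verify(sim.imsi, sim.respond(rand))


def replay_attack(sim: Sim, bts: BaseStation) -> bool:
    """An eavesdropper records one (RAND, SRES) pair and replays the SRES later.

    Returns True only if the replay is accepted, which the fresh challenge prevents.
    """
    rand = bts.challenge(sim.imsi)
    captured_sres = sim.respond(rand)
    bts.verify(sim.imsi, captured_sres)         # the legitimate session completes
    bts.challenge(sim.imsi)                     # a new session gets a new RAND ...
    return bts.verify(sim.imsi, captured_sres)  # ... so the old SRES no longer matches


if __name__ == "__main__":
    bts = BaseStation(SUBSCRIBER_DB)
    good = Sim("310150123456789", SUBSCRIBER_DB["310150123456789"])
    print("genuine SIM accepted:", authenticate(good, bts))
    print("replayed SRES accepted:", replay_attack(good, bts))
```

The base station stores the challenge it issued and discards it on the first verify call, so even a correct SRES is good for one attempt only; a SIM with the wrong Ki or an unknown IMSI is rejected without the key ever crossing the air interface.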

RFID tags must be used in conjunction with a separate reader or writer. While some RFID tags require a battery, many are passive and do not. The effective range of RFID varies from a few centimeters to several meters, but in most cases, since data is transmitted via radio waves, it is not necessary for a tag to be in the line of sight of the reader. The same property means a tag can be read by anyone with a reader in range, not only by the intended reader.

RFID Technology
This technology is being deployed in a wide variety of applications:
- Consumer-product tracking by many vendors
- Car key fobs
- Electronic toll transponders
- Locating animals and showing ownership

Passports
Modern passports of several countries, including the United States, feature an embedded RFID chip that contains information about the owner, including a digital facial photograph that allows airport officials to compare the passport's owner to the person who is carrying the passport. The RFID chip and antenna are embedded in the cover, which carries the e-Passport symbol.

Passport Security
In order to protect the sensitive information on a passport, all RFID communications are encrypted with a secret key. In many instances, however, this secret key is derived merely from the passport number, the holder's date of birth, and the expiration date, in that order. All of this information is printed on the passport's data page, either in text or in the machine-readable zone that is read optically at the border. While this secret key is intended to be accessible only to those with physical access to the passport, an attacker with information on the owner, including when their passport was issued, may be able to reconstruct this key easily, especially since passport numbers are typically issued sequentially: the date of birth and the expiration date are then known, and only a small range of passport numbers remains to be tried.
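Added example (not from the lecture) of the key derivation the Passport Security slide describes: the Basic Access Control key seed is computed from the three printed fields using the ICAO 9303 check-digit and SHA-1 steps, and a small loop shows how an attacker who already knows the birth and expiry dates recovers a sequentially issued document number. The three MRZ fields are the ICAO worked-example values; the candidate range and the search-space estimate are constructed for illustration, and derivation of the actual encryption and MAC keys from the seed is omitted.

```python
"""How an e-passport's Basic Access Control key is derived from printed data.

Added example, not part of the lecture. It follows the ICAO 9303 key-derivation
steps (MRZ check digits, SHA-1 of the MRZ information, 16-byte key seed). The
document number, birth date and expiry below are the ICAO worked-example fields;
the "sequential" candidate range is constructed for illustration.
"""
import hashlib
from typing import Iterable, Optional


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits count as themselves,
    letters A-Z as 10-35, the filler '<' as 0; the result is the weighted sum mod 10."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Concatenate the three MRZ fields, each followed by its check digit.
    Document numbers shorter than 9 characters are padded with '<'."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{birth_yymmdd}{mrz_check_digit(birth_yymmdd)}"
            f"{expiry_yymmdd}{mrz_check_digit(expiry_yymmdd)}")


def bac_key_seed(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1(MRZ_information). Everything the chip's
    session keys depend on is printed on the data page."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def recover_document_number(target_seed: bytes, birth_yymmdd: str,
                            expiry_yymmdd: str, candidates: Iterable[str]) -> Optional[str]:
    """The attack sketched in the text: with birth date and expiry known, try each
    plausible document number until the derived seed matches the observed one
    (in practice, the seed whose keys decrypt a recorded chip session)."""
    for doc in candidates:
        if bac_key_seed(doc, birth_yymmdd, expiry_yymmdd) == target_seed:
            return doc
    return None


def search_space(number_range: int, birth_known: bool, expiry_known: bool) -> int:
    """Rough count of seeds an attacker must try. Constructed assumptions: an
    unknown birth date spans ~365*80 days, an unknown expiry ~365*10 days."""
    space = number_range
    if not birth_known:
        space *= 365 * 80
    if not expiry_known:
        space *= 365 * 10
    return space


if __name__ == "__main__":
    seed = bac_key_seed("L898902C", "690806", "940623")
    print("MRZ information:", mrz_information("L898902C", "690806", "940623"))
    print("K_seed:", seed.hex())
    candidates = [f"L8989{n:02d}C" for n in range(100)]  # constructed sequential range
    print("recovered:", recover_document_number(seed, "690806", "940623", candidates))
    print("seeds to try with DOB and expiry known:", search_space(100, True, True))
    print("... with neither known:", search_space(100, False, False))
```

The check digits exist to catch optical misreads, not to add secrecy; the entire seed is a deterministic function of three fields that are visible to anyone who has seen the data page, so the effective key entropy is whatever the attacker does not already know.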

Biometrics

Something You Are
Biometric: "You are your key" --- Schneier
Examples:
- Fingerprint
- Handwritten signature
- Facial recognition
- Speech recognition
- Gait (walking) recognition
- "Digital doggie" (odor recognition)
- Many more!
[Figure: the three factors, Are / Know / Have]

Biometrics
"Biometric" refers to any measure used to uniquely identify a person based on biological or physiological traits. Generally, biometric systems incorporate some sort of sensor or scanner to read in biometric information and then compare this information to stored templates of accepted users before granting access.
[Image: fingerprint scanner in Tel Aviv, http://commons.wikimedia.org/wiki/File:Fingerprint_scanner_in_Tel_Aviv.jpg, used with permission under the Creative Commons Attribution 3.0 Unported license]

Requirements for Biometric Identification
- Universality: almost every person should have this characteristic.
- Distinctiveness: each person should have noticeable differences in the characteristic.
- Permanence: the characteristic should not change significantly over time.
- Collectability: it should be possible to determine and quantify the characteristic effectively.
- Easy and cheap to deploy.

Biometric Identification
[Figure: the reader captures the biometric, a feature vector is extracted, and a comparison algorithm matches it against the stored reference vector; the output is "matches" or "doesn't match".]

Candidates for Biometric IDs
- Fingerprints
- Retinal/iris scans
- DNA
- Blue-ink signature
- Voice recognition
- Face recognition
- Gait recognition
Let us consider how each of these scores in terms of universality, distinctiveness, permanence, and collectability.
[Images, all public domain: fingerprint arch (http://commons.wikimedia.org/wiki/File:Fingerprint_Arch.jpg), retinal scan (http://commons.wikimedia.org/wiki/File:Retinal_scan_securimetrics.jpg), CBP chemist reading a DNA profile (http://commons.wikimedia.org/wiki/File:CBP_chemist_reads_a_DNA_profile.jpg)]

Examples vs Ideal
- Universality: fingerprints are (almost) universal; birthmarks and scars are not.
- Distinctiveness: retinal images and DNA are distinctive; fingerprints almost always are; the existence of tonsils is not.
- Permanence: possessed by DNA and (almost) by fingerprints.
- Collectability: depends on the characteristic.

Why Biometrics?
- Biometrics are seen by professionals as a desirable replacement for passwords.
- Cheap and reliable biometrics are still needed; today it is a very active area of research.
- Biometrics are used somewhat in security today: thumbprint mouse, palm print for secure entry, fingerprint to unlock a car door, fingerprint to unlock a laptop.
- But biometrics are generally not used: they have not lived up to their promise (yet?).

Biometric Modes
- Identification --- "Who goes there?" Compare one to many. Example: the FBI fingerprint database.
- Authentication --- "Is that really you?" Compare one to only one. Example: thumbprint mouse.
- The identification problem is more difficult: more comparisons are made, so more random matches occur.
- We are interested in authentication; identification is another issue.

Enrollment vs Recognition
Enrollment phase:
- The subject's biometric info is put into the database.
- Must carefully measure the required info; OK if slow and repeated measurement is needed.
- Must be very precise for good recognition; this is a weak point of many biometric schemes.
Recognition phase:
- The biometric detection used in practice.
- Must be quick and simple, but must still be accurate.

Cooperative Subjects
- We are assuming cooperative subjects.
- In the identification problem we often have uncooperative subjects. For example, facial recognition has been proposed for use in Las Vegas casinos to detect known cheats, and as a way to detect terrorists in airports, etc.
- There we probably do not have ideal enrollment conditions, and the subject will try to confuse recognition.
- A cooperative subject makes it much easier!

Biometric Errors
Fraud rate vs insult rate:
- Fraud --- user A (mis)authenticates as user B (a false accept).
- Insult --- user A is not authenticated as user A (a false reject).
For any biometric, the match threshold can be moved to decrease fraud or insult, but the other will increase. For example, requiring a 99% voiceprint match gives low fraud but high insult; accepting a 30% voiceprint match gives high fraud but low insult.
Equal error rate: the rate at which fraud == insult. It is the best single measure for comparing biometrics.

Modern History of Fingerprints
- 1823 -- Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns.
- 1856 -- Sir William Herschel used fingerprints (in India) on contracts.
- 1880 -- Dr. Henry Faulds' article in Nature about fingerprints for ID.
- 1883 -- Mark Twain, in Life on the Mississippi: a murderer IDed by fingerprint.
- 1888 -- Sir Francis Galton (cousin of Darwin) developed a classification system. His system of minutiae is still in use today. He also verified that fingerprints do not change.
Some countries require a number of points (i.e., minutiae) to match in criminal cases: in Britain, 15 points; in the US, no fixed number of points is required.

Passwords

Passwords are widely used for user authentication.
Advantages:
- Easy to use, understood by most users
- Require no special equipment
- Offer an adequate degree of security in many environments
Disadvantages:
- Users tend to choose passwords that are easy to guess
- Many password-cracking tools, excellent at cracking passwords, are freely available on the Internet

Originally - Using Passwords
- The user enters a username and password.
- The operating system consults its table of passwords.
- Match = the user is assigned the corresponding uid.
- Problem: the table of passwords must be protected, since anyone who reads it learns every password.

Why Passwords?
Why is "something you know" more popular than "something you have" and "something you are"?
- Cost --- passwords are free.
- Convenience --- easier to reset a password than to issue a new smartcard.

Fingerprints Comparison
Examples of loops, whorls, and arches; minutiae are extracted from these features.
[Figure: loop (double), whorl, arch]

Fingerprint Biometric
- The image of the fingerprint is captured.
- The image is enhanced.
- The minutiae are identified.
- The extracted minutiae are compared with the supposed user's minutiae stored in the database, looking for a statistical match.

Hand Geometry
- A popular form of biometric.
- Measures the shape of the hand: width of hand and fingers, length of fingers, etc.
- The human hand is not unique, but hand geometry is sufficient for many situations.
- Suitable for authentication; not useful for the identification problem.
Advantages:
- Quick: 5 seconds for recognition, 1 minute for enrollment.
- Hands are symmetric (use the other hand backwards).
Disadvantages:
- Cannot use on the young or old.
- Relatively high equal error rate.

Iris Patterns
- Iris pattern development is chaotic.
- Little or no genetic influence; different even for identical twins.
- The pattern is stable throughout life.

Iris Recognition: History
- 1936 --- suggested by Frank Burch
- 1980s --- James Bond films
- 1986 --- first patent appeared
- 1994 --- John Daugman patented the current best approach; the patent is owned by Iridian Technologies

Iris Scan
- The scanner locates the iris.
- A black-and-white photo is taken.
- The image is mapped to polar coordinates.
- A 2-D wavelet transform is applied.
- The result is a 256-byte (2048-bit) iris code.

Measuring Iris Similarity
- Based on Hamming distance. Define d(x,y) to be (# of non-matching bits) / (# of bits compared).
- d(0010,0101) = 3/4 and d(101111,101001) = 1/3.
- Compute d(x,y) on the 2048-bit iris code.
- A perfect match is d(x,y) = 0.
- For the same iris, the expected distance is 0.08.
- For two random irises, expect a distance of 0.50.
- Accept as a match if the distance is less than 0.32.

Iris Scan Error Rate
Fraud rate (the chance that a different iris falls within the accept threshold) as a function of the threshold distance:

distance   fraud rate
0.29       1 in 1.3 x 10^10
0.30       1 in 1.5 x 10^9
0.31       1 in 1.8 x 10^8
0.32       1 in 2.6 x 10^7
0.33       1 in 4.0 x 10^6
0.34       1 in 6.9 x 10^5

The equal error rate lies at a distance of about 0.34; raising the threshold above that trades a lower insult rate for a rapidly growing fraud rate.
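Added example (not from the lecture) serving both the Biometric Errors slide and the iris-similarity slides above: Hamming distance on bit-string iris codes, then a threshold sweep that computes the fraud and insult rates and finds the equal error rate. The codes are constructed, not real scans: one enrolled 2048-bit code, "genuine" re-scans made by flipping each bit with probability 0.08 (the lecture's expected same-iris distance) and "impostors" drawn at random (expected distance 0.50); a noisier scanner is simulated to show the two curves actually crossing. Real iris codes also carry masks for eyelids and are compared over several rotations, which this omits.

```python
"""Iris-code matching by Hamming distance, and the fraud/insult trade-off.

Added example, not from the lecture. All iris codes are constructed: a reference
code, genuine samples obtained by flipping each bit with probability flip_prob,
and impostor samples drawn at random. Masks and rotation search are omitted.
"""
import random


def hamming_distance(x: str, y: str) -> float:
    """d(x, y) = (# of non-matching bits) / (# of bits compared), on bit strings."""
    if len(x) != len(y):
        raise ValueError("codes must have the same length")
    mismatches = sum(a != b for a, b in zip(x, y))
    return mismatches / len(x)


def random_code(rng: random.Random, bits: int = 2048) -> str:
    return "".join(rng.choice("01") for _ in range(bits))


def noisy_copy(rng: random.Random, code: str, flip_prob: float) -> str:
    """A re-scan of the same iris: each bit is independently flipped with flip_prob."""
    return "".join(("1" if b == "0" else "0") if rng.random() < flip_prob else b
                   for b in code)


def simulate_distances(seed: int = 1, samples: int = 200, flip_prob: float = 0.08):
    """Distances of genuine re-scans and of random impostors from one enrolled code."""
    rng = random.Random(seed)
    reference = random_code(rng)
    genuine = [hamming_distance(reference, noisy_copy(rng, reference, flip_prob))
               for _ in range(samples)]
    impostor = [hamming_distance(reference, random_code(rng)) for _ in range(samples)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold: float):
    """Accept when d < threshold. Fraud = impostors accepted; insult = genuine rejected."""
    fraud = sum(d < threshold for d in impostor) / len(impostor)
    insult = sum(d >= threshold for d in genuine) / len(genuine)
    return fraud, insult


def equal_error_rate(genuine, impostor, steps: int = 100):
    """Sweep the threshold; return (threshold, rate) where fraud and insult are closest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        fraud, insult = error_rates(genuine, impostor, t)
        gap = abs(fraud - insult)
        if best is None or gap < best[0]:
            best = (gap, t, (fraud + insult) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    print(hamming_distance("0010", "0101"), hamming_distance("101111", "101001"))
    gen, imp = simulate_distances()
    print("mean genuine %.3f, mean impostor %.3f" % (sum(gen) / len(gen), sum(imp) / len(imp)))
    for t in (0.20, 0.32, 0.45, 0.50):
        print("threshold %.2f: fraud %.3f insult %.3f" % ((t,) + error_rates(gen, imp, t)))
    print("EER (good scanner): threshold %.2f, rate %.3f" % equal_error_rate(gen, imp))
    gen2, imp2 = simulate_distances(seed=2, flip_prob=0.45)
    print("EER (noisy scanner): threshold %.2f, rate %.3f" % equal_error_rate(gen2, imp2))
```

With 2048 bits the genuine and impostor distances concentrate tightly around 0.08 and 0.50, which is why the lecture's 0.32 threshold produces neither fraud nor insult in the simulation; only when the re-scan noise approaches 0.45 do the two distributions overlap and the equal error rate rise above zero.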

Attack on Iris Scan
- A good photo of an eye can be scanned, so an attacker can present a photo of an eye instead of the eye itself.
- An Afghan woman was authenticated by an iris scan of an old photo (the 1984 National Geographic "Afghan Girl" photograph was matched to her years later).
- To prevent this attack, the scanner could use light to be sure it is a live iris, e.g., by checking that the pupil reacts.

[Picture slides: Fingerprint Biometrics; Hand Geometry Authentication; Retinal Scanning; Iris Scanning; Signature Verification. Pictures 2-4 to 2-10 are from Security+ Guide to Network Security Fundamentals, Course Technology.]

Equal Error Rate Comparison
- Equal error rate (EER): the rate at which fraud == insult.
- The fingerprint biometric has an EER of about 5%.
- Hand geometry has an EER of about 10^-3.
- In theory, an iris scan has an EER of about 10^-6, but in practice this is hard to achieve: the enrollment phase must be extremely accurate.
- Most biometrics are much worse than fingerprints!
- Identification (one-to-many) biometrics are almost useless today.

Biometrics: The Bottom Line
- Biometrics are hard to forge, but an attacker could: steal Alice's thumb; photocopy Bob's fingerprint, eye, etc.; or subvert the software, the template database, or the trusted path between sensor and matcher.
- Also, how do you revoke a broken biometric? A compromised password can be changed; a compromised fingerprint cannot.
- Biometrics are not foolproof!
- Biometric use is limited today; that should change in the future.

Something You Have
Something in your possession. Many examples, including:
- Car key
- Laptop computer, or a specific MAC address
- Password generator (we'll look at this next)
- ATM card, smartcard, etc.

Password Generator: a Challenge-Handshake Method
[Figure: Alice sends "I'm Alice" to Bob; Bob returns a challenge R; Alice enters her PIN and R into the password generator, which outputs F(R); Alice sends F(R) back to Bob.]
- Alice gets the challenge R from Bob.
- Alice enters R into the password generator.
- Alice sends the response back to Bob.
- Bob is convinced Alice has the password generator (and, since the PIN was needed to operate it, that she knows the PIN).

Password Generators are One-Time Passwords
- Each response is used only once, for a limited period of time; after that it is no longer valid.
- Uses shared keys and challenge-and-response systems, which do not require that the secret be transmitted or revealed.

Strategies for generating one-time passwords:
- Counter-based tokens: token and server share a secret key and a counter; each use advances the counter and outputs a code derived from the key and the counter.
- Clock-based tokens: the counter is replaced by the current time divided into fixed intervals, so token and server must keep their clocks loosely synchronized.

Single Sign-on
- It is a hassle to enter password(s) repeatedly; users want to authenticate only once.
- Credentials stay with the user wherever the user goes, and subsequent authentication is transparent to the user.
- Single sign-on for the Internet? Microsoft: Passport. Everybody else: Liberty Alliance and the Security Assertion Markup Language (SAML).

Cookies
- A cookie is provided by a website and stored on the user's machine; the cookie indexes a database at the website.
- Cookies maintain state across sessions, since the Web uses a stateless protocol, HTTP. Cookies also maintain state within a session.
- This works like a single sign-on, though it is a very weak form of authentication: anyone who obtains the cookie value can present it.
- Cookies also raise privacy concerns.
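Added example (not from the lecture) for the counter-based and clock-based token strategies on the Password Generators slide: HOTP per RFC 4226, TOTP per RFC 6238 built on it, and the server-side checks that stop a captured code from being replayed. The shared secret is the RFCs' published test key; the look-ahead window, resynchronisation policy and clock-skew tolerance are this example's own choices, not anything the lecture specifies.

```python
"""Counter-based and clock-based one-time passwords, with the server-side check.

Added example, not from the lecture. hotp() implements RFC 4226 (HMAC-SHA1 over
the counter, dynamic truncation) and totp() RFC 6238 on top of it; the shared
secret is the RFCs' published test key. The window/resync policy in TokenVerifier
and the skew tolerance in verify_totp are this example's own choices.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# The 20-byte ASCII secret used by the RFC 4226 / RFC 6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # dynamic truncation: low nibble picks the window
    code = ((mac[offset] & 0x7F) << 24      # mask the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    value = code % (10 ** digits)
    return f"{value:0{digits}d}"


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Clock-based variant: the counter is the number of `step`-second intervals since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


class TokenVerifier:
    """Server side of a counter-based token.

    Accepts the code for the next expected counter or any of `window` counters
    after it (the user may have pressed the button without logging in), then
    moves the counter past the one used so the same code is never accepted twice.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # resynchronise; a replay of `code` now fails
                return True
        return False                      # behind the counter, or outside the window


def verify_totp(secret: bytes, code: str, at_time: float, skew: int = 1, step: int = 30) -> bool:
    """Clock-based check tolerating `skew` intervals of clock drift either way."""
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(DEMO_SECRET, c))                    # 755224, 287082, 359152
    print("TOTP at t=59:", totp(DEMO_SECRET, 59, digits=8))  # 94287082
    v = TokenVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("fresh code:", v.verify(first), " replayed:", v.verify(first))
```

The secret never crosses the wire; only a 6-digit function of it does, and the verifier's counter (or the clock) guarantees that function is never evaluated at the same point twice. A clock-based verifier should additionally remember the last interval it accepted, since within one 30-second step the same code is otherwise valid for repeated use.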

Digital Signatures
- Digital signature: a value computed over a message with the signer's private key; anyone holding the signer's public key can verify that the message came from the signer and was not modified. No central facility is needed to check a signature, only a trustworthy copy of the public key.
- Digital certificate: an electronic document, signed by a certificate authority, that binds a public key to the name of the person or organization holding it, so that a file or message signed with the corresponding private key can be attributed to that holder and checked for modification.
- Certificate authority (CA): the agency that manages the issuance of certificates. It serves as an electronic notary public, vouching for certificate origin and integrity.

How Much Trust Should One Place in a CA?
Reputable CAs offer several levels of certificate, issued based on the amount of identifying data collected from applicants. Example: VeriSign.

Certificate-Based Authentication
- Digital certificates can be used to authenticate users.
- The organization sets up a Public Key Infrastructure (PKI) whose CA issues each user a key pair and a certificate binding the public key to the user's identity.
- To authenticate, the user proves possession of the private key (for example, by signing a fresh challenge from the server); the server verifies the signature with the public key in the certificate and checks the CA's signature on the certificate.
- We will consider this more after we discuss encryption schemes.

Security Tokens

- Authentication devices assigned to a specific user.
- Small, credit-card-sized physical devices.
- Incorporated into the two-factor authentication methods discussed shortly.
- Utilize base keys that are much stronger than the short, simple passwords a person can remember.

Cards or Tokens
- This authentication mechanism makes use of something (a card, key, or token) that the user or system possesses.
- One example is a dumb card (such as an ATM card) with a magnetic stripe.
- Another example is the smart card, containing a processor.
- Another device often used is the cryptographic token, a processor in a card that has a display.
- Tokens may be either synchronous (clock-based) or asynchronous (challenge-response).

Types of Security Tokens
Passive:
- Act as a storage device for the base key.
- Do not emit, or otherwise share, the base key.

Active:
- Actively create another form of the base key, or an encrypted form of it, that is not subject to attack by sniffing and replay.
- Can provide variable outputs in various circumstances.

Access Control Tokens
[Picture slide]

Why Use Only One Strategy? 2-factor Authentication
Requires 2 out of the 3 factors:
1. Something you know
2. Something you have
3. Something you are
Examples:
- ATM: card and PIN
- Credit card: card and signature
- Password generator: device and PIN
- Smartcard with password/PIN
Multi-factor authentication is being strongly proposed for purchases made by cell phones.

Disadvantages of 2-factor Authentication
- Users don't like to authenticate twice.
- Do you deny all users who fail at one factor but not the other? Doing so can cause dissatisfaction.
- Are 2 authentications really more secure? Only if the two factors fail independently: a PIN written on the card adds nothing.

Some Linux-Specific Authentication Strategies

Managing Linux Passwords
- Linux includes several facilities for managing passwords and enabling security measures.
- When a new user account is added to the system, a single line is added to the /etc/passwd file, but the actual password hash (traditionally called the "encrypted password") is stored in /etc/shadow, which is readable only by root.
- The shadow password file controls the username, the hashed password data, the last password change date, the password expiration date, the account expiration date, and more.
- A user can change their password using the passwd utility. When this command is entered, the user is prompted to enter their current password, then their new password two times.
- passwd performs a few basic checks on the entered password, but by itself it cannot prevent the use of poor passwords.

The shadow password system is used by default on all major Linux distributions.
[Screenshot slides: Managing Linux Passwords]

Using Pluggable Authentication Modules
- The Pluggable Authentication Module (PAM) architecture was developed by Sun and is now used on virtually every Linux distribution.
- PAM provides improved user-level security, flexibility in managing user authentication, and smoother Linux to non-Linux integration.
- To use PAM, select the modules necessary to control the activity of a program and list them in the program's configuration file.
- PAM is configured using either a single file, /etc/pam.conf, or a series of files in /etc/pam.d (one per service).
- PAM supports four module types:
  - auth modules are used for identifying a user, normally by prompting for a password.
  - account modules typically restrict account access (e.g., by time of day or account expiry).
  - session modules handle tasks required before a user can work, such as creating a log entry.
  - password modules are executed when a user needs to change a password.
- The control_flag element determines how PAM processes stacked modules, and ultimately whether to permit or deny access:
  - required: the module must succeed; if it fails, the rest of the stack still runs (so the user cannot tell which module failed), but access is denied.
  - requisite: if the module fails, the remaining modules are not executed and access is denied immediately.
  - sufficient: if the module succeeds and no earlier required module has failed, access is permitted immediately without running the rest of the stack; if it fails, the failure is ignored and processing continues.
  - optional: the result of the module does not affect the final result of the stack, unless it is the only module in the stack.
[Screenshot slides: Using Pluggable Authentication Modules]
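Added example (not from the lecture, and not Linux-PAM's own code) that evaluates an auth stack under the four control flags, so the difference between required and requisite, and the early exit of sufficient, can be seen directly. It parses a constructed /etc/pam.d-style configuration and takes each module's outcome from the caller, since no real modules run here; the reading of "optional" as counting only when no other module contributed is this example's simplification.

```python
"""Evaluating a PAM-style module stack: what the four control flags actually do.

Added example, not from the lecture and not Linux-PAM's code. It parses lines in
the /etc/pam.d layout ("type control module [args]") and walks an "auth" stack,
returning both the decision and which modules ran. Module outcomes are supplied
by the caller (constructed); the "optional" rule below is a simplification.
"""
from typing import Dict, List, NamedTuple, Tuple

CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


class Rule(NamedTuple):
    kind: str      # auth | account | session | password
    control: str   # required | requisite | sufficient | optional
    module: str    # e.g. pam_unix.so


def parse_pam_config(text: str, kind: str = "auth") -> List[Rule]:
    """Return the rules of one module type, in file order, ignoring comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rule = Rule(parts[0], parts[1], parts[2])
        if rule.control not in CONTROL_FLAGS:
            raise ValueError(f"unknown control flag: {rule.control}")
        if rule.kind == kind:
            rules.append(rule)
    return rules


def evaluate_stack(rules: List[Rule], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with the given per-module results (True = success).

    required:   failure is remembered, but the stack keeps running.
    requisite:  failure stops the stack at once with denial.
    sufficient: success ends the stack with acceptance unless a required
                module already failed; failure is simply ignored.
    optional:   ignored unless no required/requisite/sufficient module ran.
    An empty stack denies, as PAM does when nothing is configured.
    """
    executed: List[str] = []
    required_failed = False
    decisive_ran = False
    optional_results: List[bool] = []
    for rule in rules:
        ok = outcomes[rule.module]
        executed.append(rule.module)
        if rule.control == "requisite":
            decisive_ran = True
            if not ok:
                return False, executed
        elif rule.control == "required":
            decisive_ran = True
            if not ok:
                required_failed = True    # keep going: don't reveal which module failed
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True, executed
        elif rule.control == "optional":
            optional_results.append(ok)
    if required_failed:
        return False, executed
    if decisive_ran:
        return True, executed
    if optional_results:
        return all(optional_results), executed
    return False, executed


# Constructed configuration in /etc/pam.d style (not copied from any distribution).
SAMPLE_LOGIN_CONFIG = """
auth    requisite   pam_securetty.so      # root only from listed terminals
auth    sufficient  pam_unix.so           # local password: success is enough
auth    required    pam_ldap.so           # otherwise the directory password must pass
auth    required    pam_warn.so           # still runs after a failure above
"""


def login_decision(outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    return evaluate_stack(parse_pam_config(SAMPLE_LOGIN_CONFIG), outcomes)


if __name__ == "__main__":
    base = {"pam_securetty.so": True, "pam_unix.so": True,
            "pam_ldap.so": True, "pam_warn.so": True}
    print("local password ok:   ", login_decision(base))
    print("securetty refuses:   ", login_decision({**base, "pam_securetty.so": False}))
    print("unix fails, ldap ok: ", login_decision({**base, "pam_unix.so": False}))
    print("both passwords fail: ", login_decision({**base, "pam_unix.so": False,
                                                    "pam_ldap.so": False}))
```

The returned module list is the point: a requisite failure leaves only one module executed, while a required failure still runs the whole stack, and a sufficient success skips everything after it. Ordering therefore matters as much as the flags themselves; placing a sufficient module before a required one lets a local success bypass the later check.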

Security Tools for Users
- There are many security utilities and related files that system administrators and users need to be aware of, some of them PAM-controlled.
- Screen-locking programs disable keyboard input and hide the screen so that private information is neither visible nor accessible.
- vlock is used from a text console to lock the current screen, or all of the virtual consoles.
- xlock is similar to vlock, but is employed from a graphical interface and is a feature of the X Window System.
[Screenshot slides: Security Tools for Users]

Security Files and Utilities
Linux provides several methods for safeguarding or controlling the login process:
- The root user can only log in from terminals that are listed in the file /etc/securetty.
- If the /etc/nologin file exists, only root can log in at that time; when this file is deleted, all users can log in again.
- Executable files can have a special file permission set (the Set UID bit, or SUID) that causes them to run with the permissions of the user who owns the file rather than the user who executed them. (passwd is SUID root precisely so that an ordinary user can update /etc/shadow.)
More Linux-provided security methods:
- The Linux file systems support a number of attributes that can be set on any file.
- The PAM module pam_time can be used with the login program to limit when a user can log in.
- If the standard bash shell is running, a shell variable (TMOUT) can be set that will log a user out after a certain number of idle seconds.
- In the tcsh shell, a shell variable (autologout) accomplishes the same thing, but in minutes, not seconds.

Seeing Who Is Using Linux
[Screenshot slide]

Good and Bad Passwords
Bad passwords      Good passwords?
frank              jfIej,43j-EmmL+y
Fido               09864376537263
password           P0kem0N
4444               FSa7Yago
Pikachu            0nceuP0nAt1m8
102560             PokeGCTall150
AustinStamp

Selecting Strong Passwords
- Passwords must not be written down, especially not anywhere near the computer to which they provide access.
- Passwords must be chosen carefully so they can be remembered without a written aid.
- Passwords should not include easily guessed words or numbers.
- Users should be taught never to tell anyone their password.

Selecting Strong Passwords (cont.)
Ideas for creating good passwords:
- A minimum of eight characters should be sufficient.
- It should include at least one number or symbol.
- It could be one or more words separated by one or more symbols or numbers.
- Multiple words work better if they are foreign or altered so that they do not appear in a dictionary.
- Using a series of numbers or a pattern of altered letters can make it easier to remember your password.
- Using strong passwords reduces the chance that a cracker guesses or brute-forces a password; it does nothing against social engineering, which bypasses password strength entirely.
- Crackers can resort to brute-force attacks, where all possible combinations are tried until one succeeds in guessing a password.
- Some system administrators use password-cracking tools to test the strength of users' passwords.

Password Experiment
- A passphrase is a plain-language phrase, typically longer than a password, from which a "virtual password" is derived.
- Example: "Alice loves Bob and Bob loves Trudy!" gives AlBaBlT!
- Three groups of users --- each group advised to select passwords as follows:
  - Group A: at least 6 characters, 1 non-letter
  - Group B: password based on a passphrase
  - Group C: 8 random characters
- Results:
  - Group A: about 30% of passwords easy to crack
  - Group B: about 10% cracked; passwords easy to remember (the winner)
  - Group C: about 10% cracked; passwords hard to remember
- User compliance is hard to achieve: in each case, about 1/3 did not comply (and about 1/3 of those passwords were easy to crack!).
- Assigned passwords are sometimes best.
- If passwords are not assigned, the best advice is: choose passwords based on a passphrase, and use a password-cracking tool to test for weak passwords.
- Require periodic password changes?

Attacks on Passwords
An attacker could:
- Target one particular account
- Target any account on a system
- Target any account on any system
- Attempt a denial of service (DoS) attack (e.g., by deliberately triggering lockouts)
Common attack path: outsider -> normal user -> administrator. It may only require one weak password!

Brute Force Tries
[Table slide: number of guesses and time needed to exhaust password spaces of various lengths and alphabets, for a Pentium 4 performing 8 million guesses per second; the table's values were not recoverable.]

Password Retry
Suppose the system locks after 3 bad passwords. How long should it lock?
- 5 seconds
- 5 minutes
- Until the system administrator restores service
What are the pluses and minuses of each? (A long lock lets an attacker lock legitimate users out, a DoS; a short lock barely slows online guessing.)

Using Passwords and One-Way Functions
- The user's password is not stored in the table; a one-way hash* of the password, h(password), is stored instead.
- h(dumptruck) = JFNXPEMD
- h(baseball) = WSAWFFVI
- * "hash" here means a function that has few collisions and cannot be reversed, i.e., no practical inverse exists. (The short 8-letter values above are illustrative; real hashes are much longer.)
- The user enters a username and password; the operating system hashes the password and compares the result to the entry in the table. Match = the user is assigned the corresponding uid.
- Advantage: the password table no longer has to be kept secret, since it does not reveal passwords directly.
- Disadvantage: dictionary attacks do work.

A Dictionary Attack
An attacker can compile a dictionary of several thousand common words and compute the hash for each one, then look for matches between the dictionary and the password table. Example: WSAWFFVI tells us Bob's password is baseball.

Dictionary attacks are a serious problem:
- It costs an intruder very little to send tens of thousands of common words through the one-way function and check for matches.
- Between 20 and 40 percent of the passwords on a typical system can be cracked in this way.

Solution #1: don't allow users to select their own passwords; the system generates a random password for each user (example: L8f#n!.5rH).
Drawback: many people find system-assigned passwords hard to remember and therefore write them down. You can find huge numbers of post-it notes on screens, under keyboards, and in the top drawers of desks that contain passwords!

Combating Dictionary Attacks
Solution #2: password checking. Allow users to choose their own passwords, but do not allow them to use passwords that are in a common dictionary.
Solution #3: salt the password table. A salt is a random string that is concatenated with a password before sending it through the one-way hash function. The salt is chosen by the system, stored in the table next to the hash, and need not be secret. Example: salt plre, password baseball.

Salting the Password Table
The password table contains the salt value (plre) and h(password+salt) = h(baseballplre) = FSXMXFNB.
- The user enters a username and password.
- The operating system combines the password with the stored salt and hashes the result.
- The operating system compares the result to the entry in the table. Match = the user is assigned the corresponding uid.
- Advantages: the password table does not have to be kept secret, and dictionary attacks are much harder.

A Dictionary Attack (with salt)
The attacker must now expand the dictionary to contain every possible salt with each possible password: baseballaaaa, baseballaaab, baseballaaac, ..., baseballaaaz, baseballaaba, baseballaabb, ... That is 26^4 (about half a million) times more work to check each word in the dictionary (for 4-letter salts), and a precomputed table of hashes can no longer be reused across accounts. And how does the attacker even know a 4-letter salt is being used?
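Added example (not from the lecture) that builds the unsalted and salted password tables the slides describe, runs the same dictionary attack against each, and counts hash computations, the lecture's measure of work. SHA-256 stands in for the lecture's h(); the users, the 4-letter salts and the dictionary are constructed.

```python
"""Salting the password table versus a dictionary attack, with the work counted.

Added example, not from the lecture. SHA-256 stands in for the lecture's one-way
function h(); the user list, the 4-letter salts and the dictionary are constructed.
The hash count is what the lecture measures as "work".
"""
import hashlib
import secrets
import string
from typing import Dict, Iterable, Tuple

SALT_LEN = 4   # the lecture's 4-letter salt: 26^4 possibilities


def h(data: bytes) -> str:
    """The one-way function. (A real system would use a slow, salted KDF such as PBKDF2.)"""
    return hashlib.sha256(data).hexdigest()


def make_table(users: Dict[str, str], salted: bool, rng=None) -> Dict[str, Tuple[str, str]]:
    """Build {user: (salt, h(password + salt))}; salt is "" when unsalted."""
    rng = rng or secrets.SystemRandom()
    table = {}
    for user, password in users.items():
        salt = "".join(rng.choice(string.ascii_lowercase) for _ in range(SALT_LEN)) if salted else ""
        table[user] = (salt, h((password + salt).encode()))
    return table


def check_login(table: Dict[str, Tuple[str, str]], user: str, password: str) -> bool:
    """What the OS does at login: combine the entered password with the stored salt and compare."""
    if user not in table:
        return False
    salt, digest = table[user]
    return secrets.compare_digest(h((password + salt).encode()), digest)


def dictionary_attack(table: Dict[str, Tuple[str, str]],
                      dictionary: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Hash each word once per distinct salt and look it up among the table entries.

    Unsalted: every entry shares the salt "", so one hash per word tests all users.
    Salted:   each distinct salt forces its own hash per word. Returns the cracked
    {user: password} map and the number of hash computations performed.
    """
    by_salt: Dict[str, Dict[str, str]] = {}
    for user, (salt, digest) in table.items():
        by_salt.setdefault(salt, {})[digest] = user
    cracked: Dict[str, str] = {}
    hashes = 0
    for word in dictionary:
        for salt, digests in by_salt.items():
            hashes += 1
            digest = h((word + salt).encode())
            if digest in digests:
                cracked[digests[digest]] = word
    return cracked, hashes


# Constructed sample data: two dictionary passwords and one random one.
USERS = {"alice": "dumptruck", "bob": "baseball", "carol": "L8f#n!.5rH"}
DICTIONARY = ["password", "baseball", "letmein", "dumptruck", "qwerty"] + \
             [f"word{i}" for i in range(995)]   # 1000 "common words"


if __name__ == "__main__":
    for salted in (False, True):
        table = make_table(USERS, salted)
        cracked, work = dictionary_attack(table, DICTIONARY)
        print(f"salted={salted}: cracked {sorted(cracked)} with {work} hash computations")
    t = make_table(USERS, True)
    print("login bob/baseball:", check_login(t, "bob", "baseball"),
          " bob/football:", check_login(t, "bob", "football"))
```

Salting does not stop the attacker from cracking alice and bob, whose passwords are in the dictionary; what it changes is the cost, which grows from one hash per word to one hash per word per distinct salt, and it makes any table precomputed before the breach useless. Combining a per-user salt with a deliberately slow hash is what turns that linear cost into a real obstacle.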

Password Cracking: Some More Probabilities
Assumptions:
- Passwords are 8 characters with 128 choices per character, so there are 128^8 = 2^56 possible passwords.
- There is a password file with 2^10 = 1024 passwords.
- The attacker has a dictionary of 2^20 common passwords.
- The probability that a given password is in the dictionary is 1/4.

Attack 1 password without the dictionary:
- Must try 2^56 / 2 = 2^55 guesses on average, just like an exhaustive key search.
Attack 1 password with the dictionary:
- Work is measured by the number of hashes computed.
- Expected work is about (1/4)(2^19) + (3/4)(2^55) = 2^54.6.
- But in practice, try everything in the dictionary and quit if the password is not found: the work is at most 2^20 and the probability of success is 1/4.

Attack any of the 1024 passwords in the file, without the dictionary:
- Assume all 2^10 passwords are distinct.
- Need 2^55 comparisons before expecting to find a password.
- If no salt is used, each hash computation gives 2^10 comparisons (one hash is checked against every entry), so the expected work (number of hashes) is 2^55 / 2^10 = 2^45.
- If salt is used, the expected work is 2^55, since each comparison requires a new hash computation.

Attack any of the 1024 passwords in the file, with the dictionary:
- The probability that at least one password is in the dictionary is 1 - (3/4)^1024 ≈ 1, so we ignore the case where no password is in the dictionary.
- If no salt is used, the work is about 2^19 / 2^10 = 2^9.
- If salt is used, the expected work is less than 2^22.
- Note: if no salt is used, the attacker can precompute all dictionary hashes once and amortize that work over every password file ever captured.

Other Password Issues
- Too many passwords to remember results in password reuse. Why is this a problem? A breach of one site exposes the same password everywhere it was reused.
- Who suffers from a bad password? Consider a login password vs an ATM PIN.

107 Packet Sniffers

  Network tool that collects and analyzes packets on a network
  Can be used to eavesdrop on network traffic
  Must be connected directly to a local network from an internal location
  Passwords are often sent in plaintext!
  To use a packet sniffer legally, you must:
    Be on a network that the organization owns, not leases
    Be under the direct authorization of the network's owners
    Have the knowledge and consent of users
    Have a justifiable business reason for doing so

108 Passwords: The bottom line

  Password cracking is too easy!
    One weak password may break security
    Users choose bad passwords
    Social engineering attacks, etc.
  The bad guy has all of the advantages
  All of the math favors bad guys
  Passwords are a big security problem

109 Passwords: The bottom line

  Password cracking is too easy!
    One weak password may break security
    Users choose bad passwords
    Social engineering attacks, etc.
  The bad hacker has all of the advantages
  All of the math favors bad hackers
  Passwords are a big security problem

110 Password Cracking Tools

  Popular password cracking tools:
    Password Crackers
    Password Portal
    L0phtCrack and LC4 (Windows)
    John the Ripper (Unix)
  Admins should use these tools to test for weak passwords, since attackers will!
  Good article on password cracking: Passwords - Cornerstone of Computer Security
