CS 259

Password Authentication

J. Mitchell

[Figure: User (password "kiwifruit"), hash function, Password file (exrygbzyf, kgnosfix, ggjoklbsz)]

Basic password authentication

Setup
User chooses password
Hash of password stored in password file

Authentication
User logs into system, supplies password
System computes hash, compares to file

Attacks
Online dictionary attack: guess passwords and try to log in
Offline dictionary attack: steal password file, try to find p with hash(p) in file

Dictionary attack: some numbers

Typical password dictionary
1,000,000 entries of common passwords: people's names, common pet names, and ordinary words

Suppose you generate and analyze 10 guesses per second
This may be reasonable for a web site; offline is much faster
Dictionary attack takes at most 100,000 seconds = 28 hours, or 14 hours on average

If passwords were random

Assume six-character password
Upper- and lowercase letters, digits, 32 punctuation characters
689,869,781,056 password combinations
Exhaustive search requires 1,093 years on average

Salt
Unix password line
walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh

[Figure: salted password hashing. Labels: Input, Constant, Plaintext, Salt, Key, 25x DES, Ciphertext, Compare]

When password is set, salt is chosen randomly

Advantages of salt

Without salt
Same hash functions on all machines
Compute hash of all common strings once
Compare hash file with all known password files

With salt
One password hashed 2^12 different ways
Precompute hash file? Need much larger file to cover all common strings
Dictionary attack on known password file: for each salt found in file, try all common strings

Web Authentication

[Figure: Browser and Server exchanging password and cookie]

Problems
Network sniffing
Malicious or weak-security website
  Phishing
  Common password problem
  Pharming, DNS compromise
  (next few slides)
Malware on client machine
  Spyware
  Session hijacking, fabricated transactions

Password Phishing Problem

[Figure: Bank A and Fake Site, each receiving pwdA]

User cannot reliably identify fake sites
Captured password can be used at target site

Common Password Problem

[Figure: Bank A (pwdA) and Site B (pwdB), with pwdA = pwdB]

Phishing attack or break-in at site B reveals pwd at A
Server-side solutions will not keep pwd safe
Solution: Strengthen with client-side support

Defense: Password Hashing

[Figure: Bank A receives pwdA, Site B receives pwdB]

Generate a unique password per site
Hashed password is not usable at any other site
Protects against password phishing
Protects against common password problem

HMAC_{fido:123}(banka.com) → Q7a+0ekEXb
HMAC_{fido:123}(siteb.com) → OzX2+ICiqc

Defense: SpyBlock

Authentication agent communicates through browser agent

Authentication agent communicates directly to web site

SpyBlock protection
password in trusted client environment
better password-based authentication protocols
trusted environment confirms site transactions
server support required

Goals for password protocol

Authentication relies on password
User can remember password, use anywhere
No additional client-side certificates, etc.

Protect against attacks
Network does not carry cleartext passwords
Malicious user cannot do offline dictionary attack
Malicious server (as in phishing) does not learn password from communication with honest user

Simple approach

Send hashed passwords
[Figure: Browser and Server, with messages hash(pwd|0) and hash(pwd|1)]

Does this work?
Good points? Bad points?

Interlock password protocols

(Set-up Phase)
Password p known to both parties

(Key Exchange Phase)
A → B: g^x
B → A: g^y
k = g^(xy) or some function of g^(xy)

(Authentication Phase)
A → B: mac_k(p, r) for random r
B → A: mac_k(p, s), enc_k(s) for random s
A → B: enc_k(r)

[Rivest, Shamir, Bellovin, Merrit, Pederson, Ellison]

ESP-KE key exchange protocol


Prime p and generators , known Generate random a A= a / P mod p A B Generate random b B= b mod p

k = Ba mod p
Mb
Ma

If A=0 Abort k = (A P)b mod p Mb=H(0,k,P)

If H(0,k,P) Mb Abort Ma = H(1,k,P)

If H(1,k,P) Ma Abort

[M Scott]

SRP protocol

(Set-up Phase)
Carol chooses password P
Steve chooses s, computes x = H(s, P) and v = g^x

(Key Exchange Phase)

Carol's side:
x = H(s, P)
A = g^a
S = (B - g^x)^(a+ux)
M1 = H(A,B,S)
verify M2
Key = H(S)

Messages, in order: C, s, A, (B, u), M1, M2

Steve's side:
Bob looks up s, v
B = v + g^b, random u
S = (A v^u)^b
verify M1
M2 = H(A,M1,S)
Key = H(S)

[Wu]
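The SRP exchange above carried through with both sides' computations, as an added example that is not part of the original slides. The 127-bit modulus N, generator g = 3, SHA-256 as H and all function names are assumptions chosen for illustration; they are not secure parameters.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): 2^127 - 1 is prime but far too
# small for real use; deployments use large standardized safe-prime groups.
N = 2**127 - 1
g = 3

def H(*parts):
    """Hash ints/strings to an integer (SHA-256 stands in for the slide's H)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

def register(password):
    """Set-up phase: the server stores salt s and verifier v = g^x, never P."""
    s = secrets.randbits(64)
    v = pow(g, H(s, password), N)
    return s, v

def srp_run(s, v, typed_password):
    """One key exchange. Returns (carol_key, steve_key) on success,
    or None if a side aborts because a proof does not verify."""
    # Carol -> Steve: A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Steve -> Carol: B = v + g^b, plus random u
    b = secrets.randbelow(N - 2) + 1
    B = (v + pow(g, b, N)) % N
    u = secrets.randbits(32)
    # Carol: x = H(s, P), S = (B - g^x)^(a + ux), M1 = H(A, B, S)
    x = H(s, typed_password)
    S_carol = pow((B - pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S_carol)
    # Steve: S = (A v^u)^b, verify M1, then M2 = H(A, M1, S)
    S_steve = pow(A * pow(v, u, N) % N, b, N)
    if M1 != H(A, B, S_steve):
        return None  # wrong password: Steve aborts, no key is established
    M2 = H(A, M1, S_steve)
    # Carol verifies M2, which proves Steve holds the verifier v
    if M2 != H(A, M1, S_carol):
        return None
    return H(S_carol), H(S_steve)  # Key = H(S) on each side
```

The password never crosses the wire, and the verifier v stored by the server is not the password itself.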

CMU Phoolproof proposal


Eliminates reliance on perfect user behavior Protects against keyloggers, spyware. Uses a trusted mobile device to perform mutual authentication with the server
