authentication authentication
play

Authentication Authentication September 11, 2020 Administrative - PDF document

Authentication Authentication September 11, 2020 Administrative new VM new VM Administrative for this lab exercise for this lab exercise import, then don't forget to create a snapshot named "base" 1 Administrative


  1. Authentication Authentication September 11, 2020 Administrative – – new VM new VM Administrative for this lab exercise for this lab exercise import, then don't forget to create a snapshot named "base" 1

  2. Administrative – – VM login credentials VM login credentials Administrative fedora30-fall20 student/c$l@bLinuX root /c$l@bLinuX ( mnemonic: compter science lab linux ) kali-linux1.0.7 root/c$l@bLinuX Administrative – Administrative – submittal instructions submittal instructions � answer the lab assignment’s questions in written report form, as a text, pdf, or Word document file (no obscure formats please) � email to csci530l@usc.edu � exact subject title must be “authenticationlab” � deadline is start of your lab session the following week � reports not accepted (zero for lab) if – late – you did not attend the lab (except DEN or prior arrangement) – email subject title deviates 2

  3. Authentication definition Authentication definition � binding an identity to a subject – withdrawing money at a bank counter verifying a bank customer (subject) is the person/name (identity) on a savings account (e.g., by driver's license evaluation) – logging in verifying a keyboard user (subject) is the person/name (identity) on a user account (e.g., by password evaluation) – using a secure website verifying the web server (subject) is that of an organization (identity) (e.g., by digital signature evaluation) “Auth “ Auth” ”entication entication vs vs “ “auth auth” ”orization orization � authentication != authorization – authorization establishes what user can do once authenticated � authentication happens first � authorization comes later – employing the information established during authentication 3

  4. Usage of a login ID Usage of a login ID � user account’s ID number (UID) gets “embedded” in its human user (if any) ’s shell/gui process and other processes they then spawn (which is their job) � user accounts in/of processes are revealed by ps (process status) command in linux the users in/of 3 processes Bigger picture - - how we think of it Bigger picture how we think of it reads user file 4

  5. Bigger picture - Bigger picture - how it actually works how it actually works users don’t read files, processes do UID runs reads user process file program that copies one file to another #include <unistd.h> #include <sys/stat.h> note system calls “open” “read” “write” #include <fcntl.h> They do the file access int main() user? isn’t even mentioned in the calls { char c; int in, out; in = open("file.in", O_RDONLY); out = open("file.out", O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR); while(read(in,&c,1) == 1) write(out,&c,1); exit(0); } Bigger picture - - how it actually works Bigger picture how it actually works AUTHENTICATION HERE up front, determines account same account, carried forward by inheritance from shell process to this spawned one for first (shell) process UID runs reads user process file #include <unistd.h> #include <sys/stat.h> note system calls “open” “read” “write” #include <fcntl.h> They do the file access int main() user? isn’t even mentioned in the calls { char c; int in, out; in = open("file.in", O_RDONLY); out = open("file.out", O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR); while(read(in,&c,1) == 1) write(out,&c,1); exit(0); } 5

  6. Bases for authentication Bases for authentication � something people know � something they have � password � smart card � pin number � sim (subscriber identity module) card � something about them � hardware token � somewhere they are � retina/iris � fingerprint � login only works at certain terminals � DNA � voice � ear � face Extent of authentication Extent of authentication � one or a combination of methods may be used – depending on needed degree of protection – “single-factor” “multi-factor” � examples – system login � for user account, the matching password (single-factor) – system with fingerprint reader (e.g. modern laptop) � for user account, the matching password and finger (2-factor) – ATM transaction � for bank account, the card and matching pin (2-factor) 6

  7. TFA at myviterbi.usc.edu TFA at myviterbi.usc.edu Step 1, 1 st factor Step 2, 2 nd factor Example: passwords Example: passwords � something people know � most common, familiar basis for authentication 7

  8. What’ What ’s makes bad ones? s makes bad ones? � only letters or only numbers (hackme, 09112002) � recognizable words (john1, R2D2) � foreign language words (bonjour1, hastalavistababy) � hacker terminology (H4XOR, 1337) � personal info (names, birthdates, addresses) � reverse words (nauj, esrever) � what do these all have in common? they are predictable What’ ’s makes good ones? s makes good ones? What � at least 8 characters (conventionally, but why 8?? still “enough” today? no) � mixed case � mixed letters and numerals � punctuation/non-alphanumeric symbols included � something you can remember 8

  9. Making a good one Making a good one � think of a memorable phrase – “wasn’t that a dainty dish to set before the king” – “in the beginning god created the heavens and the earth” � make it an acronym – wtaddtsbtk – itbgcthate � substitute non-letters for letters ("leetspeak") – w7@dd7$b7k – i7bgcth@te � capitalize something – w7@DD7$b7k – i7BGCTH@te Forcing strong passwords Forcing strong passwords � create them for users, don’t let users choose them � use PAM’s pam_cracklib module – enforces a password strength policy at creation time � or other PAM password evaluation modules – pam_passwdqc (http://www.openwall.com/passwdqc) 9

  10. PAM architecture ( PAM architecture (“ “pluggable authentication modules pluggable authentication modules” ”) ) 1 2 PAM /etc/pam.d 4 3 PAM-aware applications (e.g., /bin/login /bin/su /bin/ssh /bin/passwd, etc ) per-application configuration files (text) PAM modules (executable) Operation sequence Operation sequence � app calls PAM (1) � PAM reads app’s PAM config file (2) � PAM calls PAM modules as listed in the file (3) – each succeeds or fails independently � PAM itself succeeds or fails, depending on the modules’ outcomes – returns its overall outcome to app (4) � app proceeds (if success) or terminates (if failure) 10

  11. Password crackers Password crackers � John the Ripper (http://www.openwall.com/) � Cain and Abel � hashcat (http://hashcat.net/hashcat/) Is guesswork easy or hard? Is guesswork easy or hard? � an alphabet is a set of symbols � how many words of a certain length can you compose from an alphabet? � depends on – the number of symbols in the alphabet – the particular wordlength 11

  12. Two password strength determinants Two password strength determinants � the number of possible characters it contains – its character set � its length – its character count Is guesswork easy or hard? Is guesswork easy or hard? � a 10-symbol alphabet has � a 2-symbol alphabet has – 10 one-letter words – 2 one-letter words – 100 two-letter words – 4 two-letter words – 1000 three-letter words – 8 three-letter words � a 3-symbol alphabet has � an � -symbol alphabet has – 3 one-letter words – � one-letter words – � 2 two-letter words – 9 two-letter words – � 3 three-letter words – 27 three-letter words – � p p-letter words (alphabet length raised to password length) 12

  13. How many words are there? How many words are there? � 26-letter alphabet, wordlength 3: 26 3 = 17576 � 52-letter alphabet, wordlength 3: 52 3 = 140,608 – double alphabet length yields 8 times as many words � 26-letter alphabet, wordlength 6: 26 6 = 308,915,776 – double word length yields 17576 times as many words � 52-letter alphabet, wordlength 6: 52 6 = 19,770,609,660 � a fish is in a pond – harder to catch in a bigger pond How many words are there? * How many words are there? * Password space: 16-character alphabet 16 64 = 10 77 94-character alphabet comparatively IPv6 94 63 = 10 124 address space, considered 62-character alphabet “really really big” - 10 38 62 63 = 10 112 https://www.grc.com/passwords.htm * i.e. * i.e. “ “What What’ ’s the password space? s the password space?” ” 13

  14. Password strength determinants Password strength determinants � the number of possible characters it contains � its length � the randomness of character selection a 3 rd criterion!! human-dependent! (arguably, the most important factor these days) 2013 dynamic attack, my UCLA server * 2013 dynamic attack, my UCLA server * *but real-world attacks are not “dynamic” they are in-situ at attacker’s place upon an exfiltrated user/password file log file, victim machine � about 700000 login attempts from about 2100 remote IPs � � from several to 53000 login attempts each � using about 26000 user name guesses with unknown password guesses � – but no doubt predicable ones 14

Recommend


More recommend