CS 4803
Computer and Network Security
Alexandra (Sasha) Boldyreva
Authentication

Authentication
• Verifying the identity of another entity
  • Computer authenticating to another computer
  • Person authenticating to a local computer
  • Person authenticating to a remote computer
• Two issues:
  • How authentication information is stored (at both ends)
  • Authentication protocol itself

Overview
• Authentication may be based on
  • What you know
  • What you have
  • What you are
  • Examples?
• Mutual authentication vs. unidirectional authentication

Attack taxonomy
• Passive attacks
• Active attacks
• Impersonation
• Man-in-the-middle
• Server compromise
• Different attacks may be easier/more difficult in different settings

Address-based authentication
• Is sometimes used (e.g., unix)
• This is generally not very secure
• Relatively easy to forge source addresses of network packets

Password-based protocols
• Password-based authentication
• Any system based on low-entropy shared secret (note: different from book definitions!)

Password selection
• User selection of passwords is typically very weak
• Lower entropy password makes dictionary attacks easier
• Typical passwords:
  • Derived from account names or usernames
  • Dictionary words, reversed dictionary words, or small modifications of dictionary words
  • Etc.

Better password selection
• Non-alphanumeric characters
• Longer phrases
• Can try to enforce good password selection…
• …but these types of passwords are difficult for people to memorize and type!

From passwords to keys?
• Can potentially use passwords to derive symmetric or public keys
• What is the entropy of the resulting key?
• Often allows off-line dictionary attacks on the password

Password-based protocols
• Any password-based protocol is vulnerable to an “on-line” dictionary attack
• On-line attacks can be detected and limited
  • How?
• Any password-based protocol is vulnerable to off-line attack if server is compromised

Password-based protocols
• Best: Use a password-based protocol which is secure against off-line attacks when server is not compromised
• Unfortunately, this has not been the case in practice (e.g., telnet, cell phones, etc.)
• This is a difficult problem!

Password storage
• In the clear…
• Hash of password (done correctly)
  • Doesn’t always achieve anything!
  • Makes adversary’s job harder
  • Potentially protects users who choose good passwords
• “Salt”-ed hash of password
  • Makes bulk dictionary attacks harder, but no harder to attack a particular password
• Centralized server stores password
• Threshold password storage
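
The "Password storage" slide's point about salt, as an added example that is not part of the original slides: a weak-password audit over a constructed user table, counting how many hashes the same wordlist costs with a shared salt versus per-user salts. PBKDF2-SHA256, the iteration count, the function names and all sample data are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumed work factor, kept low so the demo runs quickly

def H(salt: bytes, pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def enroll(pw: str, salt=None):
    """Return the stored record (salt, digest); a fresh random salt by default."""
    salt = os.urandom(16) if salt is None else salt
    return salt, H(salt, pw)

def verify(pw: str, record) -> bool:
    salt, digest = record
    return hmac.compare_digest(H(salt, pw), digest)

def audit(db: dict, wordlist: list):
    """Weak-password audit: (users whose password is listed, hashes computed)."""
    by_salt = {}
    for user, (salt, digest) in db.items():
        by_salt.setdefault(salt, []).append((user, digest))
    weak, hashes = set(), 0
    for salt, entries in by_salt.items():
        for word in wordlist:          # one hash per (distinct salt, word)
            guess = H(salt, word)
            hashes += 1
            weak.update(u for u, d in entries if hmac.compare_digest(guess, d))
    return sorted(weak), hashes

# Constructed sample data, not taken from the slides.
PASSWORDS = {"alice": "sunshine", "bob": "sunshine", "carol": "T7#vq long phrase"}
WORDLIST = ["password", "sunshine", "letmein"]
FIXED = b"\x00" * 16                   # same salt for everyone = effectively unsalted
UNSALTED_DB = {u: enroll(p, FIXED) for u, p in PASSWORDS.items()}
SALTED_DB = {u: enroll(p) for u, p in PASSWORDS.items()}
```

With the shared salt one pass over the wordlist covers every user; with per-user salts the cost is multiplied by the number of users, while checking a single user's record costs the same in both tables.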

Centralized password storage
• Authentication storage node
  • Central server stores password; servers request the password to authenticate user
• Auth. facilitator node
  • Central server stores password; servers send information from user to be authenticated by the central server
• Note that central server must be authenticated!

Basic authentication protocols…
• Server stores H(pw); user sends pw
  • “Secure” against server compromise, but not eavesdropping (or replay attacks)
• Server stores pw, sends R; user sends H(pw,R)
  • Secure against eavesdropping, but not server compromise (or dictionary attack)
  • What if the user sends R also…?
• Can we achieve security against both?

Other techniques for human auth.
• Tokens
  • Magnetic stripe cards
  • Smartcards
  • “Standalone” tokens:
• Difficult to use securely!
• Still need a secure auth. protocol!

Biometrics
• Various possibilities…
• Drawbacks
  • Entropy?
  • Are biometric data secret?
  • Revocation?
  • Non-uniform
  • Errors
• Still need a secure protocol…

Public-key protocols
• Server stores pk; user stores sk
• Server sends R; user signs R
  • Using a secure signature scheme…
• Is this secure?
  • Potential weaknesses
  • What if we had used encryption instead?
• Can we achieve security against server compromise and eavesdropping without using public-key crypto?

Lamport’s hashing protocol
• Server stores H^n(pw); user sends H^(n-1)(pw)
• Server updates user’s entry…
• Can also add “salt” to hash
• Can use same password on different sites
• Protects against off-line attacks
• Can use same password (but different salt) when password “expires”

Some attacks…
• Secret expires…
• No mutual authentication
• “Small n” attack

Session key establishment
• There are very few applications for which authentication alone is sufficient!
• What do you do once you are authenticated?
• Generally, need to establish a session key
• Efficiency advantages to using symmetric-key techniques if public-key auth. is used
• Advantages even if a symmetric key is already shared …
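
Lamport's hashing protocol with the salt, the entry update and the expiry from the slides above, as an added example that is not part of the original slides. SHA-256 as H, the class names and the sample values are assumptions, and the client-side check on n is one assumed way to address the "small n" item on the attacks slide.

```python
import hashlib
import hmac

def chain(pw: bytes, salt: bytes, k: int) -> bytes:
    """H^k(pw, salt): apply SHA-256 k times (hash choice is an assumption)."""
    x = salt + b":" + pw
    for _ in range(k):
        x = hashlib.sha256(x).digest()
    return x

class LamportServer:
    def __init__(self, pw: bytes, salt: bytes, n: int):
        # Only H^n(pw) is kept; the password itself is never stored.
        self.salt, self.n, self.stored = salt, n, chain(pw, salt, n)

    def challenge(self):
        if self.n < 2:  # next response would be H^0, i.e. the password itself
            raise RuntimeError("chain exhausted: password must be reset")
        return self.n, self.salt

    def login(self, response: bytes) -> bool:
        hashed = hashlib.sha256(response).digest()
        if self.n < 2 or not hmac.compare_digest(hashed, self.stored):
            return False
        self.stored, self.n = response, self.n - 1  # server updates user's entry
        return True

class LamportClient:
    def __init__(self, pw: bytes):
        self.pw, self.last_n = pw, None

    def respond(self, n: int, salt: bytes) -> bytes:
        # Guard against the "small n" problem (an added assumption: the client
        # remembers the last n it saw, which a roaming user cannot do).
        if n < 2 or (self.last_n is not None and n < self.last_n - 1):
            raise ValueError("unexpectedly small n: refusing to answer")
        self.last_n = n
        return chain(self.pw, salt, n - 1)

def demo():
    pw, salt = b"constructed passphrase", b"site-a"  # constructed sample values
    server, client = LamportServer(pw, salt, 4), LamportClient(pw)
    sent = client.respond(*server.challenge())   # H^3(pw)
    first = server.login(sent)                   # accepted, entry becomes H^3
    replay = server.login(sent)                  # H(H^3) = H^4 != stored H^3
    second = server.login(client.respond(*server.challenge()))
    return first, replay, second, server.n
```

The replayed value fails because the stored entry has already moved one step down the chain, and a server with n below 2 stops issuing challenges, which is the "secret expires" item.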

Session keys
• Reduces effectiveness of cryptanalysis
• If a key is compromised, only one conversation is affected
• Prevents replay of messages from other conversations
• Better security from un-trusted host

KDCs
• Key Distribution Centers
• Advantages of symmetric-key crypto, without O(n^2) keys
• But requires a trusted intermediary
• Single point of failure/attack

Multiple intermediaries
• Can use multiple KDCs…
• Can have all pairs of KDCs share a key
• More likely, there will be a hierarchy of KDCs

Basic key exchange
• Public-key based…
• Diffie-Hellman key exchange
• Not authenticated (yet)!