CNT4406/5412 Network Security Authentication

Authentication

Zhi Wang

Florida State University

Fall 2014

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 1 / 43 Authentication mechanisms « password-based authentication « address-based authentication « cryptographic authentication protocols

Authentication Introduction Introduction

Authentication is the process of reliably verifying an entity’s identity « e.g., user/computer authentication, message authentication...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 2 / 43 « password-based authentication « address-based authentication « cryptographic authentication protocols

Authentication Introduction Introduction

Authentication is the process of reliably verifying an entity’s identity « e.g., user/computer authentication, message authentication... Authentication mechanisms

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 2 / 43 Authentication Introduction Introduction

Authentication is the process of reliably verifying an entity’s identity « e.g., user/computer authentication, message authentication... Authentication mechanisms « password-based authentication « address-based authentication « cryptographic authentication protocols

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 2 / 43 Threats: eavesdropping, password guessing (dictionary attack)

Authentication Introduction Password-based Authentication

Password-based authentication uses a secret quantity that you state to prove you know it « “It’s not who you know. It’s what you know.”

I’m Alice, the password is ﬁddlesticks Bob Alice

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 3 / 43 Authentication Introduction Password-based Authentication

Password-based authentication uses a secret quantity that you state to prove you know it « “It’s not who you know. It’s what you know.” Threats: eavesdropping, password guessing (dictionary attack)

I’m Alice, the password is ﬁddlesticks Bob Alice

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 3 / 43 It was adopted in early UNIX systems such as Berkeley rtools « /etc/hosts.equiv: computers with identical user accounts « Per-user .rhosts: a list of pairs allowed to access the user’s account Threats: network address spooﬁng

Authentication Introduction Address-based Authentication

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 « /etc/hosts.equiv: computers with identical user accounts « Per-user .rhosts: a list of pairs allowed to access the user’s account Threats: network address spooﬁng

Authentication Introduction Address-based Authentication

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 Threats: network address spooﬁng

Authentication Introduction Address-based Authentication

Address-based authentication assumes the identity of the source can be inferred based on the address (network address/email address) from which messages arrive « “It’s not what you know. It’s where you are.” It was adopted in early UNIX systems such as Berkeley rtools « /etc/hosts.equiv: computers with identical user accounts « Per-user .rhosts: a list of pairs allowed to access the user’s account

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 Authentication Introduction Address-based Authentication

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 Threats: brute-force, eavesdropping, server database breach

R picks random R

R signed with Alice’s private key checks result using Alice’s public key

Authentication Introduction Cryptographic Authentication Protocol

Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the veriﬁer supplies « secret key cryptography, public key cryptography, hash function

I’m Alice knows Alice’s public key Bob Alice

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 Threats: brute-force, eavesdropping, server database breach

R signed with Alice’s private key checks result using Alice’s public key

Authentication Introduction Cryptographic Authentication Protocol

Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the veriﬁer supplies « secret key cryptography, public key cryptography, hash function

I’m Alice knows Alice’s public key

R picks random R Bob Alice

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 Threats: brute-force, eavesdropping, server database breach

Authentication Introduction Cryptographic Authentication Protocol

Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the veriﬁer supplies « secret key cryptography, public key cryptography, hash function

I’m Alice knows Alice’s public key

R picks random R Bob Alice R signed with Alice’s private key checks result using Alice’s public key

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 Authentication Introduction Cryptographic Authentication Protocol

Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the veriﬁer supplies « secret key cryptography, public key cryptography, hash function Threats: brute-force, eavesdropping, server database breach

I’m Alice knows Alice’s public key

R picks random R Bob Alice R signed with Alice’s private key checks result using Alice’s public key

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 What the user has (possession factor) « ATM card, keys, USB token What the user is (inherence factor) « bio-metrics such as voice, ﬁngerprint, iris pattern « beneﬁts and problems?

Authentication User Authentication User Authentication

User authentication can be based on: What the user knows (knowledge factor) « passwords, personal information, credit card numbers...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 6 / 43 What the user is (inherence factor) « bio-metrics such as voice, ﬁngerprint, iris pattern « beneﬁts and problems?

Authentication User Authentication User Authentication

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 6 / 43 Authentication User Authentication User Authentication

User authentication can be based on: What the user knows (knowledge factor) « passwords, personal information, credit card numbers... What the user has (possession factor) « ATM card, keys, USB token What the user is (inherence factor) « bio-metrics such as voice, ﬁngerprint, iris pattern « beneﬁts and problems?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 6 / 43 Threats to password-based authentication? « eavesdropping, leaking of stored passwords, online/oﬄine password guessing, memorizing user-unfriendly passwords, password reuse

Authentication Passwords Password-based User Authentication

Password-based authentication uses a secret quantity that you state to prove you know it « most command method of user authentication

I’m Alice

challenge Bob Alice response based on passwords

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 7 / 43 « eavesdropping, leaking of stored passwords, online/oﬄine password guessing, memorizing user-unfriendly passwords, password reuse

Authentication Passwords Password-based User Authentication

Password-based authentication uses a secret quantity that you state to prove you know it « most command method of user authentication Threats to password-based authentication?

I’m Alice

challenge Bob Alice response based on passwords

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 7 / 43 Authentication Passwords Password-based User Authentication

Password-based authentication uses a secret quantity that you state to prove you know it « most command method of user authentication Threats to password-based authentication? « eavesdropping, leaking of stored passwords, online/oﬄine password guessing, memorizing user-unfriendly passwords, password reuse

I’m Alice

challenge Bob Alice response based on passwords

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 7 / 43 Passwords should be securely stored « always assume stored passwords can and will be leaked!! Passwords shall not be reused among accounts « bad idea for services to use email address as user name!

Authentication Passwords Issues for Password-based Systems

Passwords should be easy to remember but hard to guess, so « users can memorize their passwords (instead of writing them down) « online/oﬄine password guessing won’t be eﬀective

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 8 / 43 Passwords shall not be reused among accounts « bad idea for services to use email address as user name!

Authentication Passwords Issues for Password-based Systems

Passwords should be easy to remember but hard to guess, so « users can memorize their passwords (instead of writing them down) « online/oﬄine password guessing won’t be eﬀective Passwords should be securely stored « always assume stored passwords can and will be leaked!!

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 8 / 43 Authentication Passwords Issues for Password-based Systems

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 8 / 43 « flexible in the authentication protocol design « capturing stored passwords enables impersonating any user Better idea: encrypting the password database « as flexible as storing plaintext passwords « The key to decrypt the database and/or decrypted passwords may be stored as plaintext in the memory at run-time Better idea 2: storing the cryptographic hash of the password « less flexible than storing plaintext passwords (why?) « capturing stored passwords allows for offline password guessing

Authentication Passwords Password Storage

Storing unencrypted passwords is high risk

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 9 / 43 Better idea: encrypting the password database « as flexible as storing plaintext passwords « The key to decrypt the database and/or decrypted passwords may be stored as plaintext in the memory at run-time Better idea 2: storing the cryptographic hash of the password « less flexible than storing plaintext passwords (why?) « capturing stored passwords allows for offline password guessing

Authentication Passwords Password Storage

Storing unencrypted passwords is high risk « ﬂexible in the authentication protocol design « capturing stored passwords enables impersonating any user

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 9 / 43 « as flexible as storing plaintext passwords « The key to decrypt the database and/or decrypted passwords may be stored as plaintext in the memory at run-time Better idea 2: storing the cryptographic hash of the password « less flexible than storing plaintext passwords (why?) « capturing stored passwords allows for offline password guessing

Authentication Passwords Password Storage

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 9 / 43 Better idea 2: storing the cryptographic hash of the password « less ﬂexible than storing plaintext passwords (why?) « capturing stored passwords allows for oﬄine password guessing

Authentication Passwords Password Storage

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 9 / 43 « less ﬂexible than storing plaintext passwords (why?) « capturing stored passwords allows for oﬄine password guessing

Authentication Passwords Password Storage

Storing unencrypted passwords is high risk « ﬂexible in the authentication protocol design « capturing stored passwords enables impersonating any user Better idea: encrypting the password database « as ﬂexible as storing plaintext passwords « The key to decrypt the database and/or decrypted passwords may be stored as plaintext in the memory at run-time Better idea 2: storing the cryptographic hash of the password

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 9 / 43 Authentication Passwords Password Storage

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 9 / 43 The pre-deﬁned list used to come from words in real dictionaries + simple transformations (e.g., appending digits) Millions of leaked passwords (plaintext) have provided both a comprehensive real-world list and patterns of password construction « A SQL injection exposed 32M RockYou.com passwords in 2009

Authentication Dictionary Attack Dictionary Attack

Dictionary attack is a technique to determine decryption key or pass-phrase by exhaustively searching a pre-deﬁned list of values.

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 10 / 43 Millions of leaked passwords (plaintext) have provided both a comprehensive real-world list and patterns of password construction « A SQL injection exposed 32M RockYou.com passwords in 2009

Authentication Dictionary Attack Dictionary Attack

Dictionary attack is a technique to determine decryption key or pass-phrase by exhaustively searching a pre-deﬁned list of values.

The pre-deﬁned list used to come from words in real dictionaries + simple transformations (e.g., appending digits)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 10 / 43 « A SQL injection exposed 32M RockYou.com passwords in 2009

Authentication Dictionary Attack Dictionary Attack

Dictionary attack is a technique to determine decryption key or pass-phrase by exhaustively searching a pre-deﬁned list of values.

The pre-deﬁned list used to come from words in real dictionaries + simple transformations (e.g., appending digits) Millions of leaked passwords (plaintext) have provided both a comprehensive real-world list and patterns of password construction

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 10 / 43 Authentication Dictionary Attack Dictionary Attack

Dictionary attack is a technique to determine decryption key or pass-phrase by exhaustively searching a pre-deﬁned list of values.

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 10 / 43 123456 1666 0.38% password 1373 0.31% password 780 0.18% welcome 534 0.12% welcome 436 0.1% qwerty 464 0.1% ninja 333 0.08% monkey 430 0.1% abc123 250 0.06% jesus 429 0.1% 123456789 222 0.05% love 421 0.1% 12345678 208 0.05% money 407 0.09% sunshine 205 0.05% freedom 385 0.09% princess 202 0.05% ninja 380 0.09% qwerty 172 0.04% writer 367 0.08% top 10 passwords top 10 base words

Authentication Dictionary Attack Example: Leaked Yahoo Passwords (Hashed)

442, 773 passwords were leaked, 342, 478 of them were unique, 100, 295 (22.65%) passwords were used by more than one person

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 11 / 43 password 1373 0.31% welcome 534 0.12% qwerty 464 0.1% monkey 430 0.1% jesus 429 0.1% love 421 0.1% money 407 0.09% freedom 385 0.09% ninja 380 0.09% writer 367 0.08% top 10 base words

Authentication Dictionary Attack Example: Leaked Yahoo Passwords (Hashed)

442, 773 passwords were leaked, 342, 478 of them were unique, 100, 295 (22.65%) passwords were used by more than one person

123456 1666 0.38% password 780 0.18% welcome 436 0.1% ninja 333 0.08% abc123 250 0.06% 123456789 222 0.05% 12345678 208 0.05% sunshine 205 0.05% princess 202 0.05% qwerty 172 0.04% top 10 passwords

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 11 / 43 Authentication Dictionary Attack Example: Leaked Yahoo Passwords (Hashed)

442, 773 passwords were leaked, 342, 478 of them were unique, 100, 295 (22.65%) passwords were used by more than one person

123456 1666 0.38% password 1373 0.31% password 780 0.18% welcome 534 0.12% welcome 436 0.1% qwerty 464 0.1% ninja 333 0.08% monkey 430 0.1% abc123 250 0.06% jesus 429 0.1% 123456789 222 0.05% love 421 0.1% 12345678 208 0.05% money 407 0.09% sunshine 205 0.05% freedom 385 0.09% princess 202 0.05% ninja 380 0.09% qwerty 172 0.04% writer 367 0.08% top 10 passwords top 10 base words

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 11 / 43 Authentication Dictionary Attack IEEE Data Leak (2012)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 12 / 43 « limit number of retries (e.g., ATM card) « process the password really s l o w l y

is password 12345678 limit number of retries

no Bob Trudy response slowly

Authentication Dictionary Attack Online Dictionary Attack

Try the passwords from the list online one-by-one Easy to prevent, how?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 13 / 43 Authentication Dictionary Attack Online Dictionary Attack

Try the passwords from the list online one-by-one Easy to prevent, how? « limit number of retries (e.g., ATM card) « process the password really s l o w l y

is password 12345678 limit number of retries

no Bob Trudy response slowly

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 13 / 43 Hashes of the dictionary can be pre-computed, then used to match one or many password hashes (design challenges?) « need eﬃcient ways to store and search pre-computed hash « hash chain and rainbow table are used to reduce storage space

Authentication Dictionary Attack Oﬄine Dictionary Attack

Obtain the hash(es) of the password(s), compute the hashes of the dictionary, then look for matches

H password dictionary compare hash

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 14 / 43 « need eﬃcient ways to store and search pre-computed hash « hash chain and rainbow table are used to reduce storage space

Authentication Dictionary Attack Oﬄine Dictionary Attack

H password dictionary compare hash

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 14 / 43 Authentication Dictionary Attack Oﬄine Dictionary Attack

Obtain the hash(es) of the password(s), compute the hashes of the dictionary, then look for matches Hashes of the dictionary can be pre-computed, then used to match one or many password hashes (design challenges?) « need eﬃcient ways to store and search pre-computed hash « hash chain and rainbow table are used to reduce storage space

H password dictionary compare hash

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 14 / 43 To create a hash chain: « starts with an initial passwords (start point) « successively apply the hash and reduction function (n times) « a hash chain is stored as < startpoint, endpoint >

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Authentication Hash Chain and Rainbow Table Hash Chains

A hash chain is the successive application of a cryptographic hash function (H) and a reduction function (R) to a piece of data

Reduction function maps a hash value to a (diﬀerent) password

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 15 / 43 « starts with an initial passwords (start point) « successively apply the hash and reduction function (n times) « a hash chain is stored as < startpoint, endpoint >

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Authentication Hash Chain and Rainbow Table Hash Chains

A hash chain is the successive application of a cryptographic hash function (H) and a reduction function (R) to a piece of data

Reduction function maps a hash value to a (diﬀerent) password To create a hash chain:

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 15 / 43 « successively apply the hash and reduction function (n times) « a hash chain is stored as < startpoint, endpoint >

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Authentication Hash Chain and Rainbow Table Hash Chains

A hash chain is the successive application of a cryptographic hash function (H) and a reduction function (R) to a piece of data

Reduction function maps a hash value to a (diﬀerent) password To create a hash chain: « starts with an initial passwords (start point)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 15 / 43 « a hash chain is stored as < startpoint, endpoint >

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Authentication Hash Chain and Rainbow Table Hash Chains

A hash chain is the successive application of a cryptographic hash function (H) and a reduction function (R) to a piece of data

Reduction function maps a hash value to a (diﬀerent) password To create a hash chain: « starts with an initial passwords (start point) « successively apply the hash and reduction function (n times)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 15 / 43 H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Authentication Hash Chain and Rainbow Table Hash Chains

A hash chain is the successive application of a cryptographic hash function (H) and a reduction function (R) to a piece of data

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 15 / 43 Authentication Hash Chain and Rainbow Table Hash Chains

A hash chain is the successive application of a cryptographic hash function (H) and a reduction function (R) to a piece of data

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 15 / 43 « starts with the hash of a password « successively apply the reduction and hash function until hitting an end point, assume its < sn, en > « start from sn, successively apply the hash and reduction function until the original hash of the password is reached. « The last password is the answer.

Authentication Hash Chain and Rainbow Table Hash Chains...

To match against hash chains:

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 16 / 43 « successively apply the reduction and hash function until hitting an end point, assume its < sn, en > « start from sn, successively apply the hash and reduction function until the original hash of the password is reached. « The last password is the answer.

Authentication Hash Chain and Rainbow Table Hash Chains...

To match against hash chains: « starts with the hash of a password

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 16 / 43 « start from sn, successively apply the hash and reduction function until the original hash of the password is reached. « The last password is the answer.

Authentication Hash Chain and Rainbow Table Hash Chains...

To match against hash chains: « starts with the hash of a password « successively apply the reduction and hash function until hitting an end point, assume its < sn, en >

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 16 / 43 « The last password is the answer.

Authentication Hash Chain and Rainbow Table Hash Chains...

To match against hash chains: « starts with the hash of a password « successively apply the reduction and hash function until hitting an end point, assume its < sn, en > « start from sn, successively apply the hash and reduction function until the original hash of the password is reached.

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 16 / 43 Authentication Hash Chain and Rainbow Table Hash Chains...

H R H R R H 123456 0x873D 2@kdu 0x6CE7 ... jStn4 0x854D

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 16 / 43 Rainbow table uses multiple reduction functions (like colors in a rainbow) to mitigate hash chain collision∗

Authentication Hash Chain and Rainbow Table Rainbow Table

If two hash chains collide, they will merge thus reducing the passwords covered

∗ image from Cryptohaze.com Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 17 / 43 Authentication Hash Chain and Rainbow Table Rainbow Table

If two hash chains collide, they will merge thus reducing the passwords covered Rainbow table uses multiple reduction functions (like colors in a rainbow) to mitigate hash chain collision∗

∗ image from Cryptohaze.com Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 17 / 43 Authentication Hash Chain and Rainbow Table Rainbow Table

If two hash chains collide, they will merge thus reducing the passwords covered Rainbow table uses multiple reduction functions (like colors in a rainbow) to mitigate hash chain collision∗

∗ image from Cryptohaze.com Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 17 / 43 Salt is a per-user random value append to the password « password ﬁle contains (username, salt, H(password|salt))* « to verify the password, retrieve the salt from the password ﬁle

Authentication Password Salt Password Salt

Pre-computed rainbow table makes dictionary attack more eﬀective, to mitigate it, apply salt

password|salt

H(password|salt)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 18 / 43 « password ﬁle contains (username, salt, H(password|salt))* « to verify the password, retrieve the salt from the password ﬁle

Authentication Password Salt Password Salt

Pre-computed rainbow table makes dictionary attack more eﬀective, to mitigate it, apply salt Salt is a per-user random value append to the password

password|salt

H(password|salt)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 18 / 43 Authentication Password Salt Password Salt

Pre-computed rainbow table makes dictionary attack more effective, to mitigate it, apply salt Salt is a per-user random value append to the password « password file contains (username, salt, H(password|salt))* « to verify the password, retrieve the salt from the password file

password|salt

H(password|salt)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 18 / 43 offline dictionary attack without a rainbow table? offline dictionary attack against one account with a rainbow table? offline dictionary attack against many accounts with a rainbow table?

Authentication Password Salt Password Salt...

Does password salt help to mitigate...? online dictionary attack?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 19 / 43 oﬄine dictionary attack against one account with a rainbow table? oﬄine dictionary attack against many accounts with a rainbow table?

Authentication Password Salt Password Salt...

Does password salt help to mitigate...? online dictionary attack? oﬄine dictionary attack without a rainbow table?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 19 / 43 oﬄine dictionary attack against many accounts with a rainbow table?

Authentication Password Salt Password Salt...

Does password salt help to mitigate...? online dictionary attack? oﬄine dictionary attack without a rainbow table? oﬄine dictionary attack against one account with a rainbow table?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 19 / 43 Authentication Password Salt Password Salt...

Does password salt help to mitigate...? online dictionary attack? offline dictionary attack without a rainbow table? offline dictionary attack against one account with a rainbow table? offline dictionary attack against many accounts with a rainbow table?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 19 / 43 « id identiﬁes the hash function used id algorithm 1 MD5 2a Blowﬁsh 5 SHA-256 6 SHA-512 « salt is the salt, a random string up to 16 characters « encrypted is the hash of password|salt

Authentication Linux Password Example: Linux Password

A Linux password has the format of username:$id$salt$encrypted

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 20 / 43 « salt is the salt, a random string up to 16 characters « encrypted is the hash of password|salt

Authentication Linux Password Example: Linux Password

A Linux password has the format of username:$id$salt$encrypted « id identiﬁes the hash function used id algorithm 1 MD5 2a Blowﬁsh 5 SHA-256 6 SHA-512

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 20 / 43 « encrypted is the hash of password|salt

Authentication Linux Password Example: Linux Password

A Linux password has the format of username:$id$salt$encrypted « id identiﬁes the hash function used id algorithm 1 MD5 2a Blowﬁsh 5 SHA-256 6 SHA-512 « salt is the salt, a random string up to 16 characters

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 20 / 43 Authentication Linux Password Example: Linux Password

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 20 / 43 ﬁle uid gid permissions /etc/passwd root root -rw-r--r-- /etc/shadow root shadow -rw-r-----

Example (crack it!): test:$6$Rtp8odu0$/wklQb4fmKvRQVPbAOx2UHJrjfQSxeBF8f yLqMhxgmqZTGFQNiBG5LqyRDJ9MNoqRC0Vq3gIHIGUHkTIPhVCb.

Authentication Linux Password Example: Linux Password...

Linux passwords are shadowed in /etc/shadow « They used to be stored in /etc/passwd and universally readable

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 21 / 43 Example (crack it!): test:$6$Rtp8odu0$/wklQb4fmKvRQVPbAOx2UHJrjfQSxeBF8f yLqMhxgmqZTGFQNiBG5LqyRDJ9MNoqRC0Vq3gIHIGUHkTIPhVCb.

Authentication Linux Password Example: Linux Password...

Linux passwords are shadowed in /etc/shadow « They used to be stored in /etc/passwd and universally readable ﬁle uid gid permissions /etc/passwd root root -rw-r--r-- /etc/shadow root shadow -rw-r-----

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 21 / 43 Authentication Linux Password Example: Linux Password...

Example (crack it!): test:$6$Rtp8odu0$/wklQb4fmKvRQVPbAOx2UHJrjfQSxeBF8f yLqMhxgmqZTGFQNiBG5LqyRDJ9MNoqRC0Vq3gIHIGUHkTIPhVCb.

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 21 / 43 Man-in-the-middle network attack Key logger on the password entry system Phishing password entry programs Social engineering

Authentication Other Password-Related Other Attacks to Passwords

Eavesdropping on traﬃc that may contain unencrypted passwords

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 22 / 43 Key logger on the password entry system Phishing password entry programs Social engineering

Authentication Other Password-Related Other Attacks to Passwords

Eavesdropping on traﬃc that may contain unencrypted passwords Man-in-the-middle network attack

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 22 / 43 Phishing password entry programs Social engineering

Authentication Other Password-Related Other Attacks to Passwords

Eavesdropping on traﬃc that may contain unencrypted passwords Man-in-the-middle network attack Key logger on the password entry system

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 22 / 43 Social engineering

Authentication Other Password-Related Other Attacks to Passwords

Eavesdropping on traﬃc that may contain unencrypted passwords Man-in-the-middle network attack Key logger on the password entry system Phishing password entry programs

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 22 / 43 Authentication Other Password-Related Other Attacks to Passwords

Eavesdropping on traﬃc that may contain unencrypted passwords Man-in-the-middle network attack Key logger on the password entry system Phishing password entry programs Social engineering

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 22 / 43 Periodically change the passwords Never reuse the same passwords on multiple sites « accounts have diﬀerent importance, news < email < bank Reject passwords vulnerable to dictionary attacks « remember the top 10 leaked Yahoo passwords? What else?

Authentication Other Password-Related Password Guidelines

Generate initial passwords randomly by the system

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 23 / 43 Never reuse the same passwords on multiple sites « accounts have diﬀerent importance, news < email < bank Reject passwords vulnerable to dictionary attacks « remember the top 10 leaked Yahoo passwords? What else?

Authentication Other Password-Related Password Guidelines

Generate initial passwords randomly by the system Periodically change the passwords

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 23 / 43 Reject passwords vulnerable to dictionary attacks « remember the top 10 leaked Yahoo passwords? What else?

Authentication Other Password-Related Password Guidelines

Generate initial passwords randomly by the system Periodically change the passwords Never reuse the same passwords on multiple sites « accounts have diﬀerent importance, news < email < bank

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 23 / 43 What else?

Authentication Other Password-Related Password Guidelines

Generate initial passwords randomly by the system Periodically change the passwords Never reuse the same passwords on multiple sites « accounts have diﬀerent importance, news < email < bank Reject passwords vulnerable to dictionary attacks « remember the top 10 leaked Yahoo passwords?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 23 / 43 Authentication Other Password-Related Password Guidelines

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 23 / 43 Authentication: Bob challenges Alice with n; Alice responds with Hn−1(pwd)

Alice

x = Hn−1(pwd) compares H(x) to Hn(pwd), if equal,

replace (n, Hn(pwd)) with (n − 1, x)

Authentication Lamport’s Hash Lamport’s Hash

Lamport’s hash is a one-time password scheme

Initialization: Alice picks her password and a number n◦ (e.g., 1000); n◦ Bob stores (n◦, H (pwd))

Alice, pwd

knows Alice’s (n, Hn(pwd)) Bob Alice Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 24 / 43 Alice

x = Hn−1(pwd) compares H(x) to Hn(pwd), if equal,

replace (n, Hn(pwd)) with (n − 1, x)

Authentication Lamport’s Hash Lamport’s Hash

Lamport’s hash is a one-time password scheme

Initialization: Alice picks her password and a number n◦ (e.g., 1000); n◦ Bob stores (n◦, H (pwd)) Authentication: Bob challenges Alice with n; Alice responds with Hn−1(pwd)

Alice, pwd

knows Alice’s (n, Hn(pwd)) Bob Alice Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 24 / 43 n

x = Hn−1(pwd) compares H(x) to Hn(pwd), if equal,

replace (n, Hn(pwd)) with (n − 1, x)

Authentication Lamport’s Hash Lamport’s Hash

Lamport’s hash is a one-time password scheme

Initialization: Alice picks her password and a number n◦ (e.g., 1000); n◦ Bob stores (n◦, H (pwd)) Authentication: Bob challenges Alice with n; Alice responds with Hn−1(pwd)

Alice, pwd Alice knows Alice’s (n, Hn(pwd)) Bob Alice Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 24 / 43 x = Hn−1(pwd) compares H(x) to Hn(pwd), if equal,

replace (n, Hn(pwd)) with (n − 1, x)

Authentication Lamport’s Hash Lamport’s Hash

Lamport’s hash is a one-time password scheme

Initialization: Alice picks her password and a number n◦ (e.g., 1000); n◦ Bob stores (n◦, H (pwd)) Authentication: Bob challenges Alice with n; Alice responds with Hn−1(pwd)

Alice, pwd Alice knows Alice’s (n, Hn(pwd))

n Bob Alice Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 24 / 43 compares H(x) to Hn(pwd), if equal,

replace (n, Hn(pwd)) with (n − 1, x)

Authentication Lamport’s Hash Lamport’s Hash

Lamport’s hash is a one-time password scheme

Initialization: Alice picks her password and a number n◦ (e.g., 1000); n◦ Bob stores (n◦, H (pwd)) Authentication: Bob challenges Alice with n; Alice responds with Hn−1(pwd)

Alice, pwd Alice knows Alice’s (n, Hn(pwd))

n Bob Alice x = Hn−1(pwd) Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 24 / 43 Authentication Lamport’s Hash Lamport’s Hash

Lamport’s hash is a one-time password scheme

Initialization: Alice picks her password and a number n◦ (e.g., 1000); n◦ Bob stores (n◦, H (pwd)) Authentication: Bob challenges Alice with n; Alice responds with Hn−1(pwd)

Alice, pwd Alice knows Alice’s (n, Hn(pwd))

n Bob Alice x = Hn−1(pwd) compares H(x) to Hn(pwd), if equal,

replace (n, Hn(pwd)) with (n − 1, x) Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 24 / 43 « what is the impact of eavesdropping and compromised servers? New password has to be installed after authenticating Alice?? times Lamport’s hash does not authenticate the server! « man-in-the-middle attack

Authentication Lamport’s Hash Lamport’s Hash...

Lamport’s hash relies on the one-way property of the hash function « it is computationally diﬃcult to ﬁnd Hn−1(pwd) from Hn(pwd)

Alice, pwd Alice

n Bob Alice x = Hn−1(pwd) Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 25 / 43 New password has to be installed after authenticating Alice?? times Lamport’s hash does not authenticate the server! « man-in-the-middle attack

Authentication Lamport’s Hash Lamport’s Hash...

Alice, pwd Alice

n Bob Alice x = Hn−1(pwd) Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 25 / 43 Lamport’s hash does not authenticate the server! « man-in-the-middle attack

Authentication Lamport’s Hash Lamport’s Hash...

Lamport’s hash relies on the one-way property of the hash function « it is computationally diﬃcult to ﬁnd Hn−1(pwd) from Hn(pwd) « what is the impact of eavesdropping and compromised servers? New password has to be installed after authenticating Alice?? times

Alice, pwd Alice

n Bob Alice x = Hn−1(pwd) Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 25 / 43 Authentication Lamport’s Hash Lamport’s Hash...

Alice, pwd Alice

n Bob Alice x = Hn−1(pwd) Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 25 / 43 Alice connects to Trudy to authenticate herself Trudy sends a small n to Alice Alice responses with Hn−1(pwd) « Trudy can now response to any challenge n ≥ 50

Alice

x = H49(pwd) Trudy can now impersonate

Alice for 549 times

Authentication Lamport’s Hash Lamport’s Hash: Small n Attack

Trudy impersonates Bob and waits for Alice to connect

Alice, pwd

Alice’s n on Bob is 599 Alice Trudy Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 26 / 43 Trudy sends a small n to Alice Alice responses with Hn−1(pwd) « Trudy can now response to any challenge n ≥ 50

x = H49(pwd) Trudy can now impersonate

Alice for 549 times

Authentication Lamport’s Hash Lamport’s Hash: Small n Attack

Trudy impersonates Bob and waits for Alice to connect Alice connects to Trudy to authenticate herself

Alice, pwd Alice Alice’s n on Bob is 599 Alice Trudy Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 26 / 43 Alice responses with Hn−1(pwd) « Trudy can now response to any challenge n ≥ 50

x = H49(pwd) Trudy can now impersonate

Alice for 549 times

Authentication Lamport’s Hash Lamport’s Hash: Small n Attack

Trudy impersonates Bob and waits for Alice to connect Alice connects to Trudy to authenticate herself Trudy sends a small n to Alice

Alice, pwd Alice Alice’s n on Bob is 599

50 Alice Trudy Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 26 / 43 Trudy can now impersonate

Alice for 549 times

Authentication Lamport’s Hash Lamport’s Hash: Small n Attack

Trudy impersonates Bob and waits for Alice to connect Alice connects to Trudy to authenticate herself Trudy sends a small n to Alice Alice responses with Hn−1(pwd) « Trudy can now response to any challenge n ≥ 50

Alice, pwd Alice Alice’s n on Bob is 599

50 Alice Trudy x = H49(pwd) Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 26 / 43 Authentication Lamport’s Hash Lamport’s Hash: Small n Attack

Alice, pwd Alice Alice’s n on Bob is 599

50 Alice Trudy x = H49(pwd) Trudy can now impersonate

Alice for 549 times Alice’s Computer

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 26 / 43 Knowledge factor is a password or PIN Possession factor has many forms « tokens with a display (disconnected token): RSA Secure ID token « connected tokens: a USB token, smart cards... « mobile phones: Google authenticator Inherence factor is biometrics Is it considered a TFA if two passwords are required??

Authentication Two Factor Authentication Two Factor Authentication (TFA)

TFA requires the presentation of at least two of the three authentication factors: a knowledge factor, a possession factor, and an inherence factor

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 27 / 43 Possession factor has many forms « tokens with a display (disconnected token): RSA Secure ID token « connected tokens: a USB token, smart cards... « mobile phones: Google authenticator Inherence factor is biometrics Is it considered a TFA if two passwords are required??

Authentication Two Factor Authentication Two Factor Authentication (TFA)

TFA requires the presentation of at least two of the three authentication factors: a knowledge factor, a possession factor, and an inherence factor Knowledge factor is a password or PIN

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 27 / 43 Inherence factor is biometrics Is it considered a TFA if two passwords are required??

Authentication Two Factor Authentication Two Factor Authentication (TFA)

TFA requires the presentation of at least two of the three authentication factors: a knowledge factor, a possession factor, and an inherence factor Knowledge factor is a password or PIN Possession factor has many forms « tokens with a display (disconnected token): RSA Secure ID token « connected tokens: a USB token, smart cards... « mobile phones: Google authenticator

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 27 / 43 Is it considered a TFA if two passwords are required??

Authentication Two Factor Authentication Two Factor Authentication (TFA)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 27 / 43 Authentication Two Factor Authentication Two Factor Authentication (TFA)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 27 / 43 Passcodes are derived from a shared secret, and « sequence-based token: times that a button has been pushed « time-based token: current time of a wall clock « keypad token: a keypad to input the challenge Mobile-phone based token: It turns a mobile phone into a token using SMS messaging or downloadable apps « Google authenticator

Authentication Two Factor Authentication Two Factor Authentication...

Disconnected token: It usually has a display to show a changing passcode

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 « sequence-based token: times that a button has been pushed « time-based token: current time of a wall clock « keypad token: a keypad to input the challenge Mobile-phone based token: It turns a mobile phone into a token using SMS messaging or downloadable apps « Google authenticator

Authentication Two Factor Authentication Two Factor Authentication...

Disconnected token: It usually has a display to show a changing passcode Passcodes are derived from a shared secret, and

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 « time-based token: current time of a wall clock « keypad token: a keypad to input the challenge Mobile-phone based token: It turns a mobile phone into a token using SMS messaging or downloadable apps « Google authenticator

Authentication Two Factor Authentication Two Factor Authentication...

Disconnected token: It usually has a display to show a changing passcode Passcodes are derived from a shared secret, and « sequence-based token: times that a button has been pushed

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 « keypad token: a keypad to input the challenge Mobile-phone based token: It turns a mobile phone into a token using SMS messaging or downloadable apps « Google authenticator

Authentication Two Factor Authentication Two Factor Authentication...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 Mobile-phone based token: It turns a mobile phone into a token using SMS messaging or downloadable apps « Google authenticator

Authentication Two Factor Authentication Two Factor Authentication...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 It turns a mobile phone into a token using SMS messaging or downloadable apps « Google authenticator

Authentication Two Factor Authentication Two Factor Authentication...

Disconnected token: It usually has a display to show a changing passcode Passcodes are derived from a shared secret, and « sequence-based token: times that a button has been pushed « time-based token: current time of a wall clock « keypad token: a keypad to input the challenge Mobile-phone based token:

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 « Google authenticator

Authentication Two Factor Authentication Two Factor Authentication...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 Authentication Two Factor Authentication Two Factor Authentication...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 28 / 43 Biometric authentication should be... « uniquely identifying with high accuracy « diﬃcult to forge/mimic « simply and fast to use Example biometric devices « retinal scanner, ﬁngerprint reader, face recognition, iris scanner, handprint reader, voiceprints, keystroke timing, signatures

Authentication Two Factor Authentication Biometrics

Biometric authenticates people by measuring their physical characteristics and matching them against a proﬁle

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 29 / 43 « uniquely identifying with high accuracy « diﬃcult to forge/mimic « simply and fast to use Example biometric devices « retinal scanner, ﬁngerprint reader, face recognition, iris scanner, handprint reader, voiceprints, keystroke timing, signatures

Authentication Two Factor Authentication Biometrics

Biometric authenticates people by measuring their physical characteristics and matching them against a proﬁle Biometric authentication should be...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 29 / 43 Example biometric devices « retinal scanner, ﬁngerprint reader, face recognition, iris scanner, handprint reader, voiceprints, keystroke timing, signatures

Authentication Two Factor Authentication Biometrics

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 29 / 43 Authentication Two Factor Authentication Biometrics

Biometric authenticates people by measuring their physical characteristics and matching them against a profile Biometric authentication should be... « uniquely identifying with high accuracy « difficult to forge/mimic « simply and fast to use Example biometric devices « retinal scanner, fingerprint reader, face recognition, iris scanner, handprint reader, voiceprints, keystroke timing, signatures

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 29 / 43 Biometric information may be mechanically copied and cannot be as easily replaced « using a picture to bypass face recognition! Biometric information leads to privacy concerns

Authentication Two Factor Authentication Biometrics...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 30 / 43 « using a picture to bypass face recognition! Biometric information leads to privacy concerns

Authentication Two Factor Authentication Biometrics...

Biometrics work by turning physical characteristics into a string of data, then match it against a proﬁle « Accuracy, security, and speed depend on the algorithm « the strength of biometric devices is diﬃcult to quantify Biometric information may be mechanically copied and cannot be as easily replaced

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 30 / 43 Biometric information leads to privacy concerns

Authentication Two Factor Authentication Biometrics...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 30 / 43 Authentication Two Factor Authentication Biometrics...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 30 / 43 Initial setup Smart phone based two factor authentication « what if the user lost his phone? Apps that don’t support 2-step veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation

Google allows 2-step veriﬁcation (TFA) to add an extra layer of security to Google Accounts. Many real-world design considerations:

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 31 / 43 Smart phone based two factor authentication « what if the user lost his phone? Apps that don’t support 2-step veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation

Google allows 2-step veriﬁcation (TFA) to add an extra layer of security to Google Accounts. Many real-world design considerations: Initial setup

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 31 / 43 « what if the user lost his phone? Apps that don’t support 2-step veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation

Google allows 2-step veriﬁcation (TFA) to add an extra layer of security to Google Accounts. Many real-world design considerations: Initial setup Smart phone based two factor authentication

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 31 / 43 Apps that don’t support 2-step veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation

Google allows 2-step veriﬁcation (TFA) to add an extra layer of security to Google Accounts. Many real-world design considerations: Initial setup Smart phone based two factor authentication « what if the user lost his phone?

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 31 / 43 Authentication Two Factor Authentication Google 2-Step Veriﬁcation

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 31 / 43 « web: link your Google account to a phone number « phone: receive the initial code by the phone via SMS or voice « web: verify the code to enable 2-setup veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Initial SMS/voice setup:

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 32 / 43 « phone: receive the initial code by the phone via SMS or voice « web: verify the code to enable 2-setup veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Initial SMS/voice setup: « web: link your Google account to a phone number

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 32 / 43 « web: verify the code to enable 2-setup veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Initial SMS/voice setup: « web: link your Google account to a phone number « phone: receive the initial code by the phone via SMS or voice

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 32 / 43 Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Initial SMS/voice setup: « web: link your Google account to a phone number « phone: receive the initial code by the phone via SMS or voice « web: verify the code to enable 2-setup veriﬁcation

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 32 / 43 « Google Authenticator is an app for Android/iOS/BlackBerry « it is a time-based token that works w/o Internet access « you can have only one active Google Authenticator app « use a backup phone or printable one-time passwords if phone is lost

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Smart-phone based two factor authentication

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 33 / 43 « it is a time-based token that works w/o Internet access « you can have only one active Google Authenticator app « use a backup phone or printable one-time passwords if phone is lost

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Smart-phone based two factor authentication « Google Authenticator is an app for Android/iOS/BlackBerry

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 33 / 43 « you can have only one active Google Authenticator app « use a backup phone or printable one-time passwords if phone is lost

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Smart-phone based two factor authentication « Google Authenticator is an app for Android/iOS/BlackBerry « it is a time-based token that works w/o Internet access

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 33 / 43 « use a backup phone or printable one-time passwords if phone is lost

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Smart-phone based two factor authentication « Google Authenticator is an app for Android/iOS/BlackBerry « it is a time-based token that works w/o Internet access « you can have only one active Google Authenticator app

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 33 / 43 Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 33 / 43 Mark a computer/device as trusted to avoid further 2-step veriﬁcation

Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Generate app-specific keys for apps that don’t support 2-step verification « lots of apps: Google+, Google Chrome, third-party email clients... « most painful part of 2-step verification experience

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 34 / 43 Authentication Two Factor Authentication Google 2-Step Veriﬁcation...

Mark a computer/device as trusted to avoid further 2-step veriﬁcation

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 34 / 43 n new keys need to be installed if a new node joins the network n(n−1) in total, 2 keys need to be securely distributed!

Authentication Trusted Intermediaries Key Explosion

Number of keys for pair-wise authentication explodes in large networks: Each node needs to know n − 1 keys

γ δ β

α n = 8, 28 shared keys

η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 35 / 43 n(n−1) in total, 2 keys need to be securely distributed!

Authentication Trusted Intermediaries Key Explosion

Number of keys for pair-wise authentication explodes in large networks: Each node needs to know n − 1 keys n new keys need to be installed if a new node joins the network

γ δ β

α n = 8, 28 shared keys

η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 35 / 43 Authentication Trusted Intermediaries Key Explosion

Number of keys for pair-wise authentication explodes in large networks: Each node needs to know n − 1 keys n new keys need to be installed if a new node joins the network n(n−1) in total, 2 keys need to be securely distributed!

γ δ β

α n = 8, 28 shared keys

η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 35 / 43 KDC knows the master key for each node « master key is used for communication between KDC and the node « adding a new node only need to install its master key on KDC KDC creates and distributes session keys for communications between nodes (how?)

Authentication Trusted Intermediaries Key Distribution Center (KDC)

KDC is a trusted node that manages secret keys for the network

γ δ β

KDC α

η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 36 / 43 KDC creates and distributes session keys for communications between nodes (how?)

Authentication Trusted Intermediaries Key Distribution Center (KDC)

KDC is a trusted node that manages secret keys for the network KDC knows the master key for each node « master key is used for communication between KDC and the node « adding a new node only need to install its master key on KDC

γ δ β

KDC α

η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 36 / 43 Authentication Trusted Intermediaries Key Distribution Center (KDC)

γ δ β

KDC α

η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 36 / 43 KDC generates the session key Rαβ and a ticket for β, send them to α

α forwards the ticket to β, β decrypts it with Kβ and get Rαβ

Kα{β, Rαβ }, Kβ {α, Rαβ }

Kβ {α, Rαβ }

Authentication Trusted Intermediaries Key Distribution Center: Session Key

α talks to KDC (securely) to request a key with β

α wants β β α KDC

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 37 / 43 α forwards the ticket to β, β decrypts it with Kβ and get Rαβ

Kβ {α, Rαβ }

Authentication Trusted Intermediaries Key Distribution Center: Session Key

α talks to KDC (securely) to request a key with β

KDC generates the session key Rαβ and a ticket for β, send them to α

α wants β

Kα{β, Rαβ }, Kβ {α, Rαβ } β α KDC

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 37 / 43 Authentication Trusted Intermediaries Key Distribution Center: Session Key

α talks to KDC (securely) to request a key with β

KDC generates the session key Rαβ and a ticket for β, send them to α

α forwards the ticket to β, β decrypts it with Kβ and get Rαβ

α wants β

Kα{β, Rαβ }, Kβ {α, Rαβ } β α KDC Kβ {α, Rαβ }

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 37 / 43 KDC is a single point of failure KDC might be a performance bottleneck « replicate KDCs?

Authentication Trusted Intermediaries Key Distribution Center: Limitations

KDC is security critical, it can impersonate any node to any node

γ δ β KDC α η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 38 / 43 KDC might be a performance bottleneck « replicate KDCs?

Authentication Trusted Intermediaries Key Distribution Center: Limitations

KDC is security critical, it can impersonate any node to any node KDC is a single point of failure

γ δ β KDC α η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 38 / 43 Authentication Trusted Intermediaries Key Distribution Center: Limitations

KDC is security critical, it can impersonate any node to any node KDC is a single point of failure KDC might be a performance bottleneck « replicate KDCs?

γ δ β KDC α η ε ζ

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 38 / 43 Break the world into domains, and let each domain have its own KDC « communication in the same domain remains unchanged « each KDC has a shared key with KDCs it’s willing to talk to « communication cross domains require KDC’s involvement

Authentication Trusted Intermediaries Multiple KDC Domains

No single KDC will be trusted by all principles in the world « e.g., KGB and CIA, Apple and Google

b γ c a δ β

d KDCA KDCB α

e g ζ f ε

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 39 / 43 « each KDC has a shared key with KDCs it’s willing to talk to « communication cross domains require KDC’s involvement

Authentication Trusted Intermediaries Multiple KDC Domains

b γ c a δ β

d KDCA KDCB α

e g ζ f ε

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 39 / 43 Authentication Trusted Intermediaries Multiple KDC Domains

No single KDC will be trusted by all principles in the world « e.g., KGB and CIA, Apple and Google Break the world into domains, and let each domain have its own KDC « communication in the same domain remains unchanged « each KDC has a shared key with KDCs it’s willing to talk to « communication cross domains require KDC’s involvement

b γ c a δ β

d KDCA KDCB α

e g ζ f ε

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 39 / 43 a requests KDC1 to create a session key with KDC2

a requests KDC2 to create a session key with β a can now securely talk to β

Authentication Trusted Intermediaries Multiple KDC Domains: Cross-domain Key Distribution

For node a in KDC1 to communicate with β in KDC2:

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 40 / 43 a requests KDC2 to create a session key with β a can now securely talk to β

Authentication Trusted Intermediaries Multiple KDC Domains: Cross-domain Key Distribution

For node a in KDC1 to communicate with β in KDC2:

a requests KDC1 to create a session key with KDC2

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 40 / 43 a can now securely talk to β

Authentication Trusted Intermediaries Multiple KDC Domains: Cross-domain Key Distribution

For node a in KDC1 to communicate with β in KDC2:

a requests KDC1 to create a session key with KDC2

a requests KDC2 to create a session key with β

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 40 / 43 Authentication Trusted Intermediaries Multiple KDC Domains: Cross-domain Key Distribution

For node a in KDC1 to communicate with β in KDC2:

a requests KDC1 to create a session key with KDC2

a requests KDC2 to create a session key with β a can now securely talk to β

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 40 / 43 CA is the public key equivalent of KDC « it solves the problem of how to securely distribute public keys Compared to KDC: « all nodes only need to be pre-conﬁgured with CA’s public key « CA does not need to be on-line: more secure « network won’t be disabled if CA were to crash « certiﬁcates are not security-sensitive, they can be stored anywhere « a compromised CA cannot decrypt conversations (why?)

Authentication Trusted Intermediaries Certiﬁcation Authorities (CAs)

CA is a trusted node to generate (sign) certiﬁcates that speciﬁes a name and its public key

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 41 / 43 Compared to KDC: « all nodes only need to be pre-conﬁgured with CA’s public key « CA does not need to be on-line: more secure « network won’t be disabled if CA were to crash « certiﬁcates are not security-sensitive, they can be stored anywhere « a compromised CA cannot decrypt conversations (why?)

Authentication Trusted Intermediaries Certiﬁcation Authorities (CAs)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 41 / 43 « CA does not need to be on-line: more secure « network won’t be disabled if CA were to crash « certiﬁcates are not security-sensitive, they can be stored anywhere « a compromised CA cannot decrypt conversations (why?)

Authentication Trusted Intermediaries Certiﬁcation Authorities (CAs)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 41 / 43 « network won’t be disabled if CA were to crash « certiﬁcates are not security-sensitive, they can be stored anywhere « a compromised CA cannot decrypt conversations (why?)

Authentication Trusted Intermediaries Certiﬁcation Authorities (CAs)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 41 / 43 « certiﬁcates are not security-sensitive, they can be stored anywhere « a compromised CA cannot decrypt conversations (why?)

Authentication Trusted Intermediaries Certiﬁcation Authorities (CAs)

CA is a trusted node to generate (sign) certificates that specifies a name and its public key CA is the public key equivalent of KDC « it solves the problem of how to securely distribute public keys Compared to KDC: « all nodes only need to be pre-configured with CA’s public key « CA does not need to be on-line: more secure « network won’t be disabled if CA were to crash

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 41 / 43 « a compromised CA cannot decrypt conversations (why?)

Authentication Trusted Intermediaries Certiﬁcation Authorities (CAs)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 41 / 43 Authentication Trusted Intermediaries Certiﬁcation Authorities (CAs)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 41 / 43 Certificates are distributed and not easy to revoke (unlike KDC) Certificate Revocation List (CRL) contains a list of unexpired but revoked certificates « CRL has an issue time, do not honor old CRLs

Authentication Trusted Intermediaries Certiﬁcate Revocation

A certiﬁcate has an expiration date, early revocation may be needed « never honor an expired certiﬁcate « e.g., an ex-employee

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 42 / 43 Certiﬁcate Revocation List (CRL) contains a list of unexpired but revoked certiﬁcates « CRL has an issue time, do not honor old CRLs

Authentication Trusted Intermediaries Certiﬁcate Revocation

A certificate has an expiration date, early revocation may be needed « never honor an expired certificate « e.g., an ex-employee Certificates are distributed and not easy to revoke (unlike KDC)

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 42 / 43 « CRL has an issue time, do not honor old CRLs

Authentication Trusted Intermediaries Certiﬁcate Revocation

A certificate has an expiration date, early revocation may be needed « never honor an expired certificate « e.g., an ex-employee Certificates are distributed and not easy to revoke (unlike KDC) Certificate Revocation List (CRL) contains a list of unexpired but revoked certificates

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 42 / 43 Authentication Trusted Intermediaries Certiﬁcate Revocation

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 42 / 43 Authentication Trusted Intermediaries Summary

Authentication Passwords: storage, dictionary attack, rainbow table, salt Lamport’s hash Two factor authentication Biometrics Trusted intermediaries: KDC and CA

Next lecture: Security Handshake

Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 43 / 43