CIT 480: Securing Computer Systems

Passwords

Topics
1. Password Systems
2. Threat Models: Online, Offline, Side Channel
3. Storing Passwords: Hashing and Salting
4. Examples: UNIX, Windows, Kerberos
5. Password Selection
6. Graphical Passwords
7. One-Time Passwords

Authentication System
A: set of authentication information
  – information used by entities to prove identity
C: set of complementary information
  – information stored by system to validate A
F: set of complementation functions f : A → C
  – generate C from A
L: set of authentication functions l : A × C → {T, F}
  – verify identity
S: set of selection functions
  – enable entity to create or alter A or C

Password System Example
Authenticate with 8-character alphanumeric password.
System compares against stored cleartext password.
A = [A-Za-z0-9]{8}
C = A
F = { I }
L = { = }
Security problem: a threat who gains access to password file knows password for every user.

Password Storage
Solution: We should store complementary information instead of passwords, so threat doesn’t get every password by stealing one file.
Idea #1: Encrypt passwords.
  – Encrypt passwords with secret key.
  – Store ciphertext.
  – Problem: what if attacker finds secret key?
Idea #2: Hash passwords.
  – Store hash value of password.
  – No Problem: hashes can’t be turned back into passwords.

Password System Example #2
Authenticate with 8-character alphanumeric password.
System compares with stored MD5 hash of password.
A = [A-Za-z0-9]{8}
C = 128-bit numbers
F = { MD5 }
L = { MD5(a) = c }

Password Leaks are Common

Threat Models
1. Online Attacks
  – Threat has access to login user interface.
  – Attack attempts to guess passwords using the user interface. Slow but always possible.
2. Offline Attacks
  – Threat has access to hashed passwords.
  – Attack is to guess words, hash words, then compare with hashed passwords. Fast but needs hashes first.
3. Side Channel Attacks
  – Threat has access to account management UI.
  – Attack by using password reset or update functionality.

Online Password Cracking

Offline Password Cracking
[Flowchart: inputs are a password dictionary and a list of usernames + hashed passwords. Steps: word = next dictionary word; wordhash = Hash(word); for each (username, hash), test word == hash; if false, continue; if true, Store(usernames, word).]

Side-Channel Attacks
Web sites will e-mail you your password if you answer a simple “secret” question:
  – What is your favorite color?
  – What is your pet’s name?
  – What is your mother’s maiden name?
Violation of fail-safe defaults
  – Failover to less secure protocol.
  – How many favorite colors exist?

Cracking Methods
1. List of candidate passwords
2. Permutation rules
  – Append or prepend symbols or numbers
  – Substitute numbers/symbols for letters
  – Change case, pluralize, reverse words, character shifts, joining words
3. Brute force
  – Try all possible passwords in length range
  – Only feasible for offline cracking of passwords less than 10 characters long.

Cracking Tools
Online Tools
  – Hydra
  – Medusa
  – NSE brute force scripts
  – Brutus (Windows)
Offline Tools
  – John the Ripper
  – oclHashcat (GPU)
  – Cain and Abel (Windows)
  – Ophcrack (rainbow table)

Parallel Cracking
This $12,000 computer, dubbed Project Erebus v2.5 by creator d3ad0ne, contains eight AMD Radeon HD7970 GPU cards. Running oclHashcat, it requires just 12 hours to brute force all 8 char passwords.

Brute Force Attack Performance
http://blog.erratasec.com/2012/06/linkedin-vs-password-cracking.html

Countering Password Guessing
Choose A, C, and F to select suitably low probability P(T) of guessing in time T.
  – Improve A with longer, complex passwords.
  – Improve C + F by choosing better hash algorithm.
  – Require users to change password after T.
P(T) >= TG / N
  – G is number of guesses per time unit T.
  – T is number of time units in attack.
  – N is number of possible passwords.

Example Password Length Calc
Password System
  – 96 allowable characters for passwords.
  – Attackers can guess 10^6 passwords/second.
  – Users must change passwords each year, so we want probability of a successful guess to be no more than 50% in a year.
To find minimum password length, we start by
  – Finding number of passwords needed (N).
  – N = Σ 96^i, where i ranges from 1 to length of password p
  – N = 96 + 96^2 + 96^3 + … + 96^p
  – Each term in series is almost 100X as big as previous terms, so we can let N = 96^p with an error of only about 1%.

Example Password Length Calc
Solve P(T) >= TG / N for N
  N >= TG / P
Known values
  P(T) = 0.5
  G = 10^7 passwords/second.
  T = 365 days = 365 days x 24 hours/day x 60 min/hour x 60 sec/min = 31,536,000 seconds
Solve N >= TG / P
  – N >= 31,536,000 x 10^7 ÷ 0.5
  – 96^p >= 6.31 x 10^14
  – p >= log_96(6.31 x 10^14) = 7.47
  – We must round up to meet the security requirements, which means
  – The minimum password length for the system is 8 characters.

Password Aging
Requirement that password be changed after a period of time or after an event has occurred
If expected time to guess is 180 days, should change password more frequently than 180 days
1. If change time too short, users have difficulty recalling passwords.
2. Cannot allow users to change password to current one.
3. Also prevent users from changing passwords too soon.
4. Give notice of impending password change requirement.

Rainbow Tables
We can speed up cracking by using a hash table
  – Dictionary of passwords with associated hashes.
  – Contains passwords from char set within length range.
Problem: hash tables require huge storage space.
Solution: Rainbow table algorithm reduces storage.
  – MD5 table of lc + numeric passwords <= 9 needs 80GB.
  – Adding uc + symbols would increase size to about 10TB.
  – Success rate around 99.9% (some passwords missing.)

Salts
Add random, public data to password to create key.
Any word may be hashed in 2^n possible ways:
  – Your password always uses same n-bit salt.
  – Someone else with same password a probably has different salt, and thus different c = f(a).
  – Multiplies size of rainbow table by 2^n.
  – Doesn’t significantly slow down other cracking techniques.
Classic UNIX crypt hashes had a 12-bit salt:
  – Number of possible keys increased to 2^66
  – Rainbow table needs to be 4096 times bigger due to salt.

Password Storage and Use

Classic UNIX Passwords
Passwords are up to 8 ASCII characters
  – A contains 6.9 x 10^16 possible passwords.
  – C contains crypt hashes with 12-bit salts, strings of length 13 chosen from alphabet of 64 characters, 3.0 x 10^23 strings.
  – Hashes stored publicly in /etc/passwd.
Modern Format
  – A is unlimited, as there is no maximum length.
  – C contains 512-bit hash values + 128-bit salt.
  – Hashes stored in /etc/shadow.

Modern Storage: Iterated Hash + Salt
Password security basics
  – Hashes prevent direct access to cleartext passwords.
  – Salts make rainbow tables too expensive to use.
How can we make cracking too expensive?
Solution: slower hashing via
  – Use slower hash algorithms.
  – Run the hash function multiple times, passing output of one iteration as input to next.

Modern Hashing Schemes
SHA512crypt (Linux, Mac OS X)
  – Unlimited password length.
  – 5000 iterations of SHA-512 hash function.
  – 16 character salt.
Bcrypt (OpenBSD, 55 chars, 128-bit salt)
  – Based on modified (slower) Blowfish encryption algorithm.
  – Configurable iteration count for hashing.
  – Increases cost of guessing on a per-account basis.
PBKDF2 (Password-Based Key Derivation Function 2) (.NET)
  – Framework with configurable hash, iterations, salt.
Scrypt
  – Sequential, memory-hard hashing algorithm.
  – Defense against specialized hardware (GPUs, ASICs, FPGAs)

Windows Passwords
Storage
  – %systemroot%\system32\config\sam
  – Locked while OS running so other programs can’t open.
Retrieval
  – Boot system with Ophcrack or Kon-boot USB drive.
  – Tool will copy SAM to USB drive for cracking.
Format
  – Classic: LAN Manager (LM) Hash
  – Modern: NTLM (MD4) Hash
  – Many systems use both for backwards compatibility.

Windows LM Hash Algorithm
1. Password fitted to 14 character length by truncating or padding with 0s.
2. Password converted to upper case.
3. Password divided into two 7-byte halves.
4. Each half used as DES key to encrypt same 8-byte constant.
5. Resultant strings merged to form a 16-byte hash value.

Windows LM Hash Problems
The Problems
1. Last 8 bytes of c known if password < 7 chars.
2. Conversion to upper case reduces character set.
3. Two 7-character passwords are much, much easier to crack than a 14-character password.
Let’s say there are only 10 allowed chars, 0-9, then
  14 chars: 10^14 = 100,000,000,000,000 possible passwords
  7 chars: 10^7 = 10,000,000 possible passwords
Worse, it’s possible to build a rainbow table of all LM passwords since there’s no salt and adversary only needs a table of passwords up to 7 chars long.

NTLM Passwords
NTLM is a replacement for LM hashes.
  – LM authentication disabled by default as of Windows Server 2008 (and Vista on desktop.)
NTLM Hash Algorithm
  – Convert password to Unicode.
  – Hash with MD4 Algorithm.
NTLM Security Problems
  – No salt.
  – Passwords cached on client.
  – Pass-the-hash vulnerabilities.

Obtaining Hashed Passwords
Physical Attacks
  – Reboot system with Kali Linux USB drive.
  – UNIX: cp /etc/{passwd,shadow}
  – Windows: Run bkhive to obtain bootkey.
  – Windows: Run samdump2 to decrypt & copy SAM.
Network Attacks
  – Compromise network service with exploitation framework like Metasploit to run Meterpreter.
  – Use Meterpreter’s hashdump command.

Kerberos
Kerberos is a challenge/response protocol
  – Passwords are never sent over network.
  – Passwords are never stored on client.
  – Users authenticate via tickets, not passwords or hashes.
Open standard based on symmetric cryptography
  – Created by MIT for internal use.
  – Open source and commercial versions exist.
  – Microsoft Active Directory = Kerberos + LDAP.
Password storage
  – Multiple allowed hashing techniques.
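
The salted, iterated storage described under "Salts" and "Modern Storage: Iterated Hash + Salt" above, as an added Python example that is not part of the original slides. It implements f and l with PBKDF2-HMAC-SHA512 next to the unsalted MD5 scheme of Password System Example #2; the account names, passwords, word list and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch, not a value from the slides

def md5_unsalted(password: str) -> str:
    """F = { MD5 } from Password System Example #2, kept only for contrast."""
    return hashlib.md5(password.encode()).hexdigest()

def enroll(password: str) -> dict:
    """Complementation function f: A -> C using a random 128-bit salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}

def verify(password: str, record: dict) -> bool:
    """Authentication function l: A x C -> {T, F}, compared in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def table_hits(table: dict, stored: list) -> int:
    """Count stored values that a precomputed {hash: word} table resolves."""
    return sum(1 for value in stored if value in table)

def demo() -> dict:
    # Constructed sample accounts: two users who chose the same password.
    users = {"alice": "Summer2024", "bob": "Summer2024"}
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: enroll(p) for u, p in users.items()}
    # One precomputed table is reusable against every unsalted hash.
    table = {md5_unsalted(w): w for w in ("password", "Summer2024", "letmein")}
    return {
        "unsalted_equal": unsalted["alice"] == unsalted["bob"],
        "salted_equal": salted["alice"]["hash"] == salted["bob"]["hash"],
        "table_hits_unsalted": table_hits(table, list(unsalted.values())),
        "table_hits_salted": table_hits(
            table, [r["hash"].hex() for r in salted.values()]),
        "verify_good": verify("Summer2024", salted["alice"]),
        "verify_bad": verify("summer2024", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt and iteration count are stored beside the hash because they are public inputs to f; only the password is secret.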

Random Password Selection
Yields equal distribution of passwords for maximum difficulty in cracking.
Random passwords aren’t easy to remember
  – Short term memory holds 7 +/- 2 items
  – People have multiple passwords
  – Principle of Psychological Acceptability
Requires a secure PRNG to be effective.
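
The password length calculation and the secure-PRNG requirement above, combined in an added Python example that is not part of the original slides. It goes slightly beyond the worked calculation by using the exact sum N = Σ 96^i instead of the 96^p approximation, takes G = 10^7 guesses/second and P(T) = 0.5 from the "Known values" step, and assumes a 94-symbol ASCII alphabet for generation.

```python
import math
import secrets
import string

def keyspace(charset_size: int, max_len: int) -> int:
    """N = sum of charset_size**i for i = 1..max_len, as an exact integer."""
    return sum(charset_size ** i for i in range(1, max_len + 1))

def guess_probability(charset_size: int, max_len: int, g: int, t: int) -> float:
    """Bound from the slides, P(T) >= TG / N, capped at 1.0."""
    return min(1.0, t * g / keyspace(charset_size, max_len))

def min_length(charset_size: int, g: int, t: int, p_max: float) -> int:
    """Smallest length p whose keyspace satisfies N >= TG / P."""
    required = math.ceil(t * g / p_max)
    p = 1
    while keyspace(charset_size, p) < required:
        p += 1
    return p

# Assumed alphabet: ASCII letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Pick each character uniformly with the OS CSPRNG (secrets), not random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    year = 365 * 24 * 60 * 60  # T in seconds, as in the slides
    n = min_length(96, 10**7, year, 0.5)
    print(n, guess_probability(96, n, 10**7, year), random_password(n))
```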