CIT 480: Securing Computer Systems

Passwords

Topics

1. Systems
2. Threat Models: Online, Offline, Side Channel
3. Storing : Hashing and Salting
4. Examples: , Windows,
5. Password Selection
6. Graphical Passwords
7. One-Time Passwords

System

A: set of authentication information
– information used by entities to prove identity
C: set of complementary information
– information stored by system to validate A
F: set of complementation functions f : A → C
– generate C from A
L: set of authentication functions l : A × C → {T, F}
– verify identity
S: set of selection functions
– enable entity to create or alter A or C

Password System Example

Authenticate with 8-character alphanumeric password. System compares against stored cleartext password.

A = [A-Za-z0-9]{8}
C = A
F = { I }
L = { = }

Security problem: a threat who gains access to password file knows password for every user.

Password Storage

Solution: We should store complementary information instead of passwords, so threat doesn’t get every password by stealing one file.

Idea #1: Encrypt passwords.
– Encrypt passwords with secret .
– Store .
– Problem: what if attacker finds secret key?
Idea #2: Hash passwords.
– Store hash value of password.
– No Problem: hashes can’t be turned back into passwords.

Password System Example #2

Authenticate with 8-character alphanumeric password. System compares with stored MD5 hash of password.

A = [A-Za-z0-9]{8}
C = 128-bit numbers
F = { MD5 }
L = { MD5(a)=c }

Password Leaks are Common

Threat Models

1. Online Attacks
– Threat has access to login user interface.
– Attack attempts to guess passwords using the user interface. Slow but always possible.
2. Offline Attacks
– Threat has access to hashed passwords.
– Attack is to guess words, hash words, then compare with hashed passwords. Fast but needs hashes first.
3. Side Channel Attacks
– Threat has access to account management UI.
– Attack by using password reset or update functionality.

Online Offline Password Cracking

[Flowchart: offline password cracking. Inputs: password dictionary; usernames + hashed passwords.]
1. word = Next dictionary word
2. wordhash = Hash(word)
3. For each (username, hash): wordhash == hash?
– False: continue with the next entry.
– True: Store(usernames, word)

Side-Channel Attacks

Web sites will e-mail you your password if you answer a simple “secret” question:
– What is your favorite color?
– What is your pet’s name?
– What is your mother’s maiden name?
Violation of fail-safe defaults
– Failover to less secure protocol.
– How many favorite colors exist?

Cracking Methods

1. List of candidate passwords
2. Permutation rules
– Append or prepend symbols or numbers
– Substitute numbers/symbols for letters
– Change case, pluralize, reverse words, character shifts, joining words
3. Brute force
– Try all possible passwords in length range
– Only feasible for offline cracking of passwords less than 10 characters long.

Cracking Tools

Online Tools
– Hydra
– Medusa
– NSE brute force scripts
– Brutus (Windows)
Offline Tools
–
– oclHashcat (GPU)
– (Windows)
– ()

Parallel Cracking

This $12,000 computer, dubbed Project Erebus v2.5 by creator d3ad0ne, contains eight AMD Radeon HD7970 GPU cards. Running oclHashcat, it requires just 12 hours to brute force all 8 char passwords.

Brute Force Attack Performance

http://blog.erratasec.com/2012/06/linkedin-vs-password-cracking.html

Countering Password Guessing

Choose A, C, and F to select suitably low probability P(T) of guessing in time T.
– Improve A with longer, complex passwords.
– Improve C + F by choosing better hash algorithm.
– Require users to change password after T.
P(T) >= TG / N
– G is number of guesses per time unit T.
– T is number of time units in attack.
– N is number of possible passwords.

Example Password Length Calc

Password System
– 96 allowable characters for passwords.
– Attackers can guess 10^6 passwords/second.
– Users must change passwords each year, so we want probability of a successful guess to be no more than 50% in a year.
To find minimum password length, we start by
– Finding number of passwords needed (N).

– N = Σ 96^i, where i ranges from 1 to length of password p
– N = 96 + 96^2 + 96^3 + … + 96^p
– Each term in series is almost 100X as big as previous terms, so we can let N = 96^p with an error of only about 1%.

Example Password Length Calc

Solve P(T) >= TG / N for N
N >= TG/P
Known values
P(T) = 0.5
G = 10^7 passwords/second.
T = 365 days = 365 days x 24 hours/day x 60 min/hour x 60 sec/min = 31,536,000 seconds
Solve N >= TG/P
– N >= 31,536,000 x 10^7 ÷ 0.5
– 96^p >= 6.31 x 10^14
– p >= log_96(6.31 x 10^14) = 7.47
– We must round up to meet the security requirements, which means
– The minimum password length for the system is 8 characters.
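The same calculation as an added example (not part of the original slides), using the exact series for N instead of the 96^p approximation and G = 10^7 as in the worked solution. It also goes one step further and inverts the formula to give the longest password age for a given length; the function names are assumptions of this example.

```python
from fractions import Fraction

def password_space(charset_size, max_len):
    """N: number of passwords of length 1..max_len (the exact series, not just 96^p)."""
    return sum(charset_size ** i for i in range(1, max_len + 1))

def guess_probability(charset_size, max_len, guesses_per_sec, seconds):
    """P(T) = T*G/N for an attacker who never repeats a guess, capped at 1."""
    n = password_space(charset_size, max_len)
    return min(Fraction(1), Fraction(seconds * guesses_per_sec, n))

def min_length(charset_size, guesses_per_sec, seconds, max_prob):
    """Smallest maximum length p for which T*G/N <= max_prob."""
    needed = Fraction(seconds * guesses_per_sec) / Fraction(max_prob)
    p = 1
    while password_space(charset_size, p) < needed:
        p += 1
    return p

def max_age_days(charset_size, max_len, guesses_per_sec, max_prob):
    """Longest password age, in whole days, that keeps T*G/N <= max_prob."""
    n = password_space(charset_size, max_len)
    return int(Fraction(max_prob) * n / guesses_per_sec / 86_400)

YEAR = 365 * 24 * 60 * 60  # 31,536,000 seconds, as in the slide

if __name__ == "__main__":
    half = Fraction(1, 2)
    print("minimum length at 10^7 guesses/s:", min_length(96, 10**7, YEAR, half))
    for p in (7, 8, 9):
        print(p, float(guess_probability(96, p, 10**7, YEAR)),
              max_age_days(96, p, 10**7, half))
```

The result is sensitive to G: at 10^6 guesses/second the same policy is met by 7 characters, and at 10^7 a 7-character limit would need a password age of about six weeks.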

Password Aging

Requirement that password be changed after a period of time or after an event has occurred.
If expected time to guess is 180 days, should change password more frequently than 180 days.
1. If change time too short, users have difficulty recalling passwords.
2. Cannot allow users to change password to current one.
3. Also prevent users from changing passwords too soon.
4. Give notice of impending password change requirement.

Rainbow Tables

We can speed up cracking by using a hash table
– Dictionary of passwords with associated hashes.
– Contains passwords from char set within length range.
Problem: hash tables require huge storage space.

Solution: Rainbow table algorithm reduces storage.
– MD5 table of lc + numeric passwords <= 9 needs 80GB.
– Adding uc + symbols would increase size to about 10TB.
– Success rate around 99.9% (some passwords missing.)

Salts

Add random, public data to password to create key.
Any word may be hashed in 2^n possible ways:
– Your password always uses same n-bit .
– Someone else with same password a probably has different salt, and thus different c = f(a).
– Multiplies size of rainbow table by 2^n.
– Doesn’t significantly slow down other cracking techniques.
Classic UNIX hashes had a 12-bit salt:
– Number of possible keys increased to 2^66
– Rainbow table needs to be 4096 times bigger due to salt.

Password Storage and Use

Classic UNIX Passwords

Passwords are up to 8 ASCII characters
– A contains 6.9 x 10^16 possible passwords.
– C contains crypt hashes with 12-bit salts, strings of length 13 chosen from alphabet of 64 characters, 3.0 x 10^23 strings.
– Hashes stored publicly in /etc/.
Modern Format
– A is unlimited, as there is no maximum length.
– C contains 512-bit hash values + 128-bit salt.
– Hashes stored in /etc/shadow.

Modern Storage: Iterated Hash + Salt

Password security basics
– Hashes prevent direct access to cleartext passwords.
– Salts make rainbow tables too expensive to use.
How can we make cracking too expensive?
Solution: slower hashing via
– Use slower hash algorithms.
– Run the hash function multiple times, passing output of one iteration as input to next.

Modern Hashing Schemes

SHA512crypt (, Mac OS X)
– Unlimited password length.
– 5000 iterations of SHA-512 hash function.
– 16 character salt.
(OpenBSD, 55 chars, 128-bit salt)
– Based on modified (slower) Blowfish algorithm.
– Configurable iteration count for hashing.
– Increases cost of guessing on a per-account basis.
PBKDF2 (Password-Based 2) (.NET)
– Framework with configurable hash, iterations, salt.
– Sequential, memory-hard hashing algorithm.
– Defense against specialized hardware (GPUs, ASICs, FPGAs)

Windows Passwords

Storage
– %systemroot%\system32\config\sam
– Locked while OS running so other programs can’t open.
Retrieval
– Boot system with Ophcrack or Kon-boot USB drive.
– Tool will copy SAM to USB drive for cracking.
Format
– Classic: LAN Manager (LM) Hash
– Modern: NTLM (MD4) Hash
– Many systems use both for backwards compatibility.

Windows LM Hash Algorithm

1. Password fitted to 14 character length by truncating or padding with 0s.
2. Password converted to upper case.
3. Password divided into two 7-byte halves.
4. Each half used as DES key to encrypt same 8-byte constant.
5. Resultant strings merged to form a 16-byte hash value.

Windows LM Hash Problems

The Problems
1. Last 8 bytes of c known if password < 7 chars.
2. Conversion to upper case reduces character set.
3. Two 7-character passwords are much, much easier to crack than a 14-character password.
Let’s say there are only 10 allowed chars, 0-9, then
14 chars: 10^14 = 100,000,000,000,000 possible passwords
7 chars: 10^7 = 10,000,000 possible passwords
Worse, it’s possible to build a rainbow table of all LM passwords since there’s no salt and adversary only needs a table of passwords up to 7 chars long.

NTLM Passwords

NTLM is a replacement for LM hashes.
– LM authentication disabled by default as of Windows Server 2008 (and Vista on desktop.)
NTLM Hash Algorithm
– Convert password to Unicode.
– Hash with MD4 Algorithm.
NTLM Security Problems
– No salt.
– Passwords cached on client.
– Pass-the-hash vulnerabilities.
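The "no salt" problem above, set against the salted, iterated storage described under Modern Storage, as an added example that is not part of the original slides. It uses Python's hashlib.pbkdf2_hmac with the 128-bit salt and 512-bit hash of the modern format; the unsalted side uses MD5 from Password System Example #2, and the iteration count, record layout and function names are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster

def unsalted_md5(password):
    """F = { MD5 } from Password System Example #2: fast and unsalted."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def enroll(password, iterations=ITERATIONS):
    """Complementation function f: A -> C, with a random 128-bit public salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def authenticate(password, record):
    """Authentication function l: A x C -> {T, F}, compared in constant time."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def needs_upgrade(record, iterations=ITERATIONS):
    """True when a record was stored with a lower work factor than current policy."""
    return record["iterations"] < iterations

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice, bob = enroll("correct horse"), enroll("correct horse")
    print("MD5 equal:   ", unsalted_md5("correct horse") == unsalted_md5("correct horse"))
    print("PBKDF2 equal:", alice["hash"] == bob["hash"])
    print("login ok:    ", authenticate("correct horse", alice))
    print("wrong guess: ", authenticate("correct horsf", alice))
```

Storing the iteration count in each record lets the work factor be raised later: a record flagged by needs_upgrade can be re-enrolled at the user's next successful login.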

Obtaining Hashed Passwords

Physical Attacks
– Reboot system with Kali Linux USB drive.
– UNIX: cp /etc/{passwd,shadow}
– Windows: Run bkhive to obtain bootkey.
– Windows: Run samdump2 to decrypt & copy SAM.
Network Attacks
– Compromise network service with exploitation framework like Metasploit to run Meterpreter.
– Use Meterpreter’s hashdump command.

Kerberos

Kerberos is a challenge/response protocol
– Passwords are never sent over network.
– Passwords are never stored on client.
– Users authenticate via tickets, not passwords or hashes.
Open standard based on symmetric cryptography
– Created by MIT for internal use.
– Open source and commercial versions exist.
– Microsoft Active Directory = Kerberos + LDAP.
Password storage
– Multiple allowed hashing techniques.

Random Password Selection

Yields equal distribution of passwords for maximum difficulty in cracking.
Random passwords aren’t easy to remember
– Short term memory holds 7 +/- 2 items
– People have multiple passwords
– Principle of Psychological Acceptability
Requires a secure PRNG to be effective.

User Password Selection

Then reject insecure passwords based on ruleset:
1. Shorter than X characters
2. Does not contain digits, upper case, special chars, etc.
3. Previously used passwords

Human Randomness?

Online Cracking Defenses

If complements (hashes) are not accessible, adversary must use authentication functions to do an online attack. You can’t stop threats from trying to log in.

To increase difficulty of online attacks:
– Backoff: add wait time before asking for username and password again, increasing with each login failure.
– Disconnection: disconnect after n failures.
– Disabling: disable account after n failures.
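Backoff and disabling as an added example (not from the original slides): a per-account throttle with a doubling wait and an optional failure limit, plus a function that measures how many guesses the policy lets through, which is the G of P(T) >= TG / N for an online attack. The class, its parameter values and the username are assumptions of this example.

```python
class LoginThrottle:
    """Per-account backoff and disabling; all parameter values are assumed."""

    def __init__(self, base_delay=1.0, max_delay=300.0, disable_after=None):
        self.base_delay = base_delay        # wait after the first failure (seconds)
        self.max_delay = max_delay          # cap on the growing wait
        self.disable_after = disable_after  # n failures that disable the account
        self.failures = {}                  # username -> consecutive failures
        self.next_allowed = {}              # username -> earliest next attempt

    def status(self, user, now):
        """'disabled', 'wait' or 'ok' for an attempt by `user` at time `now`."""
        n = self.failures.get(user, 0)
        if self.disable_after is not None and n >= self.disable_after:
            return "disabled"
        return "wait" if now < self.next_allowed.get(user, 0.0) else "ok"

    def attempt(self, user, password_ok, now):
        """Apply one login attempt; True only if it was allowed and correct."""
        if self.status(user, now) != "ok":
            return False                    # refused without checking the password
        if password_ok:
            self.failures.pop(user, None)   # success resets the backoff
            self.next_allowed.pop(user, None)
            return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        delay = min(self.base_delay * 2 ** min(n - 1, 30), self.max_delay)
        self.next_allowed[user] = now + delay
        return False

def guesses_allowed(throttle, user, seconds):
    """Count wrong guesses that get evaluated when retried as early as permitted."""
    now, count = 0.0, 0
    while now < seconds and throttle.status(user, now) == "ok":
        throttle.attempt(user, False, now)
        count += 1
        now = throttle.next_allowed[user]
    return count

if __name__ == "__main__":
    day = 24 * 60 * 60
    print("backoff only:    ", guesses_allowed(LoginThrottle(), "alice", day))
    print("disable after 10:", guesses_allowed(LoginThrottle(disable_after=10), "alice", day))
```

Disabling also lets anyone lock a known account by failing n logins, which is why the limit is optional here and backoff alone is the default.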

Graphical Passwords

Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces.
Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story.

One Time Passwords (OTP)

OTPs are valid for only one use.
– Even if a threat obtains password, cannot use it.
Generating OTPs
– Time-synchronized
– Algorithm based
Delivering OTPs to user
– Security tokens
– Text messages
– Hardcopy

Key Points

1. Password threat models:
   1. Online: use regular login form.
   2. Offline: obtain and crack password hashes.
   3. Side-Channel: bypass using account management functions like password reset.
2. Stored passwords secured vs. offline attacks by
   – Hashing (possibly with multiple iterations)
   – Salting
3. Cracking techniques
   – Dictionary based
   – Rule based
   – Brute-force (try every possible password)
   – Rainbow tables

Key Points

4. Designing a password policy
   P(T) >= TG / N
   1. Password complexity (length, character set)
   2. Password aging (how often to change)
5. Selecting passwords
   1. Random selection
   2. Human selection
6. One-time passwords offer greater security.
   1. Since passwords can’t be reused, it does not matter if an attacker obtains a previously used password.

Released under CC BY-SA 3.0

This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
You are free:
– to Share — to copy and redistribute the material in any medium
– to Adapt — to remix, build, and transform upon the material
– to use part or all of this presentation in your own classes
Under the following conditions:
– Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials.
– Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/