RSA, Lamport's Hash • Mutual Authentication •

Lehrstuhl für Informatik 4, Kommunikation und verteilte Systeme

Outline

Chapter 2: Security Techniques Background
  • Secret Key Cryptography
  • Public Key Cryptography
  • Hash Functions
  • Authentication
Chapter 3: Security on Network and Transport Layer
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks

2.4: Authentication
  • Authentication types
  • Authentication schemes: RSA, Lamport's Hash
  • Mutual Authentication
  • Session Keys
  • Trusted Intermediaries

Authentication Types

Authentication can be the process of reliably verifying the identity of
  • a user,
  • a computer, or
  • both computer and user.

Forms of authentication (combinations are possible):
  • password-based
  • address-based
  • cryptographic

Password-based Authentication

Simple: people log into a computer by typing a user name and a password.

Problems with using passwords for authentication:
  • The user himself/herself
    - Eavesdroppers might see the password when careless users log in
    - The password might be easy to guess (on-line attack) because users choose passwords they can remember easily
    - Attempts to force users to choose unguessable passwords might render the system so inconvenient that users write down passwords
  • Password management
    - For login, the system has to "know" the valid passwords; they are stored in a file of their own
    - An attacker might read the system file with the password information
  • Thus: encrypt stored password information
    - Store hashes of passwords
    - Encrypt the stored passwords
    - Combination: encrypt a database of hashed passwords

Off-Line Password Guessing

But: the password may be cracked by an off-line attack.
  • A common approach is to store a hash of the password (as e.g. within UNIX)
  • An attacker can obtain a cryptographic hash of the password through either eavesdropping or reading a database
  • The attacker can guess a password, calculate the same hash and compare it with the stolen value (e.g. 'dictionary' attack)
  • Approach to slow down an attacker:
    - When a password is chosen, the system chooses a random number (salt)
    - The system stores the salt and a hash of the combination of the stored salt and the chosen password

    userID   salt value   password hash
    alice    2758         hash(2758|passwordAlice)

Address-based Authentication

Computers are identified by hierarchical IP addresses: Network | Subnet | Computer

Possible forms of authentication:
  • Maintain a list of network addresses of "equivalent" machines, i.e., give users who have access to machine X the same access rights for machine Y
  • Problem: the user must have identical account names on all systems
  • Extension: store entries 〈remote address, remote account name, local account name〉
  • Implementation e.g. in UNIX:
    - The /etc/hosts.equiv file contains a list of computers that have identical user account assignments
    - The .rhosts file in a user's home directory contains a list of tuples 〈computer, account〉 that are granted access to this user's account
  • But: if someone gains privileged access to a node, he can access all users' resources on this node. He can also get access to other machines accessible by users of the current node.

Cryptographic Authentication Protocols

Cryptographic authentication is much more secure than password-based or address-based authentication:
  • Alice proves her identity to Bob by performing a cryptographic operation on a quantity provided by Bob
  • The cryptographic operation is based on Alice's secret

A computer can do cryptographic operations on behalf of its user:
  • The user only has to remember a password
  • The system has to obtain a cryptographic key based on the password by:
    - doing a hash of the password
    - using the password to decrypt a higher-quality key (e.g. DES key, RSA private key)
  • Keys and cryptographic algorithms can be stored e.g. on a smart card (authentication token)

How to do Secure Authentication?

Problems: eavesdropping and server database reading (reading password files)

  • Protocol 1: protect against server database reading by only storing a hash
    - Bob knows the hash h* of Alice's password
    - Alice → Bob: Alice, fiddlesticks
    - Bob computes hash(fiddlesticks) and compares it with the stored value h*
    But: eavesdropping of Alice's password

  • Protocol 2: protect against eavesdropping by sending the encrypted password
    - Alice → Bob: I'm Alice
    - Bob picks a random R
    - Bob → Alice: R
    - Alice computes X = cryptographic function of her secret and R: X = encr(secr, R)
    - Alice → Bob: X
    - Bob knows Alice's secret, computes the same function and compares it to X
    But: server database reading of Alice's secret at Bob's machine

Authentication with RSA

Public key technology protects authentication against eavesdropping and server database reading.

Widely used: challenge/response

Example: Alice authenticates herself to Bob
  • Using her private key privAlice, Alice performs a cryptographic operation on a value (challenge) R supplied by Bob:
    - Bob knows Alice's public key
    - Alice → Bob: I'm Alice (in clear text)
    - Bob picks a random R
    - Bob → Alice: R (in clear), or publAlice(R)
    - Alice → Bob: R signed with Alice's private key, privAlice(R)
    - Bob checks the result using Alice's public key: publAlice(privAlice(R)) = R ?

Nonce

Important: use the challenge R only once!
  • A nonce is a challenge only used once
  • Use e.g. a random number, a timestamp, …
  • The unpredictability of R is important:

    Variant 1: Alice → Bob: I'm Alice; Bob → Alice: KAB{R}; Alice → Bob: R
    If sequence numbers were used for R, an attacker would need only to observe R and use R+1 to "authenticate" with Bob!

    Variant 2: Alice → Bob: I'm Alice; Bob → Alice: R; Alice → Bob: KAB{R}
    If sequence numbers were used for R, a man-in-the-middle attacker could send R+1 to Alice and use the response to authenticate with Bob
    → use unpredictable numbers!

Lamport's Hash

Other possibility for authentication: Lamport's Hash

One-time password scheme:
  • Allows Bob to authenticate Alice in a way that neither eavesdropping nor reading Bob's database enables someone to impersonate Alice
  • No need for public key cryptography

Requirements:
  • Alice remembers a password; Alice is a human
  • Bob (the server) has a database; for each user it stores:
    - username
    - n, decremented each time the user authenticates herself
    - hash^n(password), i.e. hash(hash(...(hash(password))...))

Lamport's Hash - Initialization

[Diagram: Alice enters "Alice, password" at Alice's workstation; the workstation sends x_n = hash^n(password) and n to Bob, who stores them in his database.]

Initialization of a password:
  • Alice chooses a password
  • Alice's workstation chooses the number n, computes
      x_1 = hash(password), x_2 = hash(x_1), ..., x_n = hash(x_{n-1}) = hash^n(password)
    and sends x_n to Bob together with n

Lamport's Hash - Authentication

[Diagram: Alice enters "Alice, password" at Alice's workstation; the workstation sends "Alice" to Bob; Bob, who knows <n, hash^n(password)>, returns n; the workstation sends x = hash^(n-1)(password); Bob compares hash(x) to hash^n(password) and, if equal, replaces <n, hash^n(password)> with <n-1, x>.]

Authentication of a user:
  • Alice enters her username and password
  • Her workstation sends the name to Bob, which returns n
  • The workstation computes hash^(n-1)(password) and sends the result to Bob
  • Bob takes the received value, hashes it once, and compares it with its database
  • In case of a match, Bob considers the response as valid, replaces the stored quantity with the received quantity, and replaces n by n-1

Lamport's Hash - Setting up a new password

  • If n = 1, Alice needs to set her password again
  • In many situations it is sufficient to choose a new password, compute hash^n(new password), and transmit hash^n(new password) and n to Bob
  • An enhancement is to add a salt value to the password, with the same advantages as in password storage, e.g. in UNIX
  • Another advantage of salt is that Alice will not need to change her password if n = 1

Properties:
  • Similar to public key schemes regarding database reading
  • But: the user can only log in a finite number of times before having to re-install the password at the server
  • Problem: small n attack

Small n Attack

Worst weakness of Lamport's Hash:
  • Oscar, who is able to impersonate Bob's network address, waits for Alice's log-in
  • When Alice attempts to log in, Oscar returns a small value for n, e.g. 50
  • When Alice responds with hash^50(password), Oscar has enough information to impersonate Alice for some time, if the actual value of n at Bob is greater than 50

Two possible solutions:
  • Human and paper environment:
    - When <n, hash^n(password)> is installed at the server, all values of hash^i(password) for i < n are computed, encoded into a typeable string, printed on paper, and given to Alice
    - When Alice logs in, she uses the string at the top of the page, crosses that value out, and uses the next value the next time
  • Workstation environment:
    - Alice's workstation displays n to the human Alice
    - If Alice remembers approximately what n should be, she can at least do a rough probability check on n

Mutual Authentication

Often required: each of the two communication partners has to identify the other one (mutual authentication), e.g.
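
Returning to the Lamport's Hash slides and the workstation-side defence against the small n attack: the following Python sketch is an added example, not part of the original lecture slides. It runs the initialization and authentication steps with a salt and automates the check on n. The class names, the use of SHA-256, and the `max_gap` policy (the workstation remembers the last n it answered) are assumptions made for this example.

```python
import hashlib
import hmac

def hash_n(password: bytes, salt: bytes, n: int) -> bytes:
    """hash^n(salt|password); SHA-256 is this example's choice of hash."""
    x = salt + password
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x

class Bob:
    """Server: stores <n, hash^n(password)> per user, never the password."""
    def __init__(self):
        self.db = {}

    def enroll(self, user: str, n: int, x_n: bytes) -> None:
        self.db[user] = (n, x_n)

    def challenge(self, user: str) -> int:
        return self.db[user][0]

    def verify(self, user: str, x: bytes) -> bool:
        n, stored = self.db[user]
        # At n = 1 the chain is used up: the password must be set again.
        if n <= 1 or not hmac.compare_digest(hashlib.sha256(x).digest(), stored):
            return False
        self.db[user] = (n - 1, x)  # replace <n, hash^n> with <n-1, x>
        return True

class Workstation:
    """Alice's side, automating the rough check on n (hypothetical policy)."""
    def __init__(self, salt: bytes, n: int, max_gap: int = 1):
        self.salt, self.expected_n, self.max_gap = salt, n, max_gap

    def respond(self, password: bytes, n: int) -> bytes:
        # An n far below the last one seen is refused: answering it would hand
        # out a value from which the responses for all larger n follow by hashing.
        if n < 2 or not (self.expected_n - self.max_gap <= n <= self.expected_n):
            raise ValueError(f"implausible n={n}, expected about {self.expected_n}")
        self.expected_n = n
        return hash_n(password, self.salt, n - 1)

def demo():
    salt, pw = b"2758", b"passwordAlice"  # constructed sample values
    bob, ws = Bob(), Workstation(salt, 1000)
    bob.enroll("alice", 1000, hash_n(pw, salt, 1000))
    x = ws.respond(pw, bob.challenge("alice"))
    # First use is accepted, a replay of the same x is not, and n is now 999.
    return bob.verify("alice", x), bob.verify("alice", x), bob.challenge("alice")
```

A workstation that has never seen n for this account cannot apply the check, which is why the slides fall back on the human remembering roughly what n should be.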
