Graphical Passwords Challenge-Response Biometrics

Authentication

slide 1

Topics today
Background: Hash Functions
Password
Graphical passwords
Challenge-Response
Biometrics

slide 2

HASH FUNCTIONS

slide 3

Hash Functions: Main Idea
[Figure: hash function H maps a message (x, x’, x’’: bit strings of any length) to a “message digest” (y, y’: n-bit bit strings)]
Hash function H is a lossy compression function
H(x) should look “random”
  • Every bit (almost) equally likely to be 0 or 1

slide 4

Collisions
Collision: H(x)=H(x’) for some inputs x≠x’
Collisions must happen
  • Length of x unlimited, length of H(x) is n bits!
  • Even if length of x is bounded |x| = b, and b > n, there will be collisions (“pigeonhole principle”)
  • A hash function cannot be 1-to-1
Cryptographic hash function must have certain properties

slide 5

Property 1: One-Way
Intuition: hash should be hard to invert
  • “Preimage resistance”
  • Given random y, it should be “hard” to find any x such that h(x)=y
How hard?
  • Brute-force: try every possible x, see if h(x)=y
  • SHA-1 (common hash function) has 160-bit output
    – Suppose have hardware that’ll do $2^{30}$ trials a pop
    – Assuming $2^{34}$ trials per second, can do $2^{89}$ trials per year
    – Will take $2^{71}$ years to invert SHA-1 on a random image

slide 6

Probability background: “Birthday Paradox”
How likely is it that some people have the same birthday in a class of T students?
If there are T=366 people in class then
  • Prob(not all different birthdays | T people) = 0
How big should T be so
  • Prob(not all different birthdays | T people) >= ½ ??
Let’s experiment!

“Birthday Paradox” analysis
How many possibilities that are all different?
  • $(K)_T = K(K-1)\cdots(K-T+1)$ - samples without replacement
Probability of no repetition?

$$\frac{k(k-1)(k-2)\cdots(k-t+1)}{k \cdot k \cdot k \cdots k} = \frac{k}{k}\cdot\frac{k-1}{k}\cdots\frac{k-t+1}{k} = 1\cdot\left(1-\frac{1}{k}\right)\left(1-\frac{2}{k}\right)\cdots\left(1-\frac{t-1}{k}\right)$$

$$\le e^{-\frac{1}{k}}\cdot e^{-\frac{2}{k}}\cdot e^{-\frac{3}{k}}\cdots e^{-\frac{t-1}{k}} \cong e^{-\frac{t^2}{2k}}$$

Birthday Paradox continued

$$e^{-\frac{t^2}{2k}} \le \frac{1}{2}$$

$$\frac{t^2}{2k} \ge \ln 2$$

$$t^2 \ge 2(\ln 2)k = 1.38k$$

$$t \ge \sqrt{1.38k}$$

Bottom line: For k=365, t=23 suffices
In general $t = \Omega(\sqrt{k})$ suffices

slide 9

Property 2: Collision Resistance
Hard to find some x≠x’ such that h(x)=h(x’)
Brute-force collision search is $O(2^{n/2})$, not $O(2^n)$
  • n = number of bits in the output of hash function
  • For SHA-1, this means $O(2^{80})$ vs. $O(2^{160})$
Reason: birthday paradox
  • Let T be the number of values $x_1, x_2, x_3, \ldots$ we need to look at before finding the first pair $x_i \ne x_j$ s.t. $h(x_i)=h(x_j)$
  • Assuming h is random, how big should T be so the probability of finding a repetition >= ½ ?
  • Total number of possible values? $K=2^n$
  • Conclusion: $T \approx 2^{n/2}$

slide 10

Property 3: Weak Collision Resistance
Given a randomly chosen x, hard to find x’ such that h(x)=h(x’)
  • Attacker must find collision for a specific x…
  • by contrast, to break collision resistance, enough to find any collision
  • Brute-force attack requires $O(2^n)$ time
Weak collision resistance does not imply collision resistance (why?)

slide 11

Hashing vs. Encryption
Hashing is one-way. There is no “un-hashing”!
  • In contrast, encryption is two-way: can decrypt a ciphertext with the decryption key
  • Hashes have no equivalent of “decryption”
Hash(x) looks “random”… but can be compared for equality with Hash(x’)
Hashes are also known as “cryptographic checksums”

slide 12

Application: Password Hashing
Instead of user password, store H(password)
When user enters password, compute its hash and compare with entry in password file
  • System does not store actual passwords!
  • Difficult to go from hash to password!
System cannot “restore” your password!
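The birthday bound from the “Birthday Paradox” and Collision Resistance slides above, checked empirically. This is an added example, not part of the original slides; it assumes SHA-256 truncated to n bits as a stand-in for a random n-bit hash, and all function names are hypothetical.

```python
import hashlib
import math
import statistics

def truncated_hash(data: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256(data): a stand-in for an ideal n-bit hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def trials_until_collision(n_bits: int, run_id: int):
    """Hash distinct inputs until two share a digest; return (T, x, x')."""
    seen = {}          # digest -> first input that produced it
    counter = 0
    while True:
        x = f"run{run_id}-msg{counter}".encode()   # constructed inputs
        counter += 1
        h = truncated_hash(x, n_bits)
        if h in seen:
            return counter, seen[h], x
        seen[h] = x

def birthday_threshold(k: float) -> float:
    """The slides' bound: t >= sqrt(2 ln(2) k) gives a repetition with prob >= 1/2."""
    return math.sqrt(2 * math.log(2) * k)

def median_trials(n_bits: int, runs: int = 200) -> float:
    """Median number of inputs hashed before the first collision."""
    return statistics.median(
        trials_until_collision(n_bits, r)[0] for r in range(runs)
    )

if __name__ == "__main__":
    print("k=365 birthdays:", math.ceil(birthday_threshold(365)))
    for n in (16, 20, 24):
        print(f"n={n}: measured median {median_trials(n, 50):.0f}, "
              f"bound {birthday_threshold(2 ** n):.0f}, output space {2 ** n}")
```

The measured median tracks the square root of the output space rather than the output space itself, which is why an n-bit hash offers only about n/2 bits of collision resistance.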

slide 13

Application: Software Integrity
[Figure labels: VIRUS, badFile, goodFile, The Times, BigFirm™, hash(goodFile), User]
Software manufacturer wants to ensure that the executable file is received by users without modification…
Sends out the file to users and publishes its hash in the NY Times
The goal is integrity, not secrecy
Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)

slide 14

Which Property Do We Need?
UNIX passwords stored as hash(password)
  • One-wayness: hard to recover entire password
  • Are passwords random?
Integrity of software distribution
  • Weak collision resistance
  • But software images are not really random… maybe need full collision resistance

slide 15

Common Hash Functions
MD5
  • 128-bit output
  • Still used very widely
  • Completely broken by now
RIPEMD-160
  • 160-bit variant of MD-5
SHA-1 (Secure Hash Algorithm)
  • 160-bit output
  • US government (NIST) standard as of 1993-95
    – Also the hash algorithm for Digital Signature Standard (DSS)

slide 16

Overview of MD5
Designed in 1991 by Ron Rivest
Iterative design using compression function
[Figure: message blocks M1, M2, M3, M4 fed through a chain of Compress steps, from IHV0 to IHV4]

slide 17

History of MD5 Collisions
2004: first collision attack
  • Only difference between colliding messages is 128 random-looking bytes
2007: chosen-prefix collisions
  • For any prefix, can find colliding messages that have this prefix and differ up to 716 random-looking bytes
2008: rogue certificates
  • End of MD5
  • Talk about this in more detail when discussing PKI

slide 18

Basic Structure of SHA-1
[Figure labels: Against padding attacks; Split message into 512-bit blocks; 160-bit buffer (5 registers), initialized with magic values]
Compression function
  • Applied to each 512-bit block and current 160-bit buffer
  • This is the heart of SHA-1

slide 19

How Strong Is SHA-1?
Every bit of output depends on every bit of input
  • Very important property for collision-resistance
Brute-force inversion requires $2^{160}$ ops, birthday attack on collision resistance requires $2^{80}$ ops
  • Some recent weaknesses (2005)
  • Collisions can be found in $2^{63}$ ops

slide 20

AUTHENTICATION: PASSWORDS AND SECURITY QUESTIONS

slide 21

Basic Problem
How do you prove to someone that you are who you claim to be?
Any system with access control must solve this problem

slide 22

Many Ways to Prove Who You Are
What you know
  • Passwords
  • Answers to questions that only you know
Where you are
  • IP address
What you are
  • Biometrics
What you have
  • Secure tokens

slide 23

Password-Based Authentication
User has a secret password. System checks it to authenticate the user.
How is the password communicated?
  • Eavesdropping risk
How is the password stored?
  • In the clear? Encrypted? Hashed?
How does the system check the password?
How easy is it to guess the password?
  • Easy-to-remember passwords tend to be easy to guess
  • Password file is difficult to keep secret

slide 24

Passwords and Computer Security
Physical intrusion: install sniffer or keylogger to steal passwords
Run cracking tools on password files
  • Cracking needed because modern systems usually do not store passwords in the clear (how are they stored?)
In Mitnick’s “Art of Intrusion”, 8 out of 9 exploits involve password stealing and/or cracking

slide 25

Default Passwords
Pennsylvania ice cream shop phone scam
  • Voicemail PIN defaults to last 4 digits of phone number; criminals change message to “I accept collect call”, make $8600 on a 35-hour call to Saudi Arabia
Examples from Mitnick’s “Art of Intrusion”
  • U.S. District Courthouse server: “public” / “public”
  • NY Times employee database: pwd = last 4 SSN digits
  • “Dixie bank”: break into router (pwd=“administrator”), then into IBM AS/400 server (pwd=“administrator”), install keylogger to snarf other passwords
    – “99% of people there used ‘password123’ as their password”

slide 26

Storing Passwords
[Figure: user password “cypherpunk” → hash function → system password file (t4h97t4m43, fa6326b1c2, N53uhjr438, Hgg658n53, …)]

slide 27

Password Hashing
Instead of user password, store Hash(password)
When user enters password, compute its hash and compare with entry in password file
  • System does not store actual passwords!
  • Difficult to go from hash to password!
Hash function H must have some properties
  • Given H(password), hard to find string X such that H(X)=H(password) - why?

slide 28

UNIX Password System
Uses DES encryption as if it were a hash function
  • Encrypt NULL string using password as the key
    – Truncates passwords to 8 characters!
  • Artificial slowdown: run DES 25 times (why?)
  • Can instruct modern UNIXes to use MD5 hash function
Problem: passwords are not truly random
  • With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are $94^8 \approx 6$ quadrillion possible 8-character passwords
  • Humans like to use dictionary words, human and pet names ≈ 1 million common passwords

slide 29

Dictionary Attack
Password file /etc/passwd is world-readable
  • Contains user IDs and group IDs which are used by many system programs
Dictionary attack is possible because many passwords come from a small dictionary
  • Attacker can pre-compute H(word) for every word in the dictionary – this only needs to be done once!!
    – This is an offline attack
    – Once password file is obtained, cracking is instantaneous
  • With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average

slide 30

Old Password Surveys
Klein (1990) and Spafford (1992)
  • 2.7% guessed in 15 minutes, 21% in a week
  • Much more computing power is available now!
U. of Michigan: 5% of passwords were “goblue”
  • (cheer for their football team)
Zviran and Haga (1999)
  • Password usage at a DoD facility in California
  • 80% of passwords were 4-7 characters in length, 80% used alphabetic characters only, 80% of the users had never changed their password

slide 31

Password Guessing Techniques
Dictionary with words spelled backwards
First and last names, streets, cities
Same with upper-case initials
All valid license plate numbers in your state
Room numbers, telephone numbers, etc.
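
Why the precomputed H(word) table from the Dictionary Attack slide works against a plain hashed password file, and what the “artificial slowdown” buys the defender. This is an added example, not part of the original slides: it goes beyond them by adding a per-user random salt, uses PBKDF2-HMAC-SHA256 as a stand-in for the repeated-DES construction, and all names, sample users and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: words quoted on the slides, used as a tiny dictionary.
DICTIONARY = ["password123", "goblue", "administrator", "public"]
ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

def fast_hash(password: str) -> str:
    """Unsalted single hash: the H(password) scheme from the slides."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Per-user random salt plus an iterated hash (the 'artificial slowdown')."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

def audit_precomputed(stored_hex: dict) -> dict:
    """Audit a password file against H(word) computed once per dictionary word.

    Returns {user: word} for every stored value found in the table.
    """
    table = {fast_hash(w): w for w in DICTIONARY}
    return {u: table[h] for u, h in stored_hex.items() if h in table}

if __name__ == "__main__":
    # Constructed users: two picked the same dictionary word.
    users = {"alice": "goblue", "bob": "goblue", "carol": "x9#Lq-77vTz!"}
    weak_file = {u: fast_hash(p) for u, p in users.items()}
    strong_file = {u: slow_salted_record(p) for u, p in users.items()}
    print("unsalted file, table hits:", audit_precomputed(weak_file))
    print("salted file, table hits:  ", audit_precomputed(
        {u: r["hash"].hex() for u, r in strong_file.items()}))
    print("alice still verifies:", verify("goblue", strong_file["alice"]))
```

With the salted records, identical passwords no longer produce identical entries, so a table computed once cannot be reused across users, and each remaining guess costs `ITERATIONS` hash evaluations.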
