
Access Control. Authentication
CS 3IS3
Ryszard Janicki
Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada
Acknowledgments: Material based on Information Security by Mark Stamp (Chapter 7)
Ryszard Janicki
Access Control. Authentication 1/26

Access Control
Two parts to access control...
Authentication: Are you who you say you are?
  Determine whether access is allowed or not
  Authenticate a human to a machine
  Or, possibly, a machine to a machine
Authorization: Are you allowed to do that?
  Once you have access, what can you do?
  Enforces limits on actions
Note: "access control" is often used as a synonym for authorization

Are You Who You Say You Are?
Authenticate a human to a machine? Can be based on...
  Something you know, for example a password
  Something you have, for example a smartcard
  Something you are, for example your fingerprint
Why Passwords?
Why is "something you know" more popular than "something you have" and "something you are"?
  Cost: passwords are free
  Convenience: it is easier for a sysadmin to reset a password than to issue a new thumb

Something You Know: Passwords
Lots of things act as passwords!
  PIN
  Social security/insurance number
  Mother's maiden name
  Date of birth
  Name of your pet, etc.
Trouble with Passwords:
"Passwords are one of the biggest practical problems facing security engineers today." (Ross Anderson, Security Engineering)
"Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)" (Kaufman, Perlman and Speciner, Network Security)

Keys vs Passwords
Crypto keys
  Suppose the key is 64 bits; then there are 2^64 keys
  Choose the key at random...
  ...then the attacker must try about 2^63 keys
Passwords
  Suppose passwords are 8 characters long, with 256 different characters
  Then there are 256^8 = 2^64 passwords
  Users do not select passwords at random
  The attacker has far fewer than 2^63 passwords to try (dictionary attack)

Good and Bad Passwords
Bad passwords
  frank
  Fido
  Password
  incorrect
  Pikachu
  102560
  AustinStamp
Good Passwords?
  jfIej,43j-EmmL+y
  09864376537263
  P0kem0N
  FSa7Yago
  0nceuP0nAt1m8
  PokeGCTall150

Easy to Guess Passwords (1), (2), (3)
[Figure: the numbered criteria for easy-to-guess passwords appear as images in the slides and are not reproduced in this text; the examples on the next slide refer to them by number]

Easy to Guess Passwords – Examples
Example
  HELLO, MYCOMPUTER: violate criteria 4 and 18
  IPLK107: a California license plate number, violates criterion 15
  311t3$p32k: corresponds to 'elitespeak' modified as in criterion 9

Password Experiment
Three groups of users, each group advised to select passwords as follows:
  Group A: At least 6 characters, 1 non-letter
  Group B: Password based on a passphrase  <- winner
  Group C: 8 random characters
Results
  Group A: About 30% of passwords easy to crack
  Group B: About 10% cracked; passwords easy to remember
  Group C: About 10% cracked; passwords hard to remember
Assigned passwords are sometimes best
If passwords are not assigned, the best advice is...
  Choose passwords based on a passphrase
  Use a password cracking tool to test for weak passwords
  Require periodic password changes? Controversial!
Popular password cracking tools:
  Password Crackers, Password Portal, L0phtCrack and LC4 (Windows), John the Ripper (Unix).

Password Retry
Suppose the system locks an account after 3 bad passwords. How long should it lock?
  5 seconds
  5 minutes
  Until the sysadmin restores service
Bad idea in each case: a lockout of a few seconds barely slows an automated guessing attack, while an indefinite lockout lets an attacker deny service to a legitimate user simply by entering wrong passwords for that account.

Password File?
Bad idea to store (plaintext) passwords in a file
But we need to verify passwords (banks, Amazon, etc.)
Solution? Hash passwords
  Store y = h(password)
  Verify an entered password by hashing it and comparing with y
If Trudy (an attacker) obtains the password file, she does not (directly) obtain the passwords
But Trudy can try a forward search, i.e. guess x and check whether y = h(x)

Dictionary Attack and “Salt”
Trudy pre-computes h(x) for all x in a dictionary of common passwords
Suppose Trudy gets access to a password file containing hashed passwords
  She only needs to compare the hashes to her pre-computed dictionary
  After the one-time work of computing the dictionary hashes, the actual attack is trivial
Can we prevent this forward search attack? Or at least make it more difficult?
Hash the password with salt
  Choose a random salt s and compute y = h(password, s); store (s, y) in the password file
  Note that the salt s is not secret, analogous to an IV
  It is still easy to verify a salted password
  But lots more work for Trudy, as the salt is different for each user, say s_a for Alice and s_b for Bob, etc.
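The following Python is an added example (not from the slides or from Stamp's text) that models the two password-file layouts just described, y = h(password) and (s, y) with y = h(password, s), and runs Trudy's dictionary attack against each while counting hashes. The user names, passwords and wordlist are constructed for the example; SHA-256 stands in for h so the hash counts stay legible, and the comments say what a deployed system would use instead.

```python
"""Salted vs. unsalted password files and the cost of a dictionary attack.

Added example; the users, passwords and wordlist below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for Trudy's dictionary of common passwords.
DICTIONARY: List[str] = ["123456", "password", "frank", "Fido", "Pikachu", "letmein", "qwerty"]

# Constructed user base; carol's password is not in the dictionary.
USERS: Dict[str, str] = {"alice": "Pikachu", "bob": "frank", "carol": "jfIej,43j-EmmL+y"}


def h(data: bytes) -> bytes:
    """The slides' hash function h. SHA-256 is used here only to keep the
    example fast and the hash counts legible; a real password store uses a
    deliberately slow, memory-hard function (bcrypt, scrypt, Argon2, or at
    least PBKDF2 with a high iteration count) so that every guess costs more."""
    return hashlib.sha256(data).digest()


def store_unsalted(password: str) -> bytes:
    """y = h(password): what an unsalted password file holds per user."""
    return h(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """(s, y) with y = h(password, s). The salt is random per user and is not
    secret; it is stored next to the hash, like an IV."""
    if salt is None:
        salt = os.urandom(16)
    return salt, h(salt + password.encode())


def verify_salted(password: str, salt: bytes, y: bytes) -> bool:
    """Verification stays easy: rehash the attempt with the stored salt.
    compare_digest avoids leaking how many bytes matched through timing."""
    return hmac.compare_digest(h(salt + password.encode()), y)


def crack_unsalted(password_file: Dict[str, bytes], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Trudy's forward search against an unsalted file: hash the dictionary once,
    then every user's entry is a table lookup. Returns (cracked, hashes computed).
    The table is one-time work and is reusable against any other unsalted file."""
    table = {h(word.encode()): word for word in dictionary}
    cracked = {user: table[y] for user, y in password_file.items() if y in table}
    return cracked, len(dictionary)


def crack_salted(password_file: Dict[str, Tuple[bytes, bytes]], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Against a salted file no precomputed table helps: the dictionary has to be
    rehashed under each user's own salt, so work grows with users x dictionary."""
    cracked: Dict[str, str] = {}
    hashes = 0
    for user, (salt, y) in password_file.items():
        for word in dictionary:
            hashes += 1
            if h(salt + word.encode()) == y:
                cracked[user] = word
                break
    return cracked, hashes


def build_files() -> Tuple[Dict[str, bytes], Dict[str, Tuple[bytes, bytes]]]:
    """Both flavours of password file for the constructed user base."""
    unsalted = {user: store_unsalted(pw) for user, pw in USERS.items()}
    salted = {user: store_salted(pw) for user, pw in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted_file, salted_file = build_files()
    print("unsalted:", crack_unsalted(unsalted_file, DICTIONARY))
    print("salted:  ", crack_salted(salted_file, DICTIONARY))
```

Both attacks recover the same two weak passwords, but the hash counts differ in the way the slide describes: the unsalted table costs one pass over the dictionary and then serves every user (and every other unsalted file), whereas the salted file forces a fresh pass per user. Salt does nothing for a single targeted account, which is why the hash function itself also has to be slow.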

Password Cracking 1
Assumptions:
  Passwords are 8 characters with 128 choices per character, so there are 128^8 = 2^56 possible passwords
  There is a password file with 2^10 passwords
  The attacker has a dictionary of 2^20 common passwords
  Probability 1/4 that a password is in the dictionary
  Work is measured by the number of hashes
Case 1: Attack one specific password without using a dictionary (e.g., the administrator's password)
  One must try 2^56/2 = 2^55 on average
  Like exhaustive key search; salt does not help

Password Cracking 2
Case 2: Attack one specific password with a dictionary
With salt
  Expected work: (1/4) * 2^19 + (3/4) * 2^55 ≈ 2^54.6
  In practice, try all passwords in the dictionary...
  ...then work is at most 2^20 and the probability of success is 1/4
What if no salt is used?
  One-time work to compute the dictionary hashes: 2^20
  Expected work is of the same order as above
  But with precomputed dictionary hashes, the "in practice" attack is essentially free...

Password Cracking 3
Case 3: Any of the 1024 passwords in the file, without a dictionary
Assume all 2^10 passwords are distinct
Need 2^55 comparisons before expecting to find a password
If no salt is used
  Each computed hash yields 2^10 comparisons, so the expected work (hashes) is 2^55/2^10 = 2^45
If salt is used
  Expected work is 2^55, since each comparison requires its own hash computation

Password Cracking 4
Case 4: Any of the 1024 passwords in the file, with a dictionary
Probability that one or more passwords are in the dictionary: 1 - (3/4)^1024 ≈ 1
So we ignore the case where no password is in the dictionary
If salt is used, the expected work is less than 2^22 (see textbook for details). Moreover
  Work ≈ (size of dictionary) / P(password in dictionary) = 2^20 / (1/4) = 2^22
What if no salt is used?
  If the dictionary hashes are not precomputed, work is about 2^19/2^10 = 2^9
  With precomputed dictionary hashes, the attack is essentially free
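Where the slide defers to the textbook for the salted figure in Case 4, the derivation is carried through here as an added worked example (not on the slide), under the slide's own assumptions: 2^10 passwords in the file, a 2^20-word dictionary, and probability p = 1/4 that any given password is in it.

With salt, hashes computed for one user are useless for any other, so Trudy processes the file's passwords one at a time, running the whole dictionary against each. Each password is in the dictionary independently with probability p, so the index k of the first password that is in the dictionary is geometrically distributed with E[k] = 1/p = 4. Each of the k - 1 misses costs the full 2^20 hashes; the hit costs 2^19 on average (half the dictionary). Hence

  E[work] = 2^20 * (E[k] - 1) + 2^19 = 3 * 2^20 + 2^19 = 3.5 * 2^20 ≈ 2^21.8

which is the "less than 2^22" quoted on the slide. The rule of thumb (size of dictionary) / P(password in dictionary) = 2^20 / (1/4) = 2^22 is the slightly larger bound obtained by charging the full 2^20 hashes for the hit as well as for each miss.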

Password Issues
Too many passwords to remember, which results in password reuse
Failure to change default passwords
Password attacks are too easy
  Often, one weak password will break security
  Users choose bad passwords
  Social engineering attacks, etc.
Trudy (an attacker) has (almost) all of the advantages; all of the math favors the bad guys
Passwords are a BIG security problem, and will continue to be a problem

Resetting your Password – A Story
Resetting your Password (1)
Sorry, your password has been in use for 30 days and has expired – you must register a new one.
roses
Sorry, too few characters.
pretty roses
Sorry, you must use at least one numerical character.
1 pretty rose
Sorry, you cannot use blank spaces.
1prettyrose

Resetting your Password (2)
Sorry, you must use at least 10 different characters.
1fuckingprettyrose
Sorry, you must use at least one upper case character.
1FUCKINGprettyrose
Sorry, you cannot use more than one upper case character consecutively.
1FuckingPrettyRose

Resetting your Password (3)
Sorry, you must use no fewer than 20 total characters.
1FuckingPrettyRoseShovedUpYourAssIfYouDon’tGiveMeAccessRightNow!
Sorry, you cannot use punctuation.
1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightNow
Sorry, that password is already in use.

Biometric: Something You Are
Examples:
  Fingerprint
  Handwritten signature
  Facial recognition
  Speech recognition
  Gait (walking) recognition
  "Digital doggie" (odor recognition)
  Many more!
Why Biometrics?
  May be better than passwords
  But cheap and reliable biometrics are needed; today this is an active area of research
Biometrics are used in security today
  Thumbprint mouse
  Palm print for secure entry
  Fingerprint to unlock a car door, etc.
But biometrics are not really that popular; they have not lived up to their promise/hype (yet?)

Something You Have
Something in your possession. Examples include the following...
  Car key
  Laptop computer (or MAC address)
  Password generator (next)
  ATM card, smartcard, etc.

Password Generator
Bob shares a symmetric key K with Alice's password generator; Alice holds the generator and knows its PIN.
  1. Alice -> Bob: "I'm Alice"
  2. Bob -> Alice: R, a random "challenge"
  3. Alice enters the PIN and R into the password generator
  4. The password generator hashes the symmetric key K with R, producing h(K,R)
  5. Alice -> Bob: h(K,R), the "response"
Bob, who also knows K, recomputes h(K,R) and verifies the response
Note: Alice has the password generator and knows the PIN
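The exchange above, both Alice's side and Bob's, as an added Python example that is not part of the slides: h(K,R) is realised as HMAC-SHA256 (the slide only says "hash K with R"), the PIN check inside the generator is modelled as a digest comparison, and the user name, PIN and key values are made up. It also shows why R must be fresh and single-use: a recorded response is refused the second time.

```python
"""Challenge-response login with a password generator (token).

Added example, not from the slides: h(K, R) is realised as HMAC-SHA256, the
PIN check inside the token is modelled as a digest comparison, and all names,
PINs and key values are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class PasswordGenerator:
    """Alice's token: holds the symmetric key K and only works after the right PIN."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        # Assumption: the token stores a digest of the PIN and refuses to
        # answer until the PIN entered matches. The PIN never leaves the token.
        self._pin_digest = hashlib.sha256(pin.encode()).digest()

    def response(self, pin: str, challenge: bytes) -> bytes:
        """Steps 3-4: Alice enters PIN and R; the token returns h(K, R)."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            raise PermissionError("wrong PIN")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Bob:
    """The verifier: shares K with each registered user and issues fresh challenges."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}  # one outstanding challenge per user

    def register(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        """Step 2: Bob -> Alice: a random, single-use R."""
        r = secrets.token_bytes(16)
        self._pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        """Step 5: Bob recomputes h(K, R) with his copy of K and compares.
        The challenge is consumed whether or not the response is right, so a
        captured response cannot be replayed against the same R."""
        r = self._pending.pop(user, None)
        key = self._keys.get(user)
        if r is None or key is None:
            return False
        expected = hmac.new(key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_protocol(bob: Bob, user: str, token: PasswordGenerator, pin: str) -> bool:
    """The full exchange from the figure, from 'I'm Alice' to Bob's verdict."""
    r = bob.challenge(user)               # 1-2: identity claim, challenge R
    resp = token.response(pin, r)         # 3-4: PIN + R into the token, h(K, R) out
    return bob.verify(user, resp)         # 5: response to Bob, verified


def replay_attempt(bob: Bob, user: str, token: PasswordGenerator, pin: str) -> Tuple[bool, bool]:
    """Trudy records one valid response and sends it again: (first, replay)."""
    r = bob.challenge(user)
    resp = token.response(pin, r)
    first = bob.verify(user, resp)
    bob.challenge(user)                   # Bob issues a new R for the next login
    return first, bob.verify(user, resp)  # the old h(K, R) does not match the new R


if __name__ == "__main__":
    k = secrets.token_bytes(32)           # constructed shared key K
    bob = Bob()
    bob.register("Alice", k)
    alice_token = PasswordGenerator(k, "4711")
    print(run_protocol(bob, "Alice", alice_token, "4711"))
    print(replay_attempt(bob, "Alice", alice_token, "4711"))
```

Two details carry the security of the scheme: Bob must draw R from a cryptographic random source and accept each R only once (here it is popped on verification), and the key K must never leave the token, so that a lost PIN alone or a lost token alone is not enough to impersonate Alice.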

2-factor Authentication
Requires any 2 out of 3 of:
  Something you know
  Something you have
  Something you are
Examples
  ATM: Card and PIN
  Credit card: Card and signature
  Password generator: Device and PIN
  Smartcard with password/PIN