04_userauthentication

1 User Authentication
Peter Sjödin, psj@kth.se
Based on material by Vitaly Shmatikov, Univ. of Texas, and by the previous course teachers
2 Basic Problem
How do you prove to someone that you are who you claim to be?
Any system with access control must solve this problem
3 Many Ways to Prove Who You Are
What you know
– Passwords
– Secret key
Where you are
– IP address
What you are
– Biometrics
What you have
– Secure tokens
4 What You Know – Password-Based Authentication
User has a secret password. System checks it to authenticate the user.
– Vulnerable to eavesdropping when the password is communicated from user to system
How is the password stored?
How does the system check the password?
How easy is it to guess the password?
– Easy-to-remember passwords tend to be easy to guess
– Password file is difficult to keep secret
5 UNIX-Style Passwords
[Figure: the user sends the password "cypherpunk" to the system; the system runs it through a hash function and compares the result with the hashed entries in the password file (e.g. t4h97t4m43, fa6326b1c2, N53uhjr438, Hgg658n53)]
6 Password Hashing
Instead of the user password, store H(password)
When the user enters a password, compute its hash and compare with the entry in the password file
– System does not store actual passwords!
Hash function H must have some properties
– One-way: given H(password), hard to find password
• No known algorithm better than trial and error
– Collision resistance
• It should even be hard to find any pair p1, p2 such that H(p1) = H(p2)
7 UNIX Password System
Uses DES encryption as if it were a hash function
– Encrypt NULL string using password as the key
• Truncates passwords to 8 characters!
– Artificial slowdown: run DES 25 times
– Can instruct modern UNIXes to use MD5 hash function
Problem: passwords are not truly random
– With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
– Humans like to use dictionary words, human and pet names: 1 million common passwords
8 How are Passwords Selected
Study performed by CentralNic UK, 1200 users:
– family related: 47% (e.g., children, pets, ...)
– fans/cartoons: 32% (e.g., David Beckham, Homer Simpson, ...)
– fantasists: 11% (e.g., goddess, hero, ...)
– cryptics: 10% (selected passwords with care)
A dictionary attack is successful if even one user has an easily guessable password!
9 Dictionary Attack
Password file /etc/passwd is world-readable
– Contains user IDs and group IDs which are used by many system programs
Dictionary attack is possible because many passwords come from a small dictionary
– Attacker can compute H(word) for every word in the dictionary and see if the result is in the password file
– With a 1,000,000-word dictionary and assuming 10 guesses per second, a brute-force online attack takes 50,000 seconds (14 hours) on average
– Offline attack even faster
• Download /etc/passwd
• John the Ripper, www.crackpassword.com, ...
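The cost asymmetry behind slide 9 (and the salt-plus-slowdown countermeasure that slide 7's 25 DES rounds hint at) can be measured directly. The following is an added example, not part of the lecture slides: it builds a constructed password file for three made-up users, runs the dictionary attack against an unsalted file and against a salted, iterated one, and counts hash computations in each case. SHA-256 stands in for the hash function and 25 rounds for the DES slowdown; both are illustrative choices.

```python
import hashlib
import os

# Constructed toy word list standing in for the slide's "1 million common
# passwords"; no real password data is used anywhere in this example.
DICTIONARY = ["password", "letmein", "homer", "beckham", "goddess", "cypherpunk"]

def unsalted_hash(password):
    """Basic scheme from the slides: the file stores only H(password)."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_iterated_hash(password, salt, rounds=25):
    """Per-user salt plus an artificial slowdown, in the spirit of classic UNIX
    crypt(3) running DES 25 times. Illustration only: a real system should use
    bcrypt, scrypt or Argon2 with a far larger work factor."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(salt + digest).digest()
    return digest.hex()

def attack_unsalted(password_file, dictionary):
    """H(word) is computed once per word and looked up against every user at
    once, so the cost is |dictionary| hashes however many users the file holds.
    Returns (users whose password was found, number of hash computations)."""
    table = {unsalted_hash(w): w for w in dictionary}
    found = {u: table[h] for u, h in password_file.items() if h in table}
    return found, len(dictionary)

def attack_salted(password_file, dictionary, rounds=25):
    """With a per-user salt no table can be shared: each user costs up to
    |dictionary| * rounds hash computations, and precomputation buys nothing."""
    found, ops = {}, 0
    for user, (salt, stored) in password_file.items():
        for word in dictionary:
            ops += rounds
            if salted_iterated_hash(word, salt, rounds) == stored:
                found[user] = word
                break
    return found, ops

def demo():
    """Build both kinds of password file for the same constructed users and run
    the dictionary attack on each: the weak passwords fall either way, but the
    salted, iterated file costs many times more hash operations per user."""
    users = {"alice": "cypherpunk", "bob": "homer", "carol": "x7$Qe!9mLp"}
    plain_file = {u: unsalted_hash(p) for u, p in users.items()}
    salts = {u: os.urandom(8) for u in users}
    salted_file = {u: (salts[u], salted_iterated_hash(p, salts[u])) for u, p in users.items()}
    return attack_unsalted(plain_file, DICTIONARY), attack_salted(salted_file, DICTIONARY)
```

Only the two dictionary-word passwords are recovered in either file; the point is that the unsalted file costs 6 hashes for all users together, while the salted one costs 375 for the same three users, a gap that grows with the user count and the round count.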
10 Non-Dictionary Passwords
Combination of small and capital letters, digits, special

This note was uploaded on 02/16/2011 for the course ICT 2 taught by Professor 2 during the Spring '11 term at Kungliga Tekniska högskolan.
