Authentication

John C. MitchellStanford University

CS 99j

Computer security

Computer security is concerned with the detection and prevention of unauthorized actions by users of a computer system.

Authentication

Verify identity• Only allow authorized access

Message authentication (different concept)• Confirm source and integrity of message• Message received is the same as message

sent

Fundamental limitation

I am talking to Joe

I am talking to someone who has Joe’s• Password• Private key• Thumbprint

Outline

Password authentication• Unix password scheme• Dictionary attack

Challenge-response mechanisms Authentication protocols Protocol analysis methods

Password authentication

Basic idea• User has a secret password• System checks password to authenticate user

Issues• How is password stored?• How does system check password?• How easy is it to guess a password?

Basic password scheme

Password fileUser

exrygbzyf kgnosfix ggjoklbsz … …

kiwifruit

hash function

Basic password scheme

Hash function h : strings strings• Given h(password), hard to find password• No known algorithm better than trial and error

User password stored as h(password) When user enters password

• System computes h(password)• Compares with entry in password file

No passwords stored on disk

Unix password system

Hash function is 25xDES• Number 25 was meant to make search slow

Password file is publicly readable• Other information in password file …

Any user can try “dictionary attack”• User looks at password file• Computes hash(word) for every word in dictionary

“Salt” makes dictionary attack harder• Otherwise, compare hash(word) to all passwords

Salt [Belgers]

Password lineaccount:crypted-passwd:uid:gid:user-name:homedir:shellwalt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh

Checking with salt

Another password vulnerability

void check_passwd(char *name, passwd) {

char buffer1[2];

char buffer2[2];

/* place password for name in buffer 1 */

strcpy(buffer2,passwd)

if (buffer1[1]==buffer2[1] &&

buffer1[1]==buffer2[1]) {

/* allow login */

};

else { /* disallow login */

};

}

Extra Reading

Find Phrack archives.oO Phrack 49 Oo.

Volume Seven, Issue Forty-Nine

Look for this articleXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Smashing The Stack For Fun And Profit

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

by Aleph One

aleph1@underground.org

Challenge-response

Challenge

f(key,string)

string

Response

Secret keyUser

Challenge-response authentication

Challenge• System presents user with some string

Response• User computes f(key,string)

Authentication• Check property of f(key,string)• Secret data can stay secret: no password is sent

What kind of function will work?

Authentication protocols

Many protocols to confirm identity• Clark-Jacob survey of 50 protocols

Common use• Client and server confirm identity and agree

on secret encryption key

Network connection

TCP syncronize/acknowledgement

Client Server

SYN

SYN-ACK

ACK

sequence numbers omitted ...

Needham-Schroeder Key Exchange

{ A, Na } Kb

{ Na, Nb } Ka

{ Nb} Kb

Result: A and B share two private numbers not known to any observer without Ka

-1, Kb

-1

A B

Anomaly in Needham-Schroeder

A E

B

{ A, Na }

{ A, Na }{ Na, Nb }

{ Na, Nb }

{ Nb }

Ke

KbKa

Ka

Ke

Evil agent E trickshonest A into revealingprivate key Nb from B.

Evil E can then fool B.

[Lowe]

Repaired Needham-Schroeder Protocol

{ A, Na } Kb

{ Na, B, Nb } Ka

{ Nb} Kb

Result: A and B share two private numbers not known to any observer without Ka

-1, Kb

-1

A B

How do we know this is correct?

Think a lot Ask smart people Systematic methods

• Protocol logics– BAN, GNY, SvO, …

• Model checking– Exhaustive testing of finite systems

• Mathematical proof– Prove an abstract form of protocol is correct– Even with simplifications, requires computer

assistance

Explicit Intruder Method

Intruder Model

AnalysisTool

Formal Protocol

Informal Protocol

Description

Gee whiz.Looks OK to me.