passwords have major problems Passwords can be eavesdropped facilitates replay attacks Passwords are reusable facilitates impersonation attacks by verifier Passwords usually come from a small keyspace facilitates brute force attacks Extremely low entropy English only has w1. 3bits/byte of real information dictionary attacks are possible note dictionary attacks today allow 1M guesses/second+ Humans are extremely poor random number generators makes dictionary attacks even easier (or unnecessary) Humans are pathetic at remembering passwords and often reuse or alternate between)old passwords Even years late 16
16 passwords have major problems • Passwords can be eavesdropped – facilitates replay attacks • Passwords are reusable – facilitates impersonation attacks by verifier • Passwords usually come from a small keyspace – facilitates brute force attacks • Extremely low entropy – English only has ~1.3bits/byte of real information – dictionary attacks are possible • note dictionary attacks today allow 1M guesses/second+ ! • Humans are extremely poor random number generators – makes dictionary attacks even easier (or unnecessary) • Humans are pathetic at remembering passwords and often reuse (or alternate between) old passwords – Even years later
salting passwords Adding a t-bit salt to passwords strengthens them against dictionary and brute force attacks Public salt(e.g. UNIX passwords) saltA h(password I saltA) user B salt h(password I saltB) salt is chosen at random an adversary must hash a guessed password p 2t times to find if p is a valid password when password cracking) only works if there are enough users so the salts are all used e. g under UnIX there 4096 possible salts but most systems have much less than 4096 users does not protect against an eavesdropper or evil sysadmin 17
17 salting passwords • Adding a t-bit salt to passwords strengthens them against dictionary and brute force attacks. • Public salt (e.g. UNIX passwords) userA saltA h(passwordA | saltA) userB saltB h(passwordB | saltB) – salt is chosen at random – an adversary must hash a guessed password p 2t times to find if p is a valid password (when password cracking) – only works if there are enough users so the salts are all used • e.g under UNIX there 4096 possible salts but most systems have much less than 4096 users – does not protect against an eavesdropper or evil sysadmin
one time passwords Each password is only used once an attempt to foil eavesdroppers and replay attacks Many variations shared list of one-time passwords tick each password off the list as used challenge response table system has a list of questions, picks one at random sequentially updated one-time passwords during authentication under key i, the user creates and transmits to the system the key to use next time(i+1) one-time sequences based upon a one-way function e. g. Lamport's one-time scheme
18 one time passwords • Each password is only used once – an attempt to foil eavesdroppers and replay attacks • Many variations – shared list of one-time passwords • tick each password off the list as used – challenge response table • system has a list of questions, picks one at random – sequentially updated one-time passwords • during authentication under key i, the user creates and transmits to the system the key to use next time (i+1) – one-time sequences based upon a one-way function • e.g. Lamport’s one-time scheme
lamport's one time passwords (S/key) Setup: User Alice picks a random generator g and computes a hash chain: W=h(g)=h(h(h(…h(g)) Alice sends w to the server Alice sets count←n-1 Authentication Alice sends x= hcount (g to the server Alice sets count count-1 The server verifies h(x)=w · The server sets w←X 19
19 lamport’s one time passwords (s/key) Setup: • User Alice picks a random generator g and computes a hash chain: w = hn(g) = h(h(h(….h(g)))) • Alice sends w to the server. • Alice sets count ← n-1 Authentication: • Alice sends x = hcount(g) to the server • Alice sets count ← count - 1 • The server verifies h(x) = w • The server sets w ← x
lamport's one time passwords (S/key) auh1↑h auth 2 ho auth n h g Advantages Prevents eavesdropping No secrets are stored on the server Disadvantages A limited number of authentications before a new hash chain must be set up Vulnerable to a pre-play attack if unused passwords are compromised
20 lamport’s one time passwords (s/key) • Advantages – Prevents eavesdropping – No secrets are stored on the server • Disadvantages – A limited number of authentications before a new hash chain must be set up – Vulnerable to a pre-play attack if unused passwords are compromised w g h() h() auth 1 h() auth 2 auth n