Human Authentication
Haipeng Dai
haipengdai@nju.edu.cn
313 CS Building
Department of Computer Science and Technology
Nanjing University
Human Authentication

How do you prove to someone that you are who you claim to be?
─ Any system with access control must solve this problem

Mechanisms:
─ Something the user is
  ● e.g., fingerprint or retinal pattern, DNA sequence, unique bio-electric signals produced by the living body, or other biometric identifier
  ● IP address
─ Something the user has
  ● e.g., ID card, security token, software token or cell phone
─ Something the user knows
  ● e.g., a password, a pass phrase or a personal identification number (PIN)
─ Something the user does
  ● e.g., voice recognition, signature, or gait

CSE825
Basic Password Authentication

Setup
─ User chooses password
─ Hash of password stored in password file

Authentication
─ User logs into system, supplies password
─ System computes hash, compares with the hash in password file

Attacks
─ Online dictionary attack
  ● Guess passwords and try to log in
─ Offline dictionary attack
  ● Steal password file, try to find p with hash(p) in file
UNIX Password System

Uses DES encryption as if it were a hash function
─ Encrypt NULL string using password as the key
  ● Truncates passwords to 8 characters!
  ● Low-order 7 bits of each character are used to form the 56-bit DES key
─ Artificial slowdown: run DES 25 times

Problem: passwords are not truly random
─ With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
─ Humans like to use dictionary words, human and pet names
  ● ≈ 1 million common passwords
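The key-derivation step described on this slide, as an added example that is not part of the lecture material: the function below models how crypt(3) packs a password into a 56-bit DES key (8-character truncation, low-order 7 bits per character) so the two entropy losses can be checked directly. The 25 DES iterations are not reproduced, since the standard library has no DES; function names and the sample passwords are this example's own.

```python
# Added example (not from the lecture slides): how classic UNIX crypt(3)
# derives its 56-bit DES key from a password, and why that loses entropy.
# Only the key-derivation step is modelled; the 25 DES rounds are not
# reproduced here (the Python standard library has no DES).

MAX_PASSWORD_CHARS = 8   # crypt(3) ignores everything after the 8th character
BITS_PER_CHAR = 7        # only the low-order 7 bits of each character are kept
DES_KEY_BITS = MAX_PASSWORD_CHARS * BITS_PER_CHAR   # 56


def des_key_from_password(password: str) -> int:
    """Return the 56-bit DES key crypt(3) would build from `password`.

    Two independent weaknesses are visible here:
      1. truncation: characters beyond the 8th do not influence the key;
      2. 7-bit packing: bit 7 of every byte is discarded, so an 8-bit
         character and its 7-bit counterpart produce the same key.
    Short passwords are NUL-padded, as the zero-initialised key buffer does.
    """
    raw = password.encode("latin-1", errors="replace")[:MAX_PASSWORD_CHARS]
    raw = raw.ljust(MAX_PASSWORD_CHARS, b"\x00")
    key = 0
    for byte in raw:
        key = (key << BITS_PER_CHAR) | (byte & 0x7F)
    return key                                     # always fits in 56 bits


def same_crypt_key(p1: str, p2: str) -> bool:
    """True when two distinct passwords are indistinguishable to crypt(3)."""
    return des_key_from_password(p1) == des_key_from_password(p2)


def effective_keyspace(charset_size: int) -> int:
    """Number of distinct keys reachable from passwords over a charset.

    With the slide's 94 printable characters this is 94**8, about 6
    quadrillion, versus the 2**56 keys DES itself can take.
    """
    return charset_size ** MAX_PASSWORD_CHARS


def keyspace_fraction_of_des(charset_size: int) -> float:
    """Share of the full 2**56 DES keyspace that printable passwords cover."""
    return effective_keyspace(charset_size) / (1 << DES_KEY_BITS)


if __name__ == "__main__":
    print("password1 == password2 under crypt:", same_crypt_key("password1", "password2"))
    print("94-char keyspace:", effective_keyspace(94))
    print("fraction of DES keyspace:", round(keyspace_fraction_of_des(94), 3))
```

The truncation check is the one worth remembering: any password-strength rule that counts characters beyond the eighth is meaningless under this scheme, which is why later systems moved to MD5- and bcrypt-based crypt variants that hash the whole password.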
Dictionary Attack – some numbers

Typical password dictionary
─ 1,000,000 entries of common passwords
  ● people's names, common pet names, and ordinary words
─ Suppose you generate and analyze 10 guesses per second
  ● This may be reasonable for a web site; offline is much faster
─ Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average

If passwords were random
─ Assume six-character password
  ● Upper- and lowercase letters, digits, 32 punctuation characters
  ● 689,869,781,056 password combinations
  ● Exhaustive search requires 1,093 years on average

To prevent using one dictionary to crack many passwords, Unix uses the idea of salt: username|salt|MD(salt, password)
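The hashed password file of the "Basic Password Authentication" slide and the salted username|salt|MD(salt, password) layout of this slide, as one added example that is not part of the lecture material. It builds both kinds of file for a few constructed accounts, verifies a login against the salted one, and shows why a single precomputed dictionary table recovers every matching unsalted account at once but nothing from the salted file, so the attacker's work scales with the number of users. It also recomputes the slide's time estimates. SHA-256 stands in for the slide's generic MD; the accounts, the five-word dictionary and all function names are this example's own.

```python
# Added example (not from the lecture slides): unsalted vs. salted password
# files, a verification routine, and the slide's search-time arithmetic.
# SHA-256 stands in for the slides' generic hash function MD.
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed sample accounts; weak, shared passwords on purpose.
ACCOUNTS = {
    "alice": "letmein",
    "bob": "letmein",       # same password as alice
    "carol": "Tr0ub4dor&3",
}

# Constructed stand-in for the slide's 1,000,000-entry dictionary.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "dragon"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def hash_password(password: str, salt: bytes = b"") -> str:
    """MD(salt, password); with salt=b"" this is the plain unsalted scheme."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_unsalted_file(accounts: Dict[str, str]) -> Dict[str, str]:
    """username -> hash(password), as on the Basic Password Authentication slide."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def build_salted_file(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """username -> (salt, MD(salt, password)); the salt is stored in the clear."""
    salted = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)             # fresh random salt per user
        salted[user] = (salt, hash_password(pw, salt))
    return salted


def verify(salted_file: Dict[str, Tuple[bytes, str]], user: str, password: str) -> bool:
    """Authentication step: recompute with the stored salt, compare in constant time."""
    entry = salted_file.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt))


def precomputed_table(dictionary) -> Dict[str, str]:
    """hash(p) -> p computed once, with no knowledge of any particular user."""
    return {hash_password(p): p for p in dictionary}


def table_hits_unsalted(unsalted_file: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One lookup per account recovers every account whose password is in the table."""
    return {user: table[h] for user, h in unsalted_file.items() if h in table}


def table_hits_salted(salted_file: Dict[str, Tuple[bytes, str]], table: Dict[str, str]) -> Dict[str, str]:
    """The same table against a salted file: the stored values are MD(salt, p),
    not MD(p), so the lookups miss and the work must be redone per salt."""
    return {user: table[h] for user, (_salt, h) in salted_file.items() if h in table}


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate (slide: 1,000,000 / 10 = 100,000 s)."""
    return candidates / guesses_per_second


def expected_search_years(candidates: int, guesses_per_second: float) -> float:
    """Average case: half the space is searched before the password is found."""
    return candidates / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    unsalted, salted = build_unsalted_file(ACCOUNTS), build_salted_file(ACCOUNTS)
    table = precomputed_table(DICTIONARY)
    print("unsalted hits:", table_hits_unsalted(unsalted, table))
    print("salted hits:  ", table_hits_salted(salted, table))
    print("alice logs in:", verify(salted, "alice", "letmein"))
    print("dictionary, worst case (h):", worst_case_seconds(1_000_000, 10) / 3600)
    print("random 6-char, average (years):", expected_search_years(94 ** 6, 10))
```

Note that in the unsalted file alice and bob share one hash value, so cracking one of them cracks both for free; in the salted file their entries differ even though the password is the same, which is the property the slide's username|salt|MD(salt, password) layout is buying.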