crypto passwords and rngs
play

Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh - PowerPoint PPT Presentation

Nov 23, 2023 •432 likes •726 views

Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace Topics Password-based Crypto Random Number Generators Symmetric Key Encryption key generation R k Gen K R M Enc C C Dec M

  2. Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace

  3. Topics � Password-based Crypto � � Random Number Generators

  4. Symmetric Key Encryption key generation R k Gen K R M Enc C C Dec M Correctness: D k ( E k (M,R) ) = M

  5. Password-based Symmetric Encryption pw R Enc C C Dec M M Correctness: D(pw, E(pw,M,R) ) = M

  6. Encrypt-then-MAC with CBC and HMAC M 1 M 2 M 3 IV E K1 E K1 E K1 C 0 C 1 C 2 C 3 K2 ipad || C H T K2 opad || h H Ciphertext is: (C,T) How do we use this with a password?

  7. Password-based Key Derivation (PBKDF) PBKDF(pw, salt): Truncate if needed … pw || salt || 1 K1 H H H … pw || salt || 2 H H H K2 repeat c times

  8. PBKDF + Symmetric Encryption yields 
 PW-Based Encryption Enc(pw,M,R): Here Enc’/Dec’ is a typical salt || R’ = R symmetric encryption K = PBKDF(pw,salt) scheme (CBC+HMAC) C = Enc’(K,M,R’) Return (salt,C) Dec(pw,C): salt || C’ = C K = PBKDF(pw,salt) Attacks? M = Dec’(K,C’) Return M

  9. Password Distribution From an Imperva study of released RockMe.com password database (2010)

  10. Dictionary Attack • Given a (message,ciphertext) pair: • Enumerate a dictionary D of possible passwords, in order of likelihood • Test each candidate password DictionaryAttack(D,M,C): M 1 R || C’ = C IV for pw* in D: E K1 C* = Enc(pw*,M,R) if C* == C’: return pw* C 0 C 1

  11. PBKDF Slows Down Dictionary Attacks … pw || salt || 1 K1 H H H Iterating c times should slow down attacks by factor of c Salts: Different derived keys, even if same password Slows down attacks against multiple users Prevents precomputation attacks, if salts chosen randomly �

  12. How Fast Are Dictionary Attacks? • openssl speed sha1 • Assume: 4 cores @ 2.2M hashes per second Size of Computation time � Computation time � c=1 c=4096 Dictionary 6 digit PIN 10 0.11 seconds 7.8 minutes 6 alphanumerics 36 4.1 minutes 11.7 days (lowercase) 8 alphanumerics � 62 287 days 3,222 years (mixed case)

  13. 802.11 WPA Authentication Wifi AP PMK = PBKDF( pw, ssid || ssidlength ) with c = 4096 PTK = H( PMK || ANonce || SNonce || AP MAC address || STA MAC address ) MIC = HMAC-MD5(PTK, M2) Observe just one handshake by another party, and attacker can mount offline dictionary attack against the password

  14. Attacking WPA Passwords Wifi AP PMK = PBKDF( pw, ssid||ssidlength ) with c = 4096 PTK = H( PMK || ANonce || SNonce || AP MAC address || STA MAC address ) MIC = HMAC-MD5(PTK, M2) DictionaryAttack(D,MIC,ANonce,SNonce,SSID,M2): for pw* in D: PMK* = PBKDF(pw*, ssid||ssidlength) PTK* = H(PMK* || ANonce || … ) MIC* = HMAC-MD5(PTK*, M2) If MIC* == MIC: return pw* return None

  15. Recap: Password-based Crypto … pw || salt || 1 H H H K1 • Allows use of passwords in existing crypto schemes � • Gain: • Increases attackers computations • Prevents precomputation � • Cost: • Increased computation � • Limitation: • Strength of key still limited to strength of password • Don’t make it easy for attacker to mount offline dictionary attacks

  17. Uses for Secure Random Numbers Cryptography � • Keys • Nonces, initial values (IVs), salts � � System Security � • TCP Initial Sequence Numbers (ISNs) • ASLR • Stack Canaries

  18. Where can we get secure random numbers? OSX/Linux � • cat /dev/urandom • xxd -l 1024 -p /dev/urandom • openssl rand 256 -hex � Intel HW RNG � • OSX: sysctl -a | grep RDRAND • Linux: cat /proc/cpuinfo | grep rdrand

  19. Operating System Random Number Generators System Events Random Numbers RNG Statistically Uniform Keyboard Clicks Hard to predict Mouse Movements Hard Disk Event Network Packets Other Interrupts

  20. Linux RNG System Events Random Numbers RNG Linux /dev/(u)random: Random /dev/random Pool Interrupt interrupt events Pool Input Pool disk events URandom keyboard events /dev/urandom Pool mouse events hardware RNGs Cryptographic hash

  21. RNG Failures System Events Random Numbers RNG RNG Failures � Predictable Output Repeated Output Outputs from a small range (not-statistically uniform) � Broken Windows RNG: [DGP 2007] Broken Linux RNG: [GPR 2008], [LRSV 2012], [DPRVW 2013], [EZJSR 2014] Factorable RSA Keys: [HDWH 2012] Taiwan National IDs : [BCCHLS 2013]

  22. Virtual Machine Snapshots Snapshot disk Resumption

  23. Security Problems with VM Resets VM Reset Vulnerabilities [Ristenpart, Yilek 2010] Use key Derives key App Read starts /dev/urandom Snapshot Initialization Use key Firefox and Apache reused random values for TLS � Attacker can read previous TLS sessions, recover private keys from Apache

  24. Linux RNG after VM Reset Not-So-Random Numbers in Virtualized Linux [Everspaugh, et al, 2014] Read RNG Snapshot disk Read RNG Experiment: � • Boot VM in Xen or VMware • Capture snapshot • Resume from snapshot, read from /dev/urandom Repeat: 8 distinct snapshots 20 resumptions/snapshot

  25. /dev/urandom outputs after resumption 21B8BEE4 21B8BEE4 21B8BEE4 Linux RNG is not reset secure: 
 9D27FB83 9D27FB83 9D27FB83 6CD124A6 6CD124A6 6CD124A6 7/8 snapshots produce mostly identical outputs E8734F71 E8734F71 E8734F71 111D337C 111D337C 111D337C 1E6DD331 1E6DD331 1E6DD331 8CC97112 8CC97112 8CC97112 2A2FA7DB 2A2FA7DB 2A2FA7DB DBBF058C DBBF058C DBBF058C 26C334E7 26C334E7 26C334E7 F17D2D20 F17D2D20 45C78AE0 CC10232E CC10232E E678DBB2 ... ... ... Reset 1 Reset 2 Reset 3

  26. Reset insecurity and applications Generate RSA key on resumption: openssl genrsa � 30 snapshots; 2 resets/snapshot (ASLR Off) • 27 trials produced identical private keys • 3 trials produced unique private keys

  27. Why does this happen? if (entropy estimate >= 64) if (count > 64 or elapsed time > 1s ) Random /dev/random Pool Interrupt interrupts Pool Input Pool disk events URandom /dev/urandom Pool if (entropy estimate >= 192) Buffering and thresholds prevent new inputs from impacting outputs Linux /dev/(u)random

  28. What about other platforms? FreeBSD � /dev/random produces identical output stream � Up to 100 seconds after resumption � Microsoft Windows 7 Produces repeated outputs indefinitely � rand_s � � � � (stdlib) � CryptGenRandom � � (Win32) � RngCryptoServices � (.NET)

  29. RNG Recap • RNGs are critical for security � • Keys, nonces, etc � • Building good RNGs is hard � � RNG � • OS provides a strong RNG � /dev/urandom • e.g.: /dev/urandom � • Intel CPUs provide an RNG � • RDRAND instructions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret Typical goal: client authenticating to server, without being tied to a device holding a cryptographic key. On authentication, a session key should be

344 views • 11 slides
RNGs for Resource-Constrained Devices Werner Schindler Bundesamt fr Sicherheit in der

RNGs for Resource-Constrained Devices Werner Schindler Bundesamt fr Sicherheit in der

RNGs for Resource-Constrained Devices Werner Schindler Bundesamt fr Sicherheit in der Informationstechnik (BSI), Bonn, Germany Bochum, November 6, 2017 Outline Crypto for IoT: some general thoughts RNGs on resource-constrained

443 views • 22 slides
Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using

Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using

Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using Personal Devices M. Mannan NSERC PDF, University of Toronto m.mannan@utoronto.ca Collaborators: D. Barrera, C.D. Brown, D. Lie, P.C. van Oorschot

483 views • 24 slides
User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for

Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for

Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for Cryptography on Hardware Roscoff, April 16, 2019 Overview Introduction and motivation Classification of random number generators (RNGs)

779 views • 49 slides
Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of Information Technology Uppsala University, Sweden 20. January 2020 Caveat Auditor Background Passwords this talk contains opinions Diceware

447 views • 43 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

369 views • 5 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco IOS stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions,

354 views • 13 slides
STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A S S W O R D F R O M H O M E ! Students: Update your password this summer from home! Student passwords were reset on 7/3/2019. Please follow the

525 views • 14 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of

The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of

The Long and Short of Passwords The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of Passwords Motivation for Studying Passwords Outline Motivation for Studying Passwords 1 2 Overview of Password Failure

373 views • 36 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) October 26, 2000 people 2 Passwords initial password distribution (students)

559 views • 13 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) Slide 1 Passwords initial password distribution (students) limit password guessing

305 views • 7 slides
CS 4803 Person authenticating to a local computer Computer and Network Security Person

CS 4803 Person authenticating to a local computer Computer and Network Security Person

Authentication Verifying the identity of another entity Computer authenticating to another computer CS 4803 Person authenticating to a local computer Computer and Network Security Person authenticating to a remote computer Two

665 views • 6 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
2017 Congressional Update Presented by: Donald R. Cravins, Jr SVP for Policy/ED Washington

2017 Congressional Update Presented by: Donald R. Cravins, Jr SVP for Policy/ED Washington

2017 Congressional Update Presented by: Donald R. Cravins, Jr SVP for Policy/ED Washington Bureau dcravins@nul.org @dcravins Congressional Leadership of the 115 th Congress 2 Senate Majority Leadership Senate Majority Leadership 6. Cory

484 views • 32 slides
TE AM NORTHE ASTE RN PE NNSYLVANIA E NTRE PRE NE URIAL NE TWORK When entrepreneurs

TE AM NORTHE ASTE RN PE NNSYLVANIA E NTRE PRE NE URIAL NE TWORK When entrepreneurs

TE AM NORTHE ASTE RN PE NNSYLVANIA E NTRE PRE NE URIAL NE TWORK When entrepreneurs are successful, they dont just grow the economy, they multiply it. --Ernst & Young LLC Instructions: To advance slides press PgDn , to go

612 views • 39 slides
Passpet Convenient Password Management and Phishing Protection Ka-Ping Yee Kragen Sitaker

Passpet Convenient Password Management and Phishing Protection Ka-Ping Yee Kragen Sitaker

Passpet Convenient Password Management and Phishing Protection Ka-Ping Yee Kragen Sitaker ping@zesty.ca kragen@pobox.com problems: design: solutions: practical matters: evaluation: problems: the big 5 problems: the big 5 1 many

961 views • 51 slides
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Bobs secret key is sk [ B ] and its associated public key is pk [ B ]. The public key setting assumes Alice is in possession of pk [ B ]. Alice pk [ B

619 views • 48 slides
Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key, given the user's public key. Unfortunately, there is a gap between ECDLP difficulty and ECC security.There are many attacks that break

527 views • 18 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides

More recommend