proactive password checking
play

Proactive Password Checking Analyze proposed password for goodness - PDF document

Apr 26, 2023 •144 likes •363 views

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

  1. Proactive Password Checking • Analyze proposed password for “goodness” – Always invoked – Can detect, reject bad passwords for an appropriate definition of “bad” – Discriminate on per-user, per-site basis – Needs to do pattern matching on words – Needs to execute subprograms and use results • Spell checker, for example – Easy to set up and integrate into password selection system May 20, 2004 ECS 235 Slide #1 Example: OPUS • Goal: check passwords against large dictionaries quickly – Run each word of dictionary through k different hash functions h 1 , …, h k producing values less than n – Set bits h 1 , …, h k in OPUS dictionary – To check new proposed word, generate bit vector and see if all corresponding bits set • If so, word is in one of the dictionaries to some degree of probability • If not, it is not in the dictionaries May 20, 2004 ECS 235 Slide #2 1

  2. Example: passwd+ • Provides little language to describe proactive checking – test length(“$p”) < 6 • If password under 6 characters, reject it – test infile(“/usr/dict/words”, “$p”) • If password in file /usr/dict/words, reject it – test !inprog(“spell”, “$p”, “$p”) • If password not in the output from program spell, given the password as input, reject it (because it’s a properly spelled word) May 20, 2004 ECS 235 Slide #3 Salting • Goal: slow dictionary attacks • Method: perturb hash function so that: – Parameter controls which hash function is used – Parameter differs for each password – So given n password hashes, and therefore n salts, need to hash guess n May 20, 2004 ECS 235 Slide #4 2

  3. Examples • Vanilla UNIX method – Use DES to encipher 0 message with password as key; iterate 25 times – Perturb E table in DES in one of 4096 ways • 12 bit salt flips entries 1–11 with entries 25–36 • Alternate methods – Use salt as first part of input to hash function May 20, 2004 ECS 235 Slide #5 Guessing Through L • Cannot prevent these – Otherwise, legitimate users cannot log in • Make them slow – Backoff – Disconnection – Disabling • Be very careful with administrative accounts! – Jailing • Allow in, but restrict activities May 20, 2004 ECS 235 Slide #6 3

  4. Password Aging • Force users to change passwords after some time has expired – How do you force users not to re-use passwords? • Record previous passwords • Block changes for a period of time – Give users time to think of good passwords • Don’t force them to change before they can log in • Warn them of expiration days in advance May 20, 2004 ECS 235 Slide #7 Challenge-Response • User, system share a secret function f (in practice, f is a known function with unknown parameters, such as a cryptographic key) request to authenticate user system random message r system user (the challenge) f(r) system user (the response) May 20, 2004 ECS 235 Slide #8 4

  5. Pass Algorithms • Challenge-response with the function f itself a secret – Example: • Challenge is a random string of characters such as “abcdefg”, “ageksido” • Response is some function of that string such as “bdf”, “gkip” – Can alter algorithm based on ancillary information • Network connection is as above, dial-up might require “aceg”, “aesd” – Usually used in conjunction with fixed, reusable password May 20, 2004 ECS 235 Slide #9 One-Time Passwords • Password that can be used exactly once – After use, it is immediately invalidated • Challenge-response mechanism – Challenge is number of authentications; response is password for that particular number • Problems – Synchronization of user, system – Generation of good random passwords – Password distribution problem May 20, 2004 ECS 235 Slide #10 5

  6. S/Key • One-time password scheme based on idea of Lamport • h one-way hash function (MD5 or SHA-1, for example) • User chooses initial seed k • System calculates: h ( k ) = k 1 , h ( k 1 ) = k 2 , …, h ( k n –1 ) = k n • Passwords are reverse order: p 1 = k n , p 2 = k n –1 , …, p n –1 = k 2 , p n = k 1 May 20, 2004 ECS 235 Slide #11 S/Key Protocol System stores maximum number of authentications n , number of next authentication i , last correctly supplied password p i –1 . { name } user system { i } user system { p i } user system System computes h ( p i ) = h ( k n – i +1 ) = k n – i = p i –1 . If match with what is stored, system replaces p i –1 with p i and increments i . May 20, 2004 ECS 235 Slide #12 6

  7. Hardware Support • Token-based – Used to compute response to challenge • May encipher or hash challenge • May require PIN from user • Temporally-based – Every minute (or so) different number shown • Computer knows what number to expect when – User enters number and fixed password May 20, 2004 ECS 235 Slide #13 C-R and Dictionary Attacks • Same as for fixed passwords – Attacker knows challenge r and response f ( r ); if f encryption function, can try different keys • May only need to know form of response; attacker can tell if guess correct by looking to see if deciphered object is of right form • Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations May 20, 2004 ECS 235 Slide #14 7

  8. Encrypted Key Exchange • Defeats off-line dictionary attacks • Idea: random challenges enciphered, so attacker cannot verify correct decipherment of challenge • Assume Alice, Bob share secret password s • In what follows, Alice needs to generate a random public key p and a corresponding private key q • Also, k is a randomly generated session key, and R A and R B are random challenges May 20, 2004 ECS 235 Slide #15 EKE Protocol { Alice || E s ( p ) } Alice Bob { E s ( E p ( k )) } Alice Bob Now Alice, Bob share a randomly generated secret session key k { E k ( R A ) } Alice Bob { E k ( R A R B ) } Bob Alice { E k ( R B ) } Alice Bob May 20, 2004 ECS 235 Slide #16 8

  9. Biometrics • Automated measurement of biological, behavioral features that identify a person – Fingerprints, voices, eyes, faces – Keystrokes, timing intervals between commands – Combinations • Cautions: can be fooled! – Assumes biometric device accurate in the environment it is being used in! – Transmission of data to validator is tamperproof, correct May 20, 2004 ECS 235 Slide #17 Location • If you know where user is, validate identity by seeing if person is where the user is – Requires special-purpose hardware to locate user • GPS (global positioning system) device gives location signature of entity • Host uses LSS (location signature sensor) to get signature for entity May 20, 2004 ECS 235 Slide #18 9

  10. Multiple Methods • Example: “where you are” also requires entity to have LSS and GPS, so also “what you have” • Can assign different methods to different tasks – As users perform more and more sensitive tasks, must authenticate in more and more ways (presumably, more stringently) File describes authentication required • Also includes controls on access (time of day, etc .), resources, and requests to change passwords – Pluggable Authentication Modules May 20, 2004 ECS 235 Slide #19 PAM • Idea: when program needs to authenticate, it checks central repository for methods to use • Library call: pam_authenticate – Accesses file with name of program in /etc/pam_d • Modules do authentication checking – sufficient : succeed if module succeeds – required : fail if module fails, but all required modules executed before reporting failure – requisite : like required , but don’t check all modules – optional : invoke only if all previous modules fail May 20, 2004 ECS 235 Slide #20 10

  11. Example PAM File auth sufficient /usr/lib/pam_ftp.so auth required /usr/lib/pam_unix_auth.so use_first_pass auth required /usr/lib/pam_listfile.so onerr=succeed \ item=user sense=deny file=/etc/ftpusers For ftp: 1. If user “anonymous”, return okay; if not, set PAM_AUTHTOK to password, PAM_RUSER to name, and fail 2. Now check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, fail 3. Now see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed May 20, 2004 ECS 235 Slide #21 Key Points • Authentication is not cryptography – You have to consider system components • Passwords are here to stay – They provide a basis for most forms of authentication • Protocols are important – They can make masquerading harder • Authentication methods can be combined – Example: PAM May 20, 2004 ECS 235 Slide #22 11

  12. Overview • Access control lists • Capability lists • Locks and keys • Rings-based access control • Propagates access control lists May 20, 2004 ECS 235 Slide #23 Access Control Lists • Columns of access control matrix file1 file2 file3 Andy rx r rwo Betty rwxo r Charlie rx rwo w ACLs: • file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) } • file2: { (Andy, r) (Betty, r) (Charlie, rwo) } • file3: { (Andy, rwo) (Betty, r) (Charlie, rwo) } May 20, 2004 ECS 235 Slide #24 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Making Password Checking Systems Be7er Tom Ristenpart Covering

Making Password Checking Systems Be7er Tom Ristenpart Covering

Making Password Checking Systems Be7er Tom Ristenpart Covering joint work with: Anish Athayle, Devda&lt;a Akawhe, Joseph Bonneau, Rahul Cha&lt;erjee, Adam

414 views • 30 slides
Making Password Checking Systems Better Tom Ristenpart Covering joint work with: Anish Athayle,

Making Password Checking Systems Better Tom Ristenpart Covering joint work with: Anish Athayle,

Making Password Checking Systems Better Tom Ristenpart Covering joint work with: Anish Athayle, Devdatta Akawhe, Joseph Bonneau, Rahul Chatterjee, Anusha Chowdhury, Yevgeniy Dodis, Adam Everspaugh, Ari Juels, Yuval Pnueli, Sam Scott, Joanne

559 views • 43 slides
How to become a True stories to become a proactive developer! proactive developer? PRESENTED

How to become a True stories to become a proactive developer! proactive developer? PRESENTED

How to become a True stories to become a proactive developer! proactive developer? PRESENTED BY Eduardo Telaya Software arquitect Whats Inside What does it mean to be proactive 7 developer? How to find opportunities to be 14

587 views • 21 slides
Transforming Primary Care Proactive Care 13 th April 2016 01 Welcome and Introduction

Transforming Primary Care Proactive Care 13 th April 2016 01 Welcome and Introduction

WiFi Login Details Network: Hospitality Password: ovaltine89 Transforming Primary Care Proactive Care 13 th April 2016 01 Welcome and Introduction Transforming Londons health and care together 2 WELCOME AND INTRODUCTION Liz Wise, Director of

1.12k views • 89 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
ProActive Architecture of an Open Middleware for the Grid Romain Quilici

ProActive Architecture of an Open Middleware for the Grid Romain Quilici

ProActive Architecture of an Open Middleware for the Grid Romain Quilici www.objectweb.org/ProActive ObjectWeb Architecture meeting July 2nd 2003 1 ProActive A Java API + Tools for Parallel, Distributed Computing A uniform framework: An

921 views • 56 slides
3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

Fachgebiet RechnerSysteme Technische Universitt Verification Technology Darmstadt 3. Satisfiability Checking Computer Systems Lab 1 3. Satisfiability Checking 3 3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification

278 views • 11 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan (UPenn) Andrew McGregor (UCSD) Memory Checking Memory Checking Your resources: A lot of cheap unreliable memory and a little expensive reliable

1.11k views • 70 slides
Retain Your Users for Life Proactive We Live in an Age of Instant Gratification Personalized

Retain Your Users for Life Proactive We Live in an Age of Instant Gratification Personalized

Retain Your Users for Life Proactive We Live in an Age of Instant Gratification Personalized Omnichannel Users demand Proactive Information Users Expect Brands to Anticipate Their Needs Proactive 76% 63% o f u s e r s o f u s e r s

292 views • 27 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was created, CHANGE IT NOW! (It can be the same as your email password.) Day 3 Steps in compiling: (Optional preprocessing) Lexical analysis

483 views • 17 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27 File systems are complex and have bugs File systems are complex (e.g.,

1.18k views • 50 slides
Set of Support for Theory Reasoning Giles Reger 1 , Martin Suda 2 1 School of Computer Science,

Set of Support for Theory Reasoning Giles Reger 1 , Martin Suda 2 1 School of Computer Science,

Set of Support for Theory Reasoning Giles Reger 1 , Martin Suda 2 1 School of Computer Science, University of Manchester, UK 2 TU Wien, Vienna, Austria IWIL 2017 Maun, May 7, 2017 1/18 Theory axioms in proofs Consider the following toy

966 views • 53 slides
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

206 views • 20 slides
CHOOSING NG M MODES O OF DE DELI LIVERY Dr. Tony Bates Research Associate Contact

CHOOSING NG M MODES O OF DE DELI LIVERY Dr. Tony Bates Research Associate Contact

CHOOSING NG M MODES O OF DE DELI LIVERY Dr. Tony Bates Research Associate Contact North|Contact Nord www.contactnord.ca 1 Webinar F Format Aim of series: Discuss issues raised in Teaching in a Digital Age Draw on your

332 views • 17 slides
Life of a Password

Life of a Password

Life of a Password Arvind Mani Data &amp; Infrastructure

1.05k views • 30 slides
Claim your Baruch accounts before the Baruch Honors Orientation Through this Tutorial, you will

Claim your Baruch accounts before the Baruch Honors Orientation Through this Tutorial, you will

Claim your Baruch accounts before the Baruch Honors Orientation Through this Tutorial, you will learn how to retrieve your: Baruch Username Baruchmail Student Email Account Update the email listed in Blackboard Please note, the default

459 views • 8 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
Databases Databases Software that stores data on disk Runs as a server and is communicated

Databases Databases Software that stores data on disk Runs as a server and is communicated

Databases Databases Software that stores data on disk Runs as a server and is communicated with via TCP sockets Provides an API to store/retrieve data The software handles the low-level file IO Allows us to think about our data,

177 views • 15 slides

More recommend