proving who you are
play

Proving who you are Passwords and TLS Basic, fundamental problem - PowerPoint PPT Presentation

Mar 27, 2024 •247 likes •702 views

Proving who you are Passwords and TLS Basic, fundamental problem Client Server (user) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers prove themselves in

  1. Proving who you are Passwords and TLS

  2. Basic, fundamental problem Client Server (“user”) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers prove themselves in different ways - Different attack models - Different assumptions about what they can feasibly do

  3. User authentication Attack model Attacker can eavesdrop and tamper with 
 1. communication between client and server 
 (or cut the server or client out altogether) Client Server Attacker (“user”) Attacker can subsequently compromise the server, 
 2. gaining access to all of its data and secret keys Attacker’s goal: 
 Learn a targeted (or any ) user’s password Our goal: prove to the server we are the user 
 without compromising our password after server compromise

  4. (see notes for details of 
 how passwords are stored)

  5. Storing passwords in Linux Stored in /etc/shadow username hash salt seed:$6$5MfvmFOaDU$CVt7…:14400:0:99999:7:: last changed (days since 1/1/1970 : 
 algorithm min #days until must change : 
 - 1: MD5-based max #days until must change : - 2: Blowfish #days before expire to warn : - 5: SHA-256 (#days to wait from expire to disable) : - 6: SHA-512 (#days this has been expired)

  6. Thought experiment: Do we need good passwords? • Is the attack: • Online : attacker can only guess by trying to log in • Offline : the attacker has access to /etc/shadow • Does the attack target: • A single targeted user • Any user: the attacker just wants a way to log in

  7. Thought experiment: Do we need good passwords? • Is the attack: • Online : attacker can only guess by trying to log in • Offline : the attacker has access to /etc/shadow • Does the attack target: • A single targeted user • Any user: the attacker just wants a way to log in Online attack

  8. Thought experiment: Do we need good passwords? • Is the attack: • Online : attacker can only guess by trying to log in • Offline : the attacker has access to /etc/shadow • Does the attack target: • A single targeted user • Any user: the attacker just wants a way to log in Online attack Passwords are 6-digit numbers (bad!) After 3 bad login attempts, wait 24hrs Give the attacker 10 years to guess

  9. Thought experiment: Do we need good passwords? • Is the attack: • Online : attacker can only guess by trying to log in • Offline : the attacker has access to /etc/shadow • Does the attack target: • A single targeted user • Any user: the attacker just wants a way to log in Online attack Passwords are 6-digit numbers (bad!) 3*365*10 attempts ≈ 10 4 After 3 bad login attempts, wait 24hrs Give the attacker 10 years to guess

  10. Thought experiment: Do we need good passwords? • Is the attack: • Online : attacker can only guess by trying to log in • Offline : the attacker has access to /etc/shadow • Does the attack target: • A single targeted user • Any user: the attacker just wants a way to log in Online attack Passwords are 6-digit numbers (bad!) 3*365*10 attempts ≈ 10 4 After 3 bad login attempts, wait 24hrs Chance of success: Give the attacker 10 years to guess 10 4 /10 6 ≈ 1%

  11. Passwords and Computer Security • In 2012, 76% of network intrusions exploited weak or stolen credentials (username/password) • Source: Verizon data breach investigations report • First step after any successful intrusion: install sniffer or keylogger to steal more passwords • Second step: run cracking tools on password files • Cracking needed because passwords are not (or at least should not be ) stored in the clear

  12. Gary McKinnon • 2001 and 2002: hacked into 97 US military and NASA computers searching for evidence of free energy suppression and UFO coverups “… shut down the entire US Army’s Military District of • Washington network of over 2000 computers for 24 hrs” “… rendered [US Naval Weapons Station Earle]’s • entire network of over 300 computers inoperable at a critical time immediately following 11 September 2001” Method: Perl script randomly looking for blank and • default passwords to administrator accounts

  13. Old password surveys • Klein (1990) and Spafford (1992) • 2.7% guessed in 15 minutes, 21% in a week • Much more computing power is available now • Univ. of Michigan: 5% of passwords were “goblue” • Zviran and Haga (1999) • Password usage at DoD facility in California • 80% of passwords were 4-7 characters in length; 80% used alphabetic characters only; 80% of the users had never changed their password

  14. RockYou Hack (2009) • Social gaming company • Database with 32 million user passwords from partner social networks • Passwords stored in the clear • December 2009: entire database hacked using a SQL injection attack and posted on the Internet

  15. Passwords in RockYou database

  16. 2010 - Gawker 
 Stored passwords encrypted 188,279 decrypted & released

  17. 2010 - Gawker 
 Stored passwords encrypted 188,279 decrypted & released trustno1

  18. Gawker Passwords (2010)

  19. Server authentication Attack model Attacker can eavesdrop and tamper with 
 1. communication between client and server 
 (or cut the server or client out altogether) Client Server Attacker (“user”) 2. Attacker does not have access to the server’s private key Attacker’s goal: Convince the Client that he is the ‘Server’ Our goal: Establish a session (symmteric) key 
 between the client and server

  20. Server authentication: Certificates PK, SK Client Server Attacker (“user”) Certificate 
 [identity = PK] Attacker does not have access to the server’s private key Recall : A certificate attests “the only person who knows 
 the corresponding secret key is <identity>”

  21. Server authentication: Certificates PK, SK Client Server Attacker (“user”) Certificate 
 [identity = PK] Attacker does not have access to the server’s private key Recall : A certificate attests “the only person who knows 
 the corresponding secret key is <identity>” Challenge 
 How does the server prove it knows its 
 secret key without giving away its secret key? #1

  22. Server authentication: Certificates PK, SK Client Server Attacker (“user”) Certificate 
 [identity = PK] Attacker does not have access to the server’s private key Recall : A certificate attests “the only person who knows 
 the corresponding secret key is <identity>” Challenge 
 How does the server prove it knows its 
 secret key without giving away its secret key? #1 Challenge-response protocols: The client issues a challenge that only someone with the secret knowledge could correctly react to

  23. Server authentication with certificates Browser Server Attacker (initiates connection) (authenticates itself) Ahead of time: 
 Ahead of time: 
 has a list of trusted root certs generate keys and get cert PK, SK Certificate 
 [identity = PK]

  24. Server authentication with certificates Browser Server Attacker (initiates connection) (authenticates itself) Ahead of time: 
 Ahead of time: 
 has a list of trusted root certs generate keys and get cert PK, SK Hello (let’s communicate) Certificate 
 [identity = PK]

  25. Server authentication with certificates Browser Server Attacker (initiates connection) (authenticates itself) Ahead of time: 
 Ahead of time: 
 has a list of trusted root certs generate keys and get cert PK, SK Hello (let’s communicate) Certificate 
 [identity = PK] Certificate 
 [identity = PK]

  26. Server authentication with certificates Browser Server Attacker (initiates connection) (authenticates itself) Ahead of time: 
 Ahead of time: 
 has a list of trusted root certs generate keys and get cert PK, SK Hello (let’s communicate) Certificate 
 [identity = PK] Certificate 
 Verify cert 
 [identity = PK] using the 
 root certs

  27. Server authentication with certificates Browser Server Attacker (initiates connection) (authenticates itself) Ahead of time: 
 Ahead of time: 
 has a list of trusted root certs generate keys and get cert PK, SK Hello (let’s communicate) Certificate 
 [identity = PK] Certificate 
 Verify cert 
 [identity = PK] using the 
 root certs Generate 
 session 
 key k

  28. Server authentication with certificates Browser Server Attacker (initiates connection) (authenticates itself) Ahead of time: 
 Ahead of time: 
 has a list of trusted root certs generate keys and get cert PK, SK Hello (let’s communicate) Certificate 
 [identity = PK] Certificate 
 Verify cert 
 [identity = PK] using the 
 root certs Generate 
 E(PK, k ) session 
 key k

  29. Server authentication with certificates Browser Server Attacker (initiates connection) (authenticates itself) Ahead of time: 
 Ahead of time: 
 has a list of trusted root certs generate keys and get cert PK, SK Hello (let’s communicate) Certificate 
 [identity = PK] Certificate 
 Verify cert 
 [identity = PK] using the 
 root certs Generate 
 E(PK, k ) Decrypt to 
 session 
 obtain k key k

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving game adjusting MCTS for proving game some results 2019-10 1 Neural black box game state S move policy expected outcome R n v

455 views • 45 slides
4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the correctness of grammars, i.e., for proving that grammars generate the languages we want them to. 1 / 21 Definition of Suppose G is a grammar and

324 views • 21 slides
Groundwater Contamination Litigation: Proving Groundwater Contamination Litigation: Proving And

Groundwater Contamination Litigation: Proving Groundwater Contamination Litigation: Proving And

Presenting a live 90 minute webinar with interactive Q&amp;A Groundwater Contamination Litigation: Proving Groundwater Contamination Litigation: Proving And Defending Against Liability for Clean Up Costs Demonstrating Nexus, Causation and

940 views • 62 slides
Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in Hierarchic Combinations of Speci fi cations Dis Background theory linear integer arithmetic Data structures ? Conjecture list axioms/arrays

443 views • 15 slides
Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 21, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk.

609 views • 40 slides
Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 23, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk. Available for

1.03k views • 54 slides
Proving that Artinian implies Noetherian without proving that Artinian implies finite length

Proving that Artinian implies Noetherian without proving that Artinian implies finite length

Proving that Artinian implies Noetherian without proving that Artinian implies finite length Chris Conidis University of Waterloo April 1, 2012 Chris Conidis Proving that Artinian implies Noetherian without proving that Artinian Background

1.01k views • 76 slides
Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Introduction Proving properties of programs Proving equality and equivalence Applications Summary Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and Sergei Romanenko Keldysh Institute of Applied

588 views • 31 slides
Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a theorem? Statement proven based on basis of previously established statements Premise: If I attend UofT, I am a student Premise: I attend

375 views • 25 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem proving problems premise selection deep learning for theorem proving state estimation Today automated reasoning learning in classical ATPs

1.18k views • 97 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Specification Program Loop Assertions Verification Conditions Proving Proving Specification Program Loop Assertions Theorem Proving Computer Algebra

916 views • 90 slides
Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1

Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1

First-order Logic and Theorem Proving Saturation-based Proving Further Tuning and the Role of Strategies Summary Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1 Czech Technical Univeristy in

913 views • 64 slides
Using Cognitive Traits for I m proving the Using Cognitive Traits for I m proving the Detection

Using Cognitive Traits for I m proving the Using Cognitive Traits for I m proving the Detection

Using Cognitive Traits for I m proving the Using Cognitive Traits for I m proving the Detection of Learning Styles Sabine Graf and Kinshuk Athabasca University Canada Canada Why detecting learning styles? Why shall we consider learning

484 views • 20 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving Computer used to automate reasoning in a logic Traditionally part of artificial intelligence (not machine learning) Field of research since the

1.25k views • 101 slides
ECE 3060 VLSI and Advanced Digital Design Lecture 19 Testing Test Cost A large percentage

ECE 3060 VLSI and Advanced Digital Design Lecture 19 Testing Test Cost A large percentage

ECE 3060 VLSI and Advanced Digital Design Lecture 19 Testing Test Cost A large percentage (5-40%) of the manufacturing cost of a VLSI chip is due to test Cost is larger for larger circuits more functionality in a

425 views • 19 slides
Application Compatibility Framework - Building Software Synergy Shishira Rao Amrita Desai

Application Compatibility Framework - Building Software Synergy Shishira Rao Amrita Desai

Application Compatibility Framework - Building Software Synergy Shishira Rao Amrita Desai Ashish Khandelwal ~McAfee Inc. Agendum Setting the Context What, Why and Importance of Compatibility Testing ? Application Compatibility

747 views • 21 slides
NOCoE Peer Exchange Performance-Based Contracting Detroit, Michigan June 18, 2018 Michael

NOCoE Peer Exchange Performance-Based Contracting Detroit, Michigan June 18, 2018 Michael

Florida Department of TRANSPORTATION NOCoE Peer Exchange Performance-Based Contracting Detroit, Michigan June 18, 2018 Michael Washburn Floridas Turnpike Incident Management Program Manager Florida Department of Transportation Florida

409 views • 36 slides
Thank you for joining the conversation today. Send us your questions and comments! Food

Thank you for joining the conversation today. Send us your questions and comments! Food

Food Systems Finance Webinar Series: Neighborhood Revitalization Through Food Systems Finance Thank you for joining the conversation today. Send us your questions and comments! Food Systems Finance Webinar Series: Neighborhood Revitalization

774 views • 60 slides
Lung Cancer : Lung Cancer : Lung Cancer : Lung Cancer : Improving the Cure Rate Improving the

Lung Cancer : Lung Cancer : Lung Cancer : Lung Cancer : Improving the Cure Rate Improving the

Lung Cancer : Lung Cancer : Lung Cancer : Lung Cancer : Improving the Cure Rate Improving the Cure Rate with Radiation with Radiation ith R di ti ith R di ti Andrea Andrea Bezjak Bezjak , MDCM, MSc, FRCPC The Addie MacNaughton Chair in

649 views • 54 slides
Discussions in this presentaXon o Context of the workshop o

Discussions in this presentaXon o Context of the workshop o

1 ECFA High Luminosity LHC Experiments Workshop Report to ECFA session Nov. 21 2013 h@ps://cms-docdb.cern.ch/cgi-bin/PublicDocDB//ShowDocument?docid=12141 D.

376 views • 23 slides
The phase III study INTERCEPTOR in locally advanced head and neck cancer (LA-HNC). Preliminary

The phase III study INTERCEPTOR in locally advanced head and neck cancer (LA-HNC). Preliminary

The phase III study INTERCEPTOR in locally advanced head and neck cancer (LA-HNC). Preliminary safety report A.Bacigalupo, S.Vecchio, L.Belgioia, R. Corv, M.Merlano* on behalf of INTERCEPTOR study Group IRCCS AOU San Martino IST- Genova;

634 views • 13 slides
Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

1 Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours did you spend? (&lt;3h, 6h, 10h, &gt;20h) Join Piazza! An optional recitation on every Wed 5:00-6:00pm (in Klaus 1447)

617 views • 34 slides

More recommend