security some fun with passwords
play

Security: Some Fun with Passwords How to handle Passwords: the - PDF document

Feb 05, 2023 •308 likes •369 views

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

  1. CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords • How to handle Passwords: the Basics • Rainbow Attacks Not too long ago… Hi, I forgot my password! Let me help you. What is your name? My Name is John Doe. I found you in my system. Your password is XXXYYY. Q: What is wrong with this scenario? 1

  2. CSCE Intro to Computer Systems Security - Passwords Password Hashing Instead of storing the password on the server … Alice: XXXYYY Bob: YYYZZZ “ user name: Alice, password: XXXYYY ” Charlie: ZZZAAA Dorothy: AAABBB Alice … Is Alice ’ s password = “ XXXYYY ” ? … we store an encrypted ( hashed ) version of the password. Alice: sX&*Xzy Bob: 78BeBc# “ user name: Alice, password: XXXYYY ” Charlie: wqlkr03 Dorothy: 94pg9s Alice … Is Alice ’ s password hash = Hash( “ XXXYYY ” )? Replay Attacks and Challenge Response Simply encrypting a request does not protect from replays. Alice: sX&*Xzy Bob: 78BeBc# ( “ user:Alice, pw:XXXYYY ” ) kBpub Charlie: wqlkr03 Dorothy: 94pg9s Alice … ( “ user:Alice, pw:XXXYYY ” ) kBpub Solution: Challenge-response. knock knock! Alice: sX&*Xzy 9345 Bob: 78BeBc# ( “ user:alice, pw:XXXYYY, 9345) kBpub Charlie: wqlkr03 Dorothy: 94pg9s Alice knock knock! … 2134560 ?!?! 2

  3. CSCE Intro to Computer Systems Security - Passwords Is Password Hashing Overrated? (or, hacking password files using rainbow tables) Password Hashing: Passwords Hashes Two approaches to “ Decrypt ” passwords: 1. Exhaustively generate and hash passwords and check for match. 2. Generate table for all possible passwords and their hashes. Then just look up. Rainbow Tables: Reduction Functions MD5(483039) = dca12104d04e02176fc6bc9a7fdcaf50 Hash function: MD5() PW = “ 483039 ” hash Passwords Hashes “ reduce ” RED(dca 12104 d 0 4e02176fc6bc9a7fdcaf50) = 121040 Reduction function: RED(arg) := pick first numerical 6 digits of arg. 3

  4. CSCE Intro to Computer Systems Security - Passwords “ Chains ” of Hashes Passwords Hashes start end Simple Hash Chain Table: start end iaisudhiu 4259cc34599c530b1e4a8f225d665802 oxcvioix c744b1716cbf8d4dd0ff4ce31a177151 9da8dasf 3cd696a8571a843cda453a229d741843 […] sodifo8sf 7ad7d6fa6bb4fd28ab98b3dd33261e8f Problems with Hash Chains • Chains can collide : – When hash function or reduction values collide, hash chains merge . – Hash function values are unlikely to collide – Reduction function values are likely to collide • Reduction function should map back to likely subset of passwords. – If not, we are spending time scanning the entire space. 4

  5. CSCE Intro to Computer Systems Security - Passwords How to Counter such Attacks? Salting Instead of storing the hash hash(password) we store the salted hash hash(password + salt) where salt is a very large number. 5

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to

Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to

Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to movie plots and fear. There are real threats our there, but staying safe is not that hard. Computer -- The Castle The computer is like a

416 views • 37 slides
Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of Information Technology Uppsala University, Sweden 20. January 2020 Caveat Auditor Background Passwords this talk contains opinions Diceware

447 views • 43 slides
Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th October 2008 Overview Securing Systems Passwords Storing Passwords Guessing Passwords What can I do about it?

518 views • 16 slides
Information Security Forum Fall 2018 Gary McCrillis & Jon Vazquez Information Security

Information Security Forum Fall 2018 Gary McCrillis & Jon Vazquez Information Security

Information Security Forum Fall 2018 Gary McCrillis & Jon Vazquez Information Security Analysts, Cal Poly Information Security Office 9/28/18 1 Better Passwords, with 9/28/18 2 Ninjio Video 9/28/18 3 Passwords Are (Still) Hard

387 views • 10 slides
CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs

CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs

CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs Thanks to Franzi for some previous slides LogisIcs / Reminders Lab #2 due 5/20,5pm (tomorrow!) Next office hour: Thomas and Kevin: 2-3pm

382 views • 25 slides
Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco IOS stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions,

354 views • 13 slides
STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A S S W O R D F R O M H O M E ! Students: Update your password this summer from home! Student passwords were reset on 7/3/2019. Please follow the

525 views • 14 slides
secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start motivation & start internet security evaluate password cracker to check security of passwords passwords problems problems default

703 views • 27 slides
Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

CSE 484 / CSE M 584 Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics / Reminders Class tomorrow at PCAR 290 Lab #2 due 5/20,5pm (next Wednesday) Next office hour: Michael and

574 views • 22 slides
Analyzing Pwned Passwords with Spark Kelley Robinson @kelleyrobinson Developer Evangelist +

Analyzing Pwned Passwords with Spark Kelley Robinson @kelleyrobinson Developer Evangelist +

Analyzing Pwned Passwords with Spark Kelley Robinson @kelleyrobinson Developer Evangelist + @KELLEYROBINSON BIG DATA & SECURITY Spark: then and now The state of passwords Spark in action Big Data Security BIG DATA & SECURITY

606 views • 33 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using

Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using

Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using Personal Devices M. Mannan NSERC PDF, University of Toronto m.mannan@utoronto.ca Collaborators: D. Barrera, C.D. Brown, D. Lie, P.C. van Oorschot

483 views • 24 slides
Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.15k views • 70 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with David Cash, Andrew Drucker, Hoeteck Wee 1 This Talk Inspects time-space tradeo ff s for finding short collisions in Merkle-Damgrd hash

890 views • 55 slides
CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020 Previous Class PKI Digital Certificate Certificate Authority Verifying Certificates and Chain of Trust Revoking Certificates

310 views • 30 slides
You are the salt of the earth; but if the salt loses its flavor, how shall it be seasoned? It

You are the salt of the earth; but if the salt loses its flavor, how shall it be seasoned? It

You are the salt of the earth; but if the salt loses its flavor, how shall it be seasoned? It is then good for nothing but to be thrown out and trampled underfoot by men. You are the light of the world. A city that is set on a hill cannot be

1.76k views • 161 slides
WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru Mohammed Rajkumar Ramadhin Alexander Martin Introduction With growing advancement in the "Internet of Things" we must take a look at the

468 views • 29 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

869 views • 42 slides

More recommend