P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg PV204 Security technologies Authentication and passwords •Petr Švenda svenda@fi.muni.cz •Faculty of Informatics, Masaryk University P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Organizational – points per homework •Incorrect penalization was listed last week •Every additional day (24h) after soft deadline means 1.5 points penalization (instead of 3 points ) •Homework points: 5 points per homework –6x5 points => 30 –+ Bonus assignment(s) – 2 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg How to approach homework I. •What you should listed about your configuration (replication) –live vs. dedicated machine -> impact on measurement –list platform configuration, compilation flags used (for replication) •Analysis –good to print only shape of histogram (or KDE) instead of bars (visibility) –good to print multiple histograms in single graph - better visibility –don't compare only non-blinded to blinded version. More sense makes to compare different data/exponent for given version •Good to test also with medium hamming weight –more spread of histogram with same data => harder to use Template attacks –but be aware what is included in timing - e.g., generation of masking r? Network jitter (attacker can model and subtract)? • 3 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Example solution (O. Mosnacek) 4 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Example solution (L. Obratil) 5 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Conclusions for homework I. •Variability for same data and key => noise in measurement (=> potentially harder to attack) •Difference between any measured values => possibility to use template attack •Difference between data with low/mid/high hamming weight => some information is leaking •Dependency of time on HW of private exponent may be possible to detect even for blinded RSA • 6 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg AUTHENTICATION & AUTHORIZATION • 7 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Basic terms •Identification –Establish what the (previously unknown) entity is •Authentication –Verify if entity is really what it claims to be •Authorization (access control) –Define an access policy to use specified resource –Check if entity is allowed (authorized) to use resource •Authentication may be required before entity allowed to use resource to which is authorized PV204 Authentication and passwords 8 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Hierarchy of authentication and key establishment goals • PV204 Authentication and passwords D:\Documents\Obrazky\keystablish_goals.png Protocols for Authentication and Key Establishment By Colin Boyd, Anish Mathuria 9 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg PASSWORDS • PV204 Authentication and passwords 10 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Mode of usage for passwords 1.Verify by direct match –provided_password == expected_password? –Example: HTTP basic access authentication –Be aware of potential side-channels 2.Verify by derived value (hash(password)) 3.Derive key: Password ® cryptographic key –Example: key = PBKDF2(password) 4.Use to establish authenticated key –Example: Password + Diffie-Hellman ® authenticated key •… 11 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Problems associated with passwords •How to create secure password? •How to use password securely? •How to store password securely? •Same value is used for the long time (exposure) •Value of password is independent from target operation (e.g., authorization of request) •… 12 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Where passwords can be compromised? 1.Database storage –Cleartext storage –Backup data (tapes) –Server compromise 2.Host machine (memory, history, cache) 3.Network transmission (network sniffer, proxy logs) 4.Hardcoded secrets (inside app binary) –Difficult to change after exposure PV204 Authentication and passwords 13 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Password (hash) cracking •Scenario: dump of passwords hash database •Password cracking attacks –Brute-force attack (up to 7-8 characters) –Dictionary attack (inputs with higher probability) –Dictionary + brute-force (Password[0-9]*) –Rainbow tables (time-memory trade-off) –Parallelization (many parallel cores) –GPU/FPGA/ASIC speedup of cracking •Tools –Generic: John the Ripper, Brutus, RainbowCrack… –Targeted to application: TrueCrack, Aircrack-NG… PV204 Authentication and passwords 14 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Password cracking defenses •Don’t transmit or store in plaintext •Process password on client, transmit only digest •Don’t encrypt, hash instead •Use salt to prevent rainbow tables attack •Use memory-hard KDF algorithms –To slow down custom build hardware –Use strong KDF to derive keys (PBKDF2/Argon2) – • PV204 Authentication and passwords 15 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Handling passwords in source code •Limiting memory exposure –Load only when needed –Erase right after use –Pass by reference / pointer to prevent copy in memory –Derive session keys •Don’t hardcode password into application binary •Nice presentation (K. Kohli, examples how not to): http://www.slideshare.net/amiable_indian/insecure-implementation-of-security-best-practices-of-hash ing-captchas-and-caching-presentation • – PV204 Authentication and passwords 16 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Hard-coded password might be visible both in application binary and memory | PV204: Reverse engineering of binary applications P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Alternatives to hardcoded passwords •Don’t use passwords J •Ask the user for a password •Keep secrets in a separate file •Encrypt stored secrets •Store secrets in protected database •Use already existing authentication credentials •Cern guidelines –https://security.web.cern.ch/security/recommendations/en/password_alternatives.shtml – • PV204 Authentication and passwords 18 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Possible password replacements •Cambridge’s TR – wide range of possibilities listed –The quest to replace passwords: a framework for comparative evaluation of Web authentication schemes –https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf •Many different possibilities, but passwords are cheap to start with, lot of legacy code exists and no mechanism offers all benefits •Mandatory reading: UCAM-CL-817 –At least chapters: II. Benefits, V. Discussion –Whole report is highly recommended – • PV204 Authentication and passwords 19 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg ONE-TIME PASSWORDS • PV204 Authentication and passwords 20 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Recall: Problems associated with passwords •How to create secure password? •How to use password securely? •How to store password securely? •Same value is used for the long time (exposure) •Value of password is independent from target operation (e.g., authorization of request) •… 21 PV204 Authentication and passwords One-time passwords tries to address these issues P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg HMAC-based One-time Password Algorithm •HMAC-based One-time Password Algorithm (HOTP) –Secret key K –Counter (challenge) C –HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) –HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF –0x7FFFFFFF mask to drop most significant bit (portability) –HOTP-Value = HOTP(K,C) mod 10d (d … # of digits) •Many practical implementations –E.g., Google authenticator •https://en.wikipedia.org/wiki/HOTP • PV204 Authentication and passwords 22 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg HOTP – items, operations •Logical operations 1.Generate initial state for new user and distribute key 2.Generate HOTP code and update state (user) 3.Verify HOTP code and update state (auth. server) •Security considerations of HOTP –Client compromise –Server compromise –Repeat of counter –Counter mismatch tolerance window • • • PV204 Authentication and passwords 23 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg PV204 Authentication and passwords 24 > P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Sylvain Maret Time-based One-time Password Algorithm •Very similar to HOTP –Time used instead of counter •Requires synchronized clocks –In practice realized as time window •Tolerance to gradual desynchronization possible –Server keeps device’s desynchronization offset –Updates with every successful login PV204 Authentication and passwords 25 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg OCRA: OATH Challenge-Response Algorithm •Initiative for Open Authentication (OATH) •OCRA is authentication algorithm based on HOTP •OCRA code = CryptoFunction(K, DataInput) –K: a shared secret key known to both parties –DataInput: concatenation of the various input data values •Counter, challenges, H(PIN/Passwd), session info, H(time) –Default CryptoFunction is HOTP-SHA1-6 –https://tools.ietf.org/html/rfc6287 •Don’t confuse with OAuth –The OAuth 2.0 Authorization Framework (RFC6749) –TLS-based security protocol for accessing HTTP service PV204 Authentication and passwords 26 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Increased risk at *OTP verification server •Better authentication –Using OTP instead of passwords, KDF(time|key), •But what if server is compromised? –database hacks, temporal attacker presence –E.g., Heartbleed – dump of OTP keys •Possible solution –Trusted hardware on the server –OTP code verified inside trusted environment –OTP key never leaves the hardware PV204 Authentication and passwords 27 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg PV204 Authentication and passwords 28 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg METHODS OF DERIVATION OF SECRETS FROM PASSWORD • PV204 Authentication and passwords 29 D:\Documents\Obrázky\is2\Key-icon.png H(‘Password’) ® P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Problems when password used as a key •Passwords are usually shorter / longer than key •If password as a key => low number of distinct keys •Password does not contain same amount of entropy as binary key (only printable characters…) •K = SHA-2(“password”) –Same passwords from multiple users => same key –Large pre-computed “rainbow” tables allow for quick check –Solved by addition of random (potentially public) salt •K = SHA-2(pass | salt) •Dictionary-based brute-force still possible • PV204 Authentication and passwords 30 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrazky\pbkdf2-5002.png Derivation of secrets from password •PBKDF2 function, widely used –Password is HMAC “key” –Iterations to slow derivation –Salt added • • • •Problem with custom-build hardware (GPU, ASIC) –Repeated iterations not enough to prevent bruteforce –(or would be too slow on standard CPU – user experience) • PV204 Authentication and passwords Source: https://nakedsecurity.sophos.com 31 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg scrypt – memory hard function •Design as a protection against cracking hardware (usable against PBKDF2) –GPU, FPGA, ASICs… –https://github.com/wg/scrypt/blob/master/src/main/java/com/lambdaworks/crypto/SCrypt.java •Memory-hard function –Force computation to hold r (parameter) blocks in memory –Uses PBKDF2 as outer interface •Improved version: NeoScrypt (uses full Salsa20) • PV204 Authentication and passwords 32 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Reuse of external PBKDF2 structure PV204 Authentication and passwords https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/ 33 > P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Argon2 •Password hashing competition (PHC) winner, 2013 • • PV204 Authentication and passwords https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/ 34 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg PASSWORD MANAGERS • 35 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Evolution of password (managers) 1.Human memory only 2. 2.Write it down on paper 3. 3.Write it into file 4. 4.Use local password manager 5. 5. 36 PV204 Authentication and passwords D:\Documents\Obrázky\is2\Body-Brain-icon.png Pαs$w0rd Pαs$w0rd01 Google: Sfdlk2c& Skype: *(&21mefd D:\Documents\Obrázky\is2\NotepadRv1.png devil Google: Sfdlk2c&432mo% Skype: *(&21mefd872!& Google: Sfdlk2c&432mo% Skype: *(&21mefd872!& devil D:\Documents\Obrázky\is2\Key-icon.png D:\Documents\Obrazky\is2\synchronization.png P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\Plain-Blue-icon.png Remote password managers Google: Sfdlk2c&432mo% Skype: *(&21mefd872!& D:\Documents\Obrázky\is2\Lock-icon.png D:\Documents\Obrázky\is2\Phone-icon.png D:\Documents\Obrázky\is2\ipad-black-icon.png D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Key-icon.png D:\Documents\Obrázky\is2\Key-icon.png D:\Documents\Obrázky\is2\Key-icon.png KeePass+Dropbox LastPass 1Password MozillaSync … PV204 Authentication and passwords 37 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg • D:\Documents\Obrázky\is2\lastpasshack.png > But passwords are encrypted, right? D:\Documents\Obrázky\is2\lastpass_usersshouldbesafe.png PV204 Authentication and passwords 38 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\Plain-Blue-icon.png D:\Documents\Obrázky\is2\Places-server-database-icon.png Human is still the weakest link Google: Sfdlk2c&432mo% Skype: *(&21mefd872!& D:\Documents\Obrázky\is2\Lock-icon.png D:\Documents\Obrázky\is2\Computer_Icon.png > More than 60% of users have weak passwords D:\Documents\Obrázky\is2\Body-Brain-icon.png D:\Documents\Obrázky\is2\Key-icon.png D:\Documents\Obrázky\is2\Key-icon.png devil D:\Documents\Obrázky\is2\Places-server-database-icon.png D:\Documents\Obrázky\is2\Lock-icon.png D:\Documents\Obrázky\is2\Plain-Blue-icon.png password123 Google: Sfdlk2c&432mo% Skype: *(&21mefd872!& D:\Documents\Obrázky\is2\johntheripper1_10_design.png PV204 Authentication and passwords 39 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\12240458-password-scrib.jpg Hardware tokens • D:\Documents\Obrázky\is2\gcr-smart-card.png D:\Documents\Obrázky\is2\multipass.JPG D:\Documents\Obrázky\is2\passwordlockusb2.jpg Hack-a-Day’s Mooltipass > Price, usability, compatibility… PV204 Authentication and passwords 40 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Common (mis-)Assumptions 1.User has strong password 2.Server/service is hard to compromise 3.User have unique passwords 4.Different authentication channels are independent 5.Recovery 6. 6. 6. 6. 41 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\linkedin_hack.png • > User has strong password D:\Documents\Obrázky\is2\linkedin_badpasswd.png PV204 Authentication and passwords 42 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\passwod_reuse.png D:\Documents\Obrázky\is2\infoworld_passwordreuse.png > Study: Gawker vs. root.com passwords leak “…[from successfully cracked passwords] 76% used the exact same password. A further 6% used passwords differing by only capitalisation or a small suffix (e.g. ‘password’ and ‘password1′).”, J. Bonneau http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/ > User have unique passwords… PV204 Authentication and passwords 43 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg • D:\Documents\Obrázky\is2\password breaches.png D:\Documents\Obrázky\is2\password breaches.png D:\Documents\Obrázky\is2\password breaches.png > Service is hard to compromise? PV204 Authentication and passwords 44 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg • > Services follow the best security principles D:\Documents\Obrázky\is2\starbucks_plaintextpass.png > Service implementation is correct and bug-free D:\Documents\Obrázky\is2\Heartbleed.svg.png PV204 Authentication and passwords 45 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg • • > Different authentication channels are independent D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Backup-IBM-Server-icon.png D:\Documents\Obrázky\is2\nokia_7.jpg D:\Documents\Obrázky\is2\Apps-firefox-icon.png D:\Documents\Obrázky\is2\SMS-icon.png D:\Documents\Obrázky\is2\iPhone-icon.png D:\Documents\Obrázky\is2\Apps-firefox-icon.png D:\Documents\Obrázky\is2\Mail-icon.png D:\Documents\Obrázky\is2\SMS-icon.png PV204 Authentication and passwords 46 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg • • • • > Security can be maintained “forever” D:\Documents\Obrázky\is2\basket-empty-icon.png > Allow for some form of risk management D:\Documents\Obrázky\is2\Key-icon3.png D:\Documents\Obrázky\is2\System-Key-icon.png D:\Documents\Obrázky\is2\key-icon2.png D:\Documents\Obrázky\is2\Key-icon.png PV204 Authentication and passwords 47 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\mothermaidens.png • D:\Documents\Obrázky\is2\questions_guess.png D:\Documents\Obrázky\is2\lost_N_twitter.png > Recovery info shared over multiple services… > PV204 Authentication and passwords 48 Access recovery is as secure as primary one P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg PASSWORD MANAGER FOR MULTIPLE DEVICES •Case study PV204 Authentication and passwords 49 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Assumptions •Functional –User stores fixed secrets (passwords…) –User has multiple connected devices –Easy to use J •Security –Service can’t be trusted –User chooses weak password –Devices can be lost (and later revoked) –User has independent channel (phone) • • PV204 Authentication and passwords 50 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Main security design principles •Treat storage service as untrusted and perform security sensitive operations on client •Make necessary trusted component as small as possible •Prevent offline brute-force, but don’t expect strong password from user –add entropy from other source •Make transmitted sensitive values short-lived – PV204 Authentication and passwords 51 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg > Public-key cryptography indirection D:\Documents\Obrázky\is2\Plain-Blue-icon.png Google: Sfdlk2c&432mo% Skype: *(&21mefd872!& D:\Documents\Obrázky\is2\Lock-icon.png D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Body-Brain-icon.png D:\Documents\Obrázky\is2\Key-icon.png K = H(‘Password’) K D:\Documents\Obrázky\is2\Plain-Blue-icon.png Google: Sfdlk2c&432mo% K Password Priv_U KEK K Pub_U D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Body-Brain-icon.png D:\Documents\Obrázky\is2\Key-icon.png Password KEK = H(‘Password’) PV204 Authentication and passwords 52 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\ipad-black-icon.png D:\Documents\Obrázky\is2\Phone-icon.png > Public-key crypto indirection D:\Documents\Obrázky\is2\Plain-Blue-icon.png Google: Sfdlk2c&432mo% K Priv_U KEK K Pub_U D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Key-icon.png Password KEK = H(‘Password’) > Public-key crypto indirection allows for asynchronous change of K > Long private key can be also stored on Service D:\Documents\Obrázky\is2\User-Group-icon.png K’,K’’,K’’’… [K’]Pub_U PV204 Authentication and passwords 53 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg > Weak password? D:\Documents\Obrázky\is2\Plain-Blue-icon.png D:\Documents\Obrázky\is2\Plain-Blue-icon.png • Google: Sfdlk2c&432mo% K Priv_U KEK K Pub_U D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Key-icon.png Password KEK = H(‘Password’) Password KEK = H(‘Password’) KEK Priv_U K K Google: Sfdlk2c&432mo% > Attacker has motivation for attacking the Service! > Users tend to have weak passwords… PV204 Authentication and passwords 54 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg D:\Documents\Obrázky\is2\Home-Server-icon.png D:\Documents\Obrázky\is2\Home-Server-icon.png > Trusted element • D:\Documents\Obrázky\is2\Plain-Blue-icon.png Google: Sfdlk2c&432mo% K Priv_U KEK K Pub_U D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Body-Brain-icon.png D:\Documents\Obrázky\is2\Key-icon.png Password KEK = H(‘Password’ D:\Documents\Obrázky\is2\Home-Server-icon.png User1:SecretData User2:SecretData’ … > Separate Trusted entities provide additional data | SecretData) devil PV204 Authentication and passwords 55 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg • D:\Documents\Obrázky\is2\Plain-Blue-icon.png Google: Sfdlk2c&432mo% K Priv_U KEK K Pub_U D:\Documents\Obrázky\is2\Computer_Icon.png D:\Documents\Obrázky\is2\Body-Brain-icon.png D:\Documents\Obrázky\is2\Key-icon.png Password KEK = H(‘Password’ | SecretData) D:\Documents\Obrázky\is2\Home-Server-icon.png User1:SecretData User2:SecretData’ … D:\Documents\Obrázky\is2\nokia_7.jpg SMS: D:\Documents\Obrázky\is2\Key-icon.png SecretData D:\Documents\Obrázky\is2\Key-icon.png SecretData PV204 Authentication and passwords 56 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg > Multiple devices • D:\Documents\Obrázky\is2\Plain-Blue-icon.png Google: Sfdlk2c&432mo% K Priv_U KEK K Pub_U KEK Dev1 KEK Dev2 KEK Dev3 D:\Documents\Obrázky\is2\Phone-icon.png D:\Documents\Obrázky\is2\ipad-black-icon.png D:\Documents\Obrázky\is2\Computer_Icon.png Dev1 Dev2 Dev3 PV204 Authentication and passwords 57 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg • •Device management (new, remove, revocate) •Device authentication •Group management (users, boards, secrets) •Password change, private key change •Access recovery •… > Devil is in the details… > Other operations devil PV204 Authentication and passwords 58 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Do we have some implementations? • •New Apple’s service showcased in 2013 •Lack of details until iOS Security report 02/2014 –https://www.apple.com/business/docs/iOS_Security_Guide.pdf – • D:\Documents\Obrázky\is2\24591_icloud-keychain-660x350.jpg PV204 Authentication and passwords 59 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Apple’s iCloud Keychain •Multiple similarities to described example –Layer of indirection via asymmetric cryptography –Support for multiple devices –Asynchronous operations via application tickets –Authorization and signature of additional devices –User phone registered and required •Still reliance on user’s (potentially weak) password –But limited number of tries (recall recent FBI 10 password attempts) •Trusted component of iCloud realized via internal HSM –Recovery mode with 4 digit code (default, can be longer) –HSM will decrypt recovery key only after –4 digits length is not an issue – HSM enforce limited # retries PV204 Authentication and passwords 60 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Summary •Passwords have multiple issues, but are hard to be replaced •Important to use passwords securely (guidelines) •One-time passwords getting more used •Password manager with synchronization over multiple devices is not straightforward •Mandatory reading: UCAM-CL-817 –At least chapters: II. Benefits, V. Discussion –Whole report is highly recommended • • • • PV204 Authentication and passwords 61