How to approach homework I. •What you should specify your configuration (replication) –live vs. dedicated machine ® impact on measurement –list platform configuration, compilation flags used (for replication) •Analysis –Good to print only shape of histogram instead of bars (visibility) –Good to print multiple histograms in single graph - better visibility –Don't compare only original to the protected version. More sense makes to compare different data/exponent for given version (e.g., protected) •Good to test also with medium hamming weight –More spread in histogram with same data ® harder to use Template attacks –Be aware what is included in timing - e.g., generation of masking r? Network jitter (can attacker model and subtract)? Example solution (J. Masarik)

Conclusions for Homework I. •Variability for the same data and key => noise in measurement (=> potentially harder to attack) •Difference between any two measured values => possibility to use template attack •Difference between data with low/mid/high hamming weight => some information is leaking •Dependency of time on HW of private exponent may be possible to detect even for improved or blinded RSA •Compiler can remove inserted protection (releases)

AUTHENTICATION & AUTHORIZATION

Basic terms •Identification –Establish what the (previously unknown) entity is •Authentication –Verify if entity is really what it claims to be •Authorization (access control) –Define an access policy to use specified resource –Check if entity is allowed (authorized) to use resource •Authentication may be required before entity allowed to use resource to which is authorized

Hierarchy of authentication and key establishment goals
Protocols for Authentication and Key Establishment By Colin Boyd, Anish Mathuria

PASSWORDS

> But passwords are encrypted, right? Problems associated with passwords •How to create strong password? •How to use password securely? •How to store password securely? •Same value is used for the long time (exposure) •Value of password is independent from target operation (e.g., authorization of request) •…

Mode of usage for passwords 1.Verify by direct match –provided_password == expected_password? –Example: HTTP basic access authentication –Be aware of potential side-channels 2.Verify by derived value (hash(password | salt)) –Be aware of rainbow tables and brute-force crackers 3.Derive key: Password ® cryptographic key –Example: key = PBKDF2(password) 4.Use to establish authenticated key –Example: Password + Diffie-Hellman ® authenticated key…

Where passwords can be compromised? 1.Database storage –Cleartext storage –Backup data (tapes) –Server compromise 2.Host machine (memory, history, cache) 3.Network transmission (network sniffer, proxy logs) 4.Hardcoded secrets (inside app binary) •Difficult to detect compromise and change after the exposure

Password (hash) cracking •Scenario: dump of passwords hash database •Password cracking attacks –Brute-force attack (up to 7-8 characters) –Dictionary attack (inputs with higher probability) –Dictionary + brute-force (Password[0-9]*) –Rainbow tables (time-memory trade-off) –Parallelization (many parallel cores) –GPU/FPGA/ASIC speedup of cracking •Tools –Generic: John the Ripper, Brutus, RainbowCrack… –Targeted to application: TrueCrack, Aircrack-NG…

Password cracking defenses •Don't transmit or store in plaintext •Process password on client, transmit only digest •Don't encrypt, hash instead •Use salt to prevent rainbow tables attack •Use memory-hard KDF algorithms –To slow down custom build hardware –Use strong KDF to derive keys (PBKDF2®Argon2) –

Handling passwords in source code •Limiting memory exposure –Load only when needed –Erase right after use –Pass by reference / pointer to prevent copy in memory –Derive session keys •Don't hardcode password into application binary •Nice presentation (K. Kohli, examples how NOT to): http://www.slideshare.net/amiable_indian/insecure-implementation-of-security-best-practices-of-hash ing-captchas-and-caching-presentation

Alternative to hardcoded passwords/keys •Don't use passwords J •Ask the user for a password •Keep secrets in a separate file •Encrypt stored secrets •Store secrets in protected database •Use already existing authentication credentials •CERN guidelines –https://security.web.cern.ch/security/recommendations/en/password_alternatives.shtml –

Hard-coded password might be visible both in application binary and memory

Possible password replacements •Cambridge's TR – wide range of possibilities listed –The quest to replace passwords: a framework for comparative evaluation of Web authentication schemes –https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf •Many different possibilities, but passwords are cheap to start with, lot of legacy code exists and no mechanism offers all benefits •Mandatory reading: UCAM-CL-817 –At least chapters: II. Benefits, V. Discussion –Whole report is highly recommended –

ONE-TIME PASSWORDS

Recall: Problems associated with passwords •How to create secure password? •How to use password securely? •How to store password securely? •Same value is used for the long time (exposure) •Value of password is independent from target operation (e.g., authorization of request) •…
One-time passwords tries to address these issues

HMAC-based One-time Password Algorithm •HMAC-based One-time Password Algorithm (HOTP) –Secret key K –Counter (challenge) C –HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) –HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF –0x7FFFFFFF mask to drop most significant bit (portability) –HOTP-Value = HOTP(K,C) mod 10d (d … # of digits) •Many practical implementations –E.g., Google Authenticator •https://en.wikipedia.org/wiki/HOTP

HOTP – items, operations •Logical operations 1.Generate initial state for new user and distribute key 2.Generate HOTP code and update state (user) 3.Verify HOTP code and update state (auth. server) •Security considerations of HOTP –Client compromise –Server compromise –Repeat of counter/challenge –Counter mismatch tolerance window

Sylvain Maret Time-based One-time Password Algorithm •Very similar to HOTP –Time used instead of counter •Requires synchronized clocks –In practice realized as time window •Tolerance to gradual desynchronization possible –Server keeps device's desynchronization offset –Updates with every successful login

OCRA: OATH Challenge-Response Algorithm •Initiative for Open Authentication (OATH) •OCRA is authentication algorithm based on HOTP •OCRA code = CryptoFunction(K, DataInput) –K: a shared secret key known to both parties –DataInput: concatenation of the various input data values •Counter, challenges, H(PIN/Passwd), session info, H(time) –Default CryptoFunction is HOTP-SHA1-6 –https://tools.ietf.org/html/rfc6287 •Don't confuse with Oauth (delegation of authentication) –The OAuth 2.0 Authorization Framework (RFC6749) –TLS-based security protocol for accessing HTTP service

> Increased risk at *OTP verification server •More secure against client compromise –Using OTP instead of passwords, KDF(time|key), •But what if server is compromised? –database hacks, temporal attacker presence –E.g., Heartbleed – dump of OTP keys •Possible solution –Trusted hardware on the server –OTP code verified inside trusted environment –OTP key never leaves the hardware

PROBLEM: IS OTP CODE FRESH?

FIDO U2F PROTOCOL

Revision 1: ECC-based challenge-response
https://developers.yubico.com/U2F/Protocol_details/Overview.html
> Problems: phishing, MiTM…

Revision 2: URI + TLS channel id added
https://developers.yubico.com/U2F/Protocol_details/Overview.html
> Problem: two users using same device => detectable by service (same kpriv)
•https://accounts.google.com/ServiceLogin

Revision 3: Application-specific key added
https://developers.yubico.com/U2F/Protocol_details/Overview.html
> Problem: Undetectable device cloning
•new key pair and key handle for each registration

Revision 4: Authentication counter added
https://developers.yubico.com/U2F/Protocol_details/Overview.html
> Option: What if server wants to verify device properties before register? •Incremental counter

Revision 5: Device attestation added
https://developers.yubico.com/U2F/Protocol_details/Overview.html
•Attestation certificate signed with TTP
> ECDSA NIST secp256r1 used

FIDO U2F devices •Why have button? Is missing display problem? •Recent problem: direct WebUSB API in Chrome –Malware bypass U2F API checking the URL –Legitimate URL is send from malicious page –https://www.wired.com/story/chrome-yubikey-phishing-webusb/ –APDU-level communication: https://npmccallum.gitlab.io/post/u2f-protocol-overview/ •Well known is Yubikey, but open-source hardware and software-only implementations also possible –https://github.com/conorpp/u2f-zero

Always dig for implementation details •How are ECC keys generated and stored? •Yubikey saves ECC storage place by deriving ECC private keys instead of randomly generating –Possible as the ECC private key is random value •Device secret generated during manufacturing •What is the possible attack
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html

METHODS OF DERIVATION OF SECRETS FROM PASSWORD
H('Password') ®

Problems when password used as a key •Passwords are usually shorter / longer than key •If password as a key => low number of distinct keys •Password does not contain same amount of entropy as binary key (only printable characters…) •K = SHA-2("password") –Same passwords from multiple users => same key –Large pre-computed "rainbow" tables allow for quick check –Solved by addition of random (potentially public) salt •K = SHA-2(pass | salt) •Dictionary-based brute-force still possible

Derivation of secrets from password •PBKDF2 function, widely used –Password is HMAC "key" –Iterations to slow derivation –Salt added •Problem with custom-build hardware (GPU, ASIC) –Repeated iterations not enough to prevent bruteforce –(or would be too slow on standard CPU – user experience)
Source: https://nakedsecurity.sophos.com

scrypt – memory hard function •Design as a protection against cracking hardware (usable against PBKDF2) –GPU, FPGA, ASICs… –https://github.com/wg/scrypt/blob/master/src/main/java/com/lambdaworks/crypto/SCrypt.java •Memory-hard function –Force computation to hold r (parameter) blocks in memory –Uses PBKDF2 as outer interface •Improved version: NeoScrypt (uses full Salsa20)

Reuse of external PBKDF2 structure
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/
>

Argon2 •Password hashing competition (PHC) winner, 2013
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/

Problem solved? https://www.ietf.org/mail-archive/web/cfrg/current/msg08439.html
> Problem: situation with PHC winner still unclear in 2018 L

PASSWORD MANAGERS

Evolution of password (managers) 1.Human memory only 2. 2.Write it down on paper 3. 3.Write it into file 4. 4.Use local password manager 5. 5.

Remote password managers
Google: Sfdlk2c&432mo% Skype: *(&21mefd872!&
KeePass+Dropbox LastPass 1Password MozillaSync …

Common (mis-)Assumptions 1.User has strong password –>60% can be usually brute-forced 2.Server/service is hard to compromise –Server-side compromises are now very frequent 3.User have unique passwords –Gawker/root.com leak: 76% had the exact same password 4.Different authentication channels are independent –Web-browsing + SMS on smart phones? 5.Account recovery often weak(er) 6. 6. 6. 6.

> But passwords are encrypted, right? Human is still the weakest link
Google: Sfdlk2c&432mo% Skype: *(&21mefd872!&
> More than 60% of users have weak passwords
password123 Google: Sfdlk2c&432mo% Skype: *(&21mefd872!&

Hardware tokens
Hack-a-Day's Mooltipass
> Price, usability, compatibility…

Common (mis-)Assumptions 1.User has strong password 2.Server/service is hard to compromise 3.User have unique passwords 4.Different authentication channels are independent 5.Recovery 6. 6. 6. 6.

> User has strong password

> Study: Gawker vs. root.com passwords leak "…[from successfully cracked passwords] 76% used the exact same password. A further 6% used passwords differing by only capitalisation or a small suffix (e.g. 'password' and 'password1′).", J. Bonneau http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/
> User have unique passwords…

> Service is hard to compromise? > Services follow the best security principles
> Service implementation is correct and bug-free

> Different authentication channels are independent

> Security can be maintained "forever"
> Allow for some form of risk management

> Recovery info shared over multiple services…
> Access recovery is as secure as primary one

PASSWORD MANAGER FOR MULTIPLE DEVICES •Case study

Assumptions •Functional –User stores fixed secrets (passwords…) –User has multiple connected devices –Easy to use J •Security –Service can't be trusted –User chooses weak password –Devices can be lost (and later revoked) –User has independent channel (phone)

Main security design principles •Treat storage service as untrusted and perform security sensitive operations on client •Make necessary trusted component as small as possible •Prevent offline brute-force, but don't expect strong password from user –add entropy from other source •Make transmitted sensitive values short-lived •Trusted hardware can provide additional support –

> Public-key cryptography indirection
Google: Sfdlk2c&432mo% Skype: *(&21mefd872 Benefits, V. Discussion –Whole report is highly recommended • • • • PV204 Authentication and passwords 71