PV204 Security technologies
Authentication: passwords, OTP, FIDO U2F
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University
www.crcs.cz/rsa @CRoCS_MUNI

COURSE TRIVIA: PV204_00_COURSEOVERVIEW_2019.PPT

AUTHENTICATION & AUTHORIZATION

Basic terms
•Identification
 –Establish what the (previously unknown) entity is
•Authentication
 –Verify if entity is really what it claims to be
•Authorization (access control)
 –Define an access policy to use specified resource
 –Check if entity is allowed (authorized) to use resource
•Authentication may be required before an entity is allowed to use a resource to which it is authorized

Options for authentication
•Something you:
 1.Know (password, key)
 2.Have (token, smartcard)
 3.Are (biometrics)
•Combination of multiple options – two-factor authentication (or more)

1.Registration phase (how is new user added)
2.Verification phase (how is user’s claimed identity verified)
3.Recovery phase (what if user forgot/lost authentication credentials)

Group activity
•Form group of 3-4 members (mix, not your neighbours)
 –Introduce yourself with your name
•Discuss and write down on paper:
 –What you use for authentication (password…)
 –How you store the authentication secret? (brain-only…)
•Time limit: 5 minutes
•Now return back to your original seat (if you wish :))

PASSWORDS

Mode of usage for passwords
•Verify by direct match (provided_password == expected_password?)
 –Example: HTTP basic access authentication
 –Be aware of plaintext storage on server
 –Be aware of potential side-channels (mismatch on Xth character)
•Verify by match of derived value (hash(password | salt))
 –Be aware of rainbow tables and brute-force crackers
•Derive key: Password → cryptographic key
 –Example: key = PBKDF2(password)
•Used to establish authenticated key
 –Example: Password + Diffie-Hellman → authenticated key…

Problems associated with passwords
•How to create strong password?
•How to use password securely?
•How to store password securely?
•Same value is used for a long time (exposure)
•Value of password is independent from the target operation (e.g., authorization of bank transfer request)
•…

Where can the passwords be compromised?
1.Client side (malware on user computer)
2.Database storage
 –Cleartext storage
 –Backup data (“tapes”)
 –Server compromise, misconfiguration
3.Host machine (memory, history, cache)
4.Network transmission (network sniffer, proxy logs)
5.Hardcoded secrets (inside app binary)
•Difficult to detect compromise and change after the exposure

https://haveibeenpwned.com/ (Troy Hunt)
Collection #1: 772,904,991 accounts!

https://haveibeenpwned.com/Passwords
•Check how many times a given password was found in leaked datasets
[Screenshot; surviving text: text box with "password"]

[Screenshot; surviving text: Joe; insecure]

(Hashed-)Password cracking
•Scenario: dump of database with password hashes, find original password
•Password cracking attacks
 –Brute-force attack (up to 8 characters)
 –Dictionary attack (inputs with higher probability tried first)
 –Patterns: Dictionary + brute-force (Password[0-9]*)
 –Rainbow tables (time-memory trade-off)
 –Parallelization (many parallel cores)
 –GPU/FPGA/ASIC speedup of cracking
•Tools
 –Generic: John the Ripper, Brutus, RainbowCrack…
 –Targeted to application: TrueCrack, Aircrack-NG…

Passwords reality (from many breaches + pwd cracking)
•User usually has a weak password
 –>60% were (dictionary) brute-forced
•Server/service is frequently compromised
 –Server-side compromises are now very frequent
•Users do not use unique passwords
 –Gawker/root.com leak: 76% had the exact same password
•Different authentication channels may not be independent
 –Web-browsing + SMS on smart phones?
•Account recovery is often easier to guess than original password

Insecure password handling
•Verify by direct match (provided_password == expected_password?)
 –Attack: compromise plain passwords on server
•pwdTag_i = SHA-2(“password”)
 –Same passwords from multiple users => same resulting pwdTag
 –Attack: Large pre-computed “rainbow” tables allow for very quick check of common passwords
•pwdTag_i = SHA-2(“password” | salt)
 –Use of rainbow tables “prevented” by addition of random (and potentially public) salt
 –Attack: dictionary-based brute-force still possible
•pwdTag_i = AES(“password”, secret_key)
 –Attack: If secret_key is leaked => direct decryption of all stored pwdTags => passwords

Password “hardening” ideas
1.Slowdown cracking attempts (less potential passwords tried)
2.Have long, random and unique passwords
3.Have unique password for every authentication attempt
4.Replace passwords with something else (e.g., smartcard)
5.Bind response to server domain name (to prevent phishing)

IDEA: SLOWDOWN CRACKING ATTEMPTS

Derivation of secrets from passwords
•PBKDF2 function, widely used
 –Password is key for HMAC
 –Salt added
 –Many iterations to slow derivation
•Problem with custom-built hardware (GPU, ASIC)
 –Repeated iterations not enough to prevent bruteforce
 –(or would be too slow on standard CPU – user experience)
•Solution: function which requires large amount of memory
[Figure: PBKDF2 scheme. Source: https://nakedsecurity.sophos.com]

scrypt – memory hard function
•Designed as a protection against cracking hardware (usable against PBKDF2)
 –GPU, FPGA, ASICs…
 –https://github.com/wg/scrypt/blob/master/src/main/java/com/lambdaworks/crypto/SCrypt.java
•Memory-hard function
 –Force computation to hold r (parameter) blocks in memory
 –Uses PBKDF2 as outer interface
•Improved version: NeoScrypt (uses full Salsa20)

Reuse of external PBKDF2 structure
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/

Argon2
•Password hashing competition (PHC) winner, 2013
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/
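
The progression from the "Insecure password handling" slide to the PBKDF2 and scrypt slides, as an added example that is not part of the original lecture. It shows the unsalted and salted SHA-2 tags beside a stored record built with PBKDF2 or scrypt and verified with a constant-time comparison; the record format, function names and cost parameters are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example; tune them for your own hardware.
PBKDF2_ITERATIONS = 200_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1      # roughly 16 MiB of memory per guess
SCRYPT_MAXMEM = 64 * 1024 * 1024


def unsalted_tag(password: str) -> str:
    """pwdTag = SHA-2(password): equal passwords always give equal tags."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_tag(password: str, salt: bytes) -> str:
    """pwdTag = SHA-2(password | salt): no shared tables, but still one fast hash per guess."""
    return hashlib.sha256(password.encode() + salt).hexdigest()


def _derive(scheme: str, params: str, password: str, salt: bytes) -> bytes:
    """Slow derivation; params is the text stored in the record."""
    if scheme == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(params))
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                              maxmem=SCRYPT_MAXMEM, dklen=32)
    raise ValueError("unknown scheme")


def hash_password(password: str, scheme: str = "scrypt") -> str:
    """Return a self-describing record: scheme$params$salt_hex$tag_hex."""
    salt = os.urandom(16)                        # fresh random salt per user
    if scheme == "pbkdf2":
        params = str(PBKDF2_ITERATIONS)
    else:
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    tag = _derive(scheme, params, password, salt)
    return "$".join([scheme, params, salt.hex(), tag.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the tag with the stored parameters and compare in constant time."""
    try:
        scheme, params, salt_hex, tag_hex = record.split("$")
        expected = bytes.fromhex(tag_hex)
        tag = _derive(scheme, params, password, bytes.fromhex(salt_hex))
    except ValueError:
        return False                             # malformed record
    # compare_digest avoids the "mismatch on Xth character" timing side-channel
    return hmac.compare_digest(tag, expected)
```

Storing the parameters inside each record lets the cost be raised later without invalidating existing records.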

Problem solved?
https://www.ietf.org/mail-archive/web/cfrg/current/msg08439.html
> Problem: situation with PHC winner still unclear in 2019 :(

IDEA: LONG, RANDOM AND UNIQUE PASSWORDS

PASSWORD MANAGERS

Evolution of password (managers)
1.Human memory only
2.Write it down on paper
3.Write it into file
4.Use local password manager
5.
[Figure: example secrets for each stage: Pαs$w0rd, Pαs$w0rd01; Google: Sfdlk2c&, Skype: *(&21mefd; Google: Sfdlk2c&432mo%, Skype: *(&21mefd872!&]

Remote password managers
[Figure: password database (Google: Sfdlk2c&432mo%, Skype: *(&21mefd872!&) shared by phone, tablet and computer]
KeePass+Dropbox, LastPass, 1Password, MozillaSync, …

[Screenshot: lastpasshack.png]
> But passwords are encrypted, right?
[Screenshot: lastpass_usersshouldbesafe.png]

PASSWORD MANAGER FOR MULTIPLE DEVICES
•Case study

Functional and security assumptions
•Functional
 –User stores fixed secrets (passwords…)
 –User has multiple connected devices
 –Easy to use :)
•Security
 –Service can’t be trusted
 –User chooses weak password
 –Devices can be lost (and later revoked)
 –User has independent channel (phone)

Main security design principles
•Treat storage service as untrusted and perform security sensitive operations on client
•Make necessary trusted component as small as possible
•Prevent offline brute-force, but don’t expect strong password from user
 –add entropy from other source
•Make transmitted sensitive values short-lived
•Trusted hardware can provide additional support

> Public-key cryptography indirection
[Figure labels, first diagram: Google: Sfdlk2c&432mo%, Skype: *(&21mefd872!&; K = H(‘Password’); K]
[Figure labels, second diagram: Google: Sfdlk2c&432mo%; K; Password; Priv_U; KEK; K; Pub_U; KEK = H(‘Password’)]

> Public-key crypto indirection
[Figure labels: Google: Sfdlk2c&432mo%; K; Priv_U; KEK; K; Pub_U; Password; KEK = H(‘Password’); K’,K’’,K’’’…; [K’]Pub_U]
> Public-key crypto indirection allows for asynchronous change of K
> Long private key can be also stored on Service

> Weak password?
[Figure labels, shown twice: Google: Sfdlk2c&432mo%; K; Priv_U; KEK; K; Pub_U; Password; KEK = H(‘Password’)]
> Attacker has motivation for attacking the Service!
> Users tend to have weak passwords…

> Trusted element
[Figure labels: Google: Sfdlk2c&432mo%; K; Priv_U; KEK; K; Pub_U; Password; KEK = H(‘Password’ | SecretData); server with User1:SecretData, User2:SecretData’, …]
> Separate trusted entities provide additional data

[Figure labels: as above, plus SMS: SecretData]

> Multiple devices
[Figure labels: Google: Sfdlk2c&432mo%; K; Priv_U; KEK; K; Pub_U; KEK Dev1, KEK Dev2, KEK Dev3; devices Dev1, Dev2, Dev3]

> Other operations
•Device management (new, remove, revoke)
•Device authentication
•Group management (users, boards, secrets)
•Password change, private key change
•Access recovery
•…
> Devil is in the details…

Do we have some implementations?
•Apple’s service showcased in 2013
•Lack of details until iOS Security report 02/2014
 –https://www.apple.com/business/docs/iOS_Security_Guide.pdf
•https://blog.cryptographyengineering.com/2016/08/13/is-apples-cloud-key-vault-crypto/ (M.Green)

Apple’s iCloud Keychain
•Multiple similarities to the described example
 –Layer of indirection via asymmetric cryptography
 –Support for multiple devices
 –Asynchronous operations via application tickets
 –Authorization and signature of additional devices
 –User phone registered and required
•Still reliance on user’s (potentially weak) password
 –But limited number of tries allowed
•Trusted component of iCloud realized via internal HSM
 –Recovery mode with 4 digit code (default, can be set longer)
 –HSM will decrypt recovery key only after code validation
 –4 digits length is not an issue here – HSM enforces limited # retries

IDEA: HAVE UNIQUE PASSWORD FOR EVERY AUTHENTICATION ATTEMPT

ONE-TIME PASSWORDS

Recall: Problems associated with passwords
•How to create secure password?
•How to use password securely?
•How to store password securely?
•Same value is used for a long time (exposure)
•Value of password is independent from target operation (e.g., authorization of request)
•…
One-time passwords try to address these issues

HMAC-based One-time Password Algorithm (RFC 4226)
•HMAC-based One-time Password Algorithm (HOTP)
 –Secret key K
 –Counter (challenge) C
 –HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C))
 –HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
 –0x7FFFFFFF mask to drop most significant bit (portability)
 –HOTP-Value = HOTP(K,C) mod 10^d (d … # of digits)
•Many practical implementations
 –E.g., Google Authenticator
•https://en.wikipedia.org/wiki/HOTP

HOTP – items, operations
•Logical operations
 1.Generate initial state for new user and distribute key
 2.Generate HOTP code and update state (user)
 3.Verify HOTP code and update state (auth. server)
•Security considerations of HOTP
 –Client compromise
 –Server compromise
 –Repeat of counter/challenge
 –Counter mismatch tolerance window

Sylvain Maret

Time-based One-time Password Algorithm
•Very similar to HOTP
 –Time used instead of counter
•Requires synchronized clocks
 –In practice realized as time window
•Tolerance to gradual desynchronization possible
 –Server keeps device’s desynchronization offset
 –Updates with every successful login

OCRA: OATH Challenge-Response Algorithm
•Initiative for Open Authentication (OATH)
•OCRA is an authentication algorithm based on HOTP
•OCRA code = CryptoFunction(K, DataInput)
 –K: a shared secret key known to both parties
 –DataInput: concatenation of the various input data values
  •Counter, challenges, H(PIN/Passwd), session info, H(time)
 –Default CryptoFunction is HOTP-SHA1-6
 –https://tools.ietf.org/html/rfc6287
•Don’t confuse with OAuth (delegation of authentication)
 –The OAuth 2.0 Authorization Framework (RFC6749)
 –TLS-based security protocol for accessing HTTP service
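
The HOTP and TOTP slides above as working code, an added example that is not part of the original lecture. It implements the RFC 4226 truncation, the server-side counter tolerance window with replay rejection, and TOTP verification that reports the clock-drift offset; the function names and default window sizes are assumptions of this example.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-Value = (Truncate(HMAC-SHA1(K, C)) & 0x7FFFFFFF) mod 10^d."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation: low nibble of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two codes."""
    return hmac.compare_digest(a.encode(), b.encode())


def verify_hotp(key: bytes, code: str, server_counter: int,
                window: int = 3, digits: int = 6):
    """Server side: accept a code for counters server_counter..server_counter+window.

    Returns the new server counter (matched counter + 1) or None. Storing the
    returned value makes every accepted code, and all earlier ones, unusable.
    """
    for c in range(server_counter, server_counter + window + 1):
        if _same(hotp(key, c, digits), code):
            return c + 1
    return None


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, last_step: int = -1,
                drift: int = 1, step: int = 30, digits: int = 6):
    """Accept codes from time steps within +/- drift of the server clock.

    Returns (accepted_step, offset) or None. Steps not newer than last_step are
    refused, so a code cannot be replayed inside its validity window; offset is
    the device's desynchronization the server may remember for the next login.
    """
    current = unix_time // step
    for t in range(current - drift, current + drift + 1):
        if t > last_step and t >= 0 and _same(hotp(key, t, digits), code):
            return t, t - current
    return None
```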

Increased risk at *OTP verification server
•More secure against client compromise
 –Using OTP instead of passwords, KDF(time|key)
•But what if server is compromised?
 –database hacks, temporary attacker presence
 –E.g., Heartbleed – dump of OTP keys
•Possible solution
 –Trusted hardware on the server
 –OTP code verified inside trusted environment
 –OTP key never leaves the hardware

Problems:
1. Is OTP code fresh?
2. Is OTP generated for correct domain (not phishing)?

Possible password replacements
•Cambridge’s TR – wide range of possibilities listed
 –The quest to replace passwords: a framework for comparative evaluation of Web authentication schemes
 –https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf
•Many different possibilities, but passwords are cheap to start with, a lot of legacy code exists and no mechanism offers all benefits
•Mandatory reading: UCAM-CL-817
 –At least chapters: II. Benefits, V. Discussion
 –Whole report is highly recommended

IDEA: REPLACE PASSWORD BY SMARTCARD WITH ASYMMETRIC KEYPAIR, CHALLENGE-RESPONSE PROTOCOL AND PREVENT PHISHING

FIDO U2F PROTOCOL

Revision 1: ECC-based challenge-response
https://developers.yubico.com/U2F/Protocol_details/Overview.html
> Problems: phishing, MiTM…

Revision 2: URI + TLS channel id added
https://developers.yubico.com/U2F/Protocol_details/Overview.html
[Figure label: https://accounts.google.com/ServiceLogin]
> Problem: using same device => detectable by services (same kpub)

Revision 3: Application-specific key added
https://developers.yubico.com/U2F/Protocol_details/Overview.html
new key pair and key handle for each registration
> Problem: Undetectable device cloning
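
Revision 3 gives every registration its own key pair and key handle. The following added example (not part of the original lecture and not any vendor's firmware) models one way a token can do that without per-site storage: the private scalar is derived from a single device secret, and the key handle is only a nonce plus a MAC bound to the application. The class name, the HMAC labels and the handle layout are assumptions of this example; signing itself is left out.

```python
import hashlib
import hmac
import os

# Order of the NIST P-256 (secp256r1) group; a private key is an integer in [1, n-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


class ToyToken:
    """Model of a token that keeps one device secret and no per-site keys."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    @staticmethod
    def _app_param(app_id: str) -> bytes:
        # U2F identifies the relying party by the SHA-256 of its application id.
        return hashlib.sha256(app_id.encode()).digest()

    def _derive(self, app_param: bytes, nonce: bytes) -> int:
        # Private key = PRF(device secret, application, nonce), mapped into [1, n-1].
        digest = hmac.new(self._secret, b"key" + app_param + nonce, hashlib.sha256).digest()
        return int.from_bytes(digest, "big") % (P256_N - 1) + 1

    def _mac(self, app_param: bytes, nonce: bytes) -> bytes:
        # Binds the handle to this token and this application.
        return hmac.new(self._secret, b"handle" + app_param + nonce, hashlib.sha256).digest()

    def register(self, app_id: str):
        """Return (private_scalar, key_handle); only the handle leaves the token."""
        app_param = self._app_param(app_id)
        nonce = os.urandom(32)                   # fresh nonce => fresh, unlinkable key pair
        return self._derive(app_param, nonce), nonce + self._mac(app_param, nonce)

    def private_key_for(self, app_id: str, key_handle: bytes):
        """Re-derive the key for an authentication request, or return None.

        A handle presented under a different application id (for example a
        look-alike origin) or to a different token fails the MAC check.
        """
        if len(key_handle) != 64:
            return None
        app_param = self._app_param(app_id)
        nonce, mac = key_handle[:32], key_handle[32:]
        if not hmac.compare_digest(mac, self._mac(app_param, nonce)):
            return None
        return self._derive(app_param, nonce)
```

In this model every key of the token follows from the one device secret, which is why the later slides ask how and where that secret is generated.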
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI Revision 4: Authentication counter added 57 PV204 Authentication and passwords https://developers.yubico.com/U2F/Protocol_details/Overview.html > Option: What if server wants to verify device properties before register? Incremental counter P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI Revision 5: Device attestation added 58 PV204 Authentication and passwords https://developers.yubico.com/U2F/Protocol_details/Overview.html Attestation certificate signed with TTP • > ECDSA NIST secp256r1 used P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI FIDO U2F devices •Why have button? Is missing display problem? •Recent problem: direct WebUSB API in Chrome –Malware bypass U2F API checking the URL –Legitimate URL is send from malicious page –https://www.wired.com/story/chrome-yubikey-phishing-webusb/ –APDU-level communication: https://npmccallum.gitlab.io/post/u2f-protocol-overview/ •Well known is Yubikey, but open-source hardware and software-only implementations also possible –https://github.com/conorpp/u2f-zero 59 PV204 Authentication and passwords P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI Always dig for implementation details •How are ECC keys generated and stored? 
•Yubikey saves storage memory by deriving ECC private keys from a master secret instead of randomly generating a new one
–Possible as the ECC private key is a random value
•Device secret generated during manufacturing
•What is the possible attack?
Source: https://developers.yubico.com/U2F/Protocol_details/Key_generation.html

True2F FIDO U2F token
•Yubikey 4 has a single master key
–To efficiently derive keypairs for separate Relying parties (Google, GitHub…)
–Inserted during manufacturing phase (what if compromised?)
•Additional SMPC protocols (protection against backdoored token)
–Secure Multi-Party Computation (SMPC) will be covered later
–Verifiable insertion of browser randomness into final keypairs
–Prevention of private key leakage via ECDSA padding
•Backward-compatible (Relying party, HW)
•Efficient: 57ms vs. 23ms to authenticate
Source: https://arxiv.org/pdf/1810.04660.pdf

WebAuthn
•An API for accessing Public Key Credentials Level 1
•https://www.w3.org/TR/webauthn/
•Similar, but more complex standard than U2F => expect additional problems (not yet scrutinized enough)

Activity:
•Think about one or two surprising things from this lecture
•I want to hear at least 5 of these, tell me please :-)

Summary
•Passwords have multiple issues, but are hard to replace
•Major server-side breaches are now very common
•Important to use passwords securely (guidelines)
•One-time passwords and tokens are becoming more widely used
•Password manager with synchronization over multiple devices is not straightforward, but doable (e.g., Apple’s iCloud Keychain)
•Mandatory reading: UCAM-CL-817
–At least chapters: II. Benefits, V. Discussion
–Whole report is highly recommended

Hierarchy of authentication and key establishment goals
[Figure: keystablish_goals.png]
Source: Protocols for Authentication and Key Establishment, by Colin Boyd, Anish Mathuria

Common (mis-)Assumptions
1.User has strong password
2.Server/service is hard to compromise
3.Users have unique passwords
4.Different authentication channels are independent
5.Recovery
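The key derivation from the Yubikey slide above, as an added Python sketch (not part of the original slides and not Yubico's code). It assumes the HMAC-SHA256 construction described at the Yubico URL cited on that slide; the function names, the 32-byte nonce and the reduction into the P-256 range are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Order n of the NIST P-256 group; a private key is an integer in [1, n-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def derive_private_key(device_secret: bytes, app_id: bytes, nonce: bytes) -> int:
    """Private key = HMAC(device_secret, app_id || nonce), mapped into [1, n-1]."""
    digest = hmac.new(device_secret, app_id + nonce, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (P256_N - 1) + 1


def handle_mac(device_secret: bytes, app_id: bytes, priv: int) -> bytes:
    """MAC that binds a key handle to this token and this relying party."""
    msg = app_id + priv.to_bytes(32, "big")
    return hmac.new(device_secret, msg, hashlib.sha256).digest()


def register(device_secret: bytes, app_id: bytes) -> Tuple[bytes, int]:
    """Registration: the token stores nothing; the relying party keeps the handle."""
    nonce = os.urandom(32)
    priv = derive_private_key(device_secret, app_id, nonce)
    key_handle = nonce + handle_mac(device_secret, app_id, priv)
    return key_handle, priv


def authenticate(device_secret: bytes, app_id: bytes,
                 key_handle: bytes) -> Optional[int]:
    """Authentication: re-derive the key from the handle, or refuse the handle."""
    if len(key_handle) != 64:
        return None
    nonce, mac = key_handle[:32], key_handle[32:]
    priv = derive_private_key(device_secret, app_id, nonce)
    if not hmac.compare_digest(mac, handle_mac(device_secret, app_id, priv)):
        return None  # handle made by another token or for another app_id
    return priv


if __name__ == "__main__":
    secret = os.urandom(32)  # constructed stand-in for the manufacturing secret
    handle, key = register(secret, b"https://example.com")
    print(authenticate(secret, b"https://example.com", handle) == key)
    print(authenticate(secret, b"https://other.example", handle))
```

Every private key here is a deterministic function of the device secret and values the relying party already holds, so the confidentiality of all registrations rests on that one secret generated during manufacturing.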
Human is still the weakest link
Google: Sfdlk2c&432mo%
Skype: *(&21mefd872!&
•More than 60% of users have weak passwords
devil
password123
[Figure: johntheripper1_10_design.png]

Hardware tokens
Hack-a-Day’s Mooltipass
•Price, usability, compatibility…
[Figures: gcr-smart-card.png, multipass.JPG, passwordlockusb2.jpg]

•User has strong password
[Figures: linkedin_hack.png, linkedin_badpasswd.png]
•Study: Gawker vs. root.com passwords leak
“…[from successfully cracked passwords] 76% used the exact same password. A further 6% used passwords differing by only capitalisation or a small suffix (e.g. ‘password’ and ‘password1’).”, J. Bonneau
http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/
•Users have unique passwords…
[Figures: passwod_reuse.png, infoworld_passwordreuse.png]

•Service is hard to compromise?
[Figure: password breaches.png]

•Services follow the best security principles
[Figure: starbucks_plaintextpass.png]
•Service implementation is correct and bug-free
[Figure: Heartbleed.svg.png]

•Different authentication channels are independent
•Security can be maintained “forever”
•Allow for some form of risk management

•Recovery info shared over multiple services…
•Access recovery is as secure as primary one
[Figures: mothermaidens.png, questions_guess.png, lost_N_twitter.png]

Password cracking defenses
•Don’t transmit or store in plaintext
•Process password on client, transmit only digest
•Don’t encrypt, hash instead
•Use salt to prevent rainbow table attacks
•Use memory-hard KDF algorithms
–To slow down custom-built hardware
–Use strong KDF to derive keys (PBKDF2 → Argon2)
•Use password-authenticated key exchange instead of password check

Handling passwords in source code
•Limiting memory exposure
–Load only when needed
–Erase right after use
–Pass by reference / pointer to prevent copy in memory
–Derive session keys
•Don’t hardcode password into application binary
•Nice presentation (K. Kohli, examples how NOT to): http://www.slideshare.net/amiable_indian/insecure-implementation-of-security-best-practices-of-hashing-captchas-and-caching-presentation

Hard-coded password might be visible both in application binary and memory

Alternative to hardcoded passwords/keys
•Don’t use passwords :-)
•Ask the user for a password
•Keep secrets in a separate file
•Encrypt stored secrets
•Store secrets in protected database
•Use already existing authentication credentials
•CERN guidelines
–https://security.web.cern.ch/security/recommendations/en/password_alternatives.shtml