www.crcs.cz/rsa @CRoCS_MUNI
PV204 Security technologies
Authentication: passwords, OTP, FIDO U2F
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University
Please report any inaccuracies or suggestions for improvements here:
https://drive.google.com/file/d/1qspWBELzanOFIu2AYdtfZvwN0bOmnRv-/view?usp=sharing
IS,1998 2021
www.crcs.cz/rsa @CRoCS_MUNI2 PV204 Authentication and passwords
• Place/upvote questions in slido
while listening to lecture video
• We will together discuss these
during every week lecture Q&A#pv204_2022
www.crcs.cz/rsa @CRoCS_MUNI
COURSE TRIVIA:
PV204_00_COURSEOVERVIEW_2022.PDF
PV204 Authentication and passwords3
www.crcs.cz/rsa @CRoCS_MUNI
Basic terms
• Identification
– Establish what the (previously unknown) entity is
• Authentication
– Verify if entity is really what it claims to be
• Authorization (access control)
– Define an access policy to use specified resource
– Check if entity is allowed (authorized) to use resource
• Authentication may be required before an entity allowed to use
resource to which is authorized
PV204 Authentication and passwords4
www.crcs.cz/rsa @CRoCS_MUNI
Options for authentication
• Something you:
1. Know (password, key)
2. Have (token, smartcard)
3. Are (biometrics)
• Combination of multiple options – two-factor authentication (or more)
1. Registration phase (how is new user added)
2. Verification phase (how is user’s claimed identity verified)
3. Recovery phase (what if user forgot/lost authentication credentials)
5 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
PASSWORDS
PV204 Authentication and passwords6
www.crcs.cz/rsa @CRoCS_MUNI
Mode of usage for passwords
• Verify by direct match (provided_password == expected_password?)
– Example: HTTP basic access authentication
– Be aware of plaintext storage on server
– Be aware of potential side-channels (mismatch on Xth character)
• Verify by match of derived value (hash(password | salt))
– Be aware of rainbow tables and brute-force crackers
• Derive key: Password → cryptographic key
– Example: key = PBKDF2(password)
• Used to establish authenticated key
– Example: Password + Diffie-Hellman → authenticated key…
7 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Problems associated with passwords
• How to create strong password?
• How to use password securely?
• How to store password securely?
• Same value is used for the long time (exposure)
• Value of password is independent from the target operation (e.g.,
authorization of bank transfer request)
• …
8 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Where the passwords can be compromised?
1. Client side (malware on user computer)
2. Database storage
– Cleartext storage
– Backup data (“tapes”)
– Server compromise, misconfiguration
3. Host machine (memory, history, cache)
4. Network transmission (network sniffer, proxy logs)
5. Hardcoded secrets (inside app binary)
• Difficult to detect compromise and change after the exposure
PV204 Authentication and passwords9
www.crcs.cz/rsa @CRoCS_MUNI
https://haveibeenpwned.com/ (Troy Hunt)
10 PV204 Authentication and passwords
Total pwned accounts: 9,490,577,236
Collection #1: 772,904,991 accounts!
www.crcs.cz/rsa @CRoCS_MUNI
https://haveibeenpwned.com/Passwords
• Check how many times was given password found in leaked datasets
11 PV204 Authentication and passwords
password
www.crcs.cz/rsa @CRoCS_MUNI
Password “hardening” ideas
1. Hash password by one-way function (shall be hard to invert)
2. Slowdown cracking attempts (less potential passwords tried)
3. Enable users to have long, random and unique passwords
4. Have unique password for every authentication attempt
5. Replace/complement passwords with something else (e.g.,
smartcard)
6. Bind response to server domain name (to prevent phishing)
12 PV204 Authentication and passwords
In follow-up slides, we will
discuss these ideas one by one
www.crcs.cz/rsa @CRoCS_MUNI
IDEA: HASH PASSWORDS
13 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI14 PV204 Authentication and passwords
Joe; insecure
www.crcs.cz/rsa @CRoCS_MUNI
(Hashed-)Password cracking
• Scenario: dump of database with password hashes, find original password
• Password cracking attacks
– Brute-force attack (up to 8 characters)
– Dictionary attack (inputs with higher probability tried first)
– Patterns: Dictionary + brute-force (Password[0-9]*)
– Rainbow tables (time-memory trade-off)
– Parallelization (many parallel cores)
– GPU/FPGA/ASIC speedup of cracking
• Tools
– Generic: John the Ripper, Brutus, RainbowCrack…
– Targeted to application: TrueCrack, Aircrack-NG…
PV204 Authentication and passwords15
www.crcs.cz/rsa @CRoCS_MUNI
Password reality (from many breaches + pwd cracking)
• User has usually weak password
– >60% were (dictionary) brute-forced
• Server/service is frequently compromised
– Server-side compromises are now very frequent
• Users do not use unique passwords
– Gawker/root.com leak: 76% had the exact same password
• Different authentication channels may not be independent
– Web-browsing + SMS on smart phones?
• Account recovery is often easier to guess than original password
16 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Insecure password handling … what is the attack?
• Verify by direct match (provided_password == expected_password?)
– Attack: compromise plain passwords on server
• pwdTagi = SHA-2(“password”)
– Same passwords from multiple users => same resulting pwdTag
– Attack: Large pre-computed “rainbow” tables allow for very quick check common passwords
• pwdTagi = SHA-2(“password” | salt)
– Use of rainbow tables “prevented” by addition of random (and potentially public) salt
– Attack: dictionary-based brute-force still possible
• pwdTagi = AES(“password”, secret_key)
– Attack: If secret_key is leaked => direct decryption of all stored pwdTags => passwords
PV204 Authentication and passwords17
Some issues addressed by PAKE (Password
Authenticated Key Exchange) protocols – future lecture
www.crcs.cz/rsa @CRoCS_MUNI
IDEA: SLOWDOWN CRACKING ATTEMPTS
18 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Derivation of secrets from passwords
• PBKDF2 function, widely used
– Password is key for HMAC
– Salt added
– Many iterations to slow derivation
• Problem with custom-build hardware (GPU, ASIC)
– Repeated iterations not enough to prevent bruteforce
– (or would be too slow on standard CPU – user experience)
• Solution: function which requires large amount of memory
PV204 Authentication and passwords
Source: https://nakedsecurity.sophos.com
19
www.crcs.cz/rsa @CRoCS_MUNI
scrypt – memory hard function
• Design as a protection against cracking hardware (usable against
PBKDF2)
– GPU, FPGA, ASICs…
– https://github.com/wg/scrypt/blob/master/src/main/java/com/lambdaworks/crypto
/SCrypt.java
• Memory-hard function
– Force computation to hold r (parameter) blocks in memory
– Uses PBKDF2 as outer interface
• Improved version: NeoScrypt (uses full Salsa20)
PV204 Authentication and passwords20
www.crcs.cz/rsa @CRoCS_MUNI
Reuse of external PBKDF2 structure
PV204 Authentication and passwords
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/
21
www.crcs.cz/rsa @CRoCS_MUNI
Argon2
• Password hashing competition (PHC) winner, 2013
PV204 Authentication and passwords
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/
22
www.crcs.cz/rsa @CRoCS_MUNI
Problem solved?
23
PV204 Authentication and passwords
https://www.ietf.org/mail-archive/web/cfrg/current/msg08439.html
Problem: situation with PHC winner
still unclear in 2019 
PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
IDEA: LONG, RANDOM AND UNIQUE
PASSWORDS
24 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
PASSWORD MANAGERS
25 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Evolution of password (managers)
1. Human memory only
2. Write it down on paper
3. Write it into file
4. Use local password manager
26 PV204 Authentication and passwords
Pαs$w0rd
Pαs$w0rd01
Google:
Sfdlk2c&
Skype:
*(&21mefd
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
www.crcs.cz/rsa @CRoCS_MUNI
Remote password managers
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
KeePass+Dropbox
LastPass
1Password
MozillaSync
Firefox Lockwise
…
PV204 Authentication and passwords27
www.crcs.cz/rsa @CRoCS_MUNI
• Firefox Lockwise https://www.mozilla.org/en-US/firefox/lockwise/
– Part of the standard Firefox installation, sync between devices
– Automatically checks for password leakage (Firefox Monitor)
28 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
But passwords are encrypted, right?
PV204 Authentication and passwords29
www.crcs.cz/rsa @CRoCS_MUNI
PASSWORD MANAGER FOR MULTIPLE
DEVICES
Case study
PV204 Authentication and passwords30
www.crcs.cz/rsa @CRoCS_MUNI
Functional and security assumptions
• Functional
– User stores fixed secrets (passwords…)
– User has multiple connected devices
– Easy to use ☺
• Security
– Service can’t be trusted
– User chooses weak password
– Devices can be lost (and later revoked)
– User has independent channel (phone)
PV204 Authentication and passwords31
www.crcs.cz/rsa @CRoCS_MUNI
Main security design principles
• Treat storage service as untrusted and perform security sensitive
operations on client
• Make necessary trusted component as small as possible
• Prevent offline brute-force, but don’t expect strong password from
user
– add entropy from other source
• Make transmitted sensitive values short-lived
• Trusted hardware can provide additional support
PV204 Authentication and passwords32
www.crcs.cz/rsa @CRoCS_MUNI
Public-key cryptography indirection
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
K = H(‘Password’)
K
Google:
Sfdlk2c&432mo%
K
Password
Priv_U
KEK
K
Pub_U
Password
KEK = H(‘Password’)
PV204 Authentication and passwords33
www.crcs.cz/rsa @CRoCS_MUNI
Public-key crypto indirection
Google:
Sfdlk2c&432mo%
K
Priv_U
KEK
K
Pub_U
Password
KEK = H(‘Password’)
Public-key crypto
indirection allows for
asynchronous change of K
Long private key can be
also stored on Service
K’,K’’,K’’’…
[K’]Pub_U
PV204 Authentication and passwords34
www.crcs.cz/rsa @CRoCS_MUNI
Weak password?
Google:
Sfdlk2c&432mo%
K
Priv_U
KEK
K
Pub_U
Password
KEK = H(‘Password’)
Password
KEK = H(‘Password’)
KEK
Priv_UK
K
Google:
Sfdlk2c&432mo%
Attacker has motivation
for attacking the Service!
Users tend to have
weak passwords…
PV204 Authentication and passwords35
www.crcs.cz/rsa @CRoCS_MUNI
Trusted server/element
Google:
Sfdlk2c&432mo%
K
Priv_U
KEK
K
Pub_U
Password
KEK = H(‘Password’
User1:SecretData
User2:SecretData’
…
Separate trusted entities
provide additional data
| SecretData)
PV204 Authentication and passwords36
www.crcs.cz/rsa @CRoCS_MUNI
Google:
Sfdlk2c&432mo%
K
Priv_U
KEK
K
Pub_U
Password
KEK = H(‘Password’ | SecretData)
User1:SecretData
User2:SecretData’
…
SMS:
SecretData
SecretData
PV204 Authentication and passwords37
www.crcs.cz/rsa @CRoCS_MUNI
Multiple devices
Google:
Sfdlk2c&432mo%
K
Priv_U
KEK
K
Pub_U
KEK
Dev1
KEK
Dev2
KEK
Dev3
Dev1 Dev2
Dev3
PV204 Authentication and passwords38
Dev1 = H(‘Password1’|SecretData1)
www.crcs.cz/rsa @CRoCS_MUNI
• Device management (new, remove, revoke)
• Device authentication
• Group management (users, boards, secrets)
• Password change, private key change
• Access recovery
• …
39 PV204 Authentication and passwords
Devil is in the details…
Other operations
www.crcs.cz/rsa @CRoCS_MUNI
Do we have some implementations?
• Apple’s service showcased in 2013
• Lack of details until iOS Security report 02/2014
– https://www.apple.com/business/docs/iOS_Security_Guide.pdf
• https://blog.cryptographyengineering.com/2016/08/13/is-apples-cloudkey-vault-crypto/
(M.Green)
40 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Apple’s iCloud Keychain
• Multiple similarities to the described example
– Layer of indirection via asymmetric cryptography
– Support for multiple devices
– Asynchronous operations via application tickets
– Authorization and signature of additional devices
– User phone registered and required
• Still reliance on user’s (potentially weak) password
– But limited number of tries allowed
• Trusted component of iCloud realized via internal HSM
– Recovery mode with 4-digit code (default, can be set longer)
– HSM will decrypt recovery key only after code validation
– Note: only 4 digits is not an issue here – HSM enforce limited # retries
PV204 Authentication and passwords41
www.crcs.cz/rsa @CRoCS_MUNI
IDEA: HAVE UNIQUE PASSWORD FOR
EVERY AUTHENTICATION ATTEMPT
42 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
ONE-TIME PASSWORDS
PV204 Authentication and passwords43
www.crcs.cz/rsa @CRoCS_MUNI
Recall: Problems associated with passwords
• How to create secure password?
• How to use password securely?
• How to store password securely?
• Same value is used for the long time (exposure)
• Value of password is independent from target operation (e.g.,
authorization of request)
• …
44 PV204 Authentication and passwords
One-time passwords tries
to address these issues
www.crcs.cz/rsa @CRoCS_MUNI
HMAC-based One-time Password Algorithm (RFC 4226)
• HMAC-based One-time Password Algorithm (HOTP)
– Secret key K
– Counter (challenge) C
– HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C))
– HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
– 0x7FFFFFFF mask to drop most significant bit (portability)
– HOTP-Value = HOTP(K,C) mod 10d (d … # of digits)
• Many practical implementations
– E.g., Google Authenticator
• https://en.wikipedia.org/wiki/HOTP
PV204 Authentication and passwords45
www.crcs.cz/rsa @CRoCS_MUNI
HOTP – items, operations
• Logical operations
1. Generate initial state for new user and distribute key
2. Generate HOTP code and update state (user)
3. Verify HOTP code and update state (auth. server)
• Security considerations of HOTP
– Client compromise
– Server compromise
– Repeat of counter/challenge
– Counter mismatch tolerance window
PV204 Authentication and passwords46
www.crcs.cz/rsa @CRoCS_MUNI
Sylvain Maret
Time-based One-time Password Algorithm
• Very similar to HOTP
– Time used instead of counter
• Requires synchronized clocks
– In practice realized as time window
• Tolerance to gradual desynchronization possible
– Server keeps device’s desynchronization offset
– Updates with every successful login
PV204 Authentication and passwords47
www.crcs.cz/rsa @CRoCS_MUNI
OCRA: OATH Challenge-Response Algorithm
• Initiative for Open Authentication (OATH)
• OCRA is authentication algorithm based on HOTP
• OCRA code = CryptoFunction(K, DataInput)
– K: a shared secret key known to both parties
– DataInput: concatenation of the various input data values
• Counter, challenges, H(PIN/Passwd), session info, H(time)
– Default CryptoFunction is HOTP-SHA1-6
– https://tools.ietf.org/html/rfc6287
• Don’t confuse with Oauth (delegation of authentication)
– The OAuth 2.0 Authorization Framework (RFC6749)
– TLS-based security protocol for accessing HTTP service
PV204 Authentication and passwords48
www.crcs.cz/rsa @CRoCS_MUNIPV204 Authentication and passwords49
www.crcs.cz/rsa @CRoCS_MUNI
Increased risk at *OTP verification server
• More secure against client compromise
– Using OTP instead of passwords, KDF(time|key),
• But what if server is compromised?
– database hacks, temporal attacker presence
– E.g., Heartbleed – dump of OTP keys
• Possible solution
– Trusted hardware on the server
– OTP code verified inside trusted environment
– OTP key never leaves the hardware
PV204 Authentication and passwords50
www.crcs.cz/rsa @CRoCS_MUNIPV204 Authentication and passwords51
Problems:
1. Is OTP code fresh?
2. Is OTP generated for correct
domain (not phishing)?
www.crcs.cz/rsa @CRoCS_MUNI
Possible password replacements
• Cambridge’s TR – wide range of possibilities listed
– The quest to replace passwords: a framework for comparative evaluation of
Web authentication schemes
– https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf
• Many different possibilities, but passwords are cheap to start with, a
lot of legacy code exists and no mechanism offers all benefits
• Mandatory reading: UCAM-CL-817
– At least chapters: II. Benefits, V. Discussion
– Whole report is highly recommended
PV204 Authentication and passwords52
www.crcs.cz/rsa @CRoCS_MUNI
IDEA: REPLACE PASSWORD BY
SMARTCARD WITH ASYMMETRIC KEYPAIR,
CHALLENGE-RESPONSE PROTOCOL AND
PREVENT PHISHING
53 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
FIDO U2F PROTOCOL
54 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Revision 1: ECC-based challenge-response
55 PV204 Authentication and passwords
https://developers.yubico.com/U2F/Protocol_details/Overview.html
Problems: phishing, MiTM…
www.crcs.cz/rsa @CRoCS_MUNI
Revision 2: URI + TLS channel id added
56 PV204 Authentication and passwords
https://developers.yubico.com/U2F/Protocol_details/Overview.html
Problem: using same device =>
detectable by services (same kpub)
https://accounts.google.com/ServiceLogin
www.crcs.cz/rsa @CRoCS_MUNI
Revision 3: Application-specific key added
57 PV204 Authentication and passwords
https://developers.yubico.com/U2F/Protocol_details/Overview.html
Problem: Undetectable device cloning
new key pair and key
handle for each
registration
www.crcs.cz/rsa @CRoCS_MUNI
Revision 4: Authentication counter added
58 PV204 Authentication and passwords
https://developers.yubico.com/U2F/Protocol_details/Overview.html
Option: What if server wants to verify
device properties before register?
Incremental counter
www.crcs.cz/rsa @CRoCS_MUNI
Revision 5: Device attestation added
59 PV204 Authentication and passwords
https://developers.yubico.com/U2F/Protocol_details/Overview.html
Attestation certificate
signed with TTP
ECDSA NIST secp256r1 used
www.crcs.cz/rsa @CRoCS_MUNI
FIDO U2F – current state
• FIDO alliance of major companies
• U2F → FIDO2 project (more than “just” U2F)
• Original U2F protocol extended and moved under W3 as WebAuthn
– https://www.w3.org/TR/webauthn/
• Large selection of tokens now available (including open-hardware)
• Android added systematic support for FIDO U2F (02/2019)
– Android phone acts as U2F token
– https://www.wired.com/story/android-passwordless-login-fido2
• Google Smart Lock app on iOS uses secure enclave and acts as FIDO token
• Since iOS 13.3. USB, NFC, and Lightning FIDO2-compliant security keys in
Safari browser
60 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
FIDO U2F devices
• Why have button? Is missing display problem?
• Recent problem: direct WebUSB API in Chrome
– Malware bypass U2F API checking the URL
– Legitimate URL is send from malicious page
– https://www.wired.com/story/chrome-yubikey-phishing-webusb/
– APDU-level communication: https://npmccallum.gitlab.io/post/u2f-protocol-
overview/
• Well known is Yubikey, but open-source hardware and/or softwareonly
implementations also possible
– https://github.com/conorpp/u2f-zero
– https://github.com/solokeys/solo
61 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Always dig for implementation details
• How are ECC keys generated and stored?
• Yubikey saves storage memory by deriving ECC private keys from
master secret instead of randomly generating new one
– Possible as the ECC private key is random value
• Device secret generated during manufacturing
• What is the possible attack
62 PV204 Authentication and passwords
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
www.crcs.cz/rsa @CRoCS_MUNI
True2F FIDO U2F token
• Yubikey 4 has single master key
– To efficiently derive keypairs for separate Relying parties (Google, GitHub…)
– Inserted during manufacturing phase (what if compromised?)
• Additional SMPC protocols (protection against backdoored token)
– Secure Multi-Party Computation (SMPC) will be covered later
– Verifiable insertion of browser randomness into final keypairs
– Prevention of private key leakage via ECDSA padding
• Backward-compatible (Relying party, HW)
• Efficient: 57ms vs. 23ms to authenticate
63 PV204 Authentication and passwords
https://arxiv.org/pdf/1810.04660.pdf
www.crcs.cz/rsa @CRoCS_MUNI
WebAuthn
• An API for accessing Public Key Credentials Level 1
• https://www.w3.org/TR/webauthn/
• Similar, but more complex standard than U2F => expect additional
problems (not yet scrutinized enough)
64 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Summary
• Passwords have multiple issues, but are hard to be replaced
• Major server-side breaches now very common
• Important to use passwords securely (guidelines)
• One-time passwords and tokens getting more used
• Password manager with synchronization over multiple devices is not
straightforward, but doable (e.g., Apple’s iCloud Keychain)
• Mandatory reading: UCAM-CL-817
– At least chapters: II. Benefits, V. Discussion
– Whole report is highly recommended
PV204 Authentication and passwords65
www.crcs.cz/rsa @CRoCS_MUNI66 PV204 Authentication and passwords
• Place/upvote questions in slido
while listening to lecture video
• We will together discuss these
during every week lecture Q&A
(every Monday, 17-18:00)
www.crcs.cz/rsa @CRoCS_MUNI67 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Hierarchy of authentication and
key establishment goals
PV204 Authentication and passwords
Protocols for Authentication and Key Establishment By Colin Boyd, Anish Mathuria
68
www.crcs.cz/rsa @CRoCS_MUNI
Common (mis-)Assumptions
1. User has strong password
2. Server/service is hard to compromise
3. User have unique passwords
4. Different authentication channels are independent
5. Recovery
69 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Human is still the weakest link
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
More than 60% of users
have weak passwords
password123
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
PV204 Authentication and passwords70
www.crcs.cz/rsa @CRoCS_MUNI
Hardware tokens
Hack-a-Day’s Mooltipass
Price, usability,
compatibility…
PV204 Authentication and passwords71
www.crcs.cz/rsa @CRoCS_MUNI
User has strong password
PV204 Authentication and passwords72
www.crcs.cz/rsa @CRoCS_MUNI
Study: Gawker vs. root.com passwords leak
“…[from successfully cracked passwords] 76% used the
exact same password. A further 6% used passwords differing
by only capitalisation or a small suffix (e.g. ‘password’ and
‘password1′).”, J. Bonneau
http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/
User have unique
passwords…
PV204 Authentication and passwords73
www.crcs.cz/rsa @CRoCS_MUNI
Service is hard to
compromise?
PV204 Authentication and passwords74
www.crcs.cz/rsa @CRoCS_MUNI
Services follow the best security
principles
Service implementation is correct and bug-free
PV204 Authentication and passwords75
www.crcs.cz/rsa @CRoCS_MUNI
Different authentication
channels are independent
PV204 Authentication and passwords76
www.crcs.cz/rsa @CRoCS_MUNI
Security can be maintained “forever”
Allow for some form of risk management
PV204 Authentication and passwords77
www.crcs.cz/rsa @CRoCS_MUNI
Recovery info shared over multiple
services…PV204 Authentication and passwords78
Access recovery is as secure as primary one
www.crcs.cz/rsa @CRoCS_MUNI
Password cracking defenses
• Don’t transmit or store in plaintext
• Process password on client, transmit only digest
• Don’t encrypt, hash instead
• Use salt to prevent rainbow tables attack
• Use memory-hard KDF algorithms
– To slow down custom build hardware
– Use strong KDF to derive keys (PBKDF2→Argon2)
• Use password-authenticated key exchange instead of password check
PV204 Authentication and passwords79
www.crcs.cz/rsa @CRoCS_MUNI
Handling passwords in source code
• Limiting memory exposure
– Load only when needed
– Erase right after use
– Pass by reference / pointer to prevent copy in memory
– Derive session keys
• Don’t hardcode password into application binary
• Nice presentation (K. Kohli, examples how NOT to):
http://www.slideshare.net/amiable_indian/insecure-implementation-of-security-
best-practices-of-hashing-captchas-and-caching-presentation
PV204 Authentication and passwords80
www.crcs.cz/rsa @CRoCS_MUNI
Hard-coded password might be visible both in
application binary and memory
PV204 Authentication and passwords81
www.crcs.cz/rsa @CRoCS_MUNI
Alternative to hardcoded passwords/keys
• Don’t use passwords ☺
• Ask the user for a password
• Keep secrets in a separate file
• Encrypt stored secrets
• Store secrets in protected database
• Use already existing authentication credentials
• CERN guidelines
– https://security.web.cern.ch/security/recommendations/en/password_alternative
s.shtml
PV204 Authentication and passwords82
www.crcs.cz/rsa @CRoCS_MUNI
Group activity
• Form group of 3-4 members (mix, not your neighbours)
– Introduce yourself with your name
• Discuss and write down on paper:
– What method(s) you use for authentication (password…)
– Is server using other authentication factor?
– How you store the authentication secret? (brain-only…)
• Time limit: 5 minutes
• Now return back to your original seat (if you wish ☺)
83 PV204 Authentication and passwords
www.crcs.cz/rsa @CRoCS_MUNI
Activity:
• Think about one or two surprising things from this lecture
• I want to hear at least 5 of these, tell me please ☺
84 PV204 Authentication and passwords