Network Security - Authentication - Computer Science
Published on IST 554 (https://online.ist.psu.edu/ist554)
Lesson 2: Passwords The early approach to identity authentication was to use user-login systems that used usernames, identifiers (IDs), and passwords. This system has been used for quite a while because it provides a basic level of security against intruders. Almost every application today comes with an integrated password system. For example, most Web sites now issue an ID and password to their registered users for data security purposes.
Password systems are so ubiquitous that they have become the target of most security attacks. Poor password choices are often easily guessed, stolen, or compromised. Moreover, hackers are trying ways to identify the limitations of a target system in order to break the password system. Therefore, more adequate security measures are being built into password systems. This lesson reviews a general password system, various password-hacking techniques and corresponding mitigation skills, and methods for strong password integrity.
Lesson objectives:
Define password authentication and explain basic concepts and terminologies. Discuss different password attacks and corresponding mitigation methods. Describe techniques for strong password integrity.
ID and Passwords
Figure 5.3: Authentication Across a Network
By now, everyone working with computers is used to using ID and passwords. The first step in beginning computer work most often begins by logging on to the laptop or desktop computer, logging on to the Web e-mail server such as Yahoo, Hotmail, and so on with a user ID and password.
Figure 5.3 shows an example where a user, Alice, needs to work on her computer. The first thing she
Contact Webmaster
© Copyright 2013 College of IST
Page 1 of 8
Published on IST 554 (https://online.ist.psu.edu/ist554)
does is log in to her local computer by entering her user ID and password. If she entered the correct ID and password, the computer will approve her identity and permit her access. This is the simplest way to confirm the user's identity, and is called one-way authentication.
On some occasions, after Alice logs on to the computer she is physically using, she needs to log in to a remote computer system that is connected with her computer through a network such as the Internet. Authentication runs across the network in such a situation. The computer Alice physically uses is the client, and the system she wishes to access is the server. Alice's ID and password will be transmitted through the Internet to the server for authentication.
The user's ID is considered to be a public identity and determines if the user is authorized to gain access to a system. Usually, a system only allows those who have their ID registered with the system to gain access. The ID also determines what activities a user is authorized to perform on the system. The password should generally only be known to the user or to servers with which the user interacts, but there are exceptions to this.
Computer systems normally store users' IDs and passwords in a password file, (e.g., /etc/passwd in a UNIX system). When the password is stored in a clear-text form that people can read or in a form that can be easily figured out, anyone within the system could access the password file and later log in as another user. Similarly, hackers can easily capture an unprotected password when it travels across a network to the server for authentication.
ID and Passwords: Secure One-way Hash Function
A common approach to password protection is the use of a secure one-way hash function to digest passwords and then store these digested passwords in the password file. If we denote the hash function as F, the system stores F(password) instead of the password itself.
Generally speaking, with a one-way hash function F, it is easy to compute F(password) for a given password, but computationally difficult to reconstruct the original password from F(password) or to perform infinite retires to get the correct password.
With secure hashing protection, when a user logs in and presents a password, say p, the system applies the hash function F to p and computes F(p). It then compares the calculated value with the
Contact Webmaster
© Copyright 2013 College of IST
Page 2 of 8
Published on IST 554 (https://online.ist.psu.edu/ist554)
stored value in the password file. If the two values match, login succeeds and the user is authenticated. If the values do not match, login fails.
Related Link Wikipedia-Hash Function entry [1]: Provides a description of hash functions, applications, properties, and further information regarding algorithms and more.
Example A user, Alice, attempts to log in. She enters her user ID and password. The login program applies the hash function to the password she entered, and then compares the result with the entry stored in the password file for user Alice.
If the two values match, Alice can successfully log on to the computer system.
When a first login attempt fails, the login screen usually diplays again for a second attempt. A system with more sophisticated security protection keeps a count of failed login attempts and locks a user's account when a certain threshold has been reached. Some other systems require authentication not only at the start of a new session but also at certain intervals so that attackers cannot keep using an unattended machine where another user has logged on. Other systems will close a session automatically if a user is idle for too long.
Scenario Security policies are very important for every organization. Depending upon the size and type of organization, security policies should be considered very carefully. Some IT professionals create very strict policies that will lock a user out upon one or two failed login attempts. Be sure that the security policy established for the organization matches the type of data and knowledge the security policy is in place to protect. When dealing with human error, there are times when a user will simply forget a password or have a finger slip and press a wrong key. If that user is then locked out, the user might not be able to access work files for a certain period of time while the help desk resets the password. This represents lost time in productivity for both the help desk and the individual who is locked out of the system.
Password Attacks Password attacks are malicious attempts to get a system's password to break into the system or jeopardize its security.
There are many easily accessible password attack techniques to get user passwords or decipher them with certain knowledge of the encryption methods used. We will discuss a few common ones in this topic.
Brute-force Attack
A brute-force attack exhaustively tries every possible combination of valid symbols until the real password is discovered.
Contact Webmaster
© Copyright 2013 College of IST
Page 3 of 8
Published on IST 554 (https://online.ist.psu.edu/ist554)
Although a brute-force attack will find a password eventually, it is normally very time-consuming to complete. The amount of time it takes depends on how complicated a password is. The more complicated a password is, the longer it takes a brute-force tool to break it. For instance, for a four- digit password, there are a maximum of 10,000 possible password combinations. Brute-force attacks against a long password may require many years to complete.
A simple method of protection against brute-force attacks is to change passwords frequently. In the case when a hacker does guess a password, the amount of time the hacker can access the system under fake authorization is limited.
Dictionary Attack
A dictionary attack searches for possible passwords through a special dictionary full of common words that people use as passwords. These dictionaries are created by hackers, using normal dictionaries, in addition to special software programs to create password combinations. A typical dictionary used by hackers may contain the entire Webster dictionary or words like popular first names, street names, phone numbers, repeating letters (e.g., PPPP) or a combination of words, letters, and names.
Because people tend to use simple passwords that they can easily remember, dictionary attacks are often sufficient to break an application and would take much less time than trying various passwords to find the right one in brute-force attack. Also, because people tend to use one password for several different applications, compromising one password often leads to the breakthrough of more than one application.
A dictionary attack works generally more efficiently than a brute-force attack, but cannot guarantee results like a brute-force attack.
To conduct a dictionary attack against a digested password system:
Attackers compute the hash results of all words that they think might be passwords and compare them against entries stored in the password file. If a match is found, the attacker will know he/she has the password. For every word in the dictionary, attackers check to see if F(word) = F(password). A match gives the attacker the password, which is the word.
As shown in Table 5.1, for a given word in the dictionary, "may576," the hash result is "3efttd;" for word, "august2380," hash result is "k368ktj." If the attacker found "k368ktj" in the password file, the attacker knows "august2380" is the password.
Table 5.1
Password guess F(password)
may576 3efttd
august2380 k368ktj
In the past, such attacks could take days, weeks or even months; however, because of increased computer processing power in recent years, dictionary attacks can compromise a password system in just minutes. Even brute-force attacks can be completed much faster. Table 5.2 describes the speed for a brute force attack using a PDP 11/70 computer:
Table 5.2
Contact Webmaster
© Copyright 2013 College of IST
Page 4 of 8
Published on IST 554 (https://online.ist.psu.edu/ist554)
Length of password (26 chars to use) Speed
1 30 msec
2 800 msec
3 22 sec
4 10 min
Sniffing, Spoofing, and Phishing Attacks
Sniffing (eavesdropping) covertly searches or grabs individual packets of data as they pass across a network. This is also known as packet-sniffing and is very effective in collecting user login sessions. When a user ID and password pair travels over networks in clear-text, it can be easily eavesdropped by a hacker's sniffing tool working on the same network.
Methods to address sniffing attacks include the Kerberos system and OTP technology. The Kerberos system encrypts account information going over the network, while OTP technology makes sniffing account information useless, as a password is only used once.
In a spoofing password attack, attackers play a camouflage technique to emulate a trusted host inviting users to enter their IDs and passwords.
A spoofing attack may be launched as follows:
1. An attacker runs a spoofing program that presents a fake login screen. 2. If unsuspecting users attempt to log in using this fake screen, the attacker captures their
login information. 3. The fake login session is aborted with an error message and execution is handed over to the
real login session without the users realizing it.
Phishing is a type of spoofing attack most often performed through email. Phishing attempts to acquire sensitive information such as passwords, credit card numbers, and bank account information
Contact Webmaster
© Copyright 2013 College of IST
Page 5 of 8
Published on IST 554 (https://online.ist.psu.edu/ist554)
by fraud such as pretending to be an established legitimate enterprise or institution.
Example Users may receive a seemingly official email with a link directing them to an enterprise's Web site (e.g., a "bank") where they are asked to provide personal information, such as passwords or bank account numbers. The Web site mimics the real enterprise's Web site and tricks people into thinking they have been contacted by an enterprise they trust, so they unwittingly volunteer information to unauthorized parties.
Mutual authentication is an effective method to mitigate spoofing or phishing attacks. It requires the authentication of a system's identity to users before users send out critical information.
To avoid false logins, users should communicate using trusted paths to known entities.
Example Users can press CTRL+ALT+DEL to invoke an authentic login dialog in Windows NT, even if a login dialog is already displayed.
Systems can also be configured to display the number of failed logins. If the system does not indicate an unsuccessful login when a user knows there has been a failed attempt, then the user knows that something is wrong.
Scenario One must learn the different types of spoofing attacks and what to look for in each. A user needs to defend their computer against spoofing by using a few simple techniques, such as filtering the router and encryption/authentication.
Here is a useful site to learn more information... http://www.securityfocus.com/infocus/1674 [2]
Social Engineering
Social engineering is a tactic used to obtain confidential information by exploiting the natural human tendency to trust others. For instance, unsuspecting employees can give valuable information over the phone, such as passwords, to people who claim to be administrators or colleagues they trust.
Password File Compromising
Systems verify a user's identify by comparing the password entered by the user against the value stored in the password file. The password file therefore becomes an extremely attractive target for attacks.
In the past, password files were relatively easy to access. Now most systems use cryptographic protection and access control imposed by the operating system.
Cryptographic protection prevents the contents of a password file from being directly disclosed. Hackers can still perform a brute-force attack or dictionary attack against the compromised password file, but if complicated passwords are used, it will take too long to run these attacks to make finding the password feasible. One-way hash functions are also used to slow down these two types of attacks.
Contact Webmaster
© Copyright 2013 College of IST
Page 6 of 8
Published on IST 554 (https://online.ist.psu.edu/ist554)
The access control method limits the exposure of a password file to all users on the system.
Example UNIX systems store enciphered passwords in a shadow password file that is not publicly available, and Windows NT stores enciphered passwords in a proprietary binary format.
Strong Password Authentication When a password is encrypted or digested, attackers cannot directly obtain the clear-text password. However, a poorly chosen password can be easily cracked by a dictionary attack or brute-force attack. A password structured with a few complexities makes the process of password guessing more difficult or time consuming.
Strong Password Integrity
For convenience, people tend to use passwords that are easy to remember, particularly if they have several to remember. As a result, they can often be easy to guess. In addition, when passwords are generated randomly, people tend to write them down as they are difficult to remember. These factors make password systems vulnerable to a much more sophisticated hacker/cracker community.
Passwords need to be "un-guessable" for the password system to be strong. Users must be trained to create strong passwords, and password management policy should be monitored and enforced to include the following rules:
Choose more complex passwords; Enforce rules for good passwords; Change passwords periodically; and Use machine-generated passwords.
Un-guessable, good passwords are not simple words or phrases used in common language. They should have a combination of upper and lower case letters, digits and special symbols such as punctuation marks, and should be at least eight characters or longer.
For instance, a good password can look like this: kEd*0s-&y.
A good password is less susceptible to dictionary attacks and strengthens the authentication system in terms of the number of attempts the attacker has to make before he can discover passwords using brute-force attack. Nowadays, even good passwords can be cracked because hackers have become smarter and developed utilities capable of breaking even the most complex passwords. For example, hackers regularly add numbers or symbols when conducting a dictionary attack. For this reason, passwords should also be changed regularly so that an attacker who manages to learn a password can only use it for a limited time period. In addition, breaking one password will not lead to the compromise of all systems if different passwords are required to be used for each system.
Password Salt
The password file contains passwords that are protected by a secure hash function; therefore, an intruder cannot directly use the information in the file. However, dictionary attacks are still possible because everyone can access the password file and know the secure hash function F.
Contact Webmaster
© Copyright 2013 College of IST
Page 7 of 8
Published on IST 554 (https://online.ist.psu.edu/ist554)
One solution is to use password salt to make a dictionary attack a bit more difficult. Password salt normally is a 12-bit number between 0 and 4095. Rather than computing F(password), F(password + salt) is computed and both salt and F(password + salt) are stored in the password file.
When a user enters the password, the system fetches the salt for the user and computes F(password + salt) to check for a match. With salt, the same password (in the dictionary) needs to be computed in 212= 4,096 different ways.
One-time Password (OTP) Authentication
The One-Time Password (OTP) system is a good method for countering password attacks because a password is allowed to be used only once. Even if a hacker manages to obtain the password (e.g., through a packet sniffer), the password is useless because it has expired by the time the hacker tries to use it. We will discuss OTP in detail in the next lesson.
Lesson Wrap-Up User IDs and passwords are common authentication methods used by most computer systems today. But predictable, easily-breakable or unchanging passwords are the single weakest point in a system's security model. Authentication that simply relies on standard passwords alone often fails to provide adequate defense against network attacks, of which the majority are achieved through breaking passwords. The compromise of a password authentication system can lead to other valuable information leakage and cause major damage to not only individuals but companies providing services.
Today's applications require better methods for verifying the identity of attempted users and authorizing or denying access.
After reading this lesson, you should be able to:
Define password authentication and explain basic concepts and terminologies. Discuss different password attacks and corresponding mitigation methods. Describe techniques for strong password integrity.
Source URL: https://online.ist.psu.edu/ist554/lesson2passwords
Links: [1] http://en.wikipedia.org/wiki/Hash_function [2] http://www.securityfocus.com/infocus/1674
Powered by TCPDF (www.tcpdf.org)
Contact Webmaster
© Copyright 2013 College of IST
Page 8 of 8