Password based cryptographyPresentation Transcript
Password-based Cryptography 1 PRESENTED BY ISHRAQ FATAFTAH
Agenda 2 Introduction. Security attacks. Password-based cryptography. Common countermeasures against dictionary attacks. Conclusion.
Introduction 3 Passwords are the most common method of authentication. Consists of a string of characters to gain access to resources. Usually, passwords are human memorable that considered as a vulnerability in security. Passwords are derived from a small domain.
Introduction 4 Password creation rules have been enforced to increase the quality of passwords like: Letters and numeric. Non-alphanumeric characters. Passphrases. Symbols. Increased password length.
Well Known Passwords attacks 5 Guessing attacks. Brute force attack (Rainbow). Dictionary attacks. Online dictionary attacks. Offline dictionary attacks. Resetting attacks. Replay attacks. Syllable attacks. Social engineering and shoulder surfing.
Password based Cryptography 6 Attempt to derive security key directly from passwords. Some processing are needed to turn passwords into security keys. Password based authentication techniques. The use of iteration count. Construct key derivation function.
Password based Authentication 7 System and user agree on a list of passwords.
Password based Authentication using Hashes 8 A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum. Hash functions should be: Easy to compute the hash value for any given message. Infeasible to find a message that has a given hash. Infeasible to modify a message without changing its hash. Infeasible to find two different messages with the same hash.
Password based Authentication using Hashes 9 System hashes user password.
Password based Authentication using Hashes 10 Using Dictionary attacks that uses hashes of dictionary words. Attacker might not know the exact hash function used, which means they must attempt each dictionary word for each hash function they’re considering.
Password based Authentication using Salts 11 8 Byte random number. DK = KDF (P, S) Producing a large set of keys corresponding to a given password. Benefits: Difficult to pre compute all keys corresponding to a dictionary of password by attacker. It is unlikely to select the same key twice.
Password based Authentication using Salts 12 System salts user password.
Password based Authentication using Salts 13 What if passwords+salt was input to a hash function? Not one hash for a given dictionary word. There are as many different hashes as there are possible values for the salt.
Password based cryptography using Iteration count 14 Increasing the cost of producing keys from a password. Using fixed number C with Password Random Function (PRF). As number of iteration increases, as the cost of exhaustive search for passwords increases. Minimum of 1000 iteration is recommended.
Password-based key derivation 15 A key derivation function produces a derived key from a base key and other parameters. The base key is a password and the other parameters are a salt value and an iteration count.
Password-based key derivation 16 Key derivation algorithm: Select a salt S and an iteration count c. Select a length in octets for the derived key. Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key. Output the derived key. y = F(p, s, c)
Common countermeasures against online dictionary attacks 17 Delayed response. Prevent attacker from checking many passwords in a short time. Account locking. Both insufficient in network environment. Pricing via processing. Use of Captcha.
Common countermeasures against offline dictionary attacks 18 Can be easily prevented using Public key cryptography. First password based authentication protocol secure against offline dictionary attacks, called EKE. Encrypted Key Exchange , one party encrypts a (one- time) public key using a password, and sends it to a second party, who decrypts it and uses it to negotiate a shared key with the first party.
Common countermeasures against offline dictionary attacks 19 Password authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party cannot participate in the method and is constrained as much as possible from guessing the password. Zero-Knowledge Concepts.
Conclusion 20 Data has nowadays become our most valuable asset which needs to be protected at any cost. Most common authentication techniques are passwords. Human-memorable passwords are vulnerable to attacks. Authentication techniques requires substantial change in their infrastructure. There is no satisfactory means to counter password attacks.