Preventing Authentication based attacks

Authentication attacks, causes and solutions
Analyzing man in the middle and dictionary attacks against SSL/TLS and password based authentication systems
Fletcher Liverance, 16 April 2009
Sources

Password-Based Authentication: Preventing Dictionary Attacks
Saikat Chakrabarti, University of Kentucky
Mukesh Singhal, University of Kentucky
Computer, IEEE CS Press, June 2007, pp. 68-74

SSL/TLS Session-Aware User Authentication
Rolf Oppliger, eSECURITY Technologies
Ralf Hauser, PrivaSphere AG
David Basin, ETH Zurich
Computer, IEEE CS Press, March 2008, pp. 59-65
Overview

What is authentication?
Two common attacks
Advanced password authentication protocols
Improvements in SSL/TLS
Preventing future attacks
What is Authentication?
Authentication is the binding of an identity to a subject

Face
Voice
Signature
Birth certificate
Social security number
ID card
Personal knowledge
Key
Password
Name
Phone number
Impersonal Authentication

How do you authenticate over a network?
  No direct visual cues
  No direct auditory cues
  No physical connection

Knowledge based authentication
Recreation of human authentication cues
Electronic IDs
Dictionary Attack

Online
  Repeated query of authentication server
  Slow
  Easy to block
Offline
  Repeated computation and comparison of password hash
  Faster
  No interaction required

Top ten passwords:
1. (username)
2. (username)123
3. 123456
4. password
5. 1234
6. 12345
7. passwd
8. 123
9. test
10. 1
Man in the Middle
“a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.”
RFC 2828 – Internet Security Glossary
Basic Password Authentication
Challenge/Response
EKE Protocol
Plaintext equivalence

User and host must have access to the same secret password
Attacker can intercept password hash as it is sent to server
Secure remote-password protocol
Behind the scenes
Alice and Bob agree on finite field F(x)
Alice gives Bob verifier v = F(Hash(salt, password)) and salt.
Alice sends identity to Bob
Bob sends salt to Alice
Alice computes K-a = F(Rand-a) and x = Hash(salt, pwd)
Alice sends K-a to Bob
Bob computes K-b = v + F(Rand-b)
Bob sends K-b and Rand-r to Alice
Alice sends Cert-a to Bob
Alice computes K-ab = Hash((K-b - F(Hash(salt, pwd)))^(Rand-a + Rand-r*Hash(salt, pwd)))
Bob computes K-ab = Hash((K-a*v^Rand-r)^Rand-b)
Bob verifies Cert-a is correct
Bob sends Cert-b to Alice
Alice verifies Cert-b is correct
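
Added example, not from the slides or the cited papers: the exchange above in Python, showing that both sides reach the same K-ab only when Alice types the enrolled password. Assumptions: F(e) = G^e mod N over a constructed demo prime, SHA-256 as Hash, and Cert-a = Hash(K-a, K-b, K-ab); Bob's key is computed as (K-a * v^Rand-r)^Rand-b, the form in which both sides agree.

```python
import hashlib
import hmac
import secrets

# Constructed demo group (assumption): prime modulus, NOT a vetted SRP group.
N = 2**521 - 1
G = 3

def H(*parts):
    """The slides' Hash(): length-prefixed SHA-256 over the parts, as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(66, "big")        # 66 bytes holds any value below N
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

def F(e):
    """The slides' F(): exponentiation in the agreed group."""
    return pow(G, e, N)

def enroll(password):
    """Alice gives Bob salt and verifier v; Bob never stores the password."""
    salt = secrets.token_bytes(16)
    return salt, F(H(salt, password))

def bob_key(k_a, v, rand_b, rand_r):
    """Bob's side: K-ab = Hash((K-a * v^Rand-r)^Rand-b)."""
    if k_a % N == 0:  # reject: the key would no longer depend on v
        raise ValueError("invalid K-a")
    return H(pow(k_a * pow(v, rand_r, N) % N, rand_b, N))

def login(salt, v, typed_password):
    """Run one exchange; True if Bob accepts Alice's Cert-a."""
    rand_a = secrets.randbelow(N - 2) + 1
    rand_b = secrets.randbelow(N - 2) + 1
    rand_r = secrets.randbits(128) | 1
    k_a = F(rand_a)                          # Alice -> Bob
    k_b = (v + F(rand_b)) % N                # Bob -> Alice, with rand_r
    x = H(salt, typed_password)
    key_alice = H(pow((k_b - F(x)) % N, rand_a + rand_r * x, N))
    key_bob = bob_key(k_a, v, rand_b, rand_r)
    cert_a = H(k_a, k_b, key_alice)          # assumed proof format
    expected = H(k_a, k_b, key_bob)
    return hmac.compare_digest(cert_a.to_bytes(32, "big"),
                               expected.to_bytes(32, "big"))
```

Bob holds only salt and v, and a wrong guess produces a different K-ab, so each guess costs the attacker one online exchange.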
Alternative Solutions

Delayed response
Account locking
Extra computation
Reverse Turing Test
  Captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart)
SSL/TLS
SSL/TLS Issues

Prone to man in the middle attack
  Attacker intercepts server messages
  Attacker replaces server certificate with its own
  Client encrypts all future transmissions using attacker’s certificate

“the naïve end user usually does SSL/TLS server authentication poorly if at all”
“developers usually decouple SSL/TLS session establishment from user authentication”
Preventing MITM attacks

Enforce proper server authentication
  Uneducated users
  Forged certificates
  Click through
  Complicated revocation policy
  Complicated certificate verification tree
TLS-SA

Combine user authentication with SSL/TLS session establishment
Provide user authentication code (UAC) that depends on credentials and TLS session
Attacker can start session with user and host, but cannot forward messages between them
TLS-SA Implementation

Normal TLS
Client token generates session key based on hash of server cert
User enters password
UAC is computed from session key and password and is transmitted to server
Server authenticates client at any time by requesting user ID, hash of server cert and the UAC.
A Formal Approach
“protocols need more than heuristic arguments to provide security guarantees.”

Provable security via the Standard model
  Uses complexity-theoretic hardness assumptions:
    Factoring the product of large primes is hard
    Computing the discrete logarithm is hard in certain large groups.
    AES is a good pseudorandom permutation
A Formal Approach (cont.)

The random oracle model
  “A public random function that takes any string as input and outputs n bits”
  Use heuristically secure algorithms such as SHA

The ideal-cipher model
  A standard block cipher, with k-bit key and n-bit input, chosen uniformly from all block ciphers of this form.
  Use pseudorandom permutations such as AES
Q&A