Skip to main content

Authentication

  • To allow some access to an asset we must ensure:
    • They are permitted to access that asset
    • They are who they say they are
  • A process of verifying a user's identity
  • Can attempt to verify identity using credentials

TOCTTOU - Time of check to time of use

  • Repeated authentication
  • At the start and during a session

Problems with passwords

  • People forget them
  • Can be guessed
  • Spoofing and Phishing
  • Compromised files
  • Keylogging

Hash Functions

  • Another cryptographic primitive in our toolbox
  • Takes a message of any length, and returns a pseudorandom hash of fixed length
  • h(M):{0,1}n{0,1}128h(M):\{0,1\}^n\to\{0,1\}^{128}
  • Hash functions are used everywhere. Message auth, integrity, passwords
  • Common hash functions - MD5, SHA-1. SHA-256

Strong Hash Functions

  • Output must be indistinguishable from random noise
  • Bit changes must be diffused through the entire output
  • For it to be useful, need to have important properties:
    • Cant be reversed
    • It is impractical to find messages that produce the same hash - hash collision

Storing Passwords

  • Storing encrypted passwords is better, but not perfect
  • Using a one-way hash function is a much better solution

Password/Shadow Files

  • OS have taken steps to stop people reading hashes for offline attacks
  • These files are now read protected

Cracking Passwords

  • Isn't always illegal, though sometimes it is
  • Offline: Have a copy of the password hash locally. (Brute force approach)
  • Online: You do not have the hash, and are instead attempting to gain access to an actual login terminal
  • Online is usually attempted with phishing

Dictionary Attacks

  • Most password cracking is now achieved using dictionary attacks rather than brute force

Password Salting

  • Can improve security by prepending a random "salt" to a password before hashing
  • The salt is stored unencrypted with the hash
  • If use a different random salt for each user, get the following security benefits:
    • Cracking multiple passwords is slower
    • Prevents rainbow table attacks
  • Salting has no effect on the speed of cracking a single password

Hashing Speed

  • When password cracking, the most important factor is the hashing speed
  • New algorithms take longer as they are more complex
  • Iterate to increase complexity - PBKDF2
  • bcrypt cant be used on easily GPUs

Pretexting

  • Offer a pretext as a reason for needing private information
  • Continue to rely on email address, DOB, Mothers maiden name etc