174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
1 |
\documentclass{article}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
2 |
\usepackage{../style}
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
3 |
\usepackage{../langs}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
4 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
5 |
\lstset{language=JavaScript}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
6 |
|
366
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
7 |
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
8 |
\begin{document}
|
446
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
9 |
\fnote{\copyright{} Christian Urban,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
10 |
King's College London, 2014, 2015, 2016}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
11 |
|
431
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
12 |
%Ross anderson
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
13 |
%https://youtu.be/FY2YKxBxOkg
|
453
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
14 |
%http://www.scmagazineuk.com/amazon-launches-open-source-tls-implementation-s2n/article/424360/
|
431
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
15 |
|
457
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
16 |
%Singapurs Behörden gehen offline
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
17 |
|
462
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
18 |
% how to store passwords
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
19 |
%https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
|
457
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
20 |
|
508
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
21 |
%hashes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
22 |
%http://web.archive.org/web/20071226014140/http://www.cits.rub.de/MD5Collisions/
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
23 |
%https://blog.codinghorror.com/speed-hashing/
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
24 |
%https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
25 |
|
509
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
26 |
% Hello Kitty database stolen
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
27 |
% https://nakedsecurity.sophos.com/2017/01/10/stolen-details-of-3-3m-hello-kitty-fans-including-kids-published-online/
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
28 |
%
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
29 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
30 |
% IoT
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
31 |
% https://nakedsecurity.sophos.com/2015/10/26/the-internet-of-things-stop-the-things-i-want-to-get-off/
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
32 |
|
514
|
33 |
% cloning creditc cards and passports
|
|
34 |
%https://www.youtube.com/watch?v=-4_on9zj-zs
|
|
35 |
|
|
36 |
|
167
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
37 |
\section*{Handout 1 (Security Engineering)}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
38 |
|
366
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
39 |
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
40 |
Much of the material and inspiration in this module is taken
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
41 |
from the works of Bruce Schneier, Ross Anderson and Alex
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
42 |
Halderman. I think they are the world experts in the area of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
43 |
security engineering. I especially like that they argue that a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
44 |
security engineer requires a certain \emph{security mindset}.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
45 |
Bruce Schneier for example writes:
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
46 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
47 |
\begin{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
48 |
\it ``Security engineers --- at least the good ones --- see
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
49 |
the world differently. They can't walk into a store without
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
50 |
noticing how they might shoplift. They can't use a computer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
51 |
without wondering about the security vulnerabilities. They
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
52 |
can't vote without trying to figure out how to vote twice.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
53 |
They just can't help it.''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
54 |
\end{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
55 |
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
56 |
\noindent
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
57 |
and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
58 |
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
59 |
\begin{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
60 |
\it ``Security engineering\ldots requires you to think
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
61 |
differently. You need to figure out not how something works,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
62 |
but how something can be made to not work. You have to imagine
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
63 |
an intelligent and malicious adversary inside your system
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
64 |
\ldots, constantly trying new ways to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
65 |
subvert it. You have to consider all the ways your system can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
66 |
fail, most of them having nothing to do with the design
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
67 |
itself. You have to look at everything backwards, upside down,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
68 |
and sideways. You have to think like an alien.''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
69 |
\end{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
70 |
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
71 |
\noindent In this module I like to teach you this security
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
72 |
mindset. This might be a mindset that you think is very
|
446
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
73 |
foreign to you---after all we are all good citizens and do not
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
74 |
hack into things. However, I beg to differ: You have this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
75 |
mindset already when in school you were thinking, at least
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
76 |
hypothetically, about ways in which you can cheat in an exam
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
77 |
(whether it is by hiding notes or by looking over the
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
78 |
shoulders of your fellow pupils). Right? To defend a system,
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
79 |
you need to have this kind of mindset and be able to think
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
80 |
like an attacker. This will include understanding techniques
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
81 |
that can be used to compromise security and privacy in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
82 |
systems. This will many times result in insights where
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
83 |
well-intended security mechanisms made a system actually less
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
84 |
secure.\medskip
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
85 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
86 |
\noindent
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
87 |
{\Large\bf Warning!} However, don’t be evil! Using those
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
88 |
techniques in the real world may violate the law or King’s
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
89 |
rules, and it may be unethical. Under some circumstances, even
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
90 |
probing for weaknesses of a system may result in severe
|
160
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
91 |
penalties, up to and including expulsion, fines and
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
92 |
jail time. Acting lawfully and ethically is your
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
93 |
responsibility. Ethics requires you to refrain from doing
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
94 |
harm. Always respect privacy and rights of others. Do not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
95 |
tamper with any of King's systems. If you try out a technique,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
96 |
always make doubly sure you are working in a safe environment
|
160
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
97 |
so that you cannot cause any harm, not even accidentally.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
98 |
Don't be evil. Be an ethical hacker.\medskip
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
99 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
100 |
\noindent In this lecture I want to make you familiar with the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
101 |
security mindset and dispel the myth that encryption is the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
102 |
answer to all security problems (it is certainly often a part
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
103 |
of an answer, but almost always never a sufficient one). This
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
104 |
is actually an important thread going through the whole
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
105 |
course: We will assume that encryption works perfectly, but
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
106 |
still attack ``things''. By ``works perfectly'' we mean that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
107 |
we will assume encryption is a black box and, for example,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
108 |
will not look at the underlying mathematics and break the
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
109 |
algorithms.\footnote{Though fascinating this might be.}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
110 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
111 |
For a secure system, it seems, four requirements need to come
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
112 |
together: First a security policy (what is supposed to be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
113 |
achieved?); second a mechanism (cipher, access controls,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
114 |
tamper resistance etc); third the assurance we obtain from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
115 |
mechanism (the amount of reliance we can put on the mechanism)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
116 |
and finally the incentives (the motive that the people
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
117 |
guarding and maintaining the system have to do their job
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
118 |
properly, and also the motive that the attackers have to try
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
119 |
to defeat your policy). The last point is often overlooked,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
120 |
but plays an important role. To illustrate this lets look at
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
121 |
an example.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
122 |
|
446
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
123 |
\subsubsection*{Chip-and-PIN is Surely More Secure, No?}
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
124 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
125 |
The questions is whether the Chip-and-PIN system used with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
126 |
modern credit cards is more secure than the older method of
|
463
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
127 |
signing receipts at the till? On first glance the answer seems
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
128 |
obvious: Chip-and-PIN must be more secure and indeed improved
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
129 |
security was the central plank in the ``marketing speak'' of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
130 |
the banks behind Chip-and-PIN. The earlier system was based on
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
131 |
a magnetic stripe or a mechanical imprint on the cards and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
132 |
required customers to sign receipts at the till whenever they
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
133 |
bought something. This signature authorised the transactions.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
134 |
Although in use for a long time, this system had some crucial
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
135 |
security flaws, including making clones of credit cards and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
136 |
forging signatures.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
137 |
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
138 |
Chip-and-PIN, as the name suggests, relies on data being
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
139 |
stored on a chip on the card and a PIN number for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
140 |
authorisation. Even though the banks involved trumpeted their
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
141 |
system as being absolutely secure and indeed fraud rates
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
142 |
initially went down, security researchers were not convinced
|
450
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
143 |
(especially not the group around Ross
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
144 |
Anderson).\footnote{Actually, historical data about fraud
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
145 |
showed that first fraud rates went up (while early problems to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
146 |
do with the introduction of Chip-and-PIN we exploited), then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
147 |
down, but recently up again (because criminals getting more
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
148 |
familiar with the technology and how it can be exloited).} To begin with, the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
149 |
Chip-and-PIN system introduced a ``new player'' into the
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
150 |
system that needed to be trusted: the PIN terminals and their
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
151 |
manufacturers. It was claimed that these terminals were
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
152 |
tamper-resistant, but needless to say this was a weak link in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
153 |
the system, which criminals successfully attacked. Some
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
154 |
terminals were even so skilfully manipulated that they
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
155 |
transmitted skimmed PIN numbers via built-in mobile phone
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
156 |
connections. To mitigate this flaw in the security of
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
157 |
Chip-and-PIN, you need to be able to vet quite closely the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
158 |
supply chain of such terminals. This is something that is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
159 |
mostly beyond the control of customers who need to use these
|
446
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
160 |
terminals.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
161 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
162 |
To make matters worse for Chip-and-PIN, around 2009 Ross
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
163 |
Anderson and his group were able to perform man-in-the-middle
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
164 |
attacks against Chip-and-PIN. Essentially they made the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
165 |
terminal think the correct PIN was entered and the card think
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
166 |
that a signature was used. This is a kind of \emph{protocol
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
167 |
failure}. After discovery, the flaw was mitigated by requiring
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
168 |
that a link between the card and the bank is established at
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
169 |
every time the card is used. Even later this group found
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
170 |
another problem with Chip-and-PIN and ATMs which did not
|
383
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
171 |
generate random enough numbers (cryptographic nonces) on which
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
172 |
the security of the underlying protocols relies.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
173 |
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
174 |
The overarching problem with all this is that the banks who
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
175 |
introduced Chip-and-PIN managed with the new system to shift
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
176 |
the liability for any fraud and the burden of proof onto the
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
177 |
customer. In the old system, the banks had to prove that the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
178 |
customer used the card, which they often did not bother with.
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
179 |
In effect, if fraud occurred the customers were either
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
180 |
refunded fully or lost only a small amount of money. This
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
181 |
taking-responsibility-of-potential-fraud was part of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
182 |
``business plan'' of the banks and did not reduce their
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
183 |
profits too much.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
184 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
185 |
Since banks managed to successfully claim that their
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
186 |
Chip-and-PIN system is secure, they were under the new system
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
187 |
able to point the finger at the customer when fraud occurred:
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
188 |
customers must have been negligent losing their PIN and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
189 |
customers had almost no way of defending themselves in such
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
190 |
situations. That is why the work of \emph{ethical} hackers
|
446
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
191 |
like Ross Anderson's group is so important, because they and
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
192 |
others established that the banks' claim that their system is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
193 |
secure and it must have been the customer's fault, was bogus.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
194 |
In 2009 the law changed and the burden of proof went back to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
195 |
the banks. They need to prove whether it was really the
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
196 |
customer who used a card or not. The current state of affairs,
|
446
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
197 |
however, is that standing up for your right requires you to be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
198 |
knowledgeable, potentially having to go to court\ldots{}if
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
199 |
not, the banks are happy to take advantage of you.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
200 |
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
201 |
This is a classic example where a security design principle
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
202 |
was violated: Namely, the one who is in the position to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
203 |
improve security, also needs to bear the financial losses if
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
204 |
things go wrong. Otherwise, you end up with an insecure
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
205 |
system. In case of the Chip-and-PIN system, no good security
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
206 |
engineer would dare to claim that it is secure beyond
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
207 |
reproach: the specification of the EMV protocol (underlying
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
208 |
Chip-and-PIN) is some 700 pages long, but still leaves out
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
209 |
many things (like how to implement a good random number
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
210 |
generator). No human being is able to scrutinise such a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
211 |
specification and ensure it contains no flaws. Moreover, banks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
212 |
can add their own sub-protocols to EMV. With all the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
213 |
experience we already have, it is as clear as day that
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
214 |
criminals were bound to eventually be able to poke holes into
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
215 |
it and measures need to be taken to address them. However,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
216 |
with how the system was set up, the banks had no real
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
217 |
incentive to come up with a system that is really secure.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
218 |
Getting the incentives right in favour of security is often a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
219 |
tricky business. From a customer point of view, the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
220 |
Chip-and-PIN system was much less secure than the old
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
221 |
signature-based method. The customer could now lose
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
222 |
significant amounts of money.
|
173
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
223 |
|
445
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
224 |
If you want to watch an entertaining talk about attacking
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
225 |
Chip-and-PIN cards, then this talk from the 2014 Chaos
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
226 |
Computer Club conference is for you:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
227 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
228 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
229 |
\url{https://www.youtube.com/watch?v=XeZbVZQsKO8}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
230 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
231 |
|
446
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
232 |
\noindent They claim that they are able to clone Chip-and-PINs
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
233 |
cards such that they get all data that was on the Magstripe,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
234 |
except for three digits (the CVV number). Remember,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
235 |
Chip-and-PIN cards were introduced exactly for preventing
|
450
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
236 |
this. Ross Anderson also talked about his research at the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
237 |
BlackHat Conference in 2014:
|
445
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
238 |
|
450
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
239 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
240 |
\url{https://www.youtube.com/watch?v=ET0MFkRorbo}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
241 |
\end{center}
|
445
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
242 |
|
455
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
243 |
\noindent An article about reverse-engineering a PIN-number skimmer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
244 |
is at
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
245 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
246 |
\begin{center}\small
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
247 |
\url{https://trustfoundry.net/reverse-engineering-a-discovered-atm-skimmer/}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
248 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
249 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
250 |
\noindent
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
251 |
including a scary video of how a PIN-pad overlay is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
252 |
installed by some crooks.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
253 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
254 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
255 |
\subsection*{Of Cookies and Salts}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
256 |
|
355
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
257 |
Let us look at another example which will help with understanding how
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
258 |
passwords should be verified and stored. Imagine you need to develop
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
259 |
a web-application that has the feature of recording how many times a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
260 |
customer visits a page. For example in order to give a discount
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
261 |
whenever the customer has visited a webpage some $x$ number of times
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
262 |
(say $x$ equals $5$). There is one more constraint: we want to store
|
355
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
263 |
the information about the number of visits as a cookie on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
264 |
browser. I think, for a number of years the webpage of the New York
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
265 |
Times operated in this way: it allowed you to read ten articles per
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
266 |
month for free; if you wanted to read more, you had to pay. My best
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
267 |
guess is that it used cookies for recording how many times their pages
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
268 |
was visited, because if I switched browsers I could easily circumvent
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
269 |
the restriction about ten articles.\footnote{Another online media that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
270 |
works in this way is the Times Higher Education
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
271 |
\url{http://www.timeshighereducation.co.uk}. It also seems to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
272 |
use cookies to restrict the number of free articles to five.}
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
273 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
274 |
To implement our web-application it is good to look under the
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
275 |
hood what happens when a webpage is displayed in a browser. A
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
276 |
typical web-application works as follows: The browser sends a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
277 |
GET request for a particular page to a server. The server
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
278 |
answers this request with a webpage in HTML (for our purposes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
279 |
we can ignore the details about HTML). A simple JavaScript
|
325
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
280 |
program that realises a server answering with a ``Hello
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
281 |
World'' webpage is as follows:
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
282 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
283 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
284 |
\lstinputlisting{../progs/ap0.js}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
285 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
286 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
287 |
\noindent The interesting lines are 4 to 7 where the answer to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
288 |
the GET request is generated\ldots in this case it is just a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
289 |
simple string. This program is run on the server and will be
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
290 |
executed whenever a browser initiates such a GET request. You
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
291 |
can run this program on your computer and then direct a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
292 |
browser to the address \pcode{localhost:8000} in order to
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
293 |
simulate a request over the internet. You are encouraged
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
294 |
to try this out\ldots{}theory is always good, but practice is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
295 |
better.
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
296 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
297 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
298 |
For our web-application of interest is the feature that the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
299 |
server when answering the request can store some information
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
300 |
on the client's side. This information is called a
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
301 |
\emph{cookie}. The next time the browser makes another GET
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
302 |
request to the same webpage, this cookie can be read again by
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
303 |
the server. We can use cookies in order to store a counter
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
304 |
that records the number of times our webpage has been visited.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
305 |
This can be realised with the following small program
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
306 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
307 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
308 |
\lstinputlisting{../progs/ap2.js}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
309 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
310 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
311 |
\noindent The overall structure of this program is the same as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
312 |
the earlier one: Lines 7 to 17 generate the answer to a
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
313 |
GET-request. The new part is in Line 8 where we read the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
314 |
cookie called \pcode{counter}. If present, this cookie will be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
315 |
send together with the GET-request from the client. The value
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
316 |
of this counter will come in form of a string, therefore we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
317 |
use the function \pcode{parseInt} in order to transform it
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
318 |
into an integer. In case the cookie is not present, we default
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
319 |
the counter to zero. The odd looking construction \code{...||
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
320 |
0} is realising this defaulting in JavaScript. In Line 9 we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
321 |
increase the counter by one and store it back to the client
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
322 |
(under the name \pcode{counter}, since potentially more than
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
323 |
one value could be stored). In Lines 10 to 15 we test whether
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
324 |
this counter is greater or equal than 5 and send accordingly a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
325 |
specially grafted message back to the client.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
326 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
327 |
Let us step back and analyse this program from a security
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
328 |
point of view. We store a counter in plain text on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
329 |
client's browser (which is not under our control). Depending
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
330 |
on this value we want to unlock a resource (like a discount)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
331 |
when it reaches a threshold. If the client deletes the cookie,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
332 |
then the counter will just be reset to zero. This does not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
333 |
bother us, because the purported discount will just not be
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
334 |
granted. In this way we do not lose any (hypothetical) money.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
335 |
What we need to be concerned about is, however, when a client
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
336 |
artificially increases this counter without having visited our
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
337 |
web-page. This is actually a trivial task for a knowledgeable
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
338 |
person, since there are convenient tools that allow one to set
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
339 |
a cookie to an arbitrary value, for example above our
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
340 |
threshold for the discount.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
341 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
342 |
There seems to be no simple way to prevent this kind of
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
343 |
tampering with cookies, because the whole purpose of cookies
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
344 |
is that they are stored on the client's side, which from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
345 |
the server's perspective is a potentially hostile environment.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
346 |
What we need to ensure is the integrity of this counter in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
347 |
this hostile environment. We could think of encrypting the
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
348 |
counter. But this has two drawbacks to do with the keys for
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
349 |
encryption. If you use a single, global key for all the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
350 |
clients that visit our site, then we risk that our whole
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
351 |
``business'' might collapse in the event this key gets known
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
352 |
to the outside world. Then all cookies we might have set in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
353 |
the past, can now be decrypted and manipulated. If, on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
354 |
other hand, we use many ``private'' keys for the clients, then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
355 |
we have to solve the problem of having to securely store this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
356 |
key on our server side (obviously we cannot store the key with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
357 |
the client because then the client again has all data to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
358 |
tamper with the counter; and obviously we also cannot encrypt
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
359 |
the key, lest we can solve an impossible chicken-and-egg
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
360 |
problem). So encryption seems to not solve the problem we face
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
361 |
with the integrity of our counter.
|
169
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
362 |
|
336
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
363 |
Fortunately, \emph{cryptographic hash functions} seem to be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
364 |
more suitable for our purpose. Like encryption, hash functions
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
365 |
scramble data in such a way that it is easy to calculate the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
366 |
output of a hash function from the input. But it is hard
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
367 |
(i.e.~practically impossible) to calculate the input from
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
368 |
knowing the output. This is often called \emph{preimage
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
369 |
resistance}. Cryptographic hash functions also ensure that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
370 |
given a message and a hash, it is computationally infeasible to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
371 |
find another message with the same hash. This is called
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
372 |
\emph{collusion resistance}. Because of these properties, hash
|
383
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
373 |
functions are often called \emph{one-way functions}: you
|
336
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
374 |
cannot go back from the output to the input (without some
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
375 |
tricks, see below).
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
376 |
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
377 |
There are several such hashing function. For example SHA-1
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
378 |
would hash the string \pcode{"hello world"} to produce the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
379 |
hash-value
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
380 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
381 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
382 |
\pcode{2aae6c35c94fcfb415dbe95f408b9ce91ee846ed}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
383 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
384 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
385 |
\noindent Another handy feature of hash functions is that if
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
386 |
the input changes only a little, the output changes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
387 |
drastically. For example \pcode{"iello world"} produces under
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
388 |
SHA-1 the output
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
389 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
390 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
391 |
\pcode{d2b1402d84e8bcef5ae18f828e43e7065b841ff1}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
392 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
393 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
394 |
\noindent That means it is not predictable what the output
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
395 |
will be from just looking at input that is ``close by''.
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
396 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
397 |
We can use hashes in our web-application and store in the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
398 |
cookie the value of the counter in plain text but together
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
399 |
with its hash. We need to store both pieces of data in such a
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
400 |
way that we can extract them again later on. In the code below
|
383
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
401 |
I will just separate them using a \pcode{"-"}. For the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
402 |
counter \pcode{1} for example
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
403 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
404 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
405 |
\pcode{1-356a192b7913b04c54574d18c28d46e6395428ab}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
406 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
407 |
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
408 |
\noindent If we now read back the cookie when the client
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
409 |
visits our webpage, we can extract the counter, hash it again
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
410 |
and compare the result to the stored hash value inside the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
411 |
cookie. If these hashes disagree, then we can deduce that the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
412 |
cookie has been tampered with. Unfortunately, if they agree,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
413 |
we can still not be entirely sure that not a clever hacker has
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
414 |
tampered with the cookie. The reason is that the hacker can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
415 |
see the clear text part of the cookie, say \pcode{3}, and also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
416 |
its hash. It does not take much trial and error to find out
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
417 |
that we used the SHA-1 hashing function and then the hacker
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
418 |
can graft a cookie accordingly. This is eased by the fact that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
419 |
for SHA-1 many strings and corresponding hash-values are
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
420 |
precalculated. Type, for example, into Google the hash value
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
421 |
for \pcode{"hello world"} and you will actually pretty quickly
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
422 |
find that it was generated by input string \pcode{"hello
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
423 |
world"}. Similarly for the hash-value for \pcode{1}. This
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
424 |
defeats the purpose of a hashing function and thus would not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
425 |
help us with our web-applications and later also not with how
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
426 |
to store passwords properly.
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
427 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
428 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
429 |
There is one ingredient missing, which happens to be called
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
430 |
\emph{salts}. Salts are random keys, which are added to the
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
431 |
counter before the hash is calculated. In our case we must
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
432 |
keep the salt secret. As can be see in Figure~\ref{hashsalt},
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
433 |
we need to extract from the cookie the counter value and its
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
434 |
hash (Lines 19 and 20). But before hashing the counter again
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
435 |
(Line 22) we need to add the secret salt. Similarly, when we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
436 |
set the new increased counter, we will need to add the salt
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
437 |
before hashing (this is done in Line 15). Our web-application
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
438 |
will now store cookies like
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
439 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
440 |
\begin{figure}[p]
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
441 |
\lstinputlisting{../progs/App4.js}
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
442 |
\caption{A Node.js web-app that sets a cookie in the client's
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
443 |
browser for counting the number of visits to a page.\label{hashsalt}}
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
444 |
\end{figure}
|
169
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
445 |
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
446 |
\begin{center}\tt
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
447 |
\begin{tabular}{l}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
448 |
1 + salt - 8189effef4d4f7411f4153b13ff72546dd682c69\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
449 |
2 + salt - 1528375d5ceb7d71597053e6877cc570067a738f\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
450 |
3 + salt - d646e213d4f87e3971d9dd6d9f435840eb6a1c06\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
451 |
4 + salt - 5b9e85269e4461de0238a6bf463ed3f25778cbba\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
452 |
...\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
453 |
\end{tabular}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
454 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
455 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
456 |
\noindent These hashes allow us to read and set the value of
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
457 |
the counter, and also give us confidence that the counter has
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
458 |
not been tampered with. This of course depends on being able
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
459 |
to keep the salt secret. Once the salt is public, we better
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
460 |
ignore all cookies and start setting them again with a new
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
461 |
salt.
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
462 |
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
463 |
There is an interesting and very subtle point to note with
|
383
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
464 |
respect to the 'New York Times' way of checking the number
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
465 |
visits. Essentially they have their `resource' unlocked at the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
466 |
beginning and lock it only when the data in the cookie states
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
467 |
that the allowed free number of visits are up. As said before,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
468 |
this can be easily circumvented by just deleting the cookie or
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
469 |
by switching the browser. This would mean the New York Times
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
470 |
will lose revenue whenever this kind of tampering occurs. The
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
471 |
`quick fix' to require that a cookie must always be present
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
472 |
does not work, because then this newspaper will cut off any
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
473 |
new readers, or anyone who gets a new computer. In contrast,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
474 |
our web-application has the resource (discount) locked at the
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
475 |
beginning and only unlocks it if the cookie data says so. If
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
476 |
the cookie is deleted, well then the resource just does not
|
383
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
477 |
get unlocked. No major harm will result to us. You can see:
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
478 |
the same security mechanism behaves rather differently
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
479 |
depending on whether the ``resource'' needs to be locked or
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
480 |
unlocked. Apart from thinking about the difference very
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
481 |
carefully, I do not know of any good ``theory'' that could
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
482 |
help with solving such security intricacies in any other way.
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
483 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
484 |
\subsection*{How to Store Passwords Properly?}
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
485 |
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
486 |
While admittedly quite silly, the simple web-application in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
487 |
the previous section should help with the more important
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
488 |
question of how passwords should be verified and stored. It is
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
489 |
unbelievable that nowadays systems still do this with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
490 |
passwords in plain text. The idea behind such plain-text
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
491 |
passwords is of course that if the user typed in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
492 |
\pcode{foobar} as password, we need to verify whether it
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
493 |
matches with the password that is already stored for this user
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
494 |
in the system. Why not doing this with plain-text passwords?
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
495 |
Unfortunately doing this verification in plain text is really
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
496 |
a bad idea. Alas, evidence suggests it is still a
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
497 |
widespread practice. I leave you to think about why verifying
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
498 |
passwords in plain text is a bad idea.
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
499 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
500 |
Using hash functions, like in our web-application, we can do
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
501 |
better. They allow us to not having to store passwords in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
502 |
plain text for verification whether a password matches or not.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
503 |
We can just hash the password and store the hash-value. And
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
504 |
whenever the user types in a new password, well then we hash
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
505 |
it again and check whether the hash-values agree. Just like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
506 |
in the web-application before.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
507 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
508 |
Lets analyse what happens when a hacker gets hold of such a
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
509 |
hashed password database. That is the scenario we want to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
510 |
defend against.\footnote{If we could assume our servers can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
511 |
never be broken into, then storing passwords in plain text
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
512 |
would be no problem. The point, however, is that servers are
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
513 |
never absolutely secure.} The hacker has then a list of user names and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
514 |
associated hash-values, like
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
515 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
516 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
517 |
\pcode{urbanc:2aae6c35c94fcfb415dbe95f408b9ce91ee846ed}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
518 |
\end{center}
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
519 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
520 |
\noindent For a beginner-level hacker this information is of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
521 |
no use. It would not work to type in the hash value instead of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
522 |
the password, because it will go through the hashing function
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
523 |
again and then the resulting two hash-values will not match.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
524 |
One attack a hacker can try, however, is called a \emph{brute
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
525 |
force attack}. Essentially this means trying out exhaustively
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
526 |
all strings
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
527 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
528 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
529 |
\pcode{a},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
530 |
\pcode{aa},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
531 |
\pcode{...},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
532 |
\pcode{ba},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
533 |
\pcode{...},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
534 |
\pcode{zzz},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
535 |
\pcode{...}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
536 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
537 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
538 |
\noindent and so on, hash them and check whether they match
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
539 |
with the hash-values in the database. Such brute force attacks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
540 |
are surprisingly effective. With modern technology (usually
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
541 |
GPU graphic cards), passwords of moderate length only need
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
542 |
seconds or hours to be cracked. Well, the only defence we have
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
543 |
against such brute force attacks is to make passwords longer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
544 |
and force users to use the whole spectrum of letters and keys
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
545 |
for passwords. The hope is that this makes the search space
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
546 |
too big for an effective brute force attack.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
547 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
548 |
Unfortunately, clever hackers have another ace up their
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
549 |
sleeves. These are called \emph{dictionary attacks}. The idea
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
550 |
behind dictionary attack is the observation that only few
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
551 |
people are competent enough to use sufficiently strong
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
552 |
passwords. Most users (at least too many) use passwords like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
553 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
554 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
555 |
\pcode{123456},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
556 |
\pcode{password},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
557 |
\pcode{qwerty},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
558 |
\pcode{letmein},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
559 |
\pcode{...}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
560 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
561 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
562 |
\noindent So an attacker just needs to compile a list as large
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
563 |
as possible of such likely candidates of passwords and also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
564 |
compute their hash-values. The difference between a brute
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
565 |
force attack, where maybe $2^{80}$ many strings need to be
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
566 |
considered, is that a dictionary attack might get away with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
567 |
checking only 10 Million words (remember the language English
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
568 |
``only'' contains 600,000 words). This is a drastic
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
569 |
simplification for attackers. Now, if the attacker knows the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
570 |
hash-value of a password is
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
571 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
572 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
573 |
\pcode{5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
574 |
\end{center}
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
575 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
576 |
\noindent then just a lookup in the dictionary will reveal
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
577 |
that the plain-text password was \pcode{password}. What is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
578 |
good about this attack is that the dictionary can be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
579 |
precompiled in the ``comfort of the hacker's home'' before an
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
580 |
actual attack is launched. It just needs sufficient storage
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
581 |
space, which nowadays is pretty cheap. A hacker might in this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
582 |
way not be able to crack all passwords in our database, but
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
583 |
even being able to crack 50\% can be serious damage for a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
584 |
large company (because then you have to think about how to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
585 |
make users to change their old passwords---a major hassle).
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
586 |
And hackers are very industrious in compiling these
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
587 |
dictionaries: for example they definitely include variations
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
588 |
like \pcode{passw0rd} and also include rules that cover cases
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
589 |
like \pcode{passwordpassword} or \pcode{drowssap} (password
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
590 |
reversed).\footnote{Some entertaining rules for creating
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
591 |
effective dictionaries are described in the book ``Applied
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
592 |
Cryptography'' by Bruce Schneier (in case you can find it in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
593 |
the library), and also in the original research literature
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
594 |
which can be accessed for free from
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
595 |
\url{http://www.klein.com/dvk/publications/passwd.pdf}.}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
596 |
Historically, compiling a list for a dictionary attack is not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
597 |
as simple as it might seem. At the beginning only ``real''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
598 |
dictionaries were available (like the Oxford English
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
599 |
Dictionary), but such dictionaries are not optimised for the
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
600 |
purpose of cracking passwords. The first real hard data about
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
601 |
actually used passwords was obtained when a company called
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
602 |
RockYou ``lost'' at the end of 2009 32 Million plain-text
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
603 |
passwords. With this data of real-life passwords, dictionary
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
604 |
attacks took off. Compiling such dictionaries is nowadays very
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
605 |
easy with the help of off-the-shelf tools.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
606 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
607 |
These dictionary attacks can be prevented by using salts.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
608 |
Remember a hacker needs to use the most likely candidates
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
609 |
of passwords and calculate their hash-value. If we add before
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
610 |
hashing a password a random salt, like \pcode{mPX2aq},
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
611 |
then the string \pcode{passwordmPX2aq} will almost certainly
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
612 |
not be in the dictionary. Like in the web-application in the
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
613 |
previous section, a salt does not prevent us from verifying a
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
614 |
password. We just need to add the salt whenever the password
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
615 |
is typed in again.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
616 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
617 |
There is a question whether we should use a single random salt
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
618 |
for every password in our database. A single salt would
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
619 |
already make dictionary attacks considerably more difficult.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
620 |
It turns out, however, that in case of password databases
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
621 |
every password should get their own salt. This salt is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
622 |
generated at the time when the password is first set.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
623 |
If you look at a Unix password file you will find entries like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
624 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
625 |
\begin{center}
|
288
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
626 |
\pcode{urbanc:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xFn3mskfdnEn...$...}
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
627 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
628 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
629 |
\noindent where the first part is the login-name, followed by
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
630 |
a field \pcode{$6$} which specifies which hash-function is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
631 |
used. After that follows the salt \pcode{3WWbKfr1} and after
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
632 |
that the hash-value that is stored for the password (which
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
633 |
includes the salt). I leave it to you to figure out how the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
634 |
password verification would need to work based on this data.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
635 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
636 |
There is a non-obvious benefit of using a separate salt for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
637 |
each password. Recall that \pcode{123456} is a popular
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
638 |
password that is most likely used by several of your users
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
639 |
(especially if the database contains millions of entries). If
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
640 |
we use no salt or one global salt, all hash-values will be the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
641 |
same for this password. So if a hacker is in the business of
|
186
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
642 |
cracking as many passwords as possible, then it is a good idea
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
643 |
to concentrate on those very popular passwords. This is not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
644 |
possible if each password gets its own salt: since we assume
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
645 |
the salt is generated randomly, each version of \pcode{123456}
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
646 |
will be associated with a different hash-value. This will
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
647 |
make the life harder for an attacker.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
648 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
649 |
Note another interesting point. The web-application from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
650 |
previous section was only secure when the salt was secret. In
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
651 |
the password case, this is not needed. The salt can be public
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
652 |
as shown above in the Unix password file where it is actually
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
653 |
stored as part of the password entry. Knowing the salt does
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
654 |
not give the attacker any advantage, but prevents that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
655 |
dictionaries can be precompiled. While salts do not solve
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
656 |
every problem, they help with protecting against dictionary
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
657 |
attacks on password files. It protects people who have the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
658 |
same passwords on multiple machines. But it does not protect
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
659 |
against a focused attack against a single password and also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
660 |
does not make poorly chosen passwords any better. Still the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
661 |
moral is that you should never store passwords in plain text.
|
262
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
662 |
Never ever.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
663 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
664 |
\subsubsection*{Further Reading}
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
665 |
|
379
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
666 |
A readable article by Bruce Schneier on ``How Security Companies Sucker Us with
|
312
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
667 |
Lemons''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
668 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
669 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
670 |
\url{http://archive.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
671 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
672 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
673 |
\noindent
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
674 |
A recent research paper about surveillance using cookies is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
675 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
676 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
677 |
\url{http://randomwalker.info/publications/cookie-surveillance-v2.pdf}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
678 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
679 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
680 |
\noindent
|
291
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
681 |
A slightly different point of view about the economies of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
682 |
password cracking:
|
288
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
683 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
684 |
\begin{center}
|
325
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
685 |
\url{http://xkcd.com/538/}
|
288
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
686 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
687 |
|
365
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
688 |
\noindent If you want to know more about passwords, the book
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
689 |
by Bruce Schneier about Applied Cryptography is recommendable,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
690 |
though quite expensive. There is also another expensive book
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
691 |
about penetration testing, but the readable chapter about
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
692 |
password attacks (Chapter 9) is free:
|
262
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
693 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
694 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
695 |
\url{http://www.nostarch.com/pentesting}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
696 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
697 |
|
379
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
698 |
\noindent Even the government recently handed out some
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
699 |
advice about passwords
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
700 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
701 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
702 |
\url{http://goo.gl/dIzqMg}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
703 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
704 |
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
705 |
\noindent Here is an interesting blog-post about how a group
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
706 |
``cracked'' efficiently millions of bcrypt passwords from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
707 |
Ashley Madison leak.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
708 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
709 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
710 |
\url{http://goo.gl/83Ho0N}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
711 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
712 |
|
459
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
713 |
\noindent Or the passwords from eHarmony
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
714 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
715 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
716 |
\url{https://goo.gl/W63Xhw}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
717 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
718 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
719 |
\noindent The attack used dictionaries with up to 15 Billion
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
720 |
entries.\footnote{Compare this with the full brute-force space
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
721 |
of $62^8$} If eHarmony had properly salted their passwords,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
722 |
the attack would have taken 31 years.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
723 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
724 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
725 |
Clearly, passwords are a technology that comes to
|
262
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
726 |
the end of its usefulness, because brute force attacks become
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
727 |
more and more powerful and it is unlikely that humans get any
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
728 |
better in remembering (securely) longer and longer passwords.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
729 |
The big question is which technology can replace
|
288
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
730 |
passwords\ldots
|
358
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
731 |
\medskip
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
732 |
|
288
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
733 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
734 |
\end{document}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
735 |
|
370
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
736 |
%%% fingerprints vs. passwords (what is better)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
737 |
https://www.youtube.com/watch?v=VVxL9ymiyAU&feature=youtu.be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
738 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
739 |
%%% cookies
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
740 |
http://randomwalker.info/publications/cookie-surveillance-v2.pdf
|
288
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
741 |
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
742 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
743 |
%%% Local Variables:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
744 |
%%% mode: latex
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
745 |
%%% TeX-master: t
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
746 |
%%% End:
|