174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
1 |
\documentclass{article}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
2 |
\usepackage{../style}
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
3 |
\usepackage{../langs}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
4 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
5 |
\lstset{language=JavaScript}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
6 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
7 |
\begin{document}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
8 |
|
167
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
9 |
\section*{Handout 1 (Security Engineering)}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
10 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
11 |
Much of the material and inspiration in this module is taken
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
12 |
from the works of Bruce Schneier, Ross Anderson and Alex
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
13 |
Halderman. I think they are the world experts in the area of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
14 |
security engineering. I especially like that they argue that a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
15 |
security engineer requires a certain \emph{security mindset}.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
16 |
Bruce Schneier for example writes:
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
17 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
18 |
\begin{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
19 |
\it ``Security engineers --- at least the good ones --- see
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
20 |
the world differently. They can't walk into a store without
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
21 |
noticing how they might shoplift. They can't use a computer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
22 |
without wondering about the security vulnerabilities. They
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
23 |
can't vote without trying to figure out how to vote twice.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
24 |
They just can't help it.''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
25 |
\end{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
26 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
27 |
\begin{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
28 |
\it ``Security engineering\ldots requires you to think
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
29 |
differently. You need to figure out not how something works,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
30 |
but how something can be made to not work. You have to imagine
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
31 |
an intelligent and malicious adversary inside your system
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
32 |
\ldots, constantly trying new ways to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
33 |
subvert it. You have to consider all the ways your system can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
34 |
fail, most of them having nothing to do with the design
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
35 |
itself. You have to look at everything backwards, upside down,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
36 |
and sideways. You have to think like an alien.''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
37 |
\end{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
38 |
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
39 |
\noindent In this module I like to teach you this security
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
40 |
mindset. This might be a mindset that you think is very
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
41 |
foreign to you---after all we are all good citizens and not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
42 |
hack into things. I beg to differ: You have this mindset
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
43 |
already when in school you were thinking, at least
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
44 |
hypothetically, about ways in which you can cheat in an exam
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
45 |
(whether it is by hiding notes or by looking over the
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
46 |
shoulders of your fellow pupils). Right? To defend a system,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
47 |
you need to have this kind mindset and be able to think like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
48 |
an attacker. This will include understanding techniques that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
49 |
can be used to compromise security and privacy in systems.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
50 |
This will many times result in insights where well-intended
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
51 |
security mechanisms made a system actually less
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
52 |
secure.\medskip
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
53 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
54 |
\noindent
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
55 |
{\Large\bf Warning!} However, don’t be evil! Using those
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
56 |
techniques in the real world may violate the law or King’s
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
57 |
rules, and it may be unethical. Under some circumstances, even
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
58 |
probing for weaknesses of a system may result in severe
|
160
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
59 |
penalties, up to and including expulsion, fines and
|
159
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
60 |
jail time. Acting lawfully and ethically is your
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
61 |
responsibility. Ethics requires you to refrain from doing
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
62 |
harm. Always respect privacy and rights of others. Do not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
63 |
tamper with any of King's systems. If you try out a technique,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
64 |
always make doubly sure you are working in a safe environment
|
160
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
65 |
so that you cannot cause any harm, not even accidentally.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
66 |
Don't be evil. Be an ethical hacker.\medskip
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
67 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
68 |
\noindent In this lecture I want to make you familiar with the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
69 |
security mindset and dispel the myth that encryption is the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
70 |
answer to all security problems (it is certainly often a part
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
71 |
of an answer, but almost always never a sufficient one). This
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
72 |
is actually an important thread going through the whole
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
73 |
course: We will assume that encryption works perfectly, but
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
74 |
still attack ``things''. By ``works perfectly'' we mean that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
75 |
we will assume encryption is a black box and, for example,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
76 |
will not look at the underlying mathematics and break the
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
77 |
algorithms.\footnote{Though fascinating this might be.}
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
78 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
79 |
For a secure system, it seems, four requirements need to come
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
80 |
together: First a security policy (what is supposed to be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
81 |
achieved?); second a mechanism (cipher, access controls,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
82 |
tamper resistance etc); third the assurance we obtain from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
83 |
mechanism (the amount of reliance we can put on the mechanism)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
84 |
and finally the incentives (the motive that the people
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
85 |
guarding and maintaining the system have to do their job
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
86 |
properly, and also the motive that the attackers have to try
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
87 |
to defeat your policy). The last point is often overlooked,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
88 |
but plays an important role. To illustrate this lets look at
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
89 |
an example.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
90 |
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
91 |
\subsubsection*{Chip-and-PIN is Surely More Secure?}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
92 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
93 |
The questions is whether the Chip-and-PIN system used with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
94 |
modern credit cards is more secure than the older method of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
95 |
signing receipts at the till. On first glance the answer seems
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
96 |
obvious: Chip-and-PIN must be more secure and indeed improved
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
97 |
security was the central plank in the ``marketing speak'' of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
98 |
the banks behind Chip-and-PIN. The earlier system was based on
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
99 |
a magnetic stripe or a mechanical imprint on the cards and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
100 |
required customers to sign receipts at the till whenever they
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
101 |
bought something. This signature authorised the transactions.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
102 |
Although in use for a long time, this system had some crucial
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
103 |
security flaws, including making clones of credit cards and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
104 |
forging signatures.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
105 |
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
106 |
Chip-and-PIN, as the name suggests, relies on data being
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
107 |
stored on a chip on the card and a PIN number for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
108 |
authorisation. Even though the banks involved trumpeted their
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
109 |
system as being absolutely secure and indeed fraud rates
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
110 |
initially went down, security researchers were not convinced
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
111 |
(especially not the group around Ross Anderson). To begin with,
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
112 |
the Chip-and-PIN system introduced a ``new player'' into the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
113 |
system that needed to be trusted: the PIN terminals and their
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
114 |
manufacturers. It was claimed that these terminals were
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
115 |
tamper-resistant, but needless to say this was a weak link in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
116 |
the system, which criminals successfully attacked. Some
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
117 |
terminals were even so skilfully manipulated that they
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
118 |
transmitted skimmed PIN numbers via built-in mobile phone
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
119 |
connections. To mitigate this flaw in the security of
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
120 |
Chip-and-PIN, you need to be able to vet quite closely the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
121 |
supply chain of such terminals. This is something that is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
122 |
mostly beyond the control of customers who need to use these
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
123 |
terminals.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
124 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
125 |
To make matters worse for Chip-and-PIN, around 2009 Ross
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
126 |
Anderson and his group were able to perform man-in-the-middle
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
127 |
attacks against Chip-and-PIN. Essentially they made the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
128 |
terminal think the correct PIN was entered and the card think
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
129 |
that a signature was used. This is a kind of \emph{protocol
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
130 |
failure}. After discovery, the flaw was mitigated by requiring
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
131 |
that a link between the card and the bank is established at
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
132 |
every time the card is used. Even later this group found
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
133 |
another problem with Chip-and-PIN and ATMs which did not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
134 |
generate random enough numbers (nonces) on which the security
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
135 |
of the underlying protocols relies.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
136 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
137 |
The problem with all this is that the banks who introduced
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
138 |
Chip-and-PIN managed with the new system to shift the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
139 |
liability for any fraud and the burden of proof onto the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
140 |
customer. In the old system, the banks had to prove that the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
141 |
customer used the card, which they often did not bother with.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
142 |
In effect, if fraud occurred the customers were either refunded
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
143 |
fully or lost only a small amount of money. This
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
144 |
taking-responsibility-of-potential-fraud was part of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
145 |
``business plan'' of the banks and did not reduce their
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
146 |
profits too much.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
147 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
148 |
Since banks managed to successfully claim that their
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
149 |
Chip-and-PIN system is secure, they were under the new system
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
150 |
able to point the finger at the customer when fraud occurred:
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
151 |
customers must have been negligent losing their PIN and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
152 |
customers had almost no way of defending themselves in such
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
153 |
situations. That is why the work of \emph{ethical} hackers
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
154 |
like Ross Anderson's group was so important, because they and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
155 |
others established that the banks' claim that their system is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
156 |
secure and it must have been the customer's fault, was bogus.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
157 |
In 2009 the law changed and the burden of proof went back to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
158 |
the banks. They need to prove whether it was really the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
159 |
customer who used a card or not.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
160 |
|
177
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
161 |
This is a classic example where a security design principle
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
162 |
was violated: Namely, the one who is in the position to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
163 |
improve security, also needs to bear the financial losses if
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
164 |
things go wrong. Otherwise, you end up with an insecure
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
165 |
system. In case of the Chip-and-PIN system, no good security
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
166 |
engineer would dare to claim that it is secure beyond
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
167 |
reproach: the specification of the EMV protocol (underlying
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
168 |
Chip-and-PIN) is some 700 pages long, but still leaves out
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
169 |
many things (like how to implement a good random number
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
170 |
generator). No human being is able to scrutinise such a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
171 |
specification and ensure it contains no flaws. Moreover, banks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
172 |
can add their own sub-protocols to EMV. With all the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
173 |
experience we already have, it is as clear as day that
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
174 |
criminals were bound to eventually be able to poke holes into
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
175 |
it and measures need to be taken to address them. However,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
176 |
with how the system was set up, the banks had no real
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
177 |
incentive to come up with a system that is really secure.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
178 |
Getting the incentives right in favour of security is often a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
179 |
tricky business. From a customer point of view, the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
180 |
Chip-and-PIN system was much less secure than the old
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
181 |
signature-based method. The customer could now lose
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
182 |
significant amounts of money.
|
173
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
183 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
184 |
\subsection*{Of Cookies and Salts}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
185 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
186 |
Let us look at another example which will help with
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
187 |
understanding how passwords should be verified and stored.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
188 |
Imagine you need to develop a web-application that has the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
189 |
feature of recording how many times a customer visits a page.
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
190 |
For example in order to give a discount whenever the customer
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
191 |
has visited a webpage some $x$ number of times (say $x$ equal
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
192 |
$5$). There is one more constraint: we want to store the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
193 |
information about the number of visits as a cookie on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
194 |
browser. I think, for a number of years the webpage of the New
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
195 |
York Times operated in this way: it allowed you to read ten
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
196 |
articles per month for free; if you wanted to read more, you
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
197 |
had to pay. My best guess is that it used cookies for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
198 |
recording how many times their pages was visited, because if I
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
199 |
switched browsers I could easily circumvent the restriction
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
200 |
about ten articles.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
201 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
202 |
To implement our web-application it is good to look under the
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
203 |
hood what happens when a webpage is displayed in a browser. A
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
204 |
typical web-application works as follows: The browser sends a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
205 |
GET request for a particular page to a server. The server
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
206 |
answers this request with a webpage in HTML (for our purposes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
207 |
we can ignore the details about HTML). A simple JavaScript
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
208 |
program that realises a server answering with a ``hello
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
209 |
world'' webpage is as follows:
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
210 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
211 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
212 |
\lstinputlisting{../progs/ap0.js}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
213 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
214 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
215 |
\noindent The interesting lines are 4 to 7 where the answer to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
216 |
the GET request is generated\ldots in this case it is just a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
217 |
simple string. This program is run on the server and will be
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
218 |
executed whenever a browser initiates such a GET request. You
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
219 |
can run this program on your computer and then direct a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
220 |
browser to the address \pcode{localhost:8000} in order to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
221 |
simulate a request over the internet.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
222 |
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
223 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
224 |
For our web-application of interest is the feature that the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
225 |
server when answering the request can store some information
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
226 |
on the client's side. This information is called a
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
227 |
\emph{cookie}. The next time the browser makes another GET
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
228 |
request to the same webpage, this cookie can be read again by
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
229 |
the server. We can use cookies in order to store a counter
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
230 |
that records the number of times our webpage has been visited.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
231 |
This can be realised with the following small program
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
232 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
233 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
234 |
\lstinputlisting{../progs/ap2.js}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
235 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
236 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
237 |
\noindent The overall structure of this program is the same as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
238 |
the earlier one: Lines 7 to 17 generate the answer to a
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
239 |
GET-request. The new part is in Line 8 where we read the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
240 |
cookie called \pcode{counter}. If present, this cookie will be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
241 |
send together with the GET-request from the client. The value
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
242 |
of this counter will come in form of a string, therefore we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
243 |
use the function \pcode{parseInt} in order to transform it
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
244 |
into an integer. In case the cookie is not present, we default
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
245 |
the counter to zero. The odd looking construction \code{...||
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
246 |
0} is realising this defaulting in JavaScript. In Line 9 we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
247 |
increase the counter by one and store it back to the client
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
248 |
(under the name \pcode{counter}, since potentially more than
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
249 |
one value could be stored). In Lines 10 to 15 we test whether
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
250 |
this counter is greater or equal than 5 and send accordingly a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
251 |
specially grafted message back to the client.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
252 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
253 |
Let us step back and analyse this program from a security
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
254 |
point of view. We store a counter in plain text on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
255 |
client's browser (which is not under our control). Depending
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
256 |
on this value we want to unlock a resource (like a discount)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
257 |
when it reaches a threshold. If the client deletes the cookie,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
258 |
then the counter will just be reset to zero. This does not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
259 |
bother us, because the purported discount will just not be
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
260 |
granted. In this way we do not lose any (hypothetical) money.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
261 |
What we need to be concerned about is, however, when a client
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
262 |
artificially increases this counter without having visited our
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
263 |
web-page. This is actually a trivial task for a knowledgeable
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
264 |
person, since there are convenient tools that allow one to set
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
265 |
a cookie to an arbitrary value, for example above our
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
266 |
threshold for the discount.
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
267 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
268 |
There seems to be no simple way to prevent this kind of
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
269 |
tampering with cookies, because the whole purpose of cookies
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
270 |
is that they are stored on the client's side, which from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
271 |
the server's perspective is a potentially hostile environment.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
272 |
What we need to ensure is the integrity of this counter in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
273 |
this hostile environment. We could think of encrypting the
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
274 |
counter. But this has two drawbacks to do with the keys for
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
275 |
encryption. If you use a single, global key for all the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
276 |
clients that visit our site, then we risk that our whole
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
277 |
``business'' might collapse in the event this key gets known
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
278 |
to the outside world. Then all cookies we might have set in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
279 |
the past, can now be decrypted and manipulated. If, on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
280 |
other hand, we use many ``private'' keys for the clients, then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
281 |
we have to solve the problem of having to securely store this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
282 |
key on our server side (obviously we cannot store the key with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
283 |
the client because then the client again has all data to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
284 |
tamper with the counter; and obviously we also cannot encrypt
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
285 |
the key, lest we can solve an impossible chicken-and-egg
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
286 |
problem). So encryption seems to not solve the problem we face
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
287 |
with the integrity of our counter.
|
169
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
288 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
289 |
Fortunately, \emph{hash functions} seem to be more suitable
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
290 |
for our purpose. Like encryption, hash functions scramble data
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
291 |
in such a way that it is easy to calculate the output of a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
292 |
hash function from the input. But it is hard (i.e.~practically
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
293 |
impossible) to calculate the input from knowing the output.
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
294 |
Therefore hash functions are often called \emph{one-way
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
295 |
functions}\ldots you cannot go back from the output to the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
296 |
input (without some tricks, see below). There are several such
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
297 |
hashing function. For example SHA-1 would hash the string
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
298 |
\pcode{"hello world"} to produce the hash-value
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
299 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
300 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
301 |
\pcode{2aae6c35c94fcfb415dbe95f408b9ce91ee846ed}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
302 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
303 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
304 |
\noindent Another handy feature of hash functions is that if
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
305 |
the input changes only a little, the output changes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
306 |
drastically. For example \pcode{"iello world"} produces under
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
307 |
SHA-1 the output
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
308 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
309 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
310 |
\pcode{d2b1402d84e8bcef5ae18f828e43e7065b841ff1}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
311 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
312 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
313 |
\noindent That means it is not predictable what the output
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
314 |
will be from just looking at input that is ``close by''.
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
315 |
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
316 |
We can use hashes in our web-application and store in the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
317 |
cookie the value of the counter in plain text but together
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
318 |
with its hash. We need to store both pieces of data in such a
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
319 |
way that we can extract them again later on. In the code below
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
320 |
I will just separate them using a \pcode{"-"}, for example
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
321 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
322 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
323 |
\pcode{1-356a192b7913b04c54574d18c28d46e6395428ab}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
324 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
325 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
326 |
\noindent for the counter \pcode{1}. If we now read back the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
327 |
cookie when the client visits our webpage, we can extract the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
328 |
counter, hash it again and compare the result to the stored
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
329 |
hash value inside the cookie. If these hashes disagree, then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
330 |
we can deduce that the cookie has been tampered with.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
331 |
Unfortunately, if they agree, we can still not be entirely
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
332 |
sure that not a clever hacker has tampered with the cookie.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
333 |
The reason is that the hacker can see the clear text part of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
334 |
the cookie, say \pcode{3}, and also its hash. It does not take
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
335 |
much trial and error to find out that we used the SHA-1
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
336 |
hashing function and then the hacker can graft a cookie
|
180
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
337 |
accordingly. This is eased by the fact that for SHA-1 many
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
338 |
strings and corresponding hash-values are precalculated. Type,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
339 |
for example, into Google the hash value for \pcode{"hello
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
340 |
world"} and you will actually pretty quickly find that it was
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
341 |
generated by input string \pcode{"hello world"}. Similarly for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
342 |
the hash-value for \pcode{1}. This defeats the purpose of a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
343 |
hashing function and thus would not help us with our
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
344 |
web-applications and later also not with how to store
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
345 |
passwords properly.
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
346 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
347 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
348 |
There is one ingredient missing, which happens to be called
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
349 |
\emph{salts}. Salts are random keys, which are added to the
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
350 |
counter before the hash is calculated. In our case we must
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
351 |
keep the salt secret. As can be see in Figure~\ref{hashsalt},
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
352 |
we need to extract from the cookie the counter value and its
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
353 |
hash (Lines 19 and 20). But before hashing the counter again
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
354 |
(Line 22) we need to add the secret salt. Similarly, when we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
355 |
set the new increased counter, we will need to add the salt
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
356 |
before hashing (this is done in Line 15). Our web-application
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
357 |
will now store cookies like
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
358 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
359 |
\begin{figure}[p]
|
178
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
360 |
\lstinputlisting{../progs/App4.js}
|
176
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
361 |
\caption{\label{hashsalt}}
|
175
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
362 |
\end{figure}
|
169
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
363 |
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
364 |
\begin{center}\tt
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
365 |
\begin{tabular}{l}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
366 |
1 + salt - 8189effef4d4f7411f4153b13ff72546dd682c69\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
367 |
2 + salt - 1528375d5ceb7d71597053e6877cc570067a738f\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
368 |
3 + salt - d646e213d4f87e3971d9dd6d9f435840eb6a1c06\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
369 |
4 + salt - 5b9e85269e4461de0238a6bf463ed3f25778cbba\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
370 |
...\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
371 |
\end{tabular}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
372 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
373 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
374 |
\noindent These hashes allow us to read and set the value of
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
375 |
the counter, and also give us confidence that the counter has
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
376 |
not been tampered with. This of course depends on being able
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
377 |
to keep the salt secret. Once the salt is public, we better
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
378 |
ignore all cookies and start setting them again with a new
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
379 |
salt.
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
380 |
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
381 |
There is an interesting and very subtle point to note with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
382 |
respect to the New York Times' way of checking the number
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
383 |
visits. Essentially they have their `resource' unlocked at the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
384 |
beginning and lock it only when the data in the cookie states
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
385 |
that the allowed free number of visits are up. As said before,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
386 |
this can be easily circumvented by just deleting the cookie or
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
387 |
by switching the browser. This would mean the New York Times
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
388 |
will lose revenue whenever this kind of tampering occurs. The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
389 |
quick fix to require that a cookie must always be present does
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
390 |
not work, because then this newspaper will cut off any new
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
391 |
readers, or anyone who gets a new computer. In contrast, our
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
392 |
web-application has the resource (discount) locked at the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
393 |
beginning and only unlocks it if the cookie data says so. If
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
394 |
the cookie is deleted, well then the resource just does not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
395 |
get unlocked. No mayor harm will result to us. You can see:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
396 |
the same security mechanism behaves rather differently
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
397 |
depending on whether the ``resource'' needs to be locked or
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
398 |
unlocked. Apart from thinking about the difference very
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
399 |
carefully, I do not know of any good ``theory'' that could
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
400 |
help with solving such security intricacies in any other way.
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
401 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
402 |
\subsection*{How to Store Passwords Properly?}
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
403 |
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
404 |
While admittedly quite silly, the simple web-application in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
405 |
the previous section should help with the more important
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
406 |
question of how passwords should be verified and stored. It is
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
407 |
unbelievable that nowadays systems still do this with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
408 |
passwords in plain text. The idea behind such plain-text
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
409 |
passwords is of course that if the user typed in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
410 |
\pcode{foobar} as password, we need to verify whether it
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
411 |
matches with the password that is already stored for this user
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
412 |
in the system. Why not doing this with plain-text passwords?
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
413 |
Unfortunately doing this verification in plain text is really
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
414 |
a bad idea. Alas, evidence suggests it is still a
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
415 |
widespread practice. I leave you to think about why verifying
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
416 |
passwords in plain text is a bad idea.
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
417 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
418 |
Using hash functions, like in our web-application, we can do
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
419 |
better. They allow us to not having to store passwords in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
420 |
plain text for verification whether a password matches or not.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
421 |
We can just hash the password and store the hash-value. And
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
422 |
whenever the user types in a new password, well then we hash
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
423 |
it again and check whether the hash-values agree. Just like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
424 |
in the web-application before.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
425 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
426 |
Lets analyse what happens when a hacker gets hold of such a
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
427 |
hashed password database. That is the scenario we want to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
428 |
defend against.\footnote{If we could assume our servers can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
429 |
never be broken into, then storing passwords in plain text
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
430 |
would be no problem. The point, however, is that servers are
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
431 |
never absolutely secure.} The hacker has then a list of user names and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
432 |
associated hash-values, like
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
433 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
434 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
435 |
\pcode{urbanc:2aae6c35c94fcfb415dbe95f408b9ce91ee846ed}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
436 |
\end{center}
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
437 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
438 |
\noindent For a beginner-level hacker this information is of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
439 |
no use. It would not work to type in the hash value instead of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
440 |
the password, because it will go through the hashing function
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
441 |
again and then the resulting two hash-values will not match.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
442 |
One attack a hacker can try, however, is called a \emph{brute
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
443 |
force attack}. Essentially this means trying out exhaustively
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
444 |
all strings
|
181
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
445 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
446 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
447 |
\pcode{a},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
448 |
\pcode{aa},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
449 |
\pcode{...},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
450 |
\pcode{ba},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
451 |
\pcode{...},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
452 |
\pcode{zzz},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
453 |
\pcode{...}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
454 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
455 |
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
456 |
\noindent and so on, hash them and check whether they match
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
457 |
with the hash-values in the database. Such brute force attacks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
458 |
are surprisingly effective. With modern technology (usually
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
459 |
GPU graphic cards), passwords of moderate length only need
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
460 |
seconds or hours to be cracked. Well, the only defence we have
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
461 |
against such brute force attacks is to make passwords longer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
462 |
and force users to use the whole spectrum of letters and keys
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
463 |
for passwords. The hope is that this makes the search space
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
464 |
too big for an effective brute force attack.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
465 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
466 |
Unfortunately, clever hackers have another ace up their
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
467 |
sleeves. These are called \emph{dictionary attacks}. The idea
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
468 |
behind dictionary attack is the observation that only few
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
469 |
people are competent enough to use sufficiently strong
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
470 |
passwords. Most users (at least too many) use passwords like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
471 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
472 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
473 |
\pcode{123456},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
474 |
\pcode{password},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
475 |
\pcode{qwerty},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
476 |
\pcode{letmein},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
477 |
\pcode{...}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
478 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
479 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
480 |
\noindent So an attacker just needs to compile a list as large
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
481 |
as possible of such likely candidates of passwords and also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
482 |
compute their hash-values. The difference between a brute
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
483 |
force attack, where maybe $2^{80}$ many strings need to be
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
484 |
considered, is that a dictionary attack might get away with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
485 |
checking only 10 Million words (remember the language English
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
486 |
``only'' contains 600,000 words). This is a drastic
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
487 |
simplification for attackers. Now, if the attacker knows the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
488 |
hash-value of a password is
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
489 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
490 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
491 |
\pcode{5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
492 |
\end{center}
|
179
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
493 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
494 |
\noindent then just a lookup in the dictionary will reveal
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
495 |
that the plain-text password was \pcode{password}. What is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
496 |
good about this attack is that the dictionary can be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
497 |
precompiled in the ``comfort of the hacker's home'' before an
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
498 |
actual attack is launched. It just needs sufficient storage
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
499 |
space, which nowadays is pretty cheap. A hacker might in this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
500 |
way not be able to crack all passwords in our database, but
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
501 |
even being able to crack 50\% can be serious damage for a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
502 |
large company (because then you have to think about how to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
503 |
make users to change their old passwords---a major hassle).
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
504 |
And hackers are very industrious in compiling these
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
505 |
dictionaries: for example they definitely include variations
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
506 |
like \pcode{passw0rd} and also include rules that cover cases
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
507 |
like \pcode{passwordpassword} or \pcode{drowssap} (password
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
508 |
reversed).\footnote{Some entertaining rules for creating
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
509 |
effective dictionaries are described in the book ``Applied
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
510 |
Cryptography'' by Bruce Schneier (in case you can find it in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
511 |
the library), and also in the original research literature
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
512 |
which can be accessed for free from
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
513 |
\url{http://www.klein.com/dvk/publications/passwd.pdf}.}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
514 |
Historically, compiling a list for a dictionary attack is not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
515 |
as simple as it might seem. At the beginning only ``real''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
516 |
dictionaries were available (like the Oxford English
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
517 |
Dictionary), but such dictionaries are not optimised for the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
518 |
purpose of cracking passwords. The first real hard data about actually
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
519 |
used passwords was obtained when a company called RockYou
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
520 |
``lost'' 32 Million plain-text passwords. With this data of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
521 |
real-life passwords, dictionary attacks took off. Compiling
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
522 |
such dictionaries is nowadays very easy with the help of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
523 |
off-the-shelf tools.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
524 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
525 |
These dictionary attacks can be prevented by using salts.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
526 |
Remember a hacker needs to use the most likely candidates
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
527 |
of passwords and calculate their hash-value. If we add before
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
528 |
hashing a password a random salt, like \pcode{mPX2aq},
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
529 |
then the string \pcode{passwordmPX2aq} will almost certainly
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
530 |
not be in the dictionary. Like in the web-application in the
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
531 |
previous section, a salt does not prevent us from verifying a
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
532 |
password. We just need to add the salt whenever the password
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
533 |
is typed in again.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
534 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
535 |
There is a question whether we should use a single random salt
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
536 |
for every password in our database. A single salt would
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
537 |
already make dictionary attacks considerably more difficult.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
538 |
It turns out, however, that in case of password databases
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
539 |
every password should get their own salt. This salt is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
540 |
generated at the time when the password is first set.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
541 |
If you look at a Unix password file you will find entries like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
542 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
543 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
544 |
\pcode{urbanc:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xFn3mskfdnEn...:...}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
545 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
546 |
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
547 |
\noindent where the first part is the login-name, followed by
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
548 |
a field \pcode{$6$} which specifies which hash-function is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
549 |
used. After that follows the salt \pcode{3WWbKfr1} and after
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
550 |
that the hash-value that is stored for the password (which
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
551 |
includes the salt). I leave it to you to figure out how the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
552 |
password verification would need to work based on this data.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
553 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
554 |
There is a non-obvious benefit of using a separate salt for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
555 |
each password. Recall that \pcode{123456} is a popular
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
556 |
password that is most likely used by several of your users
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
557 |
(especially if the database contains millions of entries). If
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
558 |
we use no salt or one global salt, all hash-values will be the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
559 |
same for this password. So if a hacker is in the business of
|
186
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
560 |
cracking as many passwords as possible, then it is a good idea
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
561 |
to concentrate on those very popular passwords. This is not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
562 |
possible if each password gets its own salt: since we assume
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
563 |
the salt is generated randomly, each version of \pcode{123456}
|
184
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
564 |
will be associated with a different hash-value. This will
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
565 |
make the life harder for an attacker.
|
182
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
566 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
567 |
Note another interesting point. The web-application from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
568 |
previous section was only secure when the salt was secret. In
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
569 |
the password case, this is not needed. The salt can be public
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
570 |
as shown above in the Unix password file where it is actually
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
571 |
stored as part of the password entry. Knowing the salt does
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
572 |
not give the attacker any advantage, but prevents that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
573 |
dictionaries can be precompiled. While salts do not solve
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
574 |
every problem, they help with protecting against dictionary
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
575 |
attacks on password files. It protects people who have the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
576 |
same passwords on multiple machines. But it does not protect
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
577 |
against a focused attack against a single password and also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
578 |
does not make poorly chosen passwords any better. Still the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
579 |
moral is that you should never store passwords in plain text.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
580 |
Never ever.\medskip
|
174
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
581 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
582 |
\noindent
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
583 |
If you want to know more about passwords I recommend viewing some
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
584 |
youtube videos from the PasswordCon(ference) which takes place each
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
585 |
year. The book by Bruce Schneier about Applied Cryptography is also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
586 |
recommendable, though quite expensive. Clearly, passwords are a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
587 |
technology that comes to the end of its usefulness, because brute
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
588 |
force attacks become more and more powerful and it is unlikely that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
589 |
humans get any better in remembering (securely) longer and longer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
590 |
passwords. The big question is which technology can replace
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
591 |
passwords\ldots
|
158
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
592 |
\end{document}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
593 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
594 |
%%% Local Variables:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
595 |
%%% mode: latex
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
596 |
%%% TeX-master: t
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
597 |
%%% End:
|