47 you need to have this kind mindset and be able to think like |
47 you need to have this kind mindset and be able to think like |
48 an attacker. This will include understanding techniques that |
48 an attacker. This will include understanding techniques that |
49 can be used to compromise security and privacy in systems. |
49 can be used to compromise security and privacy in systems. |
50 This will many times result in insights where well-intended |
50 This will many times result in insights where well-intended |
51 security mechanisms made a system actually less |
51 security mechanisms made a system actually less |
52 secure.\smallskip |
52 secure.\medskip |
53 |
53 |
|
54 \noindent |
54 {\Large\bf Warning!} However, don’t be evil! Using those |
55 {\Large\bf Warning!} However, don’t be evil! Using those |
55 techniques in the real world may violate the law or King’s |
56 techniques in the real world may violate the law or King’s |
56 rules, and it may be unethical. Under some circumstances, even |
57 rules, and it may be unethical. Under some circumstances, even |
57 probing for weaknesses of a system may result in severe |
58 probing for weaknesses of a system may result in severe |
58 penalties, up to and including expulsion, fines and |
59 penalties, up to and including expulsion, fines and |
62 tamper with any of King's systems. If you try out a technique, |
63 tamper with any of King's systems. If you try out a technique, |
63 always make doubly sure you are working in a safe environment |
64 always make doubly sure you are working in a safe environment |
64 so that you cannot cause any harm, not even accidentally. |
65 so that you cannot cause any harm, not even accidentally. |
65 Don't be evil. Be an ethical hacker.\medskip |
66 Don't be evil. Be an ethical hacker.\medskip |
66 |
67 |
67 \noindent |
68 \noindent In this lecture I want to make you familiar with the |
68 In this lecture I want to make you familiar with the security mindset |
69 security mindset and dispel the myth that encryption is the |
69 and dispel the myth that encryption is the answer to all security |
70 answer to all security problems (it is certainly often a part |
70 problems (it is certainly often part of an answer, but almost always |
71 of an answer, but almost always never a sufficient one). This |
71 never a sufficient one). This is actually an important thread going |
72 is actually an important thread going through the whole |
72 through the whole course: We will assume that encryption works |
73 course: We will assume that encryption works perfectly, but |
73 perfectly, but still attack ``things''. By ``works perfectly'' we mean |
74 still attack ``things''. By ``works perfectly'' we mean that |
74 that we will assume encryption is a black box and, for example, will |
75 we will assume encryption is a black box and, for example, |
75 not look at the underlying mathematics and break the |
76 will not look at the underlying mathematics and break the |
76 algorithms.\footnote{Though fascinating this might be.} |
77 algorithms.\footnote{Though fascinating this might be.} |
77 |
78 |
78 For a secure system, it seems, four requirements need to come |
79 For a secure system, it seems, four requirements need to come |
79 together: First a security policy (what is supposed to be |
80 together: First a security policy (what is supposed to be |
80 achieved?); second a mechanism (cipher, access controls, |
81 achieved?); second a mechanism (cipher, access controls, |
106 stored on a chip on the card and a PIN number for |
107 stored on a chip on the card and a PIN number for |
107 authorisation. Even though the banks involved trumpeted their |
108 authorisation. Even though the banks involved trumpeted their |
108 system as being absolutely secure and indeed fraud rates |
109 system as being absolutely secure and indeed fraud rates |
109 initially went down, security researchers were not convinced |
110 initially went down, security researchers were not convinced |
110 (especially the group around Ross Anderson). To begin with, |
111 (especially the group around Ross Anderson). To begin with, |
111 the Chip-and-PIN system introduced a ``new player'' that |
112 the Chip-and-PIN system introduced a ``new player'' into the |
112 needed to be trusted: the PIN terminals and their |
113 system that needed to be trusted: the PIN terminals and their |
113 manufacturers. It was claimed that these terminals were |
114 manufacturers. It was claimed that these terminals were |
114 tamper-resistant, but needless to say this was a weak link in |
115 tamper-resistant, but needless to say this was a weak link in |
115 the system, which criminals successfully attacked. Some |
116 the system, which criminals successfully attacked. Some |
116 terminals were even so skilfully manipulated that they |
117 terminals were even so skilfully manipulated that they |
117 transmitted skimmed PIN numbers via built-in mobile phone |
118 transmitted skimmed PIN numbers via built-in mobile phone |
118 connections. To mitigate this flaw in the security of |
119 connections. To mitigate this flaw in the security of |
119 Chip-and-PIN, you need to vet quite closely the supply chain |
120 Chip-and-PIN, you need to be able to vet quite closely the |
120 of such terminals. |
121 supply chain of such terminals. This is something that is |
121 |
122 mostly beyond the control of customers who need to use these |
122 Later on Ross Anderson and his group were able to perform |
123 terminals. |
123 man-in-the-middle attacks against Chip-and-PIN. Essentially |
124 |
124 they made the terminal think the correct PIN was entered and |
125 To make matters worse for Chip-and-PIN, in around 2009 Ross |
125 the card think that a signature was used. This is a kind of |
126 Anderson and his group were able to perform man-in-the-middle |
126 \emph{protocol failure}. After discovery, the flaw was |
127 attacks against Chip-and-PIN. Essentially they made the |
127 mitigated by requiring that a link between the card and the |
128 terminal think the correct PIN was entered and the card think |
128 bank is established at every time the card is used. Even later |
129 that a signature was used. This is a kind of \emph{protocol |
129 this group found another problem with Chip-and-PIN and ATMs |
130 failure}. After discovery, the flaw was mitigated by requiring |
130 which did not generate random enough numbers (nonces) on which |
131 that a link between the card and the bank is established at |
131 the security of the underlying protocols relies. |
132 every time the card is used. Even later this group found |
|
133 another problem with Chip-and-PIN and ATMs which did not |
|
134 generate random enough numbers (nonces) on which the security |
|
135 of the underlying protocols relies. |
132 |
136 |
133 The problem with all this is that the banks who introduced |
137 The problem with all this is that the banks who introduced |
134 Chip-and-PIN managed with the new system to shift the |
138 Chip-and-PIN managed with the new system to shift the |
135 liability for any fraud and the burden of proof onto the |
139 liability for any fraud and the burden of proof onto the |
136 customer. In the old system, the banks had to prove that the |
140 customer. In the old system, the banks had to prove that the |
142 profits too much. |
146 profits too much. |
143 |
147 |
144 Since banks managed to successfully claim that their |
148 Since banks managed to successfully claim that their |
145 Chip-and-PIN system is secure, they were under the new system |
149 Chip-and-PIN system is secure, they were under the new system |
146 able to point the finger at the customer when fraud occurred: |
150 able to point the finger at the customer when fraud occurred: |
147 customers must have been negligent loosing their PIN and they |
151 customers must have been negligent losing their PIN and they |
148 had almost no way of defending themselves in such situations. |
152 had almost no way of defending themselves in such situations. |
149 That is why the work of \emph{ethical} hackers like Ross |
153 That is why the work of \emph{ethical} hackers like Ross |
150 Anderson's group was so important, because they and others |
154 Anderson's group was so important, because they and others |
151 established that the bank's claim that their system is secure |
155 established that the bank's claim that their system is secure |
152 and it must have been the customer's fault, was bogus. In 2009 |
156 and it must have been the customer's fault, was bogus. In 2009 |
153 for example the law changed and the burden of proof went back |
157 the law changed and the burden of proof went back to the |
154 to the banks. They need to prove whether it was really the |
158 banks. They need to prove whether it was really the customer |
155 customer who used a card or not. |
159 who used a card or not. |
156 |
160 |
157 This is a classic example where a security design principle |
161 This is a classic example where a security design principle |
158 was violated: Namely, the one who is in the position to |
162 was violated: Namely, the one who is in the position to |
159 improve security, also needs to bear the financial losses if |
163 improve security, also needs to bear the financial losses if |
160 things go wrong. Otherwise, you end up with an insecure |
164 things go wrong. Otherwise, you end up with an insecure |
161 system. In case of the Chip-and-PIN system, no good security |
165 system. In case of the Chip-and-PIN system, no good security |
162 engineer would dare claim that it is secure beyond reproach: |
166 engineer would dare to claim that it is secure beyond |
163 the specification of the EMV protocol (underlying |
167 reproach: the specification of the EMV protocol (underlying |
164 Chip-and-PIN) is some 700 pages long, but still leaves out |
168 Chip-and-PIN) is some 700 pages long, but still leaves out |
165 many things (like how to implement a good random number |
169 many things (like how to implement a good random number |
166 generator). No human being is able to scrutinise such a |
170 generator). No human being is able to scrutinise such a |
167 specification and ensure it contains no flaws. Moreover, banks |
171 specification and ensure it contains no flaws. Moreover, banks |
168 can add their own sub-protocols to EMV. With all the |
172 can add their own sub-protocols to EMV. With all the |
169 experience we already have, it is as clear as day that |
173 experience we already have, it is as clear as day that |
170 criminals were eventually able to poke holes into it and |
174 criminals were bound to eventually be able to poke holes into |
171 measures need to be taken to address them. However, with how |
175 it and measures need to be taken to address them. However, |
172 the system was set up, the banks had no real incentive to come |
176 with how the system was set up, the banks had no real |
173 up with a system that is really secure. Getting the incentives |
177 incentive to come up with a system that is really secure. |
174 right in favour of security is often a tricky business. From a |
178 Getting the incentives right in favour of security is often a |
175 customer point of view the system was much less secure than |
179 tricky business. From a customer point of view, the |
176 the old signature-based method. |
180 Chip-and-PIN system was much less secure than the old |
|
181 signature-based method. The customer could now lose |
|
182 significant amounts of money. |
177 |
183 |
178 \subsection*{Of Cookies and Salts} |
184 \subsection*{Of Cookies and Salts} |
179 |
185 |
180 Lets look at another example which will help with |
186 Lets look at another example which will help with |
181 understanding how passwords should be verified and stored. |
187 understanding how passwords should be verified and stored. |
308 will be from just looking at input that is ``close by''. |
314 will be from just looking at input that is ``close by''. |
309 |
315 |
310 We can use hashes in our web-application and store in the |
316 We can use hashes in our web-application and store in the |
311 cookie the value of the counter in plain text but together |
317 cookie the value of the counter in plain text but together |
312 with its hash. We need to store both pieces of data in such a |
318 with its hash. We need to store both pieces of data in such a |
313 way that we can extract them again later on (in the code below |
319 way that we can extract them again later on. In the code below |
314 I will just separate them using a \pcode{"-"}). If we now read |
320 I will just separate them using a \pcode{"-"}, for example |
315 back the cookie when the client visits our webpage, we can |
321 |
316 extract the counter, hash it again and compare the result to |
322 \begin{center} |
317 the stored hash value inside the cookie. If these hashes |
323 \pcode{1-356a192b7913b04c54574d18c28d46e6395428ab} |
318 disagree, then we can deduce that the cookie has been tampered |
324 \end{center} |
319 with. Unfortunately, if they agree, we can still not be |
325 |
320 entirely sure that not a clever hacker has tampered with the |
326 \noindent for the counter \pcode{1}. If we now read back the |
321 cookie. The reason is that the hacker can see the clear text |
327 cookie when the client visits our webpage, we can extract the |
322 part of the cookie, say \pcode{3}, and also its hash. It does |
328 counter, hash it again and compare the result to the stored |
323 not take much trial and error to find out that we used the |
329 hash value inside the cookie. If these hashes disagree, then |
324 SHA-1 hashing function and then the hacker can graft a cookie |
330 we can deduce that the cookie has been tampered with. |
|
331 Unfortunately, if they agree, we can still not be entirely |
|
332 sure that not a clever hacker has tampered with the cookie. |
|
333 The reason is that the hacker can see the clear text part of |
|
334 the cookie, say \pcode{3}, and also its hash. It does not take |
|
335 much trial and error to find out that we used the SHA-1 |
|
336 hashing function and then the hacker can graft a cookie |
325 accordingly. This is eased by the fact that for SHA-1 many |
337 accordingly. This is eased by the fact that for SHA-1 many |
326 strings and corresponding hash-values are precalculated. Type, |
338 strings and corresponding hash-values are precalculated. Type, |
327 for example, into Google the hash value for \pcode{"hello |
339 for example, into Google the hash value for \pcode{"hello |
328 world"} and you will actually pretty quickly find that it was |
340 world"} and you will actually pretty quickly find that it was |
329 generated by input string \pcode{"hello world"}. This defeats |
341 generated by input string \pcode{"hello world"}. Similarly for |
330 the purpose of a hashing function and thus would not help us |
342 the hash-value for \pcode{1}. This defeats the purpose of a |
331 with our web-applications and later also not with how to store |
343 hashing function and thus would not help us with our |
|
344 web-applications and later also not with how to store |
332 passwords properly. |
345 passwords properly. |
333 |
346 |
334 |
347 |
335 There is one ingredient missing, which happens to be called |
348 There is one ingredient missing, which happens to be called |
336 \emph{salts}. Salts are random keys, which are added to the |
349 \emph{salts}. Salts are random keys, which are added to the |
337 counter before the hash is calculated. In our case we must |
350 counter before the hash is calculated. In our case we must |
338 keep the salt secret. As can be see in Figure~\ref{hashsalt}, |
351 keep the salt secret. As can be see in Figure~\ref{hashsalt}, |
339 we need to extract from the cookie the counter value and the |
352 we need to extract from the cookie the counter value and its |
340 hash (Lines 19 and 20). But before hashing the counter again |
353 hash (Lines 19 and 20). But before hashing the counter again |
341 (Line 22) we need to add the secret salt. Similarly, when we |
354 (Line 22) we need to add the secret salt. Similarly, when we |
342 set the new increased counter, we will need to add the salt |
355 set the new increased counter, we will need to add the salt |
343 before hashing (this is done in Line 15). Our web-application |
356 before hashing (this is done in Line 15). Our web-application |
344 will now store cookies like |
357 will now store cookies like |
394 unbelievable that nowadays systems still do this with |
407 unbelievable that nowadays systems still do this with |
395 passwords in plain text. The idea behind such plain-text |
408 passwords in plain text. The idea behind such plain-text |
396 passwords is of course that if the user typed in |
409 passwords is of course that if the user typed in |
397 \pcode{foobar} as password, we need to verify whether it |
410 \pcode{foobar} as password, we need to verify whether it |
398 matches with the password that is already stored for this user |
411 matches with the password that is already stored for this user |
399 in the system. But doing this verification in plain text is |
412 in the system. Why not doing this with plain-text passwords? |
400 really a bad idea. Unfortunately, evidence suggests, however, |
413 But doing this verification in plain text is really a bad |
401 it is still a widespread practice. I leave you to think about |
414 idea. Unfortunately, evidence suggests it is still a |
402 why verifying passwords in plain text is a bad idea. |
415 widespread practice. I leave you to think about why verifying |
|
416 passwords in plain text is a bad idea. |
403 |
417 |
404 Using hash functions, like in our web-application, we can do |
418 Using hash functions, like in our web-application, we can do |
405 better. They allow us to not having to store passwords in |
419 better. They allow us to not having to store passwords in |
406 plain text for verification whether a password matches or not. |
420 plain text for verification whether a password matches or not. |
407 We can just hash the password and store the hash-value. And |
421 We can just hash the password and store the hash-value. And |
408 whenever the user types in a new password, well then we hash |
422 whenever the user types in a new password, well then we hash |
409 it again and check whether the hash-values agree. Just like |
423 it again and check whether the hash-values agree. Just like |
410 in the web-application before. |
424 in the web-application before. |
411 |
425 |
412 Lets analyse what happens when a hacker gets hold of such a |
426 Lets analyse what happens when a hacker gets hold of such a |
413 hashed password database. The hacker has then a list of user |
427 hashed password database. That is the scenario we want to |
414 names and associated hash-values, like |
428 defend against.\footnote{If we could assume our servers can |
|
429 never be broken into, then storing passwords in plain text |
|
430 would be no problem. The point, however, is that servers are |
|
431 never absolutely secure.} The hacker has then a list of user names and |
|
432 associated hash-values, like |
415 |
433 |
416 \begin{center} |
434 \begin{center} |
417 \pcode{urbanc:2aae6c35c94fcfb415dbe95f408b9ce91ee846ed} |
435 \pcode{urbanc:2aae6c35c94fcfb415dbe95f408b9ce91ee846ed} |
418 \end{center} |
436 \end{center} |
419 |
437 |
436 \end{center} |
454 \end{center} |
437 |
455 |
438 \noindent and so on, hash them and check whether they match |
456 \noindent and so on, hash them and check whether they match |
439 with the hash-values in the database. Such brute force attacks |
457 with the hash-values in the database. Such brute force attacks |
440 are surprisingly effective. With modern technology (usually |
458 are surprisingly effective. With modern technology (usually |
441 GPU graphic cards), passwords of moderate length only needs |
459 GPU graphic cards), passwords of moderate length only need |
442 seconds or hours to be cracked. Well the only defence we have |
460 seconds or hours to be cracked. Well, the only defence we have |
443 is to make passwords longer and force users to use the whole |
461 against such brute force attacks is to make passwords longer |
444 spectrum of letters and keys for passwords in order to make |
462 and force users to use the whole spectrum of letters and keys |
445 the search space to big for an effective brute force attack. |
463 for passwords. The hope is that this makes the search space |
|
464 too big for an effective brute force attack. |
446 |
465 |
447 Unfortunately, clever hackers have another ace up their |
466 Unfortunately, clever hackers have another ace up their |
448 sleeves. These are called \emph{dictionary attacks}. The idea |
467 sleeves. These are called \emph{dictionary attacks}. The idea |
449 behind dictionary attack is the observation that only few |
468 behind dictionary attack is the observation that only few |
450 people are competent enough to use sufficiently strong |
469 people are competent enough to use sufficiently strong |
473 precompiled in the ``comfort of the hacker's home'' before an |
497 precompiled in the ``comfort of the hacker's home'' before an |
474 actual attack is launched. It just needs sufficient storage |
498 actual attack is launched. It just needs sufficient storage |
475 space, which nowadays is pretty cheap. A hacker might in this |
499 space, which nowadays is pretty cheap. A hacker might in this |
476 way not be able to crack all passwords in our database, but |
500 way not be able to crack all passwords in our database, but |
477 even being able to crack 50\% can be serious damage for a |
501 even being able to crack 50\% can be serious damage for a |
478 large company (because then you have to think how to make |
502 large company (because then you have to think about how to |
479 users to change their old passwords). And hackers are very |
503 make users to change their old passwords---a major hassle). |
480 industrious in compiling these dictionaries: for example they |
504 And hackers are very industrious in compiling these |
481 definitely include variations like \pcode{passw0rd} and also |
505 dictionaries: for example they definitely include variations |
482 includes rules that cover cases like \pcode{passwordpassword} |
506 like \pcode{passw0rd} and also include rules that cover cases |
483 or \pcode{drowssap} (password reversed). Historically, |
507 like \pcode{passwordpassword} or \pcode{drowssap} (password |
484 compiling a list for a dictionary attack is not as simple as |
508 reversed). Historically, compiling a list for a dictionary |
485 it might seem. At the beginning only ``real'' dictionaries |
509 attack is not as simple as it might seem. At the beginning |
486 were available (like the Oxford English Dictionary), but such |
510 only ``real'' dictionaries were available (like the Oxford |
487 dictionaries are not ``optimised'' for the purpose of passwords. |
511 English Dictionary), but such dictionaries are not |
488 The first real hard date was obtained when a company called |
512 ``optimised'' for the purpose of passwords. The first real |
489 RockYou ``lost'' 32 Million plain-text password. With this |
513 hard data about actually used passwords was obtained when a |
490 data of real-life passwords, dictionary attacks took off. |
514 company called RockYou ``lost'' 32 Million plain-text |
|
515 passwords. With this data of real-life passwords, dictionary |
|
516 attacks took off. Compiling such dictionaries is nowadays very |
|
517 easy with the help of off-the-shelf tools. |
491 |
518 |
492 These dictionary attacks can be prevented by using salts. |
519 These dictionary attacks can be prevented by using salts. |
493 Remember a hacker needs to use the most likely candidates |
520 Remember a hacker needs to use the most likely candidates |
494 of passwords and calculate their has-value. If we add before |
521 of passwords and calculate their hash-value. If we add before |
495 hashing a password with a random salt, like \pcode{mPX2aq}, |
522 hashing a password a random salt, like \pcode{mPX2aq}, |
496 then the string \pcode{passwordmPX2aq} will almost certainly |
523 then the string \pcode{passwordmPX2aq} will almost certainly |
497 not be in the dictionary. Like in the web-application in the |
524 not be in the dictionary. Like in the web-application in the |
498 previous section a salt does not prevent us from verifying a |
525 previous section, a salt does not prevent us from verifying a |
499 password. We just need to add the salt whenever the password |
526 password. We just need to add the salt whenever the password |
500 is typed in again. |
527 is typed in again. |
501 |
528 |
502 There is a question whether we should us a single random salt |
529 There is a question whether we should use a single random salt |
503 for every password in our database. A single salt would |
530 for every password in our database. A single salt would |
504 already make dictionary attacks considerably more difficult. |
531 already make dictionary attacks considerably more difficult. |
505 It turns out, however, that in case of password databases |
532 It turns out, however, that in case of password databases |
506 every password should get their own salt. This salt is |
533 every password should get their own salt. This salt is |
507 generated at the time when the password is first set. |
534 generated at the time when the password is first set. |
509 |
536 |
510 \begin{center} |
537 \begin{center} |
511 \pcode{urbanc:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xFn3mskfdnEn...:...} |
538 \pcode{urbanc:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xFn3mskfdnEn...:...} |
512 \end{center} |
539 \end{center} |
513 |
540 |
514 \noindent where the first part is the login-name, followed |
541 \noindent where the first part is the login-name, followed by |
515 by a field \pcode{$6$} which specifies which hash-function |
542 a field \pcode{$6$} which specifies which hash-function is |
516 is used. After that follows the salt \pcode{3WWbKfr1} and |
543 used. After that follows the salt \pcode{3WWbKfr1} and after |
517 after that the hash-value that is stored for the password plus |
544 that the hash-value that is stored for the password ( which |
518 salt. I leave it to you to figure out how the password |
545 includes the salt). I leave it to you to figure out how the |
519 verification would need to work based on this data. |
546 password verification would need to work based on this data. |
520 |
547 |
521 There is a non-obvious benefit of using a separate salt for |
548 There is a non-obvious benefit of using a separate salt for |
522 each password. Recall that \pcode{123456} is a popular |
549 each password. Recall that \pcode{123456} is a popular |
523 password that is most likely used by several of your users |
550 password that is most likely used by several of your users |
524 (especially if the database contains millions of entries). If |
551 (especially if the database contains millions of entries). If |
526 same for this password. So if a hacker is in the business of |
553 same for this password. So if a hacker is in the business of |
527 cracking as much passwords as possible, then it is a good idea |
554 cracking as much passwords as possible, then it is a good idea |
528 to concentrate on those very popular passwords. This is not |
555 to concentrate on those very popular passwords. This is not |
529 possible if each password gets its own salt: since we assume |
556 possible if each password gets its own salt: since we assume |
530 the salt is generated randomly, each version of \pcode{123456} |
557 the salt is generated randomly, each version of \pcode{123456} |
531 will be associated with a different hash-value. |
558 will be associated with a different hash-value. This will |
|
559 make the life harder for an attacker. |
532 |
560 |
533 Note another interesting point. The web-application from the |
561 Note another interesting point. The web-application from the |
534 previous section was only secure when the salt was secret. In |
562 previous section was only secure when the salt was secret. In |
535 the password case, this is not needed. The salt can be public |
563 the password case, this is not needed. The salt can be public |
536 as shown above and is actually stored as part of the password |
564 as shown above in the Unix password file where is actually |
537 entry. Knowing the salt does not give the attacker any |
565 stored as part of the password entry. Knowing the salt does |
538 advantage, but prevents that dictionaries can be precompiled. |
566 not give the attacker any advantage, but prevents that |
539 The moral is that you should never store passwords in plain |
567 dictionaries can be precompiled. The moral is that you should |
540 text. Never ever. |
568 never store passwords in plain text. Never ever. |
541 |
569 |
542 \end{document} |
570 \end{document} |
543 |
571 |
544 %%% Local Variables: |
572 %%% Local Variables: |
545 %%% mode: latex |
573 %%% mode: latex |