40 mindset. This might be a mindset that you think is very |
40 mindset. This might be a mindset that you think is very |
41 foreign to you---after all we are all good citizens and not |
41 foreign to you---after all we are all good citizens and not |
42 hack into things. I beg to differ: You have this mindset |
42 hack into things. I beg to differ: You have this mindset |
43 already when in school you were thinking, at least |
43 already when in school you were thinking, at least |
44 hypothetically, about ways in which you can cheat in an exam |
44 hypothetically, about ways in which you can cheat in an exam |
45 (whether it is about hiding notes or looking over the |
45 (whether it is by hiding notes or by looking over the |
46 shoulders of your fellow pupils). Right? To defend a system, |
46 shoulders of your fellow pupils). Right? To defend a system, |
47 you need to have this kind mindset and be able to think like |
47 you need to have this kind mindset and be able to think like |
48 an attacker. This will include understanding techniques that |
48 an attacker. This will include understanding techniques that |
49 can be used to compromise security and privacy in systems. |
49 can be used to compromise security and privacy in systems. |
50 This will many times result in insights where well-intended |
50 This will many times result in insights where well-intended |
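Review bot: Line 47 still reads "you need to have this kind mindset", which is missing "of"; since this pass already fixes the wording on line 45, change it to "this kind of mindset" in the same commit. The sentence on lines 42-43 ("You have this mindset already when in school you were thinking") would also read more easily as "You already had this mindset when, at school, you were thinking".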
106 Chip-and-PIN, as the name suggests, relies on data being |
106 Chip-and-PIN, as the name suggests, relies on data being |
107 stored on a chip on the card and a PIN number for |
107 stored on a chip on the card and a PIN number for |
108 authorisation. Even though the banks involved trumpeted their |
108 authorisation. Even though the banks involved trumpeted their |
109 system as being absolutely secure and indeed fraud rates |
109 system as being absolutely secure and indeed fraud rates |
110 initially went down, security researchers were not convinced |
110 initially went down, security researchers were not convinced |
111 (especially the group around Ross Anderson). To begin with, |
111 (especially not the group around Ross Anderson). To begin with, |
112 the Chip-and-PIN system introduced a ``new player'' into the |
112 the Chip-and-PIN system introduced a ``new player'' into the |
113 system that needed to be trusted: the PIN terminals and their |
113 system that needed to be trusted: the PIN terminals and their |
114 manufacturers. It was claimed that these terminals were |
114 manufacturers. It was claimed that these terminals were |
115 tamper-resistant, but needless to say this was a weak link in |
115 tamper-resistant, but needless to say this was a weak link in |
116 the system, which criminals successfully attacked. Some |
116 the system, which criminals successfully attacked. Some |
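Review bot: Line 107 keeps "a PIN number", which is redundant because the N in PIN already stands for number; "a PIN" is enough. The added "not" on line 111 makes the sentence say what was intended, so that part is fine as it stands.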
120 Chip-and-PIN, you need to be able to vet quite closely the |
120 Chip-and-PIN, you need to be able to vet quite closely the |
121 supply chain of such terminals. This is something that is |
121 supply chain of such terminals. This is something that is |
122 mostly beyond the control of customers who need to use these |
122 mostly beyond the control of customers who need to use these |
123 terminals. |
123 terminals. |
124 |
124 |
125 To make matters worse for Chip-and-PIN, in around 2009 Ross |
125 To make matters worse for Chip-and-PIN, around 2009 Ross |
126 Anderson and his group were able to perform man-in-the-middle |
126 Anderson and his group were able to perform man-in-the-middle |
127 attacks against Chip-and-PIN. Essentially they made the |
127 attacks against Chip-and-PIN. Essentially they made the |
128 terminal think the correct PIN was entered and the card think |
128 terminal think the correct PIN was entered and the card think |
129 that a signature was used. This is a kind of \emph{protocol |
129 that a signature was used. This is a kind of \emph{protocol |
130 failure}. After discovery, the flaw was mitigated by requiring |
130 failure}. After discovery, the flaw was mitigated by requiring |
146 profits too much. |
146 profits too much. |
147 |
147 |
148 Since banks managed to successfully claim that their |
148 Since banks managed to successfully claim that their |
149 Chip-and-PIN system is secure, they were under the new system |
149 Chip-and-PIN system is secure, they were under the new system |
150 able to point the finger at the customer when fraud occurred: |
150 able to point the finger at the customer when fraud occurred: |
151 customers must have been negligent losing their PIN and they |
151 customers must have been negligent losing their PIN and |
152 had almost no way of defending themselves in such situations. |
152 customers had almost no way of defending themselves in such |
153 That is why the work of \emph{ethical} hackers like Ross |
153 situations. That is why the work of \emph{ethical} hackers |
154 Anderson's group was so important, because they and others |
154 like Ross Anderson's group was so important, because they and |
155 established that the bank's claim that their system is secure |
155 others established that the banks' claim that their system is |
156 and it must have been the customer's fault, was bogus. In 2009 |
156 secure and it must have been the customer's fault, was bogus. |
157 the law changed and the burden of proof went back to the |
157 In 2009 the law changed and the burden of proof went back to |
158 banks. They need to prove whether it was really the customer |
158 the banks. They need to prove whether it was really the |
159 who used a card or not. |
159 customer who used a card or not. |
160 |
160 |
161 This is a classic example where a security design principle |
161 This is a classic example where a security design principle |
162 was violated: Namely, the one who is in the position to |
162 was violated: Namely, the one who is in the position to |
163 improve security, also needs to bear the financial losses if |
163 improve security, also needs to bear the financial losses if |
164 things go wrong. Otherwise, you end up with an insecure |
164 things go wrong. Otherwise, you end up with an insecure |
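Review bot: New line 151 still has "customers must have been negligent losing their PIN", which needs "in" ("negligent in losing their PIN"), and the comma before "was bogus" on new line 156 separates the subject from its verb. Suggest "established that the banks' claim, that their system is secure and it must have been the customer's fault, was bogus" or dropping the comma altogether. Replacing "they" with "customers" on new line 152 removes the ambiguity, but "customers" now appears twice in one sentence; "who had almost no way of defending themselves" would avoid the repetition.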
269 tampering with cookies, because the whole purpose of cookies |
269 tampering with cookies, because the whole purpose of cookies |
270 is that they are stored on the client's side, which from the |
270 is that they are stored on the client's side, which from the |
271 the server's perspective is a potentially hostile environment. |
271 the server's perspective is a potentially hostile environment. |
272 What we need to ensure is the integrity of this counter in |
272 What we need to ensure is the integrity of this counter in |
273 this hostile environment. We could think of encrypting the |
273 this hostile environment. We could think of encrypting the |
274 counter. But this has two drawbacks to do with the key for |
274 counter. But this has two drawbacks to do with the keys for |
275 encryption. If you use a single, global key for all the |
275 encryption. If you use a single, global key for all the |
276 clients that visit our site, then we risk that our whole |
276 clients that visit our site, then we risk that our whole |
277 ``business'' might collapse in the event this key gets known |
277 ``business'' might collapse in the event this key gets known |
278 to the outside world. Then all cookies we might have set in |
278 to the outside world. Then all cookies we might have set in |
279 the past, can now be decrypted and manipulated. If, on the |
279 the past, can now be decrypted and manipulated. If, on the |
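Review bot: The line break between 270 and 271 hides a doubled article ("which from the" followed by "the server's perspective"); delete one "the". On lines 275-276 the sentence also switches person ("If you use a single, global key ... that visit our site, then we risk"); pick either "we" or "you" throughout. The comma after "the past" on line 279 splits subject and verb and can go.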
408 passwords in plain text. The idea behind such plain-text |
408 passwords in plain text. The idea behind such plain-text |
409 passwords is of course that if the user typed in |
409 passwords is of course that if the user typed in |
410 \pcode{foobar} as password, we need to verify whether it |
410 \pcode{foobar} as password, we need to verify whether it |
411 matches with the password that is already stored for this user |
411 matches with the password that is already stored for this user |
412 in the system. Why not doing this with plain-text passwords? |
412 in the system. Why not doing this with plain-text passwords? |
413 But doing this verification in plain text is really a bad |
413 Unfortunately doing this verification in plain text is really |
414 idea. Unfortunately, evidence suggests it is still a |
414 a bad idea. Alas, evidence suggests it is still a |
415 widespread practice. I leave you to think about why verifying |
415 widespread practice. I leave you to think about why verifying |
416 passwords in plain text is a bad idea. |
416 passwords in plain text is a bad idea. |
417 |
417 |
418 Using hash functions, like in our web-application, we can do |
418 Using hash functions, like in our web-application, we can do |
419 better. They allow us to not having to store passwords in |
419 better. They allow us to not having to store passwords in |
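Review bot: Two ungrammatical constructions next to the changed lines are left untouched: "Why not doing this with plain-text passwords?" on line 412 should be "Why not do this with plain-text passwords?", and "They allow us to not having to store passwords" on line 419 should be "They allow us to avoid storing passwords". On new line 413 add a comma after "Unfortunately", matching the "Alas," on new line 414.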
479 |
479 |
480 \noindent So an attacker just needs to compile a list as large |
480 \noindent So an attacker just needs to compile a list as large |
481 as possible of such likely candidates of passwords and also |
481 as possible of such likely candidates of passwords and also |
482 compute their hash-values. The difference between a brute |
482 compute their hash-values. The difference between a brute |
483 force attack, where maybe $2^{80}$ many strings need to be |
483 force attack, where maybe $2^{80}$ many strings need to be |
484 considered, a dictionary attack might get away witch checking |
484 considered, is that a dictionary attack might get away with |
485 only 10 Million (remember the language English ``only'' |
485 checking only 10 Million words (remember the language English |
486 contains 600,000 words). This is a drastic simplification for |
486 ``only'' contains 600,000 words). This is a drastic |
487 attackers. Now if the attacker knows the hash-value of a |
487 simplification for attackers. Now, if the attacker knows the |
488 password is |
488 hash-value of a password is |
489 |
489 |
490 \begin{center} |
490 \begin{center} |
491 \pcode{5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8} |
491 \pcode{5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8} |
492 \end{center} |
492 \end{center} |
493 |
493 |
494 \noindent then just a lookup in the dictionary will reveal that the |
494 \noindent then just a lookup in the dictionary will reveal |
495 plain-text password was \pcode{password}. What is good about this |
495 that the plain-text password was \pcode{password}. What is |
496 attack is that the dictionary can be precompiled in the ``comfort of |
496 good about this attack is that the dictionary can be |
497 the hacker's home'' before an actual attack is launched. It just needs |
497 precompiled in the ``comfort of the hacker's home'' before an |
498 sufficient storage space, which nowadays is pretty cheap. A hacker |
498 actual attack is launched. It just needs sufficient storage |
499 might in this way not be able to crack all passwords in our database, |
499 space, which nowadays is pretty cheap. A hacker might in this |
500 but even being able to crack 50\% can be serious damage for a large |
500 way not be able to crack all passwords in our database, but |
501 company (because then you have to think about how to make users to |
501 even being able to crack 50\% can be serious damage for a |
502 change their old passwords---a major hassle). And hackers are very |
502 large company (because then you have to think about how to |
503 industrious in compiling these dictionaries: for example they |
503 make users to change their old passwords---a major hassle). |
504 definitely include variations like \pcode{passw0rd} and also include |
504 And hackers are very industrious in compiling these |
505 rules that cover cases like \pcode{passwordpassword} or |
505 dictionaries: for example they definitely include variations |
506 \pcode{drowssap} (password reversed).\footnote{Some entertaining rules |
506 like \pcode{passw0rd} and also include rules that cover cases |
507 for creating effective dictionaries are described in the book |
507 like \pcode{passwordpassword} or \pcode{drowssap} (password |
508 ``Applied Cryptography'' by Bruce Schneier (in case you can find it |
508 reversed).\footnote{Some entertaining rules for creating |
509 in the library), and also in the original research literature which |
509 effective dictionaries are described in the book ``Applied |
510 can be accessed for free from |
510 Cryptography'' by Bruce Schneier (in case you can find it in |
511 \url{http://www.klein.com/dvk/publications/passwd.pdf}.} |
511 the library), and also in the original research literature |
512 Historically, compiling a list for a dictionary attack is not as |
512 which can be accessed for free from |
513 simple as it might seem. At the beginning only ``real'' dictionaries |
513 \url{http://www.klein.com/dvk/publications/passwd.pdf}.} |
514 were available (like the Oxford English Dictionary), but such |
514 Historically, compiling a list for a dictionary attack is not |
515 dictionaries are not ``optimised'' for the purpose of passwords. The |
515 as simple as it might seem. At the beginning only ``real'' |
516 first real hard data about actually used passwords was obtained when a |
516 dictionaries were available (like the Oxford English |
517 company called RockYou ``lost'' 32 Million plain-text passwords. With |
517 Dictionary), but such dictionaries are not optimised for the |
518 this data of real-life passwords, dictionary attacks took |
518 purpose of cracking passwords. The first real hard data about actually |
519 off. Compiling such dictionaries is nowadays very easy with the help |
519 used passwords was obtained when a company called RockYou |
520 of off-the-shelf tools. |
520 ``lost'' 32 Million plain-text passwords. With this data of |
|
521 real-life passwords, dictionary attacks took off. Compiling |
|
522 such dictionaries is nowadays very easy with the help of |
|
523 off-the-shelf tools. |
521 |
524 |
522 These dictionary attacks can be prevented by using salts. |
525 These dictionary attacks can be prevented by using salts. |
523 Remember a hacker needs to use the most likely candidates |
526 Remember a hacker needs to use the most likely candidates |
524 of passwords and calculate their hash-value. If we add before |
527 of passwords and calculate their hash-value. If we add before |
525 hashing a password a random salt, like \pcode{mPX2aq}, |
528 hashing a password a random salt, like \pcode{mPX2aq}, |
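Review bot: The rewritten sentence on new lines 482-485 still does not parse, because "The difference between a brute force attack, where ..., is that a dictionary attack" names only one side of "between". Suggest "The difference to a brute force attack, where maybe $2^{80}$ many strings need to be considered, is that a dictionary attack might get away with checking only 10 million words". In the same hunk, new line 518 is noticeably longer than the fill width of its neighbours and needs re-wrapping, "make users to change" on new line 503 should be "make users change", and "10 Million" and "32 Million" read better in lower case.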
559 possible if each password gets its own salt: since we assume |
562 possible if each password gets its own salt: since we assume |
560 the salt is generated randomly, each version of \pcode{123456} |
563 the salt is generated randomly, each version of \pcode{123456} |
561 will be associated with a different hash-value. This will |
564 will be associated with a different hash-value. This will |
562 make the life harder for an attacker. |
565 make the life harder for an attacker. |
563 |
566 |
564 Note another interesting point. The web-application from the previous |
567 Note another interesting point. The web-application from the |
565 section was only secure when the salt was secret. In the password |
568 previous section was only secure when the salt was secret. In |
566 case, this is not needed. The salt can be public as shown above in the |
569 the password case, this is not needed. The salt can be public |
567 Unix password file where is actually stored as part of the password |
570 as shown above in the Unix password file where it is actually |
568 entry. Knowing the salt does not give the attacker any advantage, but |
571 stored as part of the password entry. Knowing the salt does |
569 prevents that dictionaries can be precompiled. While salts do not |
572 not give the attacker any advantage, but prevents that |
570 solve every problem, they help with protecting against dictionary |
573 dictionaries can be precompiled. While salts do not solve |
571 attacks on password files. It protects people who have the same |
574 every problem, they help with protecting against dictionary |
572 passwords on multiple machines. But it does not protect against a |
575 attacks on password files. It protects people who have the |
573 focused attack against a single password and also does not make poorly |
576 same passwords on multiple machines. But it does not protect |
574 chosen passwords any better. Still the moral is that you should never |
577 against a focused attack against a single password and also |
575 store passwords in plain text. Never ever.\medskip |
578 does not make poorly chosen passwords any better. Still the |
|
579 moral is that you should never store passwords in plain text. |
|
580 Never ever.\medskip |
576 |
581 |
577 \noindent |
582 \noindent |
578 If you want to know more about passwords I recommend viewing some |
583 If you want to know more about passwords I recommend viewing some |
579 youtube videos from the PasswordCon(ference) which takes place each |
584 youtube videos from the PasswordCon(ference) which takes place each |
580 year. The book by Bruce Schneier about Applied Cryptography is also |
585 year. The book by Bruce Schneier about Applied Cryptography is also |
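Review bot: On new lines 571-573 the grammatical subject of "prevents" is "Knowing the salt", so the sentence says that the attacker's knowledge of the salt is what stops precompilation, when it is the salt itself. Suggest "Knowing the salt does not give the attacker any advantage, and the salt still prevents dictionaries from being precompiled". Also in this hunk: "It protects" on new line 575 refers back to the plural "salts" and should be "They protect" (likewise "it does not protect" on line 576), "make the life harder" on line 565 should be "make life harder", and "youtube" on line 584 should be capitalised as "YouTube".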