jones_72hadGKHHA%

1、Foundations of Network and Computer SecurityJohn BlackLecture #31Nov 28th 2007CSCI 6268/TLEN 5831, Fall 2007Password CrackersUnix approach: store one-way hash of password in a public fileSince hash is one-way, there is no risk in showing the digest, right?This assumes there are enough inputs to make

2、 exhaustive search impossible (recall IP example from the midterm)There are enough 10-char passwords, but they are NOT equally likely to be usedHelloThere is more likely than H7%$a3#.4 because were humanPassword Crackers (cont)Idea is simple: try hashing all common words and scan for matching digest

3、Original Unix algorithm for hash is to iterate DES 25 times using the password to derive the DES keyDES25(pass, 064) = digestNote: this was proved secure by noticing that this is the CBCMAC of (064)25 under key pass and then appealing to known CBCMAC resultsWhy is DES iterated so many times?Password

4、 Crackers (cont)Note: Actually uses a variant of DES to defeat hardware-based approachesNote: Modern implementations often use md5 instead of this DES-based hashBut we can still launch a dictionary attackTake large list of words, names, birthdays, and variants and hash themIf your password is in thi

5、s list, it will be crackedPassword Crackers: exampleworddigestalabasterxf5yhae1&trh23GfhadHj68aan4%417%1j2labdGHalbacorealkalinewont4getPasword file/etc/passwdjones:72hadGKHHA%smith:HWjh234h*!j!jackl:UwuhWuhf12132taylor:Hj68aan4%41bradt:&sdf29jhabdjajK22knuth:ih*22882h*F*8haawirth:8w92h28fh*(Hh98Hri

6、vest:&shsdg&hsgDGH2Making Things Harder: SaltIn reality, Unix systems always add a two-character “salt” before hashing your passwordThere are 4096 possible saltsOne is randomly chosen, appended to your password, then the whole thing is hashedPassword file contains the digest and the salt (in the cle

7、ar)This prevents attacking all passwords in /etc/passwd in parallelPassword Crackers: with Saltworddigestalabasterxf5yhae1&trh23GfhadU8&H*127%1j2labdGHalbacorealkalinewont4getPasword file/etc/passwdjones:72hadGKHHA%H7smith:HWjh234h*!j!YYjackl:UwuhWuhf12132a$taylor:Hj68aan4%41y$bradt:&sdf29jhabdjajK2

8、2Jaknuth:ih*22882h*F*8haaU%wirth:8w92h28fh*(Hh98H1&rivest:&shsdg&hsgDGH2*1Table for Salt Value: A6no matchFighting the Salt: 4096 TablesCrackers build 4096 tables, one for each salt valueBuild massive databases, on-line, for each salt100s of GB was a lot of storage a few years ago, but not any longe

9、r!Indexed for fast look-upMost any common password is found quickly by such a programUsed by miscreants, but also by sysadmins to find weak passwords on their systemGetting the /etc/passwd FilePublic file, but only if you have an acctThere have been tricks for remotely fetching the /etc/passwd file

10、using ftp and other vulnerabilitiesOften this is all an attacker is afterVery likely to find weak passwords and get on the machineOf course if you are a local user, no problemRemoving the /etc/passwd from global view creates too many problemsShadowed PasswordsOne common approach is to put just the p

11、assword digests into /etc/shadow/etc/passwd still has username, userid, groupid, home dir, shell, etc., but the digests are missing/etc/shadow has only the username and digests (and a couple of other things)/etc/shadow is readable and writeable for root onlyMakes it a bit harder to get a hold ofBrea

12、ks some software that wants to authenticate users with their passwordsOne might argue that non-root software shouldnt be asking for user passwords anyhowBSD does things a little differentlyLast Example: Ingres Authorization StringsIngres, 19902nd largest database company behind OracleAuthorization S

13、tringsEncoded what products and privileges the user had purchasedEasier to maintain this way: ship entire productEasier to sell upgrades: just change the stringDocumentation guysNeeded an example auth string for the manualMoralTheres no defending against stupiditySocial engineering is almost always

14、the easiest way to break inDoesnt work on savvy types or sys admins, but VERY effective on the common userI can almost guarantee I could get the password of most CU students easily“Hi this is Jack Stevens from ITS and we need to change your password for security reasons; can you give me your current

15、 password?”Social Engineering: PhishingSending authentic looking email saying “need you to confirm your PayPal account information”Email looks authenticURL is often disguisedRolling over the link might even pop-up a valid URL in a yellow box!Clicking takes you to attackers site, howeverThis site wan

16、ts your login infoDisguising URLsURI specAnything is supposed to send you to Can be used to disguise a URL:-SECURITYCHECKw8grHGAkdjjd7788AccountMaintenace-4957725-s5982ut-aw-ebayconfirm-secure-23985225howf8shfMHHIUBd889yKNotice feel-good wordsLength of URI exceeds width of browser, so you may not se

17、e the end could be hex encoded for more deception%77%77%77%2e%65%76%69%6c%2e%63%6f%6d = Disguising URLs (cont)This no longer works on IEStill works on MozillaIn IE 5.x and older, there was another trick where you could get the toolbar and URL window to show “” even though you had been sent to a diff

18、erent siteVery scaryMoral: dont click on email links; type in URL manuallyDigression: Character EncodingsNormally web servers dont allow things like this:http:/jrblack/././etc/passwdThe “.” is filtered outCharacter encodings can sometimes bypass the filterUnicode is a code for representing various a

19、lphabets. = C0 AE/ = C0 AF = C1 9CIn Oct 2000, a hacker revealed that IIS failed to filter these encodings/jrblack/%C0AE/%C0AE/%C0AE/%C0AE/etc/passwdSegue to Web SecurityThe web started out simple, but now is vastly complexMostly because of client-side scriptingJavascript, Java applets, Flash, Shock

20、wave, VBScript, and moreAnd server-side scriptingCGIs (sh, C, perl, python, almost anything), Java servlets, PHP, ASP, JSPAll of these are security-sensitiveUghWe Cant Hope to Survey all Possible Web Security IssuesToo many to countGoal: look at a few thematic onesCataloguing all of them would not b

21、e very instructive, most likelyTypical Server-Side VulnerabilityPHP: Personal HomePage (?!)An easy-to-use and Perl-like server-side scripting languageA “study in poor security” Gary McGrawVariables are dynamically declared, initialized, and global by default; this can be dangerous:if(isset($page) in

22、clude($page); Now we call this script with:script.php?page=/etc/passwdJavascriptJavascript (and VBScript) can do bad thingsGet your cookies, for one, which may include sensitive informationYou dont want to run scripts unless the site you are visiting is “trustworthy”Javascript has had a large number

23、 of security problems in the past; dubious sites might take advantage of theseIf you set your security level high in IE, it turns off Javascript; that should tell you somethingJavascript (cont)Turning it off in your browser is one solutionBut often you lose a bunch of functionalityHow can an attacke

24、r get you to run his malicious Javascript code?Gets you to visit his websiteBut you might know betterOld trick: post something to a bulletin board with in itWhen you view his post, you run his script!FilteringTo prevent this, a correct bulletin board implementation always filters stuff that others h

25、ave postedYou can post YES! but not evil stuff But until recently we didnt worry about filtering stuff from you to yourself! XSS AttacksXSS: Cross Server ScriptingNot CSS (Cascading Style Sheets)Idea: you open a website, passing a value, and the site echoes back that valueWhat if that value has a sc

26、ript embedded?!Example: 404 Not FoundSuppose you see a link (in email, on IRC, on the web) saying, “Click here to search Google” The link really does go to google, so what the heckHowever the link is /badurl%0a%5C.Above contains an embedded, hidden scriptGoogle says, “badurl%0a%5C” not foundJust dis

27、playing this to you, executes the scriptXSS VulnerabilitiesTheyve been found all over the webFairly new problemLots of examples still exist in the wildVery tricky to find them allSolution is to filter, of courseNeed to filter inputs from users that server will be echoing back to the userPhishing Rev

28、isitedDear Amazon User,During our regular update and verification of the accounts, we could not verify your current information. Either your information has changed or it is incomplete.As a result, your access to buy on Amazon has been restricted. To continue using your Amazon account again, please

29、update and verify your information by clicking the link below :/exec/obidos/subst/home/?EnterConfirm&UsingSSL=0&pUserId=&us=445&ap=0&dz=1&Lis=10&ref=br_bx_c_2_2Thank you very much for your cooperation!Amazon Customer SupportPlease note: This e-mail message was sent from a notification-only addressth

30、at cannot accept incoming e-mail. Please do not reply to this message.AEarths Biggest SelectionWhere does the info go? maps to IP 55% whois 55OrgName: Yahoo!OrgID: YAOOAddress: 701 First AvenueCity: SunnyvaleStateProv: CANetRange: - 55Defenses Against PhishingSpoofguardProduct out of StanfordDoesnt

31、work for me (ugh!)Detects various suspicious behaviors and flags themRed light, green light depending on thresholdThere are others as wellBottom line: Dont believe emails from “l(fā)egitimate companies”This is frustrating for companies!Wireless SecurityWhy is wireless security essentially different from

32、 wired security?Almost impossible to achieve physical security on the networkYou can no longer assume that restricting access to a building restricts access to a networkThe “parking lot attack”Wireless Security ChallengesFurther challenges:Many wireless devices are resource-constrainedLaptops are pr

33、etty powerful these days but PDAs are notSensors are even more constrainedRFIDs are ridiculously constrainedParadox: the more resource-constrained we get, the more ambitious our security goals tend to getIEEE 802.11a/b/gA standard ratified by IEEE and the most widely-used in the worldOk, PCS might b

34、e a close contenderAlso called “Wi-Fi” 802.11 products certified by WECA (Wireless Ethernet Compatibility Alliance)Bluetooth is fairly commonplace but not really used for LANsMore for PANs (the size of a cubicle)Connect PDA to Cell Phone to MP3, etc.Wireless Network ArchitectureAd HocSeveral compute

35、rs form a LANInfrastructureAn access point (AP) acts as a gateway for wireless clientsThis is the model were most used toAvailable all through the EC, for exampleMy Access PointWar DrivingThe inherent physical insecurity of wireless networks has led to the “sport” of war-drivingGet in your car, driv

36、e around, look for open access points with you laptopName comes from the movie “War Games”Some people get obsessed with this stuffYou can buy “war driving kits” on lineSpecial antennas, GPS units to hook to you laptop, mapping softwareMore War DrivingPeople use special antennas on their carsIt used

37、to be Pringles cans, but weve moved up in the worldPeople distribute AP mapsWar driving contest at BlackHat each yearNext Time Youre in LAWhats the Big Deal?My home access point is wide-openPeople could steal bandwidthIm not that worried about itPeople could see what Im doingIm not that worried abou

38、t itThere are ways to lock-down your access pointMAC filteringNon-signalling APs and non-default SSIDsWired Equivalent Privacy (WEP)MAC FilteringAllow only certain MACs to associateIdea: you must get permission before joining the LANPain: doesnt scale well, but for home users not a big dealDrawback:

39、 people can sniff traffic, figure out what MACs are being used on your AP, then spoof their MAC address to get onNon-Signalling APs802.11 APs typically send a “beacon” advertising their existence (and some other stuff)Without this, you dont know theyre thereCan be turned offIf SSID is default, war d

40、rivers might find you anywaySSID is the “name” of the LANDefaults are “LinkSYS”, NETGEAR, D-Link, etcSavvy people change the SSID and turn off beaconsSSIDs can still be sniffed when the LAN is active however, so once again doesnt help muchLets Use Crypto!WEP (Wired Equivalent Privacy)A modern study

41、in how not to do thingsThe good news: it provides a wonderful pedagogical example for usA familiar theme:WEP was designed by non-cryptographers who knew the basics onlyThats enough to blow itWEP ProtocolOne shared key k, per LANAll clients and APs have a copy of kWe are therefore in the symmetric ke

42、y setting Very convenient: no public key complexities neededHas drawbacks, as well see laterIn the symmetric key model, what do we do (minimally) for data security?Authentication and Privacy!(MAC and encrypt)WEP ProtocolFor message M, P = (M, c(M)c() is an unkeyed CRC (cyclic redundancy check)Comput

43、e C = P RC4(v, k)RC4 is a stream cipherThink of a stream cipher as a “randomness stretcher”: give it n random bits and it produces (essentially) infinite pseudo-random bitsThe input is variously called the “seed” or the “key”Seems a lot like a pseudo-random number generator!We will look at RC4 in mo

44、re detail laterv is an IVAs usual, the IV should never be repeated over the life of the keySender transmits (v, C)WEP DecryptionReceiver obtains (v, C) and knows kComputes C RC4(v, k) = (P RC4(v,k) RC4(v,k) = PThen checks integrity with P = (M, c) and asking whether c = c(M)If not, reject the frame

45、as inauthenticLooks familiar, but we should be suspicious: a keyless function is not a MAC!GoalsSecurity Goals of WEP:PrivacyIntegrityWhat we also have called “authenticity”It should be “hard” to tamper with ciphertexts without being detectedIt should be “hard” to forge packetsAccess ControlDiscard

46、all packets not properly encrypted with WEP (optional part of the 802.11 standard)WEP Document:Security “relies on the difficult of discovering the secret key through a brute-force attack”WEP Keys802.11 was drafted when 40 bits were all we could exportThis restriction was lifted in 1998, but the sta

47、ndard was already in draft formSome manufacturers extended the key to an optional 128-bit formThis is misleading: the 128 form uses a 104 bit key because the IV is 24 bitsWEP KeysTwo forms: the 40 bit keyThe “128” bit keykIV40 bits24 bitskIV104 bits24 bitsRecall: IV is public, so shouldnt count as “

48、key”Entering WEP KeysNote: Four keys allowed to encourage key-rotation, but this has to all be synchronizedamong all users of the WLAN. Goals Achieved: ;Lets start with the Privacy goalWEP is using an encryption pad; what is the cardinal rule of encryption pads?So how might a pad be re-used?If the I

49、V repeats, the pad will repeat:Pad is RC4(v, k)k is fixed for all communicationsSince IV is public, an attack sees when the IV repeatsIV repeatsIts bad:Some cards fix IV=0, end of story(This is 802.11 compliant, by the way!)Some cards re-initialize IV to 0 each time they are powered upSo each time y

50、ou insert a PCMCIA card into your laptop, or power up your laptopIV repeats in the lower range far more likely hereThe IV is only 24 bits, so eventually it will wrap around1500-byte packets, 5Mbps, IV wraps in less than 12 hoursWith random IVs, the birthday effect says we expect a repeat within 5000 packets (a few mins in the scenario above)What to do with repeated IVs?Build a “decryption dictionary”O(jiān)nce we figure out the plaintextBecause its broadcast in the clear and encryptedBecause its part of a standard transmissionBecause you injec