Data Protection and Security

VII

Identification and Entity Authentication

VII.II

Passwords

We have already mentioned one simple example of passive network attacks. In systems where the password is transmitted in an encrypted channel, this attack is still possible if the encrypted channel has not been designed carefully. Active network attacks are more sophisticated attacks in which the attacker does not only listen to the network but also he has the capability to delete, change or insert the authentication packets in real time. Examples are "man-in-the-middle" attacks, "hijacking connection" attacks etc. Active attacks are mostly beyond the capabilities of most attackers and one needs to use more advanced methods like SSH to safeguard against. We will see Secure Shell (SSH) later.

The applicability of the remaining two attacks depends on the authentication method in use therefore we would like to first group software authentication methods into two major groups:

• Authentication methods based on shared secret between the server and the user.
• Authentication methods, which do not need shared secrets.

In the first group, the server and the user shares a secret and that secret is mostly called the password. The secret is unknown to anybody else and the user needs to prove that he knows the secret in order to be authenticated. The procedure how the user proves that he knows the secret differentiates with respect to method in use. In telnet and SSH's current password authentication method, for instance, the user proves by simply sending it (across the open or
encrypted channel). Today, more sophisticated methods are available in which the user does not need to send the secret but in a number of rounds both sides exchange some messages serving the purpose of proving that both sides know the secret without revealing it. These methods are usually called "zero-knowledge proofs". We do not go into the details of these more advanced methods but as stated next, in all of these methods there are two properties in common and two corresponding attacks are possible:

• The user should enter the same password in each authentication.
• The server requires to store the secret information in a protected file to authenticate its users.

Let's turn back to our discussion on the types of attack:

Attacks to the Client Machine: There are several ways in which your password may be snooped directly on the client machine e.g., someone with root access may maliciously have installed a "wiretap" device driver in the kernel, or a trojan horse version of an application program. If a system administrator installing the software is not malicious but careless enough
not to check that he has an unmodified version of software distribution, a keyboard-trapping" routine inside the modified version of authentication software can again capture the password when you are typing and forward it to the attacker's machine. Since the password used in each authentication is the same one, the password stolen can easily be used later for impersonation.

Attacks to the Server Machine: The second property above, storing the password in a file causes another serious vulnerability. The server can leak that secret to third parties accidentally or maliciously. For instance if the server is also a web server, the attacker can utilize the CGI vulnerabilities to steal the password file. We have already learned that the passwords are not listed in plaintext in the password file where password is hashed and the hash value is stored but since it is not practical for a user to choose a difficult-to-guess (high entropy) password, (off-line) dictionary attacks are generally powerful to compute the password from its hash value. So this method is practically same as storing the password.