5. The Sibyl: another layer of security
a hashed copy of your password has been compromised
what is the common pattern?
8. The Sibyl: another layer of security
a hashed copy of your password has been compromised
⇓
if your password is “easy”, it has been discovered
“your password is YOUR PROBLEM”
22. The Sibyl: another layer of security
hashes are bad for passwords
mantra
hashes are bad for passwords
hashes are bad for passwords
hashes are bad for passwords
hashes are bad for passwords
hashes are bad for passwords
no, really: hashes are bad for passwords
because users choose bad passwords
28. The Sibyl: another layer of security
passwordlogy [Troy Hunt]
in brief (the Sony/Gawker hack):
93% ≤ 10 chars
99% alphanumeric
36% in English dictionary...
92% reuse
82% are ≤ 9 chars long
43. The Sibyl: another layer of security
today’s authentication
1-store hash(password) in login server
2-fetch login+pwd
3-hash(pwd) == hash(password)
4-grant/deny access
the login server is overburdened
+ hashes are bad for passwords (mantra)
46. The Sibyl: another layer of security
modern ideas (2011)
1-randomize the authentication token:
[rand:easy] ~ [rand:difficult]*
2-delegate the authentication step
* analogous to a random salt, but better
49. The Sibyl: another layer of security
2-delegate the authentication step
delegation allows use of
Public Key Crypto (RSA)
oh!
54. The Sibyl: another layer of security
1-randomize the authentication token
RSA-OAEP padding: “add 160 random bits” + encrypt
compare:
hash(salt+easy) = a little complicated
RSA(easy+160 rand bits) ~ RSA(160 rand bits)
[volunteers?]
61. The Sibyl: another layer of security
delegated authentication
1-store OAEP-RSA(hash(password)) in server [only needs public key]
2-fetch login+pwd
3-compute OAEP-RSA(hash(pwd)) [only needs public key]
3.5- ask someone else [the owner of the private key]
4-grant/deny access
yeah, the server is still overburdened...
66. The Sibyl: another layer of security
3.5- ask someone else
the Sibyl: dummy computer, [like an Oracle (Sibyl)]
computer: can decrypt RSA messages (owns the private key)
dummy: can only do that (and answer yes/no to queries)
the UNIX way of life
71. The Sibyl: another layer of security
the data is secure (server)
-RSA(random) [no brute force]
-public RSA Key [can’t decrypt]
the Sibyl is secure
dummy protocol ~ unhackable
[...I’ll deny ever having said this...]
78. The Sibyl: another layer of security
why is OAEP-RSA safer than salt?
salt
SHA-1(salt$m) = SHA-1(salt$m) [obvious]
m~8 chars: brute force feasible
OAEP
crypt() adds 160 random bits each time
OAEP-crypt(m) ≠ OAEP-crypt(m)
cannot be brute-forced: 160 unknown bits
length(pwd) irrelevant
79. mypera:~$ for i in 1 2 3 4 5 6 ; do echo "-------- round $i" ; echo 'patata' | openssl rsautl -encrypt -inkey trial -oaep -hexdump ; done
same encryption
different results (2^160)
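An added example, not code from the original slides or from the Sibyl project: a standard-library Python sketch of delegated authentication steps 1 to 3.5 and of the salt-versus-OAEP comparison. The toy key built from two Mersenne primes, the SHA-256 password hash and every function name are assumptions made for illustration; the nonce and signature exchange is left out.

```python
import hashlib, hmac, os

# Constructed toy key (two Mersenne primes): demo only, never a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D stays inside the Sibyl
K, HLEN = (N.bit_length() + 7) // 8, 20      # HLEN: SHA-1 size = 160-bit seed
LHASH = hashlib.sha1(b"").digest()

def mgf1(seed, length):
    blocks = range((length + HLEN - 1) // HLEN)
    return b"".join(hashlib.sha1(seed + i.to_bytes(4, "big")).digest() for i in blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(msg):
    """Public-key operation (login server): fresh 160 random bits per call."""
    db = LHASH + b"\x00" * (K - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN)
    masked_db = xor(db, mgf1(seed, len(db)))
    em = b"\x00" + xor(seed, mgf1(masked_db, HLEN)) + masked_db
    return pow(int.from_bytes(em, "big"), E, N)

def oaep_decrypt(c):
    """Private-key operation (Sibyl only); toy code, not constant-time."""
    em = pow(c, D, N).to_bytes(K, "big")
    masked_db = em[1 + HLEN:]
    seed = xor(em[1:1 + HLEN], mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    sep = db.find(b"\x01", HLEN)
    if em[0] != 0 or db[:HLEN] != LHASH or sep < 0 or any(db[HLEN:sep]):
        raise ValueError("bad OAEP padding")
    return db[sep + 1:]

def enroll(password):
    """Step 1 (and step 3 for a login attempt): OAEP-RSA(hash(password))."""
    return oaep_encrypt(hashlib.sha256(password.encode()).digest())

def sibyl_check(v1, v2):
    """Step 3.5: decrypt both values, answer only yes/no."""
    try:
        return hmac.compare_digest(oaep_decrypt(v1), oaep_decrypt(v2))
    except ValueError:
        return False

def salted_sha1(salt, m):
    """The deterministic scheme the slide compares against: SHA-1(salt$m)."""
    return hashlib.sha1(salt + b"$" + m.encode()).hexdigest()
```

Two calls to enroll("patata") return different integers, yet sibyl_check() on the pair answers True; a holder of only N and E cannot confirm a guess by re-encrypting it, whereas salted_sha1() with a known salt always reproduces the stored value.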
97. The Sibyl: another layer of security
server → sibyl: request nonce
sibyl → server: nonce [n]
server: v1 = RSA_E(pwd:n), v2 = [stored], m = nonce
server → sibyl: (m, v1, v2)
sibyl: decrypt_E(v1) == decrypt_E(v2)
sibyl: u = sign_S(m, OK/NOOK)
sibyl → server: u
server: verify_S(u)
two keys, two nonces [this is important]
101. The Sibyl: another layer of security
what we have
· device: bifferboard (essentially POC)
· sibyl server
· pam client: pam_sibyl.so
· demo client
· scripts [shadow file]⟹[sibyl file]
will have: sql library, php module
102. Thanks
The Sibyl: another layer of security
demo time: welcome rafacas
www.thesibyl.net
Pedro Fortuny Ayuso (Uniovi)
Rafael Casado Sánchez (Freelance)
2011 - september - No cON Name