The Sibyl

Another layer of security [for authentication]
The Sibyl
Pedro Fortuny Ayuso (Uniovi)
Rafael Casado Sánchez (Freelance)
16/17 September 2011

The Sibyl: another layer of security
the burden of security

[I stopped collecting logos after Military Meltdown Monday]

what is the common pattern?

a hashed copy of your password has
been compromised
what is the common pattern?

a hashed copy of your password has been
compromised

compromised
⇓
if your password is “easy”, it has been discovered

compromised
⇓
if your password is “easy”, it has been discovered
“your password is YOUR PROBLEM”

is this reasonable?

is this reasonable?
login: pfortuny
password: 02Mustremembermyd@*!*dpassword

honestly

honestly
is it reasonable?

hashes are bad for passwords

mantra

mantra
no, really: hashes are bad for passwords

mantra
no, really: hashes are bad for passwords
because users
choose
bad
passwords

passwordlogy [Troy Hunt]
in brief (the Sony/Gawker hack):

99% alphanumeric

93% ≤ 10 chars
99% alphanumeric

93% ≤ 10 chars
99% alphanumeric
82% are ≤ 9 chars long

93% ≤ 10 chars
99% alphanumeric
92% reuse

93% ≤ 10 chars
99% alphanumeric
36% in English dictionary...
92% reuse

can be done

security
CAN
be done
easy secret code

axiom 0:
do NOT allow
INFINITE
login attempts
[we are assuming this in the remainder]

can be done
2011

can be done
2011ever heard of distributed computing?

can be done
Software as a Service?

can be done
Software as a Service?
outsourcing??????

today’s authentication

1-store hash(password) in login server

2-fetch login+pwd

2-fetch login+pwd
3-hash(pwd) == hash(password)

2-fetch login+pwd
4-grant/deny access

2-fetch login+pwd
4-grant/deny access
the login server
is
overburdened

2-fetch login+pwd
4-grant/deny access
+ hashes are bad for passwords (mantra)
the login server
is
overburdened

modern ideas (2011)

modern ideas (2011)
1-randomize the authentication token:
[rand:easy] ~ [rand:difﬁcult]*
* analogue to random salt but better

modern ideas (2011)
2-delegate the authentication step
1-randomize the authentication token:
[rand:easy] ~ [rand:difﬁcult]*
* analogue to random salt but better

delegation allows use of
Public Key Crypto (RSA)

delegation allows use of
Public Key Crypto (RSA)
oh!

1-randomize the authentication token

RSA-OAEP padding:“add 160 random bits”
+ encrypt

+ encrypt
compare:

+ encrypt
hash(salt+easy) = a little complicated
compare:

+ encrypt
hash(salt+easy) = a little complicated
RSA(easy+160 rand bits) ~ RSA(160 rand bits)
[volunteers?]
compare:

delegated authentication

1-store OAEP-RSA(hash(password)) in server
[only needs public key]

2-fetch login+pwd

2-fetch login+pwd
3-compute OAEP-RSA(hash(pwd))

2-fetch login+pwd
3.5- ask someone else
[the owner of the private key]

2-fetch login+pwd
4-grant/deny access

2-fetch login+pwd
4-grant/deny access
yeah, the server is
still overburdened...

the Sibyl: dummy computer,
[like an Oracle (Sibyl)]

computer: can decrypt RSA messages
(owns the private key)

dummy: can only do that
(and answer yes/no to queries)

dummy: can only do that
(and answer yes/no to queries)
the UNIX
way of life

the data is secure
(server)
the Sibyl is secure

the data is secure
(server)
the Sibyl is secure
-RSA(random)
[no brute force]

the data is secure
(server)
the Sibyl is secure
-RSA(random)
[no brute force]
-public RSA Key
[can’t decrypt]

the data is secure
(server)
the Sibyl is secure
-RSA(random)
[no brute force]
-public RSA Key
[can’t decrypt]
dummy
protocol
~
unhackable

the data is secure
(server)
the Sibyl is secure
[...I’ll deny ever having said this...]
-RSA(random)
[no brute force]
-public RSA Key
[can’t decrypt]
dummy
protocol
~
unhackable

why OAEP-RSA is safer than salt?
salt
OAEP

SHA-1(salt$m) = SHA-1(salt$m) [obvious]
salt
OAEP

m~8 chars brute force feasible
salt
OAEP

crypt() adds 160 random bits each time
salt
OAEP

OAEP-crypt(m) ≠ OAEP-crypt(m)
salt
OAEP

cannot be brute-forced: 160 unknown bits
salt
OAEP

cannot be brute-forced: 160 unknown bits
length(pwd) irrelevant
salt
OAEP

mypera:~$
for
i
in
1
2
3
4
5
6
;
do
echo
“-‐-‐-‐-‐-‐-‐-‐-‐
round
$i”
;
echo
'patata'
|

openssl
rsautl
-‐encrypt
-‐inkey
trial
-‐oaep
-‐hexdump
;
done
-‐-‐-‐-‐-‐-‐-‐-‐
round
1
0000
-‐
63
ef
c7
10
bd
23
90
85-‐f1
27
bf
58
b6
b2
ad
1a

c....#...'.X....
0010
-‐
e5
9e
ce
9e
89
3d
d9
eb-‐f3
35
fc
dc
e9
a4
f6
b1

.....=...5......
0020
-‐
b1
a3
c6
95
e6
d5
6e
e9-‐4f
0f
59
0c
a1
81
1e
7d

......n.O.Y....}
0030
-‐
ad
36
25
5f
96
b7
b9
6e-‐84
96
7d
db
53
26
8d
bd

.6%_...n..}.S&..
-‐-‐-‐-‐-‐-‐-‐-‐
round
2
0000
-‐
43
fc
d4
ce
b0
8a
ad
f7-‐c8
61
24
d6
41
1e
bb
70

C........a$.A..p
0010
-‐
25
e7
0c
ed
9c
a4
7c
34-‐d9
c7
d2
ad
44
da
ee
01

%.....|4....D...
0020
-‐
6d
00
12
55
6d
35
44
87-‐70
64
2a
8a
80
9b
ae
df

m..Um5D.pd*.....
0030
-‐
03
1c
1f
ee
74
3b
f1
b6-‐62
88
ec
3b
85
cc
9a
15

....t;..b..;....
-‐-‐-‐-‐-‐-‐-‐-‐
round
3
0000
-‐
9b
2c
34
e2
99
e0
78
82-‐6a
c6
38
38
ac
36
c6
bf

.,4...x.j.88.6..
0010
-‐
2d
56
9f
17
0a
ef
c9
1f-‐94
60
49
d7
eb
68
a3
53

-‐V.......`I..h.S
0020
-‐
29
7b
60
b8
2c
13
cf
43-‐4a
9b
86
d5
3d
48
66
50

){`.,..CJ...=HfP
0030
-‐
59
30
89
28
22
09
a8
1e-‐ed
f8
f6
22
3d
c7
0d
81

Y0.("......"=...
-‐-‐-‐-‐-‐-‐-‐-‐
round
4
0000
-‐
b3
76
1a
7c
01
ea
78
68-‐ff
b9
fe
fe
80
21
e6
c5

.v.|..xh.....!..
0010
-‐
2c
97
17
e2
36
5f
30
5b-‐60
b3
69
0b
aa
ba
50
a3

,...6_0[`.i...P.
0020
-‐
b2
f3
ac
f4
ed
6c
bd
9f-‐29
33
0e
2f
1c
58
1d
7a

.....l..)3./.X.z
0030
-‐
07
3f
68
d8
b2
7f
f7
d8-‐7e
76
de
d7
a4
8d
ae
d8

.?h.....~v......
-‐-‐-‐-‐-‐-‐-‐-‐
round
5
0000
-‐
46
22
8e
9b
3d
af
d6
56-‐e5
f4
55
29
5d
98
e5
43

F"..=..V..U)]..C
0010
-‐
b3
55
6a
96
5a
57
1b
3f-‐0b
fa
6a
a0
d5
65
93
f0

.Uj.ZW.?..j..e..
0020
-‐
c2
ae
3b
6d
7c
ad
56
16-‐c2
82
e2
e6
96
79
be
77

..;m|.V......y.w
0030
-‐
52
1c
0b
e1
95
a4
dd
99-‐46
7a
e2
51
69
87
58
42

R.......Fz.Qi.XB
-‐-‐-‐-‐-‐-‐-‐-‐
round
6
0000
-‐
56
77
d7
bc
32
2f
39
f8-‐86
06
68
74
3d
54
8f
ae

Vw..2/9...ht=T..
0010
-‐
cf
b3
e5
fc
fc
50
78
98-‐88
a4
cd
8d
e9
cd
86
48

.....Px........H
0020
-‐
b1
46
af
8e
28
de
59
5a-‐96
81
53
36
5f
f4
ef
b1

.F..(.YZ..S6_...
0030
-‐
12
bd
e1
a3
39
1c
00
94-‐a1
14
3a
0b
3d
30
af
d6

....9.....:.=0..
sameencryption
differentresults(2160)

internals

client server sibyl

client server sibyl
login+pwd (TLS)

client server sibyl
login+pwd (TLS)
v1=RSA(pwd)
v2=RSA(pass) [stored]

client server sibyl
login+pwd (TLS)
(v1,v2)
v1=RSA(pwd)

client server sibyl
login+pwd (TLS)
(v1,v2)
v1=RSA(pwd)
decrypt(v1)
==
decrypt(v2)

client server sibyl
login+pwd (TLS)
(v1,v2)
v1=RSA(pwd)
decrypt(v1)
==
decrypt(v2)
reply (OK/NOOK)

client server sibyl
login+pwd (TLS)
(v1,v2)
v1=RSA(pwd)
decrypt(v1)
==
decrypt(v2)
reply (OK/NOOK)
grant/not login

server sibyl

request nonce
server sibyl

request nonce
nonce [n]
server sibyl

request nonce
nonce [n]
v1=RSAE(pwd:n)
v2=[stored]
m=nonce
server sibyl

request nonce
nonce [n]
v1=RSAE(pwd:n)
v2=[stored]
m=nonce
(m,v1,v2)
server sibyl

request nonce
nonce [n]
v1=RSAE(pwd:n)
v2=[stored]
m=nonce
(m,v1,v2)
decryptE(v1)
==
decryptE(v2)
server sibyl

request nonce
nonce [n]
v1=RSAE(pwd:n)
v2=[stored]
m=nonce
(m,v1,v2)
decryptE(v1)
==
decryptE(v2)
u=signS(m,OK/NOOK)
server sibyl

request nonce
nonce [n]
v1=RSAE(pwd:n)
v2=[stored]
m=nonce
(m,v1,v2)
decryptE(v1)
==
decryptE(v2)
u=signS(m,OK/NOOK)
u
server sibyl

request nonce
nonce [n]
v1=RSAE(pwd:n)
v2=[stored]
m=nonce
(m,v1,v2)
decryptE(v1)
==
decryptE(v2)
u=signS(m,OK/NOOK)
uverifyS(u)
server sibyl

request nonce
nonce [n]
v1=RSAE(pwd:n)
v2=[stored]
m=nonce
(m,v1,v2)
decryptE(v1)
==
decryptE(v2)
u=signS(m,OK/NOOK)
uverifyS(u)
server sibyl
two keys, two nonces [this is important]

a call to all developers

stop
the
nonsense

what we have
· device: bifferboard (essentially POC)
· sibyl server
· pam client: pam_sibyl.so
· demo client
· scripts [shadow ﬁle]⟹[sibyl ﬁle]

what we have
· device: bifferboard (essentially POC)
· sibyl server
· pam client: pam_sibyl.so
· demo client
will have: sql library, php module
· scripts [shadow ﬁle]⟹[sibyl ﬁle]

Thanks
demo time: welcome rafacas
www.thesibyl.net
Pedro Fortuny Ayuso (Uniovi)
Rafael Casado Sánchez (Freelance)
2011 - september - No cON Name

The Sibyl

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (6)

Similaire à The Sibyl

Similaire à The Sibyl (10)

Dernier

Dernier (20)

The Sibyl