Diffstat (limited to 'security')
| -rw-r--r-- | security/basics/Makefile | 1 | ||||
| -rw-r--r-- | security/basics/pres_password_en.tex | 218 |
2 files changed, 219 insertions, 0 deletions
diff --git a/security/basics/Makefile b/security/basics/Makefile
index cee6a61..dacfae7 100644
--- a/security/basics/Makefile
+++ b/security/basics/Makefile
@@ -1 +1,2 @@
 obj-$(CONFIG_SECURITY_BASICS_CONCEPT) += pres_concept.pdf
+obj-$(CONFIG_SECURITY_BASICS_CONCEPT) += pres_password_en.pdf
diff --git a/security/basics/pres_password_en.tex b/security/basics/pres_password_en.tex
new file mode 100644
index 0000000..a3a7ca9
--- /dev/null
+++ b/security/basics/pres_password_en.tex
@@ -0,0 +1,218 @@
+\input{configpres}
+
+% ----------------------------
+\title{Password Handling}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsection{Passwords}
+
+\begin{frame}[fragile]
+\frametitle{Passwords}
+\begin{itemize}
+\item Authorization
+\item Authentication
+\item Requirements
+ \begin{itemize}
+ \item do not use names, date of birth, ...
+ \item minimum length
+ \item mixed case, symbols, numbers
+ \item rotation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Password strength I}
+\begin{itemize}
+\item crypt(3)
+\item namespace: \\
+ mixed alphanumeric + space
+\end{itemize}
+{\scriptsize
+\begin{tabular}{ r r }
+ \textbf{length} & \textbf{time} \\
+ \hline
+ 4: & 0d 00:00:39 \\
+ 5: & 0d 00:41:29 \\
+ 6: & 1d 19:33:37 \\
+ 7: & 114d 08:18:47 \\
+ 8: & 19 years \\
+ 9: & 1000 years \\
+
+ \hline
+\end{tabular}
+}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Password strength II}
+\begin{itemize}
+\item crypt(3)
+\item compare length in different namespaces
+\end{itemize}
+{\scriptsize
+\begin{tabular}{ l | r r }
+ \textbf{namespace} & \textbf{length: 6} & \textbf{length: 7} \\
+ \hline
+ lower alpha & 0d 00:13:13 & 0d 05:43:38 \\
+ mixed alpha & 0d 13:49:17 & 29d 22:42:58 \\
+ \hline
+ lower alphanum & 0d 01:32:06 & 2d 07:15:55 \\
+ mixed alphanum & 1d 15:35:00 & 102d 06:10:11 \\
+ \hline
+ lower alphanum + symbol + space & 6d 00:47:04 & 1y 99d 06:36:11 \\
+ mixed alphanum + symbol + space & 21d 05:22:32 & 5y 190d 01:38:24 \\
+ \hline
+\end{tabular}
+}
+\end{frame}
+
+% ----------------------------
+\subsection{Passphrases}
+
+\begin{frame}[fragile]
+\frametitle{Password vs. Passphrase}
+\begin{columns}[onlytextwidth]
+ \begin{column}[t]{0.5\textwidth}
+ Password
+ \begin{itemize}
+ \item require minimum length and variance
+ \item large character namespace
+ \item frequent rotation
+ \item complex character sequences
+ \item hard to remember
+ \item Example: \textbf{meFx\_5}
+ \item usual consequences:
+ \begin{itemize}
+ \item notes with passwords
+ \item shared passwords
+ \item password schemata
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}[t]{0.5\textwidth}
+ Passphrase
+ \begin{itemize}
+ \item often > 10 characters
+ \item Mixed characters and spaces
+ \item complex character sequence (attacker point of view)
+ \item easy to remember (user point of view)
+ \item Example: \\
+ \textbf{Sicher ist sicher} \\
+ (length: 17, mixed alpha, spaces)
+ \item Better: \\
+ \textbf{Th1s IS\_my\_buildserver!} \\
+ (length: 23, mixed alpha, space, symbols, non-dictionary)
+ \end{itemize}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% ----------------------------
+\subsection{Salt and Pepper}
+
+\begin{frame}[fragile]
+\frametitle{Salt}
+\begin{itemize}
+\item Password Storage Requirements
+ \begin{itemize}
+ \item comparable (e.g. Password validation)
+ \item non-plaintext storage of passwords
+ \item -> store Hash-Values of Password
+ \end{itemize}
+\item Problem
+ \begin{itemize}
+ \item Duplicate Passwords has same Hash
+ \item Rainbow-Table Attacks
+ \end{itemize}
+\item Solution
+ \begin{itemize}
+ \item Append some Random Data to Password
+ \item Stored Hash: Hash(Password + Salt)
+ \item Password-Hash and Salts are stored in Database
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Salts in Password Shadow Database (/etc/shadow)}
+\begin{itemize}
+\item Format:
+ \begin{itemize}
+ \item \begin{verbatim} $<ID>$<SALT>$<hashed password> \end{verbatim}
+ \end{itemize}
+\item ID:
+ \begin{itemize}
+ \item 1: MD5
+ \item 2a: Blowfish
+ \item 5: SHA-256
+ \item 6: SHA-512
+ \end{itemize}
+\item SALT:
+ \begin{itemize}
+ \item 22 characters (MD5)
+ \item 43 characters (SHA-256)
+ \item 88 characters (SHA-512)
+ \end{itemize}
+\item Source: man 3 crypt
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Pepper}
+\begin{itemize}
+\item random Secret (System-local)
+\item Combine with Password before Salt/Hash
+\item Not stored in Password-Database
+\item usual: HMAC to combine Password and Pepper
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection{Stretching}
+
+\begin{frame}[fragile]
+\frametitle{Key/Password Stretching}
+\begin{itemize}
+\item Modify (stretch) initial Key/Password
+\item Use stretched Key/Password for Authentication
+\item Stretch Mechanism: HMAC, Block-/Stream-Cipher, Hash
+\item Pros
+ \begin{itemize}
+ \item Enhance short initial Keys/Password
+ \item Brute Force on enhanced Keys/Passwords infeasible
+ \end{itemize}
+\item Cons
+ \begin{itemize}
+ \item Knowledge of Stretching Mechanism only slow down Brute Force
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection*{Summary}
+
+\begin{frame}[fragile]
+\frametitle{Summary}
+\begin{itemize}
+\item Strong Passwords: Length and Char Namespace
+\item Passphrase vs. Password
+\item Salt and Pepper: increase Password Storage Security
+\item Stretching makes Brute Force harder
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres} |
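Review bot: The three bullets under `\item SALT:` on the "/etc/shadow" slide give the length of the encoded hash part, not of the salt, and the SHA-512 figure is off: as far as I recall the cited crypt(3) man page, the salt after the second `$` is at most 16 characters (the MD5 method uses at most 8), while the fixed hash part is 22 (MD5), 43 (SHA-256) and 86 (SHA-512) characters. I would replace the three items with `\item up to 16 characters (MD5: up to 8)` and add a separate `\item hash part: 22 (MD5), 43 (SHA-256), 86 (SHA-512) characters` so the slide matches its own "Source: man 3 crypt" line. On the "Salt" slide, `\item Append some Random Data to Password` should say the random value is generated per password (`\item Append a unique random value (per password) to the Password`), otherwise the "Duplicate Passwords has same Hash" problem listed above it is not actually addressed. The crack-time tables on the two "Password strength" slides name no hardware, hash method or year, so they will age silently; a one-line footnote stating the measurement setup would keep them honest.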
