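\input{configpres}
% ----------------------------
\title{Password Handling}
\maketitle
% ----------------------------
\begin{frame}
  \frametitle{Overview}
  \tableofcontents
\end{frame}
% ----------------------------
\subsection{Passwords}
% [fragile] is only required on frames that contain verbatim material; it is
% kept on the /etc/shadow frame below and dropped elsewhere.
\begin{frame}
  \frametitle{Passwords}
  \begin{itemize}
    \item Authorization
    \item Authentication
    \item Requirements
      \begin{itemize}
        \item do not use names, date of birth, \dots
        \item minimum length
        \item mixed case, symbols, numbers
        \item rotation
      \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
  \frametitle{Password strength I}
  \begin{itemize}
    \item crypt(3)
    \item namespace: \\ mixed alphanumeric + space
  \end{itemize}
  % Brute-force times as given on the original slide. The guess rate and
  % hardware they assume are not stated, so read the column as relative
  % growth with length rather than as absolute figures.
  {\scriptsize
    \begin{tabular}{rr}
      \textbf{length} & \textbf{time} \\
      \hline
      4: & 0d 00:00:39 \\
      5: & 0d 00:41:29 \\
      6: & 1d 19:33:37 \\
      7: & 114d 08:18:47 \\
      8: & 19 years \\
      9: & 1000 years \\
      \hline
    \end{tabular}
  }
\end{frame}
% ----------------------------
\begin{frame}
  \frametitle{Password strength II}
  \begin{itemize}
    \item crypt(3)
    \item compare length in different namespaces
  \end{itemize}
  % Same caveat as on the previous slide: relative comparison of namespaces.
  {\scriptsize
    \begin{tabular}{lrr}
      \textbf{namespace} & \textbf{length: 6} & \textbf{length: 7} \\
      \hline
      lower alpha & 0d 00:13:13 & 0d 05:43:38 \\
      mixed alpha & 0d 13:49:17 & 29d 22:42:58 \\
      \hline
      lower alphanum & 0d 01:32:06 & 2d 07:15:55 \\
      mixed alphanum & 1d 15:35:00 & 102d 06:10:11 \\
      \hline
      lower alphanum + symbol + space & 6d 00:47:04 & 1y 99d 06:36:11 \\
      mixed alphanum + symbol + space & 21d 05:22:32 & 5y 190d 01:38:24 \\
      \hline
    \end{tabular}
  }
\end{frame}
% ----------------------------
\subsection{Passphrases}
\begin{frame}
  \frametitle{Password vs.\ Passphrase}
  \begin{columns}[onlytextwidth]
    \begin{column}[t]{0.5\textwidth}
      Password
      \begin{itemize}
        \item require minimum length and variance
        \item large character namespace
        \item frequent rotation
        \item complex character sequences
        \item hard to remember
        \item Example: \textbf{meFx\_5}
        \item usual consequences:
          \begin{itemize}
            \item notes with passwords
            \item shared passwords
            \item password schemata
          \end{itemize}
      \end{itemize}
    \end{column}
    \begin{column}[t]{0.5\textwidth}
      Passphrase
      \begin{itemize}
        % ">" must be in math mode: in text mode (OT1 encoding) it is
        % typeset as an inverted exclamation mark.
        \item often $>$ 10 characters
        \item mixed characters and spaces
        \item complex character sequence (attacker point of view)
        \item easy to remember (user point of view)
        \item Example: \\ \textbf{Sicher ist sicher} \\ (length: 17, mixed alpha, spaces)
        \item Better: \\ \textbf{Th1s IS\_my\_buildserver!} \\ (length: 23, mixed alpha, space, symbols, non-dictionary)
      \end{itemize}
    \end{column}
  \end{columns}
\end{frame}
% ----------------------------
\subsection{Salt and Pepper}
\begin{frame}
  \frametitle{Salt}
  \begin{itemize}
    \item Password storage requirements
      \begin{itemize}
        \item comparable (e.g.\ password validation)
        \item non-plaintext storage of passwords
        \item $\Rightarrow$ store hash values of the password
      \end{itemize}
    \item Problem
      \begin{itemize}
        \item duplicate passwords have the same hash
        \item rainbow-table attacks
      \end{itemize}
    \item Solution
      \begin{itemize}
        % The salt must be generated freshly for every stored password; a
        % salt shared between accounts defeats the duplicate-hash and
        % rainbow-table arguments made above.
        \item append some random data (per password) to the password
        \item stored hash: Hash(Password + Salt)
        \item password hash and salt are stored in the database
      \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile] % fragile: this frame contains a verbatim environment
  \frametitle{Salts in Password Shadow Database (/etc/shadow)}
  \begin{itemize}
    \item Format:
      \begin{itemize}
        % Field names reconstructed from the ID and SALT items below; in the
        % original source only the three separators ("$$$") survived.
        \item
\begin{verbatim}
$ID$SALT$HASH
\end{verbatim}
      \end{itemize}
    \item ID:
      \begin{itemize}
        \item 1: MD5
        \item 2a: Blowfish
        \item 5: SHA-256
        \item 6: SHA-512
      \end{itemize}
    \item SALT:
      % NOTE(review): in man 3 crypt the 22/43/86-character figures describe
      % the length of the encoded hash output for MD5/SHA-256/SHA-512, not of
      % the salt (the SHA-based IDs take a salt of at most 16 characters).
      % Verify against the man page and relabel the item if this is the case.
      \begin{itemize}
        \item 22 characters (MD5)
        \item 43 characters (SHA-256)
        \item 88 characters (SHA-512)
      \end{itemize}
    \item Source: man 3 crypt
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
  \frametitle{Pepper}
  \begin{itemize}
    \item random secret (system-local)
    \item combined with the password before salting/hashing
    \item not stored in the password database
    \item usual: HMAC to combine password and pepper
  \end{itemize}
\end{frame}
% ----------------------------
\subsection{Stretching}
\begin{frame}
  \frametitle{Key/Password Stretching}
  \begin{itemize}
    \item modify (stretch) the initial key/password
    \item use the stretched key/password for authentication
    \item stretch mechanism: HMAC, block-/stream cipher, hash
    \item Pros
      \begin{itemize}
        \item enhance short initial keys/passwords
        \item brute force on enhanced keys/passwords infeasible
      \end{itemize}
    \item Cons
      \begin{itemize}
        % Stretching raises the per-guess cost by a constant factor; it does
        % not change the size of the search space.
        \item knowledge of the stretching mechanism: only slows down brute force
      \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\subsection*{Summary}
\begin{frame}
  \frametitle{Summary}
  \begin{itemize}
    \item strong passwords: length and character namespace
    \item passphrase vs.\ password
    \item salt and pepper: increase password storage security
    \item stretching makes brute force harder
  \end{itemize}
\end{frame}
% ----------------------------
\subsection*{}
\input{tailpres}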