% Shared beamer preamble/theme for this deck; lives in a separate file that is
% not part of this listing, so document class and loaded packages are not visible here.
\input{configpres}
% ----------------------------
\title{Password Handling}
\maketitle
% ----------------------------
\begin{frame}{Overview}
  % Agenda slide; the entries come from the \subsection commands that follow.
  \tableofcontents
\end{frame}
% ----------------------------
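\subsection{Passwords}
\begin{frame}[fragile]{Passwords}
  % Terminology first, then the classic composition rules for a password.
  \begin{itemize}
    \item Authorization
    \item Authentication
    \item Requirements
      \begin{itemize}
        \item do not use names, date of birth, \dots  % \dots instead of a raw "..."
        \item minimum length
        \item mixed case, symbols, numbers
        % NOTE(review): rotation is listed here as a requirement, while the
        % Password-vs-Passphrase slide lists "frequent rotation" among the causes
        % of written-down and shared passwords; consider framing it as a response
        % to suspected compromise rather than a blanket rule.
        \item rotation
      \end{itemize}
  \end{itemize}
\end{frame}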
% ----------------------------
\begin{frame}[fragile]{Password strength I}
  \begin{itemize}
    \item crypt(3)
    \item namespace: \\
      mixed alphanumeric + space
  \end{itemize}
  % Brute-force time as a function of password length for the namespace above.
  % NOTE(review): the guess rate, hardware and crypt(3) variant behind these
  % figures are not stated on the slide; read the rows as relative, not absolute.
  {\scriptsize
    \begin{tabular}{ r r }
      \textbf{length} & \textbf{time} \\
      \hline
      4: & 0d 00:00:39 \\
      5: & 0d 00:41:29 \\
      6: & 1d 19:33:37 \\
      7: & 114d 08:18:47 \\
      8: & 19 years \\
      9: & 1000 years \\
      \hline
    \end{tabular}
  }
\end{frame}
% ----------------------------
\begin{frame}[fragile]{Password strength II}
  \begin{itemize}
    \item crypt(3)
    \item compare length in different namespaces
  \end{itemize}
  % Fixed lengths (6 and 7) across growing character namespaces: each row
  % multiplies the search space, the two columns show the effect of one more character.
  % NOTE(review): as on the previous slide, the assumed guess rate is not given.
  {\scriptsize
    \begin{tabular}{ l | r r }
      \textbf{namespace} & \textbf{length: 6} & \textbf{length: 7} \\
      \hline
      lower alpha & 0d 00:13:13 & 0d 05:43:38 \\
      mixed alpha & 0d 13:49:17 & 29d 22:42:58 \\
      \hline
      lower alphanum & 0d 01:32:06 & 2d 07:15:55 \\
      mixed alphanum & 1d 15:35:00 & 102d 06:10:11 \\
      \hline
      lower alphanum + symbol + space & 6d 00:47:04 & 1y 99d 06:36:11 \\
      mixed alphanum + symbol + space & 21d 05:22:32 & 5y 190d 01:38:24 \\
      \hline
    \end{tabular}
  }
\end{frame}
% ----------------------------
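\subsection{Passphrases}
\begin{frame}[fragile]{Password vs. Passphrase}
  \begin{columns}[onlytextwidth]
    % Left column: classic password rules and what they tend to cause in practice.
    \begin{column}[t]{0.5\textwidth}
      Password
      \begin{itemize}
        \item require minimum length and variance
        \item large character namespace
        \item frequent rotation
        \item complex character sequences
        \item hard to remember
        \item Example: \textbf{meFx\_5}
        \item usual consequences:
          \begin{itemize}
            \item notes with passwords
            \item shared passwords
            \item password schemata
          \end{itemize}
      \end{itemize}
    \end{column}
    % Right column: passphrases; length comes from words rather than symbol soup.
    \begin{column}[t]{0.5\textwidth}
      Passphrase
      \begin{itemize}
        % ">" must be typeset in math mode: in text mode it prints as an
        % inverted question mark under the default OT1 font encoding.
        \item often $>$ 10 characters
        \item Mixed characters and spaces
        \item complex character sequence (attacker point of view)
        \item easy to remember (user point of view)
        % Three dictionary words; the "Better" example below adds digits,
        % symbols and a non-dictionary token.
        \item Example: \\
          \textbf{Sicher ist sicher} \\
          (length: 17, mixed alpha, spaces)
        \item Better: \\
          \textbf{Th1s IS\_my\_buildserver!} \\
          (length: 23, mixed alpha, space, symbols, non-dictionary)
      \end{itemize}
    \end{column}
  \end{columns}
\end{frame}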
% ----------------------------
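\subsection{Salt and Pepper}
\begin{frame}[fragile]{Salt}
  \begin{itemize}
    \item Password Storage Requirements
      \begin{itemize}
        \item comparable (e.g.\ Password validation)  % "e.g.\ " keeps the inter-word space
        \item non-plaintext storage of passwords
        \item $\rightarrow$ store Hash-Values of Password  % arrow glyph instead of "->"
      \end{itemize}
    \item Problem
      \begin{itemize}
        \item Duplicate Passwords have the same Hash
        \item Rainbow-Table Attacks
      \end{itemize}
    \item Solution
      \begin{itemize}
        \item Append some Random Data to Password
        \item Stored Hash: Hash(Password + Salt)
        % The salt is stored in the clear next to the hash, so it is not a secret:
        % it makes equal passwords hash differently and defeats precomputed tables.
        % A secret input is what the pepper on the following slide adds.
        \item Password-Hash and Salts are stored in Database
      \end{itemize}
  \end{itemize}
\end{frame}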
% ----------------------------
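\begin{frame}[fragile]{Salts in Password Shadow Database (/etc/shadow)}
  % Layout of a crypt(3) hash string as stored in the shadow file.
  \begin{itemize}
    \item Format:
      \begin{itemize}
        \item \begin{verbatim} $<ID>$<SALT>$<hashed password> \end{verbatim}
      \end{itemize}
    \item ID:
      \begin{itemize}
        \item 1: MD5
        \item 2a: Blowfish
        \item 5: SHA-256
        \item 6: SHA-512
      \end{itemize}
    % Lengths per the table in man 3 crypt (glibc): the SALT field is short
    % (8 or 16 characters); the long figures 22/43/86 are the encoded hash,
    % not the salt. The slide previously listed the hash lengths under SALT.
    \item SALT:
      \begin{itemize}
        \item up to 8 characters (MD5)
        \item up to 16 characters (SHA-256, SHA-512)
      \end{itemize}
    \item hashed password (encoded):
      \begin{itemize}
        \item 22 characters (MD5)
        \item 43 characters (SHA-256)
        \item 86 characters (SHA-512)
      \end{itemize}
    \item Source: man 3 crypt
  \end{itemize}
\end{frame}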
% ----------------------------
\begin{frame}[fragile]{Pepper}
  % A pepper is one site-wide secret, in contrast to the per-entry, public salt.
  \begin{itemize}
    \item random Secret (System-local)
    \item Combine with Password before Salt/Hash
    % Kept apart from the hashes; presumably so that a copy of the password
    % database alone is not enough to verify guesses offline -- confirm in talk.
    \item Not stored in Password-Database
    \item usual: HMAC to combine Password and Pepper
  \end{itemize}
\end{frame}
% ----------------------------
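\subsection{Stretching}
\begin{frame}[fragile]{Key/Password Stretching}
  \begin{itemize}
    \item Modify (stretch) initial Key/Password
    \item Use stretched Key/Password for Authentication
    \item Stretch Mechanism: HMAC, Block-/Stream-Cipher, Hash
    \item Pros
      \begin{itemize}
        \item Enhance short initial Keys/Password
        \item Brute Force on enhanced Keys/Passwords infeasible
      \end{itemize}
    \item Cons
      \begin{itemize}
        % An attacker who knows the stretching function still searches only the
        % original (short) password space; stretching raises the cost per guess
        % but does not enlarge that space.
        \item Knowledge of Stretching Mechanism only slows down Brute Force
      \end{itemize}
  \end{itemize}
\end{frame}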
% ----------------------------
\subsection*{Summary}
\begin{frame}[fragile]{Summary}
  % One line per preceding subsection, in deck order.
  \begin{itemize}
    \item Strong Passwords: Length and Char Namespace
    \item Passphrase vs. Password
    \item Salt and Pepper: increase Password Storage Security
    \item Stretching makes Brute Force harder
  \end{itemize}
\end{frame}
% ----------------------------
% Empty starred subsection, presumably to close the last section before the
% shared closing slides; tailpres is not part of this listing.
\subsection*{}
\input{tailpres}