biometrics in network security - CiteSeerX

Published in: Kišasondi, Tonimir; Bača, Miroslav; Schatten, Markus: IMPROVING COMPUTER AUTHENTICATION SYSTEMS WITH BIOMETRIC TECHNOLOGIES // Information Systems Security, MIPRO 2006, 29th International Convention / Čišić, Dragan ; Hutinski, Željko ; Baranović, Mirta ; Sandri, Roberto (ur.). Rijeka : Croatian Society for Information and Communication Technology, 2006. 166-171

IMPROVING COMPUTER AUTHENTICATION SYSTEMS WITH BIOMETRIC TECHNOLOGIES

Tonimir Kišasondi, Miroslav Bača, Ph. D., Senior Lecturer, Markus Schatten, BSc
University of Zagreb, Faculty of Organization and Informatics
Pavlinska 2, 42000 Varaždin, Croatia
Telephone: ++385 42 213 777 Fax: ++385 42 213 413
E-mail: {tonimir.kisasondi;miroslav.baca;markus.schatten}@foi.hr

Abstract – In this paper we describe how user authentication methods based on hash functions like MD5, NT / NTLM and SHA-1 can be easily compromised. We used methods that utilize cryptanalytic tables based on time-memory tradeoff (TMTO) procedures and we analyzed certain limitations of this approach. We suggest improvements to this technique and additional concepts, like parallelized creation and querying of tables, which improve the speed and memory efficiency of the entire procedure. With those modifications a new concept for TMTO procedures is created. We also describe vulnerabilities based on physical access to a segment of a computer network infrastructure that can compromise almost any quasi-secure system. Regarding those vulnerabilities, we present a number of biometric authentication methods that can minimize or nullify these security risks.

1. INTRODUCTION

Hash functions present a method for creating digital “fingerprints”, or so-called message abstracts. That means that cryptographic functions are supposed to be irreversible and cannot be reverse engineered. Various cryptographic hash functions (see [10] and [11] for more information) are used for secure storage of passwords, for file integrity checking in some IDS systems and for validation or tamper proofing of files that are sent through various networks. Password authentication with hash functions is done by comparison of two hashed passwords. Hashing of passwords is done for security reasons, because hashed passwords can be transferred through insecure communication channels and they can be stored on insecure storage, since hash functions are irreversible. The authentication follows the scheme in Figure 1.

[Figure 1. Hash function operation (diagram elements: Plaintext Password, Hash function, Hashed Password, Comparison and authentication)]

There are two ways of compromising a cryptographic hash function. The most basic cryptanalytic attack is collision finding. Collision finding is a method in which we want to find two different plaintexts which, when hashed, give the same hash. If a collision is found in a hash function, the system is considered weakened or insecure, and a newer and stronger system is advised. Several works and “exploits” have been made for MD5 and other systems. (See [6], [5] and [2] respectively for more information on finding attacks on cryptographic hashes.)

The second attack on a cryptographic hash function is reverse engineering, in which we want to obtain a plaintext password from a cryptographic hash. The first method of reverse engineering a hash is a bruteforce attack, in which we check all possible combinations of hashed plaintexts against our obtained hash. That attack is inefficient and takes an extreme length of time for strong, nontrivial passwords. Bruteforce attacks are only feasible for birthday attacks, in which we only hash possible plaintext numerics in the hope that the user has a date, PIN or some weak numeric of about 8 characters as his chosen password.

The second attack uses special cryptanalytic tables based on designs from Oechslin (see [2] and [5] for more details on the original works). Those tables are based on the time-memory tradeoff concept. As an overall simplification, rainbow tables store plaintext and hash combinations, which speeds up the cracking process because the hashes are looked up. Two main factors are in proportion: the bigger the table we create, the less time is needed to crack a hash; the less memory we want to allocate, the slower the cracking process will be.

The third attack uses CRC (cyclic redundancy check) tables developed by [2]. This is a newer attack, and we present some modifications in order to speed up the table creation time and reduce the space needed for storing combinations.

The most popular cryptographic hash functions today are: MD5, SHA1, SHA256, SHA512, Tiger, Whirlpool, LM, NTLM, Cisco Pix hashes and RIPEMD. (See [10] and [11] for more info on these hash functions or refer to other RFCs.) All hashed passwords that utilize these methods can be reversed to their plaintext form in a short time span, depending on the disk space allocated. For example, the authors cracked a 6 length strong Windows XP NTLM password hash with upper and lower case alpha characters and numerics in approximately 3.04 seconds.

2. CRYPTANALYTIC ATTACKS USING CRYPTANALYTIC TABLES

The original method [2] uses a classical database for storing plaintexts and CRC-ed hashes. The plaintexts are in their normal form because they cannot be reduced. The reduction is made by CRCing the cryptographic hash: a 32 bit CRC is used to reduce the 128 bit MD5 hash. The plaintext set consists of 1-5 length upper and lowercase alphas with numerics and special characters, 6-7 length upper and lowercase alphas with numerics, and 8-10 length numerics only. The database is about 416 GB in size and a hash can be found in 0.20 seconds with 100% success if the hash is in the cryptanalytic interval. An approximated rainbow table of that database can be created with about 99.1 % success and about 0.19 seconds of cryptanalysis time on the first 1-5 segment. But as we try to get closer to those performance measures on the 6-7 segment of mixed alpha and numerics, the proportion of time / memory moves into infeasible regions. Smaller tables require enormous total computation times, measured in about 100 or more days, and fast tables require a ridiculous amount of disk space. In Table 1 we show some statistics of rainbow cracking methods and the respective total precomputation times that are needed to generate a table.

Len    Dataset    Success            Time
1-6    aA0        99,21%@2,3 GB      4 days
1-7    aA0        99,37%@113,3 GB    176 days
1-8    aA0        92,53%@3,5 TB      17 years
1-8    aA0        92,46%@1,7 TB      38 years
6-8    A0         97,59%@32 Gb       116 days

Table 1. Rainbow table effectiveness
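The fingerprint-table lookup of the original method described above (a table keyed by a CRC of the MD5 hash, with the plaintext as the second attribute), as an added example that is not code from the paper or from [2]. It shows why an unsalted hash is recovered by lookup with 100% success inside the dataset, and why the same table misses once a per-user salt is hashed with the password. Assumptions: the keyspace is every 4-digit PIN, the CRC is truncated to 12 bits so that fingerprint collisions occur on such a small keyspace, and the sample PIN, salt and function names are constructed for illustration.

```python
import hashlib
import zlib
from collections import defaultdict

FP_BITS = 12  # assumption: truncated CRC so collisions are visible on a tiny keyspace


def md5(data: bytes) -> bytes:
    """Full 128-bit MD5 digest of the input."""
    return hashlib.md5(data).digest()


def fingerprint(digest: bytes) -> int:
    """Reduce a full digest to a short, lossy key (CRC32 truncated to FP_BITS)."""
    return zlib.crc32(digest) & ((1 << FP_BITS) - 1)


def build_table(keyspace):
    """Precompute fingerprint -> [plaintexts]; the full digests are not stored."""
    table = defaultdict(list)
    for plaintext in keyspace:
        table[fingerprint(md5(plaintext))].append(plaintext)
    return table


def reverse(acquired: bytes, table):
    """Fetch candidates by fingerprint, then confirm against the full hash."""
    for candidate in table.get(fingerprint(acquired), []):
        if md5(candidate) == acquired:  # discards fingerprint collisions
            return candidate
    return None


def largest_bucket(table):
    """Largest number of plaintexts sharing one fingerprint."""
    return max(len(bucket) for bucket in table.values())


# Constructed keyspace: every 4-digit PIN, "0000" to "9999".
KEYSPACE = [f"{n:04d}".encode() for n in range(10_000)]
TABLE = build_table(KEYSPACE)

PIN = b"4821"                             # constructed sample secret
SALT = bytes.fromhex("a3f1c29e5b7d4410")  # constructed per-user salt

unsalted = md5(PIN)         # what an unsalted password store would hold
salted = md5(SALT + PIN)    # same secret, hashed together with the salt

if __name__ == "__main__":
    print("fingerprints:", len(TABLE), "largest bucket:", largest_bucket(TABLE))
    print("unsalted hash ->", reverse(unsalted, TABLE))
    print("salted hash   ->", reverse(salted, TABLE))
```

A salt only removes the benefit of precomputation; a keyspace this small can still be guessed directly, which is why password storage also relies on a deliberately slow hash function.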

From this table we can conclude that there is no sense in creating a full length character set table for absolutely all combinations from a certain dataset, and that smaller tables can be generated with intelligent design of tables and non-overlapping tables. CRC tables, on the other hand, have an advantage over rainbow tables. While rainbow tables are a probabilistic approach, CRC tables have a 100% chance of finding a hash if that hash is in the dataset. A CRC table has a simple construction. There are only two attributes in that relation. One is a simple “fingerprint” of a hash, which is a reduced CRC value of a full length hash, and the second attribute is the plaintext value of the CRC-ed hash in the original implementation. For small character sets CRC tables are infeasible, because rainbow tables have a better space / time ratio than CRC tables, but with longer plaintext lengths CRC tables have certain advantages, like 100% accuracy and a speed of cryptanalysis which is less than a few seconds. An example table from the original implementation is shown in Table 1.

3. IMPROVING AND OPTIMISING CRYPTANALYTIC ATTACKS

Since we think that the original implementation of CRC tables is inefficient, we present a number of improvements. The first one concerns the fingerprint of the hash. The original implementation uses a 32 bit CRC for the fingerprint. Since CRCs are a reduction, certain collisions will occur. By our calculations, on 92*10^9 rows, 23 collisions will occur. We suggest that the collision space must be expanded, since with a larger collision space the fingerprint is smaller and the table size is reduced. Since modern computers can fairly quickly calculate most of the common hash functions, a larger collision domain is a good way to reduce the disk space consumption of the classical CRC tables. In this procedure there will be a lot of collisions, and the searching process can be shown with a simple pseudocode.

ReverseMD5() {
    hash = Fingerprint(acquired);                // reduce the acquired hash to its fingerprint
    Set = Obtain_matching_plaintexts_of(hash);   // all plaintexts stored under that fingerprint
    foreach (plaintext from Set) {
        // confirm the candidate against the full acquired hash to discard collisions
        if (acquired == HashFunction(plaintext)) {
            Output_plaintext(plaintext);
        }
    }
}

The second improvement extends the range of cryptanalytic possibilities. We can easily add another attribute which will be a fingerprint for a second cryptographic hash. For example, an MD5, SHA-256 and LM table can be created in the same database! Classical rainbow tables are made only for a certain cryptographic hash, while our modified CRC tables can be created for any number of cryptographic hash systems, if the user can allocate enough storage space.

The third improvement focuses on the fingerprint function. The classic implementation uses a CRC to fingerprint a segment of the hash function. We think that this is not necessary, because the only feature the finished fingerprint should have is a high level of information entropy per byte. And since cryptographic hash functions have a high level of entropy, a simple reduction of each output from the hash function is sufficient. For example, a fingerprint reduction on the MD5 algorithm can be done by taking the first byte of each of its A, B, C and D output segments. This optimization is not mandatory, because its impact is only on the preprocessing time of the table, but a high entropy fingerprint function is preferable.

The fourth improvement is based on table distribution and droning. For this process the whole table is distributed over a set of clients, in which each client holds a fraction of the entire table. Droning is a process in which a certain machine is used without the owner’s knowledge or consent. Since original CRC tables are a simple database table, a DBMS can be exploited and a table can be created on that host. A simple SQL injection attack can also be used to drone a DBMS, or a database can be created with a compromised root account. If a certain host is droned, only table searching or disk space analysis can compromise this system. The tables and all hosts can be created and controlled like a botnet with a simple rootkit or a trojan horse. On the other hand, an organization that has a lot of computing resources, like a high number of client computers and servers, can easily aggregate them into a computing grid without complicated installs, using open source Linux live CD distributions like “Clusterix” that enable grid computing without installing an auxiliary operating system like the Linux “ROCKS” distribution. Another viable option is to create a custom client side application that controls a small DBMS on each client that the organization has. Each hash must be sent to all bots or clients on the network, and a client responds if it can reverse the hash using its table. For example, for a 500 computer organization, if about 5 gigabytes is allocated for each table per client, that is about 2,44 TB of allocated cryptanalysis space, which with our improvements can crack a good part of today’s hashes.

4. SECURE AUTHENTICATION WITH BIOMETRIC TECHNOLOGIES

Secure authentication of users with biometric characteristics allows a large range of possible uses and combinations. For that purpose we used a table for choosing the best biometric characteristic for network security. Researchers found that the best biometric characteristic for network security is the iris characteristic, so we will use it for our future model development.

Characteristic        Universality  Permanence  Collectibility  Acceptability  Features  Durability  Circumvention
Iris                  H             H           M               L              H         H           L
Thermogram            H             H           H               H              M         L           L
DNA                   H             H           L               L              H         H           L
Smell                 H             H           L               M              L         H           L
Retina                H             M           L               L              H         M           L
Palm-vein pattern     M             M           M               M              M         M           L
Ear                   M             H           M               H              M         H           M
Gait                  M             L           H               H              L         L           M
Fingerprint           M             H           M               M              H         H           M
Face                  H             L           H               H              L         M           H
Signature             L             L           H               H              L         L           H
Palm geometry         M             M           H               M              M         M           M
Voice                 M             L           M               H              L         L           H
Keystroke dynamics    L             L           M               M              L         L           M

Table 2. Biometric features in network security process

We can also use thermograms or DNA extraction, but the hardware expenses for that type of equipment are much bigger than the hardware expenses for iris scanners.

5. LOSS OF SECURITY DUE TO PHYSICAL ACCESS TO COMPONENTS OF A COMPUTER NETWORK INFRASTRUCTURE

Physical access to components of computer infrastructure can be devastating from a security viewpoint. There are several physical devices that can compromise the security of any network if we exclude physical access to computers or network components. Most physical security vulnerabilities rest on the fact that users don’t lock their workstation desktops, or on the fact that hard disks and other persistent storage devices can simply be stolen or altered on any authorized workstation in the computer system if they aren’t fully encrypted. Devices that can compromise the physical security of any complex are physical keyloggers, rogue clients and rogue wireless access points. Backdoors aren’t devices but can also easily compromise physical security.

5.1 Physical keyloggers

Physical keyloggers are devices that are connected directly between the communication port of the computer and the input connector of the keyboard, which is mostly a PS/2 port, but USB versions also exist. Keyloggers intercept all keyboard traffic that is sent to the computer, and they can capture all data that is entered with the keyboard. That means that all user passwords, e-mails and other entered data can be recovered by the attacker. Unlike software based keyloggers, physical keyloggers must be physically retrieved, which is a problem in some cases. Keyloggers simply have a microprocessor for interaction through a text editor and a memory chip (from 64Kb and up). The most popular freely available keyloggers today are KeyKatcher and KeyGhost. Those devices look like a small cylinder that is attached to one end of a keyboard cable. Since those devices can be found with a thorough examination of the client, there are versions that are concealed inside the keyboard casing. They can be simply defeated with the use of our proposed method.

Since keyboards encode each keypress with a specific code, the microprocessor of the keyboard can be scrambled to encode the keystrokes in one codepage, and the system can decode the keypresses in its own codepage (or with a custom built codepage for the client computer). Another simple trick is to use a different codepage or keyboard layout on the client computer. For example, a sniffing of the phrase „There are no secrets“ from a QWERTY keyboard in the DVORAK codepage is „Yd.p. ap. br o.jp.yo“. That effectively means that hardware keystroke loggers can be defeated with simple swaps or scrambles. The downside of this approach is that if we do not want to scramble the keyboard microprocessors and we want to utilize the cheapest alternative, we must utilize another codepage (for example DVORAK), which will be mostly rejected by users, despite the superiority of the layout compared to classical QWERTY. Also, statistical attacks can be used on this method, or attacks described in [9].

5.2 Rogue clients

Rogue clients are computers that are introduced into a computer network and are not sufficiently secured or contain unauthorized software. Those clients are mostly used by attackers to employ APR (ARP poison routing) and sniffing measures to collect network traffic from networks (like passwords, VOIP conversations, URLs, emails and other interesting data), or simply to access the computer network via SSH or some other secure remote connection. Rogue clients are usually laptops, mostly 10 inch or 12 inch models because of their size, or some sort of embedded clients that use 802.11 or GPRS / EDGE for communication with the attacker. Rogue clients are difficult to conceal but present the attacker with near-physical access to the computer network, and they present a serious security liability. Rogue clients can be found if a network subnet is swept for detection of active clients. Also, careful subnetting and IP configurations without DHCP can internally harden any network. As a more drastic measure, hardcoding ARP tables into network components can also be implemented together with MAC filtering, which is also best applied in 802.11 networks.

5.3 Rogue wireless access points

Rogue wireless access points are a security liability because an AP linked to a network segment virtually gives the attacker physical network access. Since 802.11 is as transparent for the attacker as if he were on a wired network, any attack on the network can be realized remotely. Rogue APs are mostly associated with rogue clients or can be implemented without a client. APs today are cheap and can utilize WPA, which is more secure than WEP, which can be cracked with the use of replay based attacks with traffic collection in about 10 to 20 minutes. This level of security is also a problem for any administrator who wants to shut down a rogue AP. If an AP uses WPA or WPA2, it must be physically located. The most popular methods for physical location include warwalking or wardriving. Warwalking or wardriving methods utilize wireless enabled devices for scanning wireless networks and collecting information about those networks, like SSID names, signal strength, encryption schemes etc. Since the only way to locate an AP is by its signal strength, such scans present a difficulty without GPS enabled devices for triangulation or mapping of signal locations. All methods of security against rogue clients can be employed against rogue APs, with additional methods of discovery by warwalking or wardriving.
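One way to automate the sweep-and-compare check that sections 5.2 and 5.3 rely on, as an added example that is not code from the paper: the result of a subnet sweep is compared with an inventory of authorized IP/MAC bindings, such as the one behind hardcoded ARP tables and MAC filters. The inventory format, the "IP MAC" line format, all addresses and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of authorized static bindings (IP -> MAC); assumed format.
AUTHORIZED = {
    "10.0.5.1": "00:11:22:33:44:01",
    "10.0.5.10": "00:11:22:33:44:10",
    "10.0.5.11": "00:11:22:33:44:11",
    "10.0.5.12": "00:11:22:33:44:12",
}

# Constructed sweep output, one "IP MAC" pair per line (not real captured data).
SWEEP = """
10.0.5.1    00:11:22:33:44:01
10.0.5.10   00-11-22-33-44-10
10.0.5.11   DE:AD:BE:EF:00:99
10.0.5.57   de:ad:be:ef:00:99
"""


def normalize_mac(mac):
    """Lower-case a MAC and unify '-' separators so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def parse_sweep(text):
    """Return [(ip, mac), ...] from whitespace-separated 'IP MAC' lines."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            pairs.append((fields[0], normalize_mac(fields[1])))
    return pairs


def audit_sweep(observed, authorized):
    """Compare observed bindings with the inventory and group the findings."""
    known_macs = {normalize_mac(m) for m in authorized.values()}
    ips_by_mac = defaultdict(list)
    findings = {"binding_mismatch": [], "unlisted_ip": [], "unknown_mac": set()}
    for ip, mac in observed:
        ips_by_mac[mac].append(ip)
        if mac not in known_macs:
            # Hardware that is not in the inventory: candidate rogue client or AP.
            findings["unknown_mac"].add(mac)
        if ip not in authorized:
            # Address outside the static plan (no DHCP is assumed on this subnet).
            findings["unlisted_ip"].append(ip)
        elif normalize_mac(authorized[ip]) != mac:
            # An authorized address answered from another MAC: spoofed or poisoned.
            findings["binding_mismatch"].append((ip, authorized[ip], mac))
    # One MAC answering for several IPs is a common side effect of ARP poisoning.
    findings["multi_ip_mac"] = {
        mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1
    }
    seen = {ip for ip, _ in observed}
    findings["not_seen"] = sorted(set(authorized) - seen)
    return findings


if __name__ == "__main__":
    for kind, items in audit_sweep(parse_sweep(SWEEP), AUTHORIZED).items():
        print(kind, items)
```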

5.4 Backdoors

“A backdoor is a mechanism surreptitiously introduced into a computer system to facilitate unauthorized access to the system” [7]. It is possible to install them for a variety of different services, but the most interesting for computer security are those which provide interactive access to a potential attacker. Intruders often install them to ease their subsequent return into the system after they have once compromised it. These mechanisms most often run over protocols such as Telnet, Rlogin and SSH for interactive access, or use servers such as SMTP, FTP or even Napster for non-interactive access. Once installed, backdoors are often difficult to detect, masked in non-suspicious traffic (steganography), on non-suspicious ports, or perhaps on well known ports but associated with a different service. Besides compromising the system on which the backdoor is installed, intruders can use backdoors to install so-called “stepping stones” to attack other computer systems while staying completely anonymous [8].

Intrusion detection systems (IDS) try to distinguish between legitimate and illegitimate traffic in the computer system (see [7] and [8]); they observe activities on a particular host or network (see [4]). With several methods an IDS tries to find out whether the security of the host is threatened (whether there is an attack) in order to initiate countermeasures afterwards. In the majority of cases, one of the main tasks is to analyze log files and react to the indication of an intrusion or of an illegal attempt by a user to augment his rights. Because of the extensive possibilities for attacking a PC or a network, there are different kinds of IDS (which can be combined systems), and they basically differ in the points where they control and what they control (information sources). Often the following categories are considered: (1) Host Based Intrusion Detection, (2) Network Intrusion Detection, (3) Network Node Intrusion Detection, (4) Application Based Intrusion Detection, (5) Stack Based Intrusion Detection, (6) Honeypot, and (7) Padded Cell Systems (see [2] for a detailed description).

Timing analysis of keystrokes (see [3] and [9]) is another interesting way of detecting backdoors which use steganographic communication channels. The idea is to augment traffic and analyze the possibility of keystrokes or typed messages, which could be an indication of a backdoor. Still, due to the unpredictable creativity of intruders, there is no such thing as a secure mechanism for detecting and destroying backdoors. Thus we present biometric technologies, which are a more secure way of backdoor prevention.

6. IMPROVING PHYSICAL SECURITY WITH USE OF BIOMETRIC TECHNOLOGIES

As we said in chapter 4, a model for improving physical security with biometric characteristics should preferably be developed with iris recognition, but for the most secure model we suggest a multimodal environment which includes some traditional soft biometric features (like weight or height) and some strong biometric characteristics (fingerprint and iris, for example). In that context we will create a multi-tiered security system. We will use iris characteristics to produce iris codes in combination with weight or any other soft biometric characteristic that is easily acquired. The given value is fed into a strong hash function [12] to produce a better (stronger) security model. Two or more characteristics simply present a salting model for our biometrically strengthened hash. Also, a primary “hard” characteristic is fixed in our hash, and the salt value is the one that is rotated, so each time a different salt is used. That means that the database has to have all possible combinations of salts and hashes generated (given up to 3 to 4 biometric characteristics for salts, this is not a problem). Values produced in that way can be used in passwords or in the transmission protection process in physical security biometric models, and can be simply extracted and cannot be easily compromised with rainbow tables, CRC tables and other civilian cryptanalysis methods.

7. CONCLUSION AND FUTURE RESEARCH

In conclusion we can say that today’s modern information systems depend on security, dependability and quality. Since the weakest links in information system security are passwords and vulnerable network systems, we tried to emphasize some modern ways of exploitation and suggested some corrections for those exploits that can better aid penetration testers. We also suggested some security measures that can drastically reduce the vulnerability risks associated with weak passwords. Since a hashed biometric characteristic can be easily acquired and cannot be forgotten, and is thus extremely difficult to reproduce, we think that in the future biometrics will be effectively used to protect our information systems.

BIBLIOGRAPHY

[1] Bača, M., Čubrilo, M., Rabuzin, K. (2005): Biometric in ITS security, IIS'05 Conference proceedings of 16th International Conference „Information and intelligent systems“, Varaždin, Croatia, pp. 285-291.
[2] Davis, Jason, Hisoka. Application of CRCs to TMTO. On-line: acquired: 21.1.2006
[3] Dawn, L, Song, D, Wagner, X. TIAN: Timing analysis of keystrokes and timing attacks on SSH, online: http://www.waycrest.co.uk/information/infosec/info/encryption/ssh-timing.pdf acquired 25.1.2006
[4] Müller, K.: IDS - Intrusion Detection System, on-line
[5] Hellman, M.E. (1980): A cryptanalytical time-memory trade off. IEEE Transactions on Information theory IT-26
[6] Oechslin, Philippe (2003): Making a Faster Cryptanalytic Time-Memory Trade-Off, Laboratorie de Securite et de Cryptographie (LASEC), Ecole Polytechnique Federale de Lausanne
[7] Zhang, Y., V. Paxson: Detecting Backdoors, on-line , acquired: 21.1.2006
[8] Zhang, Y., V. Paxson: Detecting Stepping Stones, on-line: , acquired: 25.1.2006
[9] Zalewski, Michal. Silence on the wire, a field guide to passive reconnaissance and indirect attacks. 2005, No Starch press.
[10] RFC 1321: The MD5 Message Digest algorithm
[11] RFC 3174: US Secure Hash Algorithm 1
[12] FIPS PUB – 180-2: SHA-512