SlideShare ist ein Scribd-Unternehmen logo

Password based cryptography

I
Ishraq Al Fataftah
Technologie
1 von 20
Password-based Cryptography 1 PRESENTED BY ISHRAQ FATAFTAH
Agenda 2  Introduction.  Security attacks.  Password-based cryptography.  Common countermeasures against dictionary attacks.  Conclusion.
Introduction 3  Passwords are the most common method of authentication.  Consists of a string of characters to gain access to resources.  Usually, passwords are human memorable that considered as a vulnerability in security.  Passwords are derived from a small domain.
Introduction 4  Password creation rules have been enforced to increase the quality of passwords like:  Letters and numeric.  Non-alphanumeric characters.  Passphrases.  Symbols.  Increased password length.
Well Known Passwords attacks 5  Guessing attacks.  Brute force attack (Rainbow).  Dictionary attacks.  Online dictionary attacks.  Offline dictionary attacks.  Resetting attacks.  Replay attacks.  Syllable attacks.  Social engineering and shoulder surfing.
Password based Cryptography 6  Attempt to derive security key directly from passwords.  Some processing are needed to turn passwords into security keys.  Password based authentication techniques.  The use of iteration count.  Construct key derivation function.
Password based Authentication 7  System and user agree on a list of passwords.
Password based Authentication using Hashes 8  A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum.  Hash functions should be:  Easy to compute the hash value for any given message.  Infeasible to find a message that has a given hash.  Infeasible to modify a message without changing its hash.  Infeasible to find two different messages with the same hash.
Password based Authentication using Hashes 9  System hashes user password.
Password based Authentication using Hashes 10  Using Dictionary attacks that uses hashes of dictionary words.  Attacker might not know the exact hash function used, which means they must attempt each dictionary word for each hash function they’re considering.
Password based Authentication using Salts 11  8 Byte random number.  DK = KDF (P, S)  Producing a large set of keys corresponding to a given password.  Benefits:  Difficult to pre compute all keys corresponding to a dictionary of password by attacker.  It is unlikely to select the same key twice.
Password based Authentication using Salts 12  System salts user password.
Password based Authentication using Salts 13  What if passwords+salt was input to a hash function?  Not one hash for a given dictionary word.  There are as many different hashes as there are possible values for the salt.
Password based cryptography using Iteration count 14  Increasing the cost of producing keys from a password.  Using fixed number C with Password Random Function (PRF).  As number of iteration increases, as the cost of exhaustive search for passwords increases.  Minimum of 1000 iteration is recommended.
Password-based key derivation 15  A key derivation function produces a derived key from a base key and other parameters.  The base key is a password and the other parameters are a salt value and an iteration count.
Password-based key derivation 16  Key derivation algorithm:  Select a salt S and an iteration count c.  Select a length in octets for the derived key.  Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.  Output the derived key.  y = F(p, s, c)
Common countermeasures against online dictionary attacks 17  Delayed response.  Prevent attacker from checking many passwords in a short time.  Account locking.  Both insufficient in network environment.  Pricing via processing.  Use of Captcha.
Common countermeasures against offline dictionary attacks 18  Can be easily prevented using Public key cryptography.  First password based authentication protocol secure against offline dictionary attacks, called EKE.  Encrypted Key Exchange , one party encrypts a (one- time) public key using a password, and sends it to a second party, who decrypts it and uses it to negotiate a shared key with the first party.
Common countermeasures against offline dictionary attacks 19  Password authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party cannot participate in the method and is constrained as much as possible from guessing the password.  Zero-Knowledge Concepts.
Conclusion 20  Data has nowadays become our most valuable asset which needs to be protected at any cost.  Most common authentication techniques are passwords.  Human-memorable passwords are vulnerable to attacks.  Authentication techniques requires substantial change in their infrastructure.  There is no satisfactory means to counter password attacks.

Empfohlen

Hash Function
Hash Function Hash Function
Hash Function ssuserdfb2da
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA AlgorithmSrinadh Muvva
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownInformation Security Awareness Group
 
Ch03
Ch03Ch03
Ch03Joe Christensen
 
Cryptography
CryptographyCryptography
Cryptographysubodh pawar
 

Empfohlen

Hash Function
Hash Function Hash Function
Hash Function ssuserdfb2da
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA AlgorithmSrinadh Muvva
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownInformation Security Awareness Group
 
Ch03
Ch03Ch03
Ch03Joe Christensen
 
Cryptography
CryptographyCryptography
Cryptographysubodh pawar
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationRoman Oliynykov
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographySeema Goel
 
Cryptography
CryptographyCryptography
CryptographyDarshini Parikh
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithmArpana shree
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption StandardPrince Rachit
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardtarekiceiuk
 
Cryptography
CryptographyCryptography
CryptographyJens Patel
 
Cryptography
CryptographyCryptography
Cryptographyprasham95
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyPopescu Petre
 
Classical Encryption Techniques
Classical Encryption TechniquesClassical Encryption Techniques
Classical Encryption Techniquesuniversity of education,Lahore
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewMohamed Loey
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyMd. Afif Al Mamun
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryptionDR RICHMOND ADEBIAYE
 
cryptography
cryptographycryptography
cryptographyAbhijeet Singh
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attackslord
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authenticationFrank Denis
 

Weitere ähnliche Inhalte

Was ist angesagt?

Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationRoman Oliynykov
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographySeema Goel
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption StandardPrince Rachit
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardtarekiceiuk
 
Cryptography
CryptographyCryptography
Cryptographyprasham95
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyPopescu Petre
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewMohamed Loey
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyMd. Afif Al Mamun
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 

Was ist angesagt? (20)

Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption Standard
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standard
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Classical Encryption Techniques
Classical Encryption TechniquesClassical Encryption Techniques
Classical Encryption Techniques
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: Overview
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
cryptography
cryptographycryptography
cryptography
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 

Ähnlich wie Password based cryptography

Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attackslord
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authenticationFrank Denis
 
Thesis presentation 14023164
Thesis presentation 14023164Thesis presentation 14023164
Thesis presentation 14023164Thivya Devaraj
 
Encrypted Negative Password using for Authentication
Encrypted Negative Password using for AuthenticationEncrypted Negative Password using for Authentication
Encrypted Negative Password using for Authenticationijtsrd
 
Cryptography summary
Cryptography summaryCryptography summary
Cryptography summaryNi
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.ppt08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.pptajajkhan16
 
08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.ppt08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.pptLavkushGupta12
 
Basic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSSBasic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSSSURBHI SAROHA
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsGreat Wide Open
 
A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...pankaj kumari
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?EC-Council
 
Security via Java
Security via JavaSecurity via Java
Security via JavaBahaa Zaid
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 

Ähnlich wie Password based cryptography (20)

Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attacks
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
 
Thesis presentation 14023164
Thesis presentation 14023164Thesis presentation 14023164
Thesis presentation 14023164
 
Encrypted Negative Password using for Authentication
Encrypted Negative Password using for AuthenticationEncrypted Negative Password using for Authentication
Encrypted Negative Password using for Authentication
 
Cryptography summary
Cryptography summaryCryptography summary
Cryptography summary
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
is 2.pptx
is 2.pptxis 2.pptx
is 2.pptx
 
08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.ppt08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.ppt
 
08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.ppt08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.ppt
 
Basic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSSBasic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSS
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 
A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 
Security via Java
Security via JavaSecurity via Java
Security via Java
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Cryptography
CryptographyCryptography
Cryptography
 

Mehr von Ishraq Al Fataftah

Towards scalable locationaware
Towards scalable locationawareTowards scalable locationaware
Towards scalable locationawareIshraq Al Fataftah
 
Publish subscribe model overview
Publish subscribe model overviewPublish subscribe model overview
Publish subscribe model overviewIshraq Al Fataftah
 
Requirement engineering evaluation
Requirement engineering evaluationRequirement engineering evaluation
Requirement engineering evaluationIshraq Al Fataftah
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANsIshraq Al Fataftah
 

Mehr von Ishraq Al Fataftah (9)

Towards scalable locationaware
Towards scalable locationawareTowards scalable locationaware
Towards scalable locationaware
 
Optimizing spatial database
Optimizing spatial databaseOptimizing spatial database
Optimizing spatial database
 
Malicious traffic
Malicious trafficMalicious traffic
Malicious traffic
 
Edge detection
Edge detectionEdge detection
Edge detection
 
Peer to-peer mobile payments
Peer to-peer mobile paymentsPeer to-peer mobile payments
Peer to-peer mobile payments
 
Publish subscribe model overview
Publish subscribe model overviewPublish subscribe model overview
Publish subscribe model overview
 
Requirement engineering evaluation
Requirement engineering evaluationRequirement engineering evaluation
Requirement engineering evaluation
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
Presentation skills
Presentation skillsPresentation skills
Presentation skills
 

Kürzlich hochgeladen

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Kürzlich hochgeladen (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Password based cryptography

  • 1. Password-based Cryptography 1 PRESENTED BY ISHRAQ FATAFTAH
  • 2. Agenda 2  Introduction.  Security attacks.  Password-based cryptography.  Common countermeasures against dictionary attacks.  Conclusion.
  • 3. Introduction 3  Passwords are the most common method of authentication.  Consists of a string of characters to gain access to resources.  Usually, passwords are human memorable that considered as a vulnerability in security.  Passwords are derived from a small domain.
  • 4. Introduction 4  Password creation rules have been enforced to increase the quality of passwords like:  Letters and numeric.  Non-alphanumeric characters.  Passphrases.  Symbols.  Increased password length.
  • 5. Well Known Passwords attacks 5  Guessing attacks.  Brute force attack (Rainbow).  Dictionary attacks.  Online dictionary attacks.  Offline dictionary attacks.  Resetting attacks.  Replay attacks.  Syllable attacks.  Social engineering and shoulder surfing.
  • 6. Password based Cryptography 6  Attempt to derive security key directly from passwords.  Some processing are needed to turn passwords into security keys.  Password based authentication techniques.  The use of iteration count.  Construct key derivation function.
  • 7. Password based Authentication 7  System and user agree on a list of passwords.
  • 8. Password based Authentication using Hashes 8  A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum.  Hash functions should be:  Easy to compute the hash value for any given message.  Infeasible to find a message that has a given hash.  Infeasible to modify a message without changing its hash.  Infeasible to find two different messages with the same hash.
  • 9. Password based Authentication using Hashes 9  System hashes user password.
  • 10. Password based Authentication using Hashes 10  Using Dictionary attacks that uses hashes of dictionary words.  Attacker might not know the exact hash function used, which means they must attempt each dictionary word for each hash function they’re considering.
  • 11. Password based Authentication using Salts 11  8 Byte random number.  DK = KDF (P, S)  Producing a large set of keys corresponding to a given password.  Benefits:  Difficult to pre compute all keys corresponding to a dictionary of password by attacker.  It is unlikely to select the same key twice.
  • 12. Password based Authentication using Salts 12  System salts user password.
  • 13. Password based Authentication using Salts 13  What if passwords+salt was input to a hash function?  Not one hash for a given dictionary word.  There are as many different hashes as there are possible values for the salt.
  • 14. Password based cryptography using Iteration count 14  Increasing the cost of producing keys from a password.  Using fixed number C with Password Random Function (PRF).  As number of iteration increases, as the cost of exhaustive search for passwords increases.  Minimum of 1000 iteration is recommended.
  • 15. Password-based key derivation 15  A key derivation function produces a derived key from a base key and other parameters.  The base key is a password and the other parameters are a salt value and an iteration count.
  • 16. Password-based key derivation 16  Key derivation algorithm:  Select a salt S and an iteration count c.  Select a length in octets for the derived key.  Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.  Output the derived key.  y = F(p, s, c)
  • 17. Common countermeasures against online dictionary attacks 17  Delayed response.  Prevent attacker from checking many passwords in a short time.  Account locking.  Both insufficient in network environment.  Pricing via processing.  Use of Captcha.
  • 18. Common countermeasures against offline dictionary attacks 18  Can be easily prevented using Public key cryptography.  First password based authentication protocol secure against offline dictionary attacks, called EKE.  Encrypted Key Exchange , one party encrypts a (one- time) public key using a password, and sends it to a second party, who decrypts it and uses it to negotiate a shared key with the first party.
  • 19. Common countermeasures against offline dictionary attacks 19  Password authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party cannot participate in the method and is constrained as much as possible from guessing the password.  Zero-Knowledge Concepts.
  • 20. Conclusion 20  Data has nowadays become our most valuable asset which needs to be protected at any cost.  Most common authentication techniques are passwords.  Human-memorable passwords are vulnerable to attacks.  Authentication techniques requires substantial change in their infrastructure.  There is no satisfactory means to counter password attacks.

Hinweis der Redaktion

  1. The reasons for its wide use are easy to understand: it is mainly its user-friendliness that makes it an attractive choice. Users must remember just a password of their choice and store no other complicated data like long random keys or certificates.
  2. “rainbow” technique which employs precomputation to speed upthe process of cracking individual passwords.Dictionary attacks work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary.(1)On-line password guessing attacks: An attacker tries to use a guessed password to pass the verification of theauthentication server in an on-line manner. Generally, the authentication server can detect such an attack bynoticing continuous authentication failures.(2) Off-line password guessing attacks: An attacker eavesdrops communication messages during a protocol andstores them locally. Then he/she tries to find out the weak password by repeatedly guessing a possible passwordand verifying the correctness of the guess via the captured information in an off-line manner. In general,such an attack can be prevented only by carefully designing the protocol such that no verifiable informationcan be used by the attack to verify the correctness of one guess on password.Replay attacks:In this attack, an adversary tries to replay messages partially or completely obtained in previous communications.If he can impersonate other users or expose other secret that is sensitive and useful for further deceptions, byguessing attacks, known-plaintext attacks or other cryptographic analysis methods, then the protocol is said to bevulnerable to replay attacks.Syllable attack is combination of both brute force and dictionary attack. This cracking technique is used when the password is not an existing word.Rule Based Attack:This type of attack is used when attacker gets some information about the password. This is the most powerful attack because the cracker knows about the type of password. This technique involves use of brute force, dictionary and syllable attacks
  3. If they don’t compute those hashes on-the-fly, but keep a dictionary of precomputed hashes, then nothing is gained.
  4. Psedue random function
  5. If you don’t keep it a secret, at the very least you force the attacker to compute hashes on-the-fly rather than keeping a dictionary of precomputed hashes, which even for cheap hash functions will severely increase the amount of time required to get at your encrypted data.
  6. DOS attacks, customer services and server can handle a lot of parallel access.(Completely Automated Public Turing Test to tell Computers and Humans Apartrequires the party that makes the attempt to send a proofthat it invested some non-trivial computation time in constructingits request.As a specific examplein the context of preventing dictionary attacks, theserver could require that a login attempt is accompanied bya value x that satisfies the requirement, say, that the last20 bits of H(x,username,password,time-of-day) are all 0,where H is a hash function such as SHA. If we assume thatSHA behaves as a random function, then the attacker wouldneed to check on the average 219 values for x before it findsa value that satisfies the test. that The computation of xadds a relatively negligible overhead to a single login attempt,but can significantly slow down the operation of adictionary attack.