SlideShare ist ein Scribd-Unternehmen logo

Password based cryptography

I
Ishraq Al Fataftah
Technologie
1 von 20
Password-based Cryptography 1 PRESENTED BY ISHRAQ FATAFTAH
Agenda 2  Introduction.  Security attacks.  Password-based cryptography.  Common countermeasures against dictionary attacks.  Conclusion.
Introduction 3  Passwords are the most common method of authentication.  Consists of a string of characters to gain access to resources.  Usually, passwords are human memorable that considered as a vulnerability in security.  Passwords are derived from a small domain.
Introduction 4  Password creation rules have been enforced to increase the quality of passwords like:  Letters and numeric.  Non-alphanumeric characters.  Passphrases.  Symbols.  Increased password length.
Well Known Passwords attacks 5  Guessing attacks.  Brute force attack (Rainbow).  Dictionary attacks.  Online dictionary attacks.  Offline dictionary attacks.  Resetting attacks.  Replay attacks.  Syllable attacks.  Social engineering and shoulder surfing.
Password based Cryptography 6  Attempt to derive security key directly from passwords.  Some processing are needed to turn passwords into security keys.  Password based authentication techniques.  The use of iteration count.  Construct key derivation function.
Password based Authentication 7  System and user agree on a list of passwords.
Password based Authentication using Hashes 8  A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum.  Hash functions should be:  Easy to compute the hash value for any given message.  Infeasible to find a message that has a given hash.  Infeasible to modify a message without changing its hash.  Infeasible to find two different messages with the same hash.
Password based Authentication using Hashes 9  System hashes user password.
Password based Authentication using Hashes 10  Using Dictionary attacks that uses hashes of dictionary words.  Attacker might not know the exact hash function used, which means they must attempt each dictionary word for each hash function they’re considering.
Password based Authentication using Salts 11  8 Byte random number.  DK = KDF (P, S)  Producing a large set of keys corresponding to a given password.  Benefits:  Difficult to pre compute all keys corresponding to a dictionary of password by attacker.  It is unlikely to select the same key twice.
Password based Authentication using Salts 12  System salts user password.
Password based Authentication using Salts 13  What if passwords+salt was input to a hash function?  Not one hash for a given dictionary word.  There are as many different hashes as there are possible values for the salt.
Password based cryptography using Iteration count 14  Increasing the cost of producing keys from a password.  Using fixed number C with Password Random Function (PRF).  As number of iteration increases, as the cost of exhaustive search for passwords increases.  Minimum of 1000 iteration is recommended.
Password-based key derivation 15  A key derivation function produces a derived key from a base key and other parameters.  The base key is a password and the other parameters are a salt value and an iteration count.
Password-based key derivation 16  Key derivation algorithm:  Select a salt S and an iteration count c.  Select a length in octets for the derived key.  Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.  Output the derived key.  y = F(p, s, c)
Common countermeasures against online dictionary attacks 17  Delayed response.  Prevent attacker from checking many passwords in a short time.  Account locking.  Both insufficient in network environment.  Pricing via processing.  Use of Captcha.
Common countermeasures against offline dictionary attacks 18  Can be easily prevented using Public key cryptography.  First password based authentication protocol secure against offline dictionary attacks, called EKE.  Encrypted Key Exchange , one party encrypts a (one- time) public key using a password, and sends it to a second party, who decrypts it and uses it to negotiate a shared key with the first party.
Common countermeasures against offline dictionary attacks 19  Password authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party cannot participate in the method and is constrained as much as possible from guessing the password.  Zero-Knowledge Concepts.
Conclusion 20  Data has nowadays become our most valuable asset which needs to be protected at any cost.  Most common authentication techniques are passwords.  Human-memorable passwords are vulnerable to attacks.  Authentication techniques requires substantial change in their infrastructure.  There is no satisfactory means to counter password attacks.

Empfohlen

Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptographyCysinfo Cyber Security Community
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 
Elgamal Digital Signature
Elgamal Digital SignatureElgamal Digital Signature
Elgamal Digital SignatureSou Jana
 
Cryptography
CryptographyCryptography
CryptographyDarshini Parikh
 
Cryptography and Network Security
Cryptography and Network SecurityCryptography and Network Security
Cryptography and Network SecurityPa Van Tanku
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 

Empfohlen

Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptographyCysinfo Cyber Security Community
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 
Elgamal Digital Signature
Elgamal Digital SignatureElgamal Digital Signature
Elgamal Digital SignatureSou Jana
 
Cryptography
CryptographyCryptography
CryptographyDarshini Parikh
 
Cryptography and Network Security
Cryptography and Network SecurityCryptography and Network Security
Cryptography and Network SecurityPa Van Tanku
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 
Digital signature
Digital signatureDigital signature
Digital signatureMohanasundaram Nattudurai
 
Cryptography and applications
Cryptography and applicationsCryptography and applications
Cryptography and applicationsthai
 
Key management
Key managementKey management
Key managementSujata Regoti
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementationAkash Jadhav
 
Key Management and Distribution
Key Management and DistributionKey Management and Distribution
Key Management and DistributionSyed Bahadur Shah
 
Basic cryptography
Basic cryptographyBasic cryptography
Basic cryptographyPerfect Training Center
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniquesIGZ Software house
 
History of cryptography
History of cryptographyHistory of cryptography
History of cryptographyFarah Shaikh
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 CertificatesSou Jana
 
Cryptography
CryptographyCryptography
Cryptographyjayashri kolekar
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyBharat Kumar Katur
 
Ch13
Ch13Ch13
Ch13Joe Christensen
 
Caesar cipher
Caesar cipherCaesar cipher
Caesar cipherRamadhi Irawan
 
Message digest 5
Message digest 5Message digest 5
Message digest 5Tirthika Bandi
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital SignaturesEhtisham Ali
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
Hash Function
Hash FunctionHash Function
Hash FunctionSiddharth Srivastava
 
Cryptographic algorithms
Cryptographic algorithmsCryptographic algorithms
Cryptographic algorithmsAnamika Singh
 
Kerberos
KerberosKerberos
KerberosRafatSamreen
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attackslord
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authenticationFrank Denis
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cryptography and applications
Cryptography and applicationsCryptography and applications
Cryptography and applicationsthai
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementationAkash Jadhav
 
Key Management and Distribution
Key Management and DistributionKey Management and Distribution
Key Management and DistributionSyed Bahadur Shah
 
History of cryptography
History of cryptographyHistory of cryptography
History of cryptographyFarah Shaikh
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 CertificatesSou Jana
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital SignaturesEhtisham Ali
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
Cryptographic algorithms
Cryptographic algorithmsCryptographic algorithms
Cryptographic algorithmsAnamika Singh
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 

Was ist angesagt? (20)

Digital signature
Digital signatureDigital signature
Digital signature
 
Cryptography and applications
Cryptography and applicationsCryptography and applications
Cryptography and applications
 
Key management
Key managementKey management
Key management
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementation
 
Key Management and Distribution
Key Management and DistributionKey Management and Distribution
Key Management and Distribution
 
Basic cryptography
Basic cryptographyBasic cryptography
Basic cryptography
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
History of cryptography
History of cryptographyHistory of cryptography
History of cryptography
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 Certificates
 
Cryptography
CryptographyCryptography
Cryptography
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Ch13
Ch13Ch13
Ch13
 
Caesar cipher
Caesar cipherCaesar cipher
Caesar cipher
 
Message digest 5
Message digest 5Message digest 5
Message digest 5
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital Signatures
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptx
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Cryptographic algorithms
Cryptographic algorithmsCryptographic algorithms
Cryptographic algorithms
 
Kerberos
KerberosKerberos
Kerberos
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 

Ähnlich wie Password based cryptography

Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attackslord
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authenticationFrank Denis
 
Thesis presentation 14023164
Thesis presentation 14023164Thesis presentation 14023164
Thesis presentation 14023164Thivya Devaraj
 
Encrypted Negative Password using for Authentication
Encrypted Negative Password using for AuthenticationEncrypted Negative Password using for Authentication
Encrypted Negative Password using for Authenticationijtsrd
 
Cryptography summary
Cryptography summaryCryptography summary
Cryptography summaryNi
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.ppt08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.pptajajkhan16
 
08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.ppt08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.pptLavkushGupta12
 
Basic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSSBasic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSSSURBHI SAROHA
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsGreat Wide Open
 
A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...pankaj kumari
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?EC-Council
 
Security via Java
Security via JavaSecurity via Java
Security via JavaBahaa Zaid
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 

Ähnlich wie Password based cryptography (20)

Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attacks
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
 
Thesis presentation 14023164
Thesis presentation 14023164Thesis presentation 14023164
Thesis presentation 14023164
 
Encrypted Negative Password using for Authentication
Encrypted Negative Password using for AuthenticationEncrypted Negative Password using for Authentication
Encrypted Negative Password using for Authentication
 
Cryptography summary
Cryptography summaryCryptography summary
Cryptography summary
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
is 2.pptx
is 2.pptxis 2.pptx
is 2.pptx
 
08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.ppt08 MK-PPT Advanced Topic 2.ppt
08 MK-PPT Advanced Topic 2.ppt
 
08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.ppt08 MK-PPT Advanced network security Topic 2.ppt
08 MK-PPT Advanced network security Topic 2.ppt
 
Basic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSSBasic Cryptography unit 4 CSS
Basic Cryptography unit 4 CSS
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 
A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...A comparative study of symmetric key algorithm des, aes and blowfish for vide...
A comparative study of symmetric key algorithm des, aes and blowfish for vide...
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 
Security via Java
Security via JavaSecurity via Java
Security via Java
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Cryptography
CryptographyCryptography
Cryptography
 

Mehr von Ishraq Al Fataftah

Towards scalable locationaware
Towards scalable locationawareTowards scalable locationaware
Towards scalable locationawareIshraq Al Fataftah
 
Publish subscribe model overview
Publish subscribe model overviewPublish subscribe model overview
Publish subscribe model overviewIshraq Al Fataftah
 
Requirement engineering evaluation
Requirement engineering evaluationRequirement engineering evaluation
Requirement engineering evaluationIshraq Al Fataftah
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANsIshraq Al Fataftah
 

Mehr von Ishraq Al Fataftah (9)

Towards scalable locationaware
Towards scalable locationawareTowards scalable locationaware
Towards scalable locationaware
 
Optimizing spatial database
Optimizing spatial databaseOptimizing spatial database
Optimizing spatial database
 
Malicious traffic
Malicious trafficMalicious traffic
Malicious traffic
 
Edge detection
Edge detectionEdge detection
Edge detection
 
Peer to-peer mobile payments
Peer to-peer mobile paymentsPeer to-peer mobile payments
Peer to-peer mobile payments
 
Publish subscribe model overview
Publish subscribe model overviewPublish subscribe model overview
Publish subscribe model overview
 
Requirement engineering evaluation
Requirement engineering evaluationRequirement engineering evaluation
Requirement engineering evaluation
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
Presentation skills
Presentation skillsPresentation skills
Presentation skills
 

Kürzlich hochgeladen

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

Password based cryptography

  • 1. Password-based Cryptography 1 PRESENTED BY ISHRAQ FATAFTAH
  • 2. Agenda 2  Introduction.  Security attacks.  Password-based cryptography.  Common countermeasures against dictionary attacks.  Conclusion.
  • 3. Introduction 3  Passwords are the most common method of authentication.  Consists of a string of characters to gain access to resources.  Usually, passwords are human memorable that considered as a vulnerability in security.  Passwords are derived from a small domain.
  • 4. Introduction 4  Password creation rules have been enforced to increase the quality of passwords like:  Letters and numeric.  Non-alphanumeric characters.  Passphrases.  Symbols.  Increased password length.
  • 5. Well Known Passwords attacks 5  Guessing attacks.  Brute force attack (Rainbow).  Dictionary attacks.  Online dictionary attacks.  Offline dictionary attacks.  Resetting attacks.  Replay attacks.  Syllable attacks.  Social engineering and shoulder surfing.
  • 6. Password based Cryptography 6  Attempt to derive security key directly from passwords.  Some processing are needed to turn passwords into security keys.  Password based authentication techniques.  The use of iteration count.  Construct key derivation function.
  • 7. Password based Authentication 7  System and user agree on a list of passwords.
  • 8. Password based Authentication using Hashes 8  A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum.  Hash functions should be:  Easy to compute the hash value for any given message.  Infeasible to find a message that has a given hash.  Infeasible to modify a message without changing its hash.  Infeasible to find two different messages with the same hash.
  • 9. Password based Authentication using Hashes 9  System hashes user password.
  • 10. Password based Authentication using Hashes 10  Using Dictionary attacks that uses hashes of dictionary words.  Attacker might not know the exact hash function used, which means they must attempt each dictionary word for each hash function they’re considering.
  • 11. Password based Authentication using Salts 11  8 Byte random number.  DK = KDF (P, S)  Producing a large set of keys corresponding to a given password.  Benefits:  Difficult to pre compute all keys corresponding to a dictionary of password by attacker.  It is unlikely to select the same key twice.
  • 12. Password based Authentication using Salts 12  System salts user password.
  • 13. Password based Authentication using Salts 13  What if passwords+salt was input to a hash function?  Not one hash for a given dictionary word.  There are as many different hashes as there are possible values for the salt.
  • 14. Password based cryptography using Iteration count 14  Increasing the cost of producing keys from a password.  Using fixed number C with Password Random Function (PRF).  As number of iteration increases, as the cost of exhaustive search for passwords increases.  Minimum of 1000 iteration is recommended.
  • 15. Password-based key derivation 15  A key derivation function produces a derived key from a base key and other parameters.  The base key is a password and the other parameters are a salt value and an iteration count.
  • 16. Password-based key derivation 16  Key derivation algorithm:  Select a salt S and an iteration count c.  Select a length in octets for the derived key.  Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.  Output the derived key.  y = F(p, s, c)
  • 17. Common countermeasures against online dictionary attacks 17  Delayed response.  Prevent attacker from checking many passwords in a short time.  Account locking.  Both insufficient in network environment.  Pricing via processing.  Use of Captcha.
  • 18. Common countermeasures against offline dictionary attacks 18  Can be easily prevented using Public key cryptography.  First password based authentication protocol secure against offline dictionary attacks, called EKE.  Encrypted Key Exchange , one party encrypts a (one- time) public key using a password, and sends it to a second party, who decrypts it and uses it to negotiate a shared key with the first party.
  • 19. Common countermeasures against offline dictionary attacks 19  Password authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party cannot participate in the method and is constrained as much as possible from guessing the password.  Zero-Knowledge Concepts.
  • 20. Conclusion 20  Data has nowadays become our most valuable asset which needs to be protected at any cost.  Most common authentication techniques are passwords.  Human-memorable passwords are vulnerable to attacks.  Authentication techniques requires substantial change in their infrastructure.  There is no satisfactory means to counter password attacks.

Hinweis der Redaktion

  1. The reasons for its wide use are easy to understand: it is mainly its user-friendliness that makes it an attractive choice. Users must remember just a password of their choice and store no other complicated data like long random keys or certificates.
  2. “rainbow” technique which employs precomputation to speed upthe process of cracking individual passwords.Dictionary attacks work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary.(1)On-line password guessing attacks: An attacker tries to use a guessed password to pass the verification of theauthentication server in an on-line manner. Generally, the authentication server can detect such an attack bynoticing continuous authentication failures.(2) Off-line password guessing attacks: An attacker eavesdrops communication messages during a protocol andstores them locally. Then he/she tries to find out the weak password by repeatedly guessing a possible passwordand verifying the correctness of the guess via the captured information in an off-line manner. In general,such an attack can be prevented only by carefully designing the protocol such that no verifiable informationcan be used by the attack to verify the correctness of one guess on password.Replay attacks:In this attack, an adversary tries to replay messages partially or completely obtained in previous communications.If he can impersonate other users or expose other secret that is sensitive and useful for further deceptions, byguessing attacks, known-plaintext attacks or other cryptographic analysis methods, then the protocol is said to bevulnerable to replay attacks.Syllable attack is combination of both brute force and dictionary attack. This cracking technique is used when the password is not an existing word.Rule Based Attack:This type of attack is used when attacker gets some information about the password. This is the most powerful attack because the cracker knows about the type of password. This technique involves use of brute force, dictionary and syllable attacks
  3. If they don’t compute those hashes on-the-fly, but keep a dictionary of precomputed hashes, then nothing is gained.
  4. Psedue random function
  5. If you don’t keep it a secret, at the very least you force the attacker to compute hashes on-the-fly rather than keeping a dictionary of precomputed hashes, which even for cheap hash functions will severely increase the amount of time required to get at your encrypted data.
  6. DOS attacks, customer services and server can handle a lot of parallel access.(Completely Automated Public Turing Test to tell Computers and Humans Apartrequires the party that makes the attempt to send a proofthat it invested some non-trivial computation time in constructingits request.As a specific examplein the context of preventing dictionary attacks, theserver could require that a login attempt is accompanied bya value x that satisfies the requirement, say, that the last20 bits of H(x,username,password,time-of-day) are all 0,where H is a hash function such as SHA. If we assume thatSHA behaves as a random function, then the attacker wouldneed to check on the average 219 values for x before it findsa value that satisfies the test. that The computation of xadds a relatively negligible overhead to a single login attempt,but can significantly slow down the operation of adictionary attack.