CEG3900 Passwords

Table of Contents

Abstract: This chapter is about how computer systems authenticate users. We focus on the password system of Linux in detail and that of Windows briefly. Cryptography forms the backbone of any password system. We sketch the password cracking procedures and describe lab experiments that use well-known cracking tools.

In the CEG 3900 Mobile Cloud Computing course, our focus is on using the mobile device as a front end to heavy computation and large data sets in the cloud. We use password cracking as the worked example.

1 Educational Objectives

Students should be able to

  1. Recognize the limitations of the typical password schemes
  2. Sketch the cracking algorithms, and use cracking tools

2 Passwords, Hashing, Salting

2.1 User Authentication Approaches

  1. Authentication of Users, Services, Servers, Documents, …
  2. User Authentication Approaches
  3. What You Know
  4. What You Have
  5. What You Are
  6. Password Verification Services
  7. One Time Password (OTP) Authentication
  8. Two Factor Authentication
  9. Choosing good passwords, What are weak passwords?
  10. ./passwords.html All the above

2.2 Linux Passwords Overview

  1. Cryptography, MD5, SHA1 Digests
  2. DES-based crypt(3) Hashing of Passwords
  3. The Linux Password Shadow System
  4. Pluggable Authentication Modules (PAM)
  5. ./passwords-linux.html All the above

2.3 Windows Passwords Overview

2.4 Concepts Behind Password Storage

  1. ./hash-functions.html Hash Functions
  2. ./salted-hashes.html Salted Hashes

3 Password Cracking

3.1 Password Cracking Ideas

  1. Social Engineering
  2. Causing a Password Reset
  3. Fooling Fingerprint Readers
  4. Dictionary Attack
  5. Cracking Services
  6. ./cracking-tools.html All the above
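The salted-hash storage listed under 2.4 and the dictionary attack of 3.1, as an added example that is not part of the course page: a pure-Python sha512crypt ($6$), the hash used in modern Linux /etc/shadow, written from the glibc algorithm and checked against the test vector published in Drepper's specification, then run over constructed shadow lines. The user names, salts and word list below are constructed for the example; the salts are fixed so the output is reproducible, whereas a real passwd utility draws them from /dev/urandom. Python's own crypt module is not used because it was removed in Python 3.13.

```python
import hashlib

# crypt(3)'s own base64 alphabet (not the RFC 4648 one).
CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Published test vector from the sha512crypt specification (Drepper, 2007).
TEST_VECTOR = ("Hello world!", "saltstring",
               "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """sha512crypt ($6$) as implemented in glibc: the hash behind modern /etc/shadow."""
    pw = password.encode()
    salt_b = salt.split("$")[0].encode()[:16]    # glibc uses at most 16 salt characters
    n, sl = len(pw), len(salt_b)
    digest_b = hashlib.sha512(pw + salt_b + pw).digest()
    a = hashlib.sha512(pw + salt_b)
    a.update(digest_b * (n // 64) + digest_b[: n % 64])
    i = n
    while i > 0:                     # one step per bit of the password length
        a.update(digest_b if i & 1 else pw)
        i >>= 1
    digest_a = a.digest()
    dp = hashlib.sha512(pw * n).digest()
    p = (dp * (n // 64 + 1))[:n]                 # password-derived bytes, length n
    ds = hashlib.sha512(salt_b * (16 + digest_a[0])).digest()
    s = (ds * (sl // 64 + 1))[:sl]               # salt-derived bytes, length sl
    c = digest_a
    for r in range(rounds):                      # the cost loop, 5000 rounds by default
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    # Emit the 64 result bytes in crypt's fixed permutation, 3 bytes -> 4 characters.
    out = []
    for k in range(21):
        b2, b1, b0 = c[22 * k % 63], c[(21 + 22 * k) % 63], c[(42 + 22 * k) % 63]
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(4):
            out.append(CRYPT_B64[w & 0x3F])
            w >>= 6
    w = c[63]
    for _ in range(2):
        out.append(CRYPT_B64[w & 0x3F])
        w >>= 6
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt_b.decode() + "$" + "".join(out)


def parse_shadow(line: str):
    """Split one /etc/shadow line into (user, salt, rounds, hash) for a $6$ entry."""
    user, field = line.split(":")[:2]
    parts = field.split("$")                  # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError(f"{user}: not a sha512crypt entry")
    rounds, idx = 5000, 2
    if parts[idx].startswith("rounds="):
        rounds, idx = int(parts[idx][7:]), idx + 1
    return user, parts[idx], rounds, parts[idx + 1]


def dictionary_attack(shadow_lines, wordlist):
    """Hash every candidate word with each user's own salt; return {user: password}."""
    found = {}
    for line in shadow_lines:
        user, salt, rounds, target = parse_shadow(line)
        for word in wordlist:
            if sha512_crypt(word, salt, rounds).rsplit("$", 1)[1] == target:
                found[user] = word
                break
    return found


def shadow_line(user: str, password: str, salt: str) -> str:
    return f"{user}:{sha512_crypt(password, salt)}:19000:0:99999:7:::"


# Constructed sample entries (not from a real system). Salts are fixed here so
# the output is reproducible; a real passwd utility draws them from /dev/urandom.
SHADOW = [
    shadow_line("alice", "letmein", "x9Qk3mZp"),
    shadow_line("bob", "letmein", "T4rLw2vN"),      # same password, different salt
    shadow_line("carol", "Tr0ub4dor&3", "Hh7pQz1e"),
]
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]

if __name__ == "__main__":
    assert sha512_crypt(TEST_VECTOR[0], TEST_VECTOR[1]) == TEST_VECTOR[2]
    for line in SHADOW:
        print(line)
    print(dictionary_attack(SHADOW, WORDLIST))
```

Note that alice and bob share a password yet their stored hashes differ, so a table of precomputed sha512crypt hashes is of no use against a shadow file; each guess must be recomputed per user, at a cost of 5000 SHA-512 compressions, which is the per-guess price a cracking tool has to pay.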

3.2 Rainbow Tables
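The time-memory trade-off behind rainbow tables, as an added example that is not part of the course page: a toy table over 4-digit PINs hashed with unsalted MD5. The key space, chain length, chain count and start points are constructed for the example; the reduction function is a hypothetical one chosen for simplicity. Only chain endpoints are stored, and a lookup reduces the target hash at each possible column and walks forward until it hits a stored endpoint, then regenerates that chain to confirm the preimage.

```python
import hashlib

# Toy parameters: 4-digit PINs hashed with unsalted MD5. The point is the
# time-memory trade-off, not the hash: m endpoints are stored instead of all
# 10 000 hash/plaintext pairs, at a cost of about t^2/2 hashes per lookup.
SPACE = 10_000     # key space: "0000" .. "9999"
CHAIN_LEN = 50     # t, hashes per chain
N_CHAINS = 600     # m, chains stored


def md5_hex(pin: str) -> str:
    return hashlib.md5(pin.encode()).hexdigest()


def reduce_fn(digest_hex: str, column: int) -> str:
    """Reduction R_column: map a digest back into the key space (hypothetical choice).
    Mixing in the column index makes the reduction differ per column, which is
    what distinguishes a rainbow table from Hellman's original chains."""
    return f"{(int(digest_hex[:8], 16) + column) % SPACE:04d}"


def build_table() -> dict:
    """Return {endpoint: start}; intermediate values are recomputed on demand."""
    table = {}
    for i in range(N_CHAINS):
        start = f"{(i * 7919) % SPACE:04d}"   # deterministic start points (constructed)
        x = start
        for column in range(CHAIN_LEN):
            x = reduce_fn(md5_hex(x), column)
        table.setdefault(x, start)            # keep the first chain when two merge
    return table


def lookup(table: dict, target_hex: str):
    """Return a PIN whose MD5 is target_hex, or None if no stored chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume the plaintext sits in column i: reduce the target as R_i would
        # have, then walk the remaining columns to a candidate endpoint.
        x = reduce_fn(target_hex, i)
        for column in range(i + 1, CHAIN_LEN):
            x = reduce_fn(md5_hex(x), column)
        start = table.get(x)
        if start is None:
            continue
        # Regenerate the chain and verify: an endpoint match can be a false alarm.
        y = start
        for column in range(CHAIN_LEN):
            if md5_hex(y) == target_hex:
                return y
            y = reduce_fn(md5_hex(y), column)
    return None


def sample_hit_rate(table: dict, step: int = 97) -> float:
    """Fraction of a sample of PINs the table recovers; coverage is never total."""
    pins = [f"{v:04d}" for v in range(0, SPACE, step)]
    hits = sum(1 for p in pins if lookup(table, md5_hex(p)) == p)
    return hits / len(pins)


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} endpoints for {N_CHAINS} chains of length {CHAIN_LEN}")
    print("0000 ->", lookup(table, md5_hex("0000")))
    print(f"sample hit rate: {sample_hit_rate(table):.0%}")
    # With a per-user salt the table would have to be rebuilt for every salt
    # value, which is why the salted hashes of section 2.4 defeat this attack.
```

Chains that merge waste storage and lower coverage, and every endpoint match has to be verified by regenerating the chain; both effects show up in the sample hit rate. The same table is worthless against a salted hash, since the salt would have to be part of every chain.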

4 Password Labs

4.1 Some Well Known Cracking Tools

  1. John the Ripper
  2. hashcat
  3. RainbowCrack
  4. Hydra
  5. CrackStation
  6. Medusa
  7. L0phtCrack
  8. Cain and Abel
  9. Word lists and Password Hashes
  10. ./cracking-tools.html All the above

4.2 Labs

  1. https://haveibeenpwned.com/ Check if you have an account that has been compromised in a data breach.
  2. Cloud Storage of Past collections of broken password databases
  3. Lab #1 Password Cracking Locally
  4. Lab #2 Generating and Storing Rainbow Tables
  5. Lab #3 Password Cracking Using Cloud Services
  6. Crack #1 Three User Names and Passwords
  7. Crack #2 from a Real Linux Machine Setup
  8. Crack #3: SHA512 Password Hashes
  9. ./password-labs.html All the above

5 References

  1. Lorrie Faith Cranor, What's wrong with your pa$$w0rd?, TEDxCMU, video 17:41, Mar 2014. Required Watch.
  2. Prabhaker Mateti, Cryptography, A lecture from Computer Security course. 2013. For 4xxx: Required Reading. For 3900: Recommended Reading.
  3. http://www.piotrbania.com/all/kon-boot/ "Kon-boot is a chain loader that boots into Windows or Linux and sets up 'hooks' at the kernel level that bypass password checking." Recommended Visit.
  4. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano, "The quest to replace passwords: a framework for comparative evaluation of Web authentication schemes", IEEE Security and Privacy Symposium, May 2012. Recommended Reading
  5. Fred B. Schneider, "Something You Know, Have, or Are", http://www.cs.cornell.edu/courses/cs513/2005fa/nnlauthpeople.html, 2005. Recommended Reading

6 End

Copyright © 2017 www.wright.edu/~pmateti • 2017-02-06