Post on 12-May-2015
The end of passwords: what now?
Vincent Naessens, MSEC, KAHO Sint-Lieven
www.msec.be
THANK YOU! BUT…
… technology …
… the end of …
Overview
• D1: Terminology
• D2: Attacks on password systems
• D3: Alternative strategies
Terminology
• server
• client
• user
• service provider (administrator)
• communication channel
• attacker (hacker)
1. SOCIAL ENGINEERING
2. INSECURE STORAGE
3. DICTIONARY ATTACK
Rank  PIN   Frequency
#1    1234  10.713%
#2    1111  6.016%
#3    0000  1.881%
#4    1212  1.197%
#5    7777  0.745%
#6    1004  0.616%
#7    2000  0.613%
#8    4444  0.526%
#9    2222  0.516%
#10   6969  0.512%
#11   9999  0.451%
#12   3333  0.419%
#13   5555  0.395%
#14   6666  0.391%
#15   1122  0.366%
#16   1313  0.304%
#17   8888  0.303%
#18   4321  0.293%
#19   2001  0.290%
#20   1010  0.285%
Worst Passwords List of 2011
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
SOLUTIONS…
4. SPOOFING/PHISHING
Dear customer,
We ask for your attention to the following. Over the past year, ING Bank and many other banks have become the target of large-scale internet fraud. To combat this, we will link all online bank accounts to a newly developed security system, with which suspicious movements can be traced and resolved more quickly. To update your account with the new security software, you must click on the link below. After the update you will be contacted by an ING Bank employee. For security reasons, open the link with your Internet Explorer browser.
Use the link below: CLICK HERE
After the update, one of our employees will contact you to complete the whole process. Once the whole process is complete, you will again be able to use online banking via ING BANK as before. We would like to thank you in advance for your cooperation.
Yours sincerely, ING-BANK ONLINE.
5. SNIFFING
bkmariewpeic435
bkmariewpeic435
6. BRUTE FORCE ATTACKS
Class D: 10,000,000 passwords/sec (fast PC, dual-processor PC)
Class E: 100,000,000 passwords/sec (workstation, or multiple PCs working together)
Class F: 1,000,000,000 passwords/sec (typical for medium- to large-scale distributed computing, supercomputers)
Source: 2009 - http://www.lockdown.co.uk/
Character set: AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
Length  Combinations     Class D    Class E    Class F
2       2,704            Instant    Instant    Instant
3       140,608          Instant    Instant    Instant
4       7.3 Million      Instant    Instant    Instant
5       380 Million      38 Secs    4 Secs     Instant
6       19 Billion       33 Mins    3¼ Mins    19 Secs
7       1 Trillion       28½ Hours  3 Hours    17 Mins
8       53 Trillion      62 Days    6 Days     15 Hours
9       2.7 Quadrillion  9 Years    322 Days   32 Days

Character set: AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz <SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Length  Combinations     Class D    Class E    Class F
2       7,396            Instant    Instant    Instant
8       2.9 Quadrillion  57 Years   346 Days   34 Days
Pwd       Combinations     Class D    Class E    Class F
darren    308.9 Million    30 Secs    3 Secs     Instant
Land3rz   3.5 Trillion     4 Days     10 Hours   58 Mins
B33r&Mug  7.2 Quadrillion  23 Years   2¼ Years   83½ Days
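The brute-force tables above, and the worst-passwords list under the dictionary attack, rest on one calculation: alphabet size raised to the password length, divided by the attacker's guess rate. The following is an added example, not part of the slides or of the lockdown.co.uk calculator they cite. It derives the alphabet from the character classes a password actually uses, reproduces the class D/E/F rows, and treats a password that appears on the 2011 list as found at its list position, since a dictionary attack finds it long before exhaustive search matters. The 34-character count for the symbol class is inferred from the table's own figures (7,396 = 86² and 7.2 quadrillion = 96⁸); `GUESS_RATES`, `crack_table` and the other names are this example's own, and the 1e11 guesses/sec rate in the demo is a constructed value, not a measurement.

```python
import string

# Guess rates from the slide (lockdown.co.uk, 2009), in passwords per second.
GUESS_RATES = {
    "D": 10_000_000,       # fast PC, dual-processor PC
    "E": 100_000_000,      # workstation, or several PCs working together
    "F": 1_000_000_000,    # medium/large distributed computing, supercomputers
}

# A password is treated as drawn from the union of the character classes it
# uses. 34 symbols (space plus punctuation) is the count that reproduces the
# table's 7,396 = 86**2 and 7.2 quadrillion = 96**8; printable ASCII has 33.
CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 34),
]

# The "Worst Passwords List of 2011" from the dictionary-attack slide, in rank order.
WORST_PASSWORDS_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine",
]


def alphabet_size(password):
    """Size of the smallest union of classes that covers every character."""
    size = sum(count for chars, count in CHARACTER_CLASSES
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses characters outside the modelled classes")
    return size


def keyspace(password):
    """Candidates an exhaustive search over that alphabet and length must cover."""
    return alphabet_size(password) ** len(password)


def effective_keyspace(password, wordlist=WORST_PASSWORDS_2011):
    """Dictionary attack first: a listed password is found at its list position,
    however large its brute-force keyspace looks."""
    if password in wordlist:
        return wordlist.index(password) + 1
    return keyspace(password)


def seconds_to_exhaust(password, rate):
    """Attacker's worst case: every candidate tried. `rate` is a class letter
    from the slide or a number of guesses per second."""
    guesses_per_second = GUESS_RATES.get(rate, rate)
    return effective_keyspace(password) / guesses_per_second


def human_time(seconds):
    """Coarse rendering in the table's style: "Instant", "38 Secs", "9 Years"."""
    if seconds < 1:
        return "Instant"
    for unit, size in (("Years", 365.25 * 86400), ("Days", 86400),
                       ("Hours", 3600), ("Mins", 60), ("Secs", 1)):
        if seconds >= size:
            return f"{round(seconds / size)} {unit}"


def crack_table(passwords, rates=("D", "E", "F")):
    """One row per password, like the slide: combinations plus time per rate."""
    return [
        {"password": pwd, "combinations": effective_keyspace(pwd),
         **{str(rate): human_time(seconds_to_exhaust(pwd, rate)) for rate in rates}}
        for pwd in passwords
    ]


if __name__ == "__main__":
    for row in crack_table(["darren", "Land3rz", "B33r&Mug", "password"]):
        print(row)
    # The slide's point about ever-faster processors: the same password at a
    # constructed rate of 1e11 guesses/sec, far beyond 2009's class F.
    for row in crack_table(["B33r&Mug"], rates=(100_000_000_000,)):
        print(row)
```

The rows it prints match the slide to within rounding; the second table shows why the slide calls the trend bad news: the same eight-character password that needs 23 years at class D falls in under a day at the constructed higher rate.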
BAD NEWS…
Rainbow tables
Processors keep getting more powerful
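Rainbow tables and faster processors are bad news specifically for stored passwords, which is what the slides' "INSECURE STORAGE" attack and the later "STORAGE?" question point at. The added example below (not from the slides) contrasts the insecure pattern, one fast unsalted hash per password, with a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library). With the former, two users who share a password store identical digests and one precomputed table inverts every account; with the latter each digest is unique, a table would have to be rebuilt per salt, and the iteration count can be raised as hardware speeds up. `USER_STORE`, `register`, `verify` and the sample usernames are this example's own constructions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory credential store: username -> {salt, iterations, digest}.
# The password itself is never stored.
USER_STORE = {}

SALT_BYTES = 16
# Work factor. Raise it over time: "processors keep getting more powerful" is
# exactly what a tunable iteration count is for.
PBKDF2_ITERATIONS = 600_000


def insecure_digest(password):
    """The insecure-storage pattern: one fast, unsalted MD5 per password.
    Equal passwords give equal digests, so a single precomputed (rainbow)
    table for MD5 inverts every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def derive(password, salt, iterations=PBKDF2_ITERATIONS):
    """Slow, salted derivation: PBKDF2-HMAC-SHA256 with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def register(username, password):
    """Store salt + work factor + digest. A fresh random salt per user means a
    table built against one account says nothing about any other."""
    salt = secrets.token_bytes(SALT_BYTES)
    USER_STORE[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "digest": derive(password, salt),
    }


def verify(username, password):
    """Recompute with the stored salt and compare in constant time. Unknown
    users still pay for one derivation so that response time does not reveal
    which usernames exist."""
    record = USER_STORE.get(username)
    if record is None:
        derive(password, b"\x00" * SALT_BYTES)
        return False
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def stored_value_unsalted(username, password):
    """What the insecure scheme writes to disk for this user."""
    return insecure_digest(password)


def stored_value_salted(username, password):
    """What the salted scheme writes to disk for this user."""
    register(username, password)
    return USER_STORE[username]["digest"]


def same_password_linkable(store_fn, password="Land3rz"):
    """Two users who chose the same password: can that be seen from the stored
    values alone? True for the unsalted scheme, False for the salted one."""
    return store_fn("alice", password) == store_fn("bob", password)


if __name__ == "__main__":
    print("unsalted MD5 links equal passwords:", same_password_linkable(stored_value_unsalted))
    print("salted PBKDF2 links equal passwords:", same_password_linkable(stored_value_salted))
    register("marie", "bkmariewpeic435")   # the password shown on the sniffing slide
    print("correct password accepted:", verify("marie", "bkmariewpeic435"))
    print("wrong password rejected:", not verify("marie", "bkmariewpeic436"))
```

The stored record carries its own iteration count, so existing users can be migrated to a higher work factor at their next successful login without invalidating anything.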
WHAT NOW?
A. SINGLE SIGN-ON
B. COMPUTER-GENERATED PASSWORDS
STORAGE?
C. ONE-TIME PASSWORDS
D. BIOMETRICS
TROUBLES…
INFRASTRUCTURE IS EXPENSIVE
THEFT OF BIOMETRIC DATA
Malaysia car thieves steal finger
By Jonathan Kent BBC News, Kuala Lumpur
Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.
The car, a Mercedes S-class, was protected by a fingerprint recognition system. Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb. The gang, armed with long machetes, demanded the keys to his car. It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.
Stripped naked
The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off. But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it. They stripped Mr Kumaran naked and left him by the side of the road - but not before cutting off the end of his index finger with a machete. Police believe the gang is responsible for a series of thefts in the area.
E. DIGITAL SECRET KEYS
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA3U+R4ygDChkgYJAQfCbNhsOspKH/rjW317qPR5zwFrYwTAjt3Be3Do6H3XHitEiqhA+HSugTPeyg2w7MWa68nLRCcnB4fgeS25F58KVKeZniYg9gTdM+svggApVjC0p5pgbWRC9bm+gjv4koQU2FidfywYiQDiO5aZfFgWymplOykkM/zIenaM14REJ5+5nocAB8dg4Vd/7Q3aDnEb+euswct3OxYDB4D2NLaGZDxZFfz7xh1YahuP8TXqP3wkbp17E/TKSzKKKAfewyC7sAakYpIUBOPIku/StZ1Jq4K5e7lCb3GlU/C93WhbAc41gL3eRawMO2cjpCQAtaEWW08QIDAQABAoIBAQCl6AKr0dEFfvSgrx9MkyI8RvBjsvYjuS2K0dabjvEFdasbNQ5rknOuu/bqcXfMQzVhLurzoqraH0wvLBbRnIbUyuWNOPd7M15Kr/JEDwWXx17IuFIvxY8ZR51nkmnfiwNLDZEPKJl6dTpnWgENg3n6biMUJrYng2x51kc/0R3VTUBJLzlGBRZ7QWo+3HYukEOysBnvRvjPJP31Qaq1wkeihRAGcBYUSD0Cg5PY6BE+627UQ+UT7B6EM6x35ZrLvFX6+hJh3ITpZ91HYCmTM8hg7ZYKpSIoBmc7A7P+b0uBfAziH020kzgRakrhaR6F3n1A/UDUT4/vekrIYSqanW4JAoGBAPd9roEqVQ4gqVxSv9dIxsbh92nVtAM9VOwbVpLIk0C8XWhe/dyXsLELt3EQO5SbVtYNMQo9awYKRPP/Uxbmh20LgxpRFe3DWg2PeVcKM981ViP0Yt40hyT/0Q8clbmGXWbWYuBHRO/8yk1sjrbx6EsUI+V7qgaSd5HcOHpJ2QVzAoGBAOTrdgUrSdNGVAoZw6NsNRxu2G7jwJXcQgINUMJmjmoJabMLpOF8IUUhHnGo3AtIzSLkfkROJDQVGEPuvoyAS3/iyKo1lDenzwlwtTFW7xsDR7XuJK8gXBVMwiVGNjxd7WtwIvHsVKNdOVez3cueb49ExeDMq12SRtcvX5lCbWMLAoGBAKGZ/l028AzmhM/U9JE1Yx4wJGaF9SH8ZTw6aaA0ufoWRQPGqwrkPaqNVP3NtKnHeL8SJAhkrEJoaDfOa0nTw3APiU6gzanP2jhqi7eq4M4JvLKDfB9Nu0UMiUzNxHI86zYgHLYHs1rk/I/rp5CLirujbgEFa7MY5lxmqLYpDD1DAoGABANwzURmBfM8s/ShrnLON5Jl7wPFM5tp+Nk86jucEZXaqY3xtRZVCv46p2l7eiMrnYn+ALqR/evEwiQkaRgyuqpCNGG+GH+zrImyU4wfowyarEDhmcRqeOEgokCp4MMQz4pmwnEPRtHymGwJ3nEHqa5d/cP42SogXdNxzKESg+MCgYEAuUYu0E2LB+pEzc4GfCH3VqWhxa76FefpcZeGMGqy/2ItN3Pg/SpXira4dQ6jdhrFq2GNAQ+eRxCbwKlVrEPKp0nQijxvH/8YdjQK/ZUYYNw7Dj2KRBGT2CtywOLLD3N2kPD8yfNxLQD/Q434nN+ZGuOxEo3EANHyq4vz5EE+TMM=
-----END RSA PRIVATE KEY-----
STORAGE?
challenge
response
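Compare the challenge/response slide with the sniffing slide earlier: in the sniffed exchange the password `bkmariewpeic435` itself crosses the channel, whereas in challenge/response only a fresh random challenge and a keyed MAC over it do. The following added example (not from the slides; `Server`, `Client`, `login`, `replay` and the demo key are this example's own constructions) shows both sides of the exchange with HMAC-SHA256 over a shared secret and a constant-time comparison on the server, together with the two checks a defender cares about: the secret never appears in the captured messages, and replaying a captured pair at a later login fails because the server has issued a new challenge by then.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the user's token and the server.
# Real deployments keep it in a hardware token or HSM, never in source code.
DEMO_KEY = b"constructed-demo-key-not-a-real-one"


class Server:
    def __init__(self, keys_by_user):
        self._keys = dict(keys_by_user)
        self._pending = {}      # user -> the challenge we are waiting on
        self._seen = set()      # challenges already answered: replay defence

    def challenge(self, user):
        """Step 1: send a fresh random challenge; nothing secret leaves the server."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        """Step 3: recompute the MAC over the challenge we issued and compare
        in constant time. Any mismatch with the outstanding challenge fails."""
        expected_nonce = self._pending.pop(user, None)
        key = self._keys.get(user)
        if key is None or expected_nonce is None:
            return False
        if nonce != expected_nonce or nonce in self._seen:
            return False
        self._seen.add(nonce)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user, key):
        self.user = user
        self._key = key

    def respond(self, nonce):
        """Step 2: prove possession of the key without ever sending it."""
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def login(server, client):
    """Run one exchange; return (accepted, the messages that crossed the channel)."""
    nonce = server.challenge(client.user)
    response = client.respond(nonce)
    accepted = server.verify(client.user, nonce, response)
    return accepted, [nonce, response]


def key_visible_on_wire(messages, key):
    """What a sniffer could learn: does the secret itself ever cross the channel?"""
    return any(key in message for message in messages)


def replay(server, user, messages):
    """A captured (challenge, response) pair re-sent at a later login attempt.
    The server has issued a different challenge by then, so the old MAC fails."""
    server.challenge(user)
    nonce, response = messages
    return server.verify(user, nonce, response)


if __name__ == "__main__":
    server = Server({"marie": DEMO_KEY})
    accepted, transcript = login(server, Client("marie", DEMO_KEY))
    print("genuine client accepted:", accepted)
    print("secret visible to a sniffer:", key_visible_on_wire(transcript, DEMO_KEY))
    print("replayed transcript accepted:", replay(server, "marie", transcript))
    print("wrong key accepted:", login(server, Client("marie", b"wrong key"))[0])
```

The same shape works with the digital secret keys of the previous slide: replace the HMAC with a signature over the challenge and the server only ever needs the public key, which removes the shared-secret storage problem on the server side.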
MULTI-FACTOR AUTHENTICATION
Something you know
Something you have
Something you are
PIN or password
Something you know + Something you have
Something you know + Something you are
TIME TO SUM UP…
WHAT HAVE WE LEARNED TODAY?
1. Ever longer passwords and keys are needed
2. Secure storage of passwords and digital keys is not easy
3. Multi-factor authentication increases security