1

Het einde van paswoorden: wat nu?

Vincent NaessensMSEC, KAHO Sint-Lieven

www.msec.be

2

BEDANKT! MAAR…

3

… technologie …

4

… het einde van …

5

6

7

Het einde van paswoorden: wat nu?

Vincent NaessensMSEC, KAHO Sint-Lieven

www.msec.be

8

Overzicht

• D1: Terminologie

• D2: Aanvallen op paswoord systemen

• D3: Alternatieve strategieën

9

Terminologie

serverclientgebruiker service provider

(administrator)

communicatie kanaal

attacker(hacker)

10

1. SOCIAL ENGINEERING

11

12

13

2. ONVEILIGE OPSLAG

14

15

16

3. WOORDENBOEK AANVAL

17#1 1234 10.713%#2 1111 6.016%#3 0000 1.881%#4 1212 1.197%#5 7777 0.745%#6 1004 0.616%#7 2000 0.613%#8 4444 0.526%#9 2222 0.516%#10 6969 0.512%#11 9999 0.451%#12 3333 0.419%#13 5555 0.395%#14 6666 0.391%#15 1122 0.366%#16 1313 0.304%#17 8888 0.303%#18 4321 0.293%#19 2001 0.290%#20 1010 0.285%

18

1. password 2. 123456 3.12345678 4. qwerty 5. abc123 6. monkey 7. 1234567 8. letmein 9. trustno1 10. dragon 11. baseball 12. 111111 13. iloveyou 14. master 15. sunshine

Wor

st P

assw

ords

List

of 2

011

19

OPLOSSINGEN…

20

21

4. SPOOFING/PHISHING

22

23

24

Geachte klant

Wij vragen uw aandacht voor het volgende. Het afgelopen jaar is de ING bank en vele andere banken  doelwit geworden van grootschalig internet fraude. Om dit te bestrijden zullen wij alle online bankrekeningen koppelen aan een nieuw ontwikkeld beveiligingssysteem, waarmee verdachte bewegingen sneller getraceerd en opgelost worden. Om uw rekening te kunnen updaten met de nieuwe beveiligings software dient u te klikken op de onderstaande link. Na de update zult u worden gecontacteerd door een medewerker van de ING bank. Open de link met uw Internet Explorer-browser om veiligheidsredenen.

Gebruik de onderstaande : KLIK HIER

Na de update zal er door een van onze medewerkers contact met u worden opgenomen om het gehele proces te voltooien. Wanneer het gehele proces gereed is zal u weer als vanouds gebruik kunnen maken van het online bankieren via ING BANK. Wij willen u alvast bedanken voor uw medewerking.

Hoogachtend,ING-BANK ONLINE.

25

5. SNIFFING

26

27

28

29

bkmariewpeic435

bkmariewpeic435

30

31

6. BRUTE FORCE AANVALLEN

32

33

D. 10,000,000 Passwords/secFast PC, Dual Processor PC.

E. 100,000,000 Passwords/secWorkstation, or multiple PC's working together.

F. 1,000,000,000 Passwords/secTypical for medium to large scale distributed computing, Supercomputers.

Bron: 2009 - http://www.lockdown.co.uk/

34

Length Combinations Class D Class E Class F

2 2,704 Instant Instant Instant3 140,608 Instant Instant Instant

4 7.3 Million Instant Instant Instant

5 380 Million 38 Secs 4 Secs Instant

6 19 Billion 33 Mins 3¼ Mins 19 Secs

7 1 Trillion 28½ Hours 3 Hours 17 Mins

8 53 Trillion 62 Days 6 Days 15 Hours

9 2.7 Quadrillion 9 Years 322 Days 32 Days

AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

35

Length Combinations Class D Class E Class F2 7,396 Instant Instant Instant8 2.9 Quadrillion 57 Years 346 Days 34 Days

aBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz <SP>!“#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Pwd Combinations Class D Class E Class F

darren 308.9 Million 30 Secs 3 Secs Instant

Land3rz 3.5 Trillion 4 Days 10 Hours 58 Mins

B33r&Mug 7.2 Quadrillion 23 Years 2¼ Years 83½ Days

36

BAD NEWS…

37

Rainbow tables

Processoren worden steeds krachtiger

38

WAT NU?

39

A. SINGLE SIGN ON

40

41

B. COMPUTER GENERATED PASSWORDS

42

43

OPSLAG?

44

45

C. ONE-TIME PASSWORDS

46

47

D. BIOMETRIE

48

49

TROUBLES…

50

INFRASTRUCTUUR is DUUR

51

STELEN VAN BIOMETRISCHE GEGEVENS

52

53

54

Malaysia car thieves steal finger

By Jonathan Kent BBC News, Kuala Lumpur

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system. Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb. The gang, armed with long machetes, demanded the keys to his car. It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off. But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it. They stripped Mr Kumaran naked and left him by the side of the road - but not before cutting off the end of his index finger with a machete. Police believe the gang is responsible for a series of thefts in the area.

55

E. DIGITALE GEHEIME SLEUTELS

56

-----BEGIN RSA PRIVATE KEY-----MIIEpQIBAAKCAQEA3U+R4ygDChkgYJAQfCbNhsOspKH/rjW317qPR5zwFrYwTAjt3Be3Do6H3XHitEiqhA+HSugTPeyg2w7MWa68nLRCcnB4fgeS25F58KVKeZniYg9gTdM+svggApVjC0p5pgbWRC9bm+gjv4koQU2FidfywYiQDiO5aZfFgWymplOykkM/zIenaM14REJ5+5nocAB8dg4Vd/7Q3aDnEb+euswct3OxYDB4D2NLaGZDxZFfz7xh1YahuP8TXqP3wkbp17E/TKSzKKKAfewyC7sAakYpIUBOPIku/StZ1Jq4K5e7lCb3GlU/C93WhbAc41gL3eRawMO2cjpCQAtaEWW08QIDAQABAoIBAQCl6AKr0dEFfvSgrx9MkyI8RvBjsvYjuS2K0dabjvEFdasbNQ5rknOuu/bqcXfMQzVhLurzoqraH0wvLBbRnIbUyuWNOPd7M15Kr/JEDwWXx17IuFIvxY8ZR51nkmnfiwNLDZEPKJl6dTpnWgENg3n6biMUJrYng2x51kc/0R3VTUBJLzlGBRZ7QWo+3HYukEOysBnvRvjPJP31Qaq1wkeihRAGcBYUSD0Cg5PY6BE+627UQ+UT7B6EM6x35ZrLvFX6+hJh3ITpZ91HYCmTM8hg7ZYKpSIoBmc7A7P+b0uBfAziH020kzgRakrhaR6F3n1A/UDUT4/vekrIYSqanW4JAoGBAPd9roEqVQ4gqVxSv9dIxsbh92nVtAM9VOwbVpLIk0C8XWhe/dyXsLELt3EQO5SbVtYNMQo9awYKRPP/Uxbmh20LgxpRFe3DWg2PeVcKM981ViP0Yt40hyT/0Q8clbmGXWbWYuBHRO/8yk1sjrbx6EsUI+V7qgaSd5HcOHpJ2QVzAoGBAOTrdgUrSdNGVAoZw6NsNRxu2G7jwJXcQgINUMJmjmoJabMLpOF8IUUhHnGo3AtIzSLkfkROJDQVGEPuvoyAS3/iyKo1lDenzwlwtTFW7xsDR7XuJK8gXBVMwiVGNjxd7WtwIvHsVKNdOVez3cueb49ExeDMq12SRtcvX5lCbWMLAoGBAKGZ/l028AzmhM/U9JE1Yx4wJGaF9SH8ZTw6aaA0ufoWRQPGqwrkPaqNVP3NtKnHeL8SJAhkrEJoaDfOa0nTw3APiU6gzanP2jhqi7eq4M4JvLKDfB9Nu0UMiUzNxHI86zYgHLYHs1rk/I/rp5CLirujbgEFa7MY5lxmqLYpDD1DAoGABANwzURmBfM8s/ShrnLON5Jl7wPFM5tp+Nk86jucEZXaqY3xtRZVCv46p2l7eiMrnYn+ALqR/evEwiQkaRgyuqpCNGG+GH+zrImyU4wfowyarEDhmcRqeOEgokCp4MMQz4pmwnEPRtHymGwJ3nEHqa5d/cP42SogXdNxzKESg+MCgYEAuUYu0E2LB+pEzc4GfCH3VqWhxa76FefpcZeGMGqy/2ItN3Pg/SpXira4dQ6jdhrFq2GNAQ+eRxCbwKlVrEPKp0nQijxvH/8YdjQK/ZUYYNw7Dj2KRBGT2CtywOLLD3N2kPD8yfNxLQD/Q434nN+ZGuOxEo3EANHyq4vz5EE+TMM=-----END RSA PRIVATE KEY-----

57

OPSLAG?

58

59

60

challenge

response

61

MULTI FACTOR AUTHENTICATIE

62

Something you know

Something you have

Something you are

PIN or password

63

Something you knowSomething you have

64

Something you knowSomething you have

65

Something you knowSomething you are

66

TIJD OM SAMEN TE VATTEN…

67

WAT HEBBEN WE GELEERD VANDAAG?

1. Steeds grotere paswoorden en sleutels nodig

2. Veilige opslag van paswoorden en digitale sleutels is niet eenvoudig

3.Multi-factor authenticatie verhoogt de veiligheid