Massachusetts Institute of Technology. Lecture course # ???. "Security of computer systems." Nikolai Zeldovich, James Mykens. 2014

3r37777.  
Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications. 3r37777.  
3r37777.  
Lecture 1: "Introduction: threat models" 3r312. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 2: "Control of hacker attacks" Part 1 / Part 2 / Part 3 3r37777.  
Lecture 3: "Buffer overflow: exploits and protection" 3r-328. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 4: "The division of privileges" 3r-336. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 5: “Where Security Errors Come From” Part 1 / Part 2 3r37777.  
Lecture 6: "Opportunities" 3r350. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 7: “Sandbox Native Client” Part 1 / Part 2 / Part 3 3r37777.  
Lecture 8: “Network Security Model” 3r3666. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 9: “Web application security” 3r374. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 10: “Symbolic Execution” 3r382. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 11: “Ur /Web programming language” 3r390. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 12: “Network Security” Part 1 /3r33100. Part 2
/ Part 3 3r37777.  
Lecture 13: “Network Protocols” 3r3106. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 14: “SSL and HTTPS” 3r3114. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 15: “Medical Software” 3r3122. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 16: "Attacks through the side channel" 3r3-33130. Part 1
/ Part 2 / Part 3 3r37777.  
Lecture 17: User Authentication Part 1 / Part 2 / Part 3 3r3144.
3r37777.  
3r37777.  
One of the interesting things mentioned in this article is that if you go through all these authentication schemes, the authors say: “OK, here are the passwords, they seem to suck, and there are other things that provide much better security , but they often fail to deploy, are inconvenient to use, and the like. ” 3r37777.  
3r37777.  
3r3154. 3r37777.  
3r37777.  
This is an interesting and at the same time distressing result of this work, which consists in the fact that even if we have all these tools that provide higher security for the protocols, we cannot use them because of the extreme inconvenience. 3r37777.  
3r37777.  
So Telepathwords is just a fun site, they claim that they do not store your passwords, so you can take their word for it if you want. But it's very interesting to just sit down and think about how good the password I came up with? And then enter it here and see how easy it is to guess. It even allows you to do such things as heuristic analysis of popular phrases from several words, of which only the first letter of each word is selected for a password. So this thing is very useful. 3r37777.  
3r37777.  
Another interesting thing is that your passwords can be guessed offline. This vulnerability, called preauth, or "pre-authentication", was inherent in Kerberos v4 and v5. Anyone could ask the KDC for a ticket that was encrypted with the user's password. 3r37777.  
3r37777.  
Thus, the KDC did not verify the authenticity of requests from the client. The KDC returned, in response to the request, a set of several bits that was encrypted with the client key. This is what was returned to the customer. The problem was that the server did not check who sent this encrypted set of things, so in principle, the attacker could get this thing, and then try to just guess what K_C is. 3r37777.  
3r37777.  
3r33175. 3r37777.  
3r37777.  
Just try to guess the value of K_C, try to encrypt it, see if it looks like, if not, try guessing another K_C, decrypt, see if it looks like the truth, and so on. The reason for allowing an attacker to organize this type of attack is that this thing here, inside the brackets, this TGT actually has a known format. There is something like timestamps and internal consistent reference fields, and all this helps the attacker to solve the password. Because if an attacker guesses K_C and receives the decrypted contents of the brackets, but the internal fields are not checked, the attacker understands that he chose the wrong K_C and is taken for the next one. 3r37777.  
3r37777.  
In Kerberos version ? the client must pass a time stamp to the KDC, after which this tag will be encrypted using K_C. All this is sent to the server, the server looks at this request and checks it before sending something to the client. So any random client can come and just ask for this item from the server. 3r37777.  
3r37777.  
Student: does the timestamp appear in the message? Couldn't an attacker just pick up and hack this message using the brute-force method? 3r37777.  
3r37777.  
Professor: let's get a look. Can an attacker get this message {time stapm} K_C? 3r37777.  
3r37777.  
Student: Yes, this is an encrypted message. 3r37777.  
3r37777.  
3r37777.  
3r37777.  
Professor: that is, do you think that an attacker could, for example, just fake this message? 3r37777.  
3r37777.  
Student: no, he would use brute-force to match K_C. 3r37777.  
3r37777.  
Professor: Understandably, in other words, you are worried that someone might peek at the contents of these brackets. I believe that the content is inside the encrypted thing that belongs to the server, or to the key that belongs to the server, precisely in order to prevent such an attack, but this is just my opinion. But in general, you are right, if an attacker manages to find out the timestamp in the client's request, it will be of great benefit to him. In this case, he can guess in which range neighboring time marks can be, and use this for a similar attack. 3r37777.  
3r37777.  
Student: in this case, the attacker must be a “man in the middle”. 3r37777.  
Professor: so, the attacker must be somewhere on the network between the client and the server in order to “sniff out” such things. 3r37777.  
3r37777.  
Another important thing concerns password recovery. The point is that if you lose your password, you must go to the office and ask for another password. But before you get this password, you must somehow prove that you are you. 3r37777.  
3r37777.  
So how does it work? How can I recover my password? Interestingly, people often focus on the entropy of the password itself. But the problem is that if the questions used to recover the password, or the password recovery scheme has little entropy, this affects the entropy of the overall authentication scheme. In other words, the strength of the general authentication scheme is equal to the minimum password entropy and the minimum question entropy for password recovery. There are many scenarios and rules, there are fairly well-known cases, such as the case of Sarah Palin. Someone was able to recover her password fraudulently, because her password recovery questions were such that any unauthorized person could find an answer to them, for example, by reading a Wikipedia article about her that said which school she went to and etc. 3r37777.  
3r37777.  
3r37777.  
3r37777.  
So often these questions for password recovery are not good enough for several reasons. Sometimes these things just have very low entropy. For example, if your password recovery question is “what's your favorite color”, then the most popular answers are “blue” and “red”. No one will answer "white", "fuchsia" or "purple." Thus, some of these issues for restoration are inherently unable to provide quite a lot of entropy. 3r37777.  
3r37777.  
Another problem is that sometimes answers to password recovery questions may leak through social networks. For example, if one of the password recovery questions is “what's your favorite movie”, then there is a lot more guessing space, for example, I can view your profile on IMDB or Facebook and find the name of your favorite movie that you suggested to me . 3r37777.  
3r37777.  
And another problem, the most ridiculous, is that the users themselves come up with very weak questions for recovery, for example, what will be 2 plus 3? That is, the user thinks that for someone it will be a big problem to give the correct answer to such questions, but most people who pass the Turing test can successfully answer them and use your password. 3r37777.  
3r37777.  
3r37777.  
3r37777.  
Student: Is it possible to use some additional information instead of questions for password recovery, just as we insert our name into the e-mail or briefly describe the content of the letter in the header - can this approach ensure the security of such things? 3r37777.  
3r37777.  
Professor: I do not know of any such research, but in fact these things are much better. I know this because I was trying to help my girlfriend go through this process. She lost control of her Gmail account and tried to prove that it was her account. And the site owners asked her about things like, for example, when exactly she created her account, if she talked to someone about her account, for example, with Hezbollah, before losing control of it, and the like. In fact, this is quite a laborious process, but in the end, additional information is more powerful than questions for password recovery. I do not know any official research on this topic, but it seems that this is obvious. 3r37777.  
3r37777.  
If you have no questions, we can proceed to the topic of today's lecture described in the article. So, the authors propose to consider a bunch of factors that can be used to assess the effectiveness of authentication schemes. What is really cool about this article is that it says that most of us in the security community fight only for aesthetic principles. For example, “we have to choose this because I just like the way the curly brackets look in evidence”, or “we have to choose it because a lot of mathematical methods are used here”. 3r37777.  
3r37777.  
They say, why don't we try to establish some kind of performance evaluation criteria? Maybe some of these criteria will be a bit subjective, but let's just try to systematize ways to evaluate authentication schemes. Let's just see how these different schemes are arranged in separate piles. 3r37777.  
3r37777.  
The authors of the article proposed three high-level parameters for evaluating these schemes. The first parameter is usability. The first requirement in this parameter is ease of learning the authentication method. Its main idea is how easy it is for users to interact with the authentication scheme. Here they mark a couple of characteristic features, for example, is it easy to learn this method, and is this method of identifying a user’s identity easy to learn. 3r37777.  
3r37777.  
Some of these categories are fairly simple, some include some tricks, but there is a lot of sense to it. If you look at the passwords, they meet this requirement, because everyone is accustomed to using passwords, so we will say that it is easy to learn how to use them, and the answer is yes. 3r37777.  
3r37777.  
The second requirement is the rarity of authentication errors. This means that if you are an actual user of the system, then there should be no error when trying to authenticate you. And here, with respect to passwords, the authors say that they conditionally correspond to this parameter. “Conventionally” in this case means that the authors recognize the presence of subjectivity in their assessment. Thus, to the question of whether password authentication errors rarely occur, we cannot definitely answer either “yes” or “no”. 3r37777.  
3r37777.  
As a rule, you can authenticate yourself, but for example, when you try to access the mail server at 3 o'clock in the morning, weakly thinking about it, and repeatedly enter the wrong password, in this case, you can recognize the authentication system error. Therefore, they believe that passwords conditionally meet this requirement. 3r37777.  
3r37777.  
The next requirement is user scalability. The basic idea here is that if a user has a bunch of different services in which he or she wants to authenticate himself, does this scheme scale well? Should the user remember something new for each of the schemes? Here, with respect to passwords, the authors unequivocally say “no”, since password authentication does not satisfy this requirement. Because in practice it is very difficult for users to remember a separate password for each site they visit. On withIn fact, this is one of the reasons why people often use the same password for authentication in different services. 3r37777.  
3r37777.  
Another requirement for ease of use is ease of recovery. That is, what happens if you lose the authentication token, in this case your password, will it be easy to reset it? In this case, the answer for passwords is yes. In fact, it is even too easy to reset them, as we discussed a few minutes ago. 3r37777.  
3r37777.  
The next requirement is to not require anything extra, not to carry with you any additional means for authentication. For example, elaborate authentication protocols require that you run some kind of smartphone application, or have some sort of security token, smart cards, and the like with you. So this is a heavy burden. Maybe there are not so many problems with a smartphone, it is enough to install an application for authentication, but it is rather inconvenient to carry around one of the other gadgets. Therefore, a good quality of passwords is that you have to carry it with you only in your brain, which you should always have with you. 3r37777.  
3r37777.  
3r33333. 3r37777.  
3r37777.  
These are the criteria for usability of an authentication scheme. In a general sense, it is of interest how people in the security community differ in their assessments of the importance of these criteria. For example, they say: “this thing uses a million pieces of entropy, and only a universal catastrophe will be able to crack it,” while forgetting that the above requirements are also essential for authentication schemes. 3r37777.  
3r37777.  
So, the next high-level parameter that the authors of the article use to evaluate the authentication scheme is deployability. He describes how easy it is to implement this authentication system in existing network services. For example, they look at server compatibility, that is, is it easy to integrate this scheme into modern servers, in which authentication is based on the use of text passwords? In this sense, passwords fully comply with this requirement, so we can answer “yes”. 3r37777.  
3r37777.  
The second requirement is browser compatibility, it looks like the previous one and says, can I use this authentication scheme for existing popular browsers without having to install a plugin or something like that? Again, here passwords win by default. 3r37777.  
3r37777.  
Another interesting requirement is accessibility, excessibility. That is, can people with some physical disabilities, for example, blind or hard of hearing, with insufficient motor skills, etc., be able to use this authentication scheme? In fact, this is quite an important requirement. 3r37777.  
3r37777.  
Here, the authors once again say "yes", which is a bit strange, because it is not clear how people with disabilities will be able to use passwords, but the authors say they can. 3r37777.  
3r37777.  
3r33333. 3r37777.  
3r37777.  
These are the requirements that should be considered in relation to the ability to deploy this authentication scheme. The reason for the particular importance of the deployment capability is that it is extremely difficult to upgrade all of these things in order to implement a new scheme, because it can be difficult for people to force something to update. I mean, often people don’t even want to reboot their machines and install a new OS update. Therefore, there are great difficulties if the authentication scheme requires changes on the server that force people servicing the server to perform any additional operations. This is related to your question, why don't we use any additional information or improve password strength. The characteristic of deployability is in many cases very, very important for people. 3r37777.  
3r37777.  
So, the last parameter that we will consider is security, security. What types of attacks can this scheme prevent? I will refer to this characteristic in abbreviated form Res - adaptability to foo, where foo is any impact that could cause harm. 3r37777.  
3r37777.  
For example, the first characteristic indicates the stability of the system to physical observation, “peeping” or “eavesdropping”. The point is that the attacker could not impersonate this user after several times observe his authentication in the system. Imagine that you are in a computer class, and someone is behind you and watching what you are typing. Maybe someone is shooting you on video, maybe someone has a microphone that “takes off” the acoustic signature of your keyboard and is trying to extract something from it, and so on and so forth. 3r37777.  
3r37777.  
The authors of the article say that passwords do not meet this requirement, because an attacker can view the video and quite easily find out which letters you typed. There are attacks that use acoustic fingerprints on the keyboard to determine printable characters. So passwords are not resistant to physical observations. 3r37777.  
3r37777.  
The next requirement is resistance to the target of impersonation for a stranger, or resistance to target impersonation. The basic idea here is that someone - your friend, acquaintance, spouse, lover can impersonate you, using your knowledge of who you are and what you do. The authors of the article write that passwords conditionally correspond to this requirement, because they are not aware of any studies showing that if you know a person, then you will most likely be able to guess his password. Therefore, they say "conditionally - yes." 3r37777.  
Please note that there is a deliberate impersonation, in which protection with password recovery questions fails miserably, because if someone knows something about you, in many cases he will quite easily guess your security questions. 3r37777.  
3r37777.  
The following are two requirements for guessing. The first is resistance to intense guessing. This means that the attacker will not be able to give guesses at the speed of data transmission over the network, for example, when using Antihammering protection. In this sense, passwords are insecure, as they are easily exposed to brute-force guessing, and the authors of the article say no. The reason why they say “no” is that in practice, passwords not only have a low entropy of inheritance, because they are not so long, but also distorted in distribution. Therefore, with a rather intensive search of values, the attacker easily guesses the passwords of many users. 3r37777.  
3r37777.  
Another requirement is resistance to non-intensive guessing. Suppose an attacker can issue an authentication verification request as quickly as he wants. In other words, an attacker is limited only by the speed of his equipment. And here the authentication scheme using passwords also does not meet the requirement, and the authors say "no" for the same reason as in the previous case. 3r37777.  
3r37777.  
Thus, passwords mostly have a very small entropy space and an asymmetric distribution, so everything is simple. 3r37777.  
3r37777.  
The next requirement is resistance to internal observation. This means that the attacker will not be able to impersonate the user by installing a keyboard interceptor on the client machine, fixing a set of each character, and also means that there is no possibility for the attacker to spy on the data that the client sends over the network in order to impersonate user In this case, passwords also do not meet the requirements, because they are static tokens, they do not change, and static tokens are usually vulnerable to replay. 3r37777.  
3r37777.  
So if an attacker somehow installs a keyboard interceptor and gets a password, he can use this password until it expires or it is revoked. He can use it again and again to access the server. So passwords do not pass this test. 3r37777.  
3r37777.  
The next requirement that we talked about a bit in the classroom is phishing resistance. Phishing resistance is another indicator of security. Here, the basic idea is that an attacker can imitate a valid service, for example, attacking the DNS infrastructure or something like that, if he cannot get the authentication data directly from the user in order to pretend to be this user. Here, mostly fake websites are used that directly tell the user: “Hey, I’m exactly the service you need, so you can feel confident and give me your authority.” Passwords also do not pass this check, because phishing sites are very popular and they are not able to protect the user from them. 3r37777.  
3r37777.  
3r33393. 3r37777.  
3r37777.  
The following two requirements are of interest in terms of system scaling. The first is: no trust in a third party. In essence, this means that no one should participate in the authentication protocol except the client and the server. It also means that there can be no third party that, if compromised, can compromise the security of the entire authentication system. In fact, this is an interesting property, because it would be possible to avoid many problems of authentication, if we could store all our information for authentication in one place. 3r37777.  
3r37777.  
We just store it in one place, it is very simple, because we don’t need to remember a lot of customer information, and we always say that any service you want to use is always located at a third party and you have to contact it . This third party will always be able to authenticate you and only then allow you to follow in the direction you need. Of course, the presence of a third party is problematic from the point of view of reliability, because if you turn to one of these global third parties that everyone trusts and it is compromised, then all sites that use it for authentication will potentially be in danger. 3r37777.  
3r37777.  
Therefore, the authors of the article believe that passwords meet this requirement, since they do not use third-party credibility, because each site has its own separate password. 3r37777.  
3r37777.  
A third property has a related feature - resistance to leakage through third-party services, in which authentication takes place. It means that some services are prone to information leakage, which will help an attacker to use your data for authentication in other services. These are mostly fraudulent schemes, where one website can illegally transfer your personal data to another website or service. Here, the same situation occurs with passwords as in the previous requirement - if we do not trust any third parties, then we do not trust third-party authentication systems. 3r37777.  
The problem here is that the resistance of the entire system is equal to the resistance of the weakest link, for example, HTTPS or CA. For example, if a single CA authorization center is compromised, then its certificates can be distributed to multiple sites. If someone erroneously issues a CA certificate to a untrustworthy party, it will damage all system participants. 3r37777.  
3r37777.  
3r31616. 3r37777.  
3r37777.  
The authors of the article believe that passwords do not meet this requirement, so they say no. This is due to the fact that users often use the same password on many different sites. For example, if someone steals my Gmail account password, he will automatically take over my Facebook account password. 3r37777.  
3r37777.  
So, this was a review of the most important categories of evaluation of the authentication scheme, considered by the authors of the article. But all these indicators make sense only if you can compare them with indicators of other authentication systems and give a corresponding assessment. 3r37777.  
3r37777.  
One of the interesting authentication systems is biometrics, or biometric data. We used to think of biometrics as a super cool thing that scans the retina, fingerprint, and so on, and therefore looks very futuristic. In fact, biometrics is simply based on taking into account the unique features inherent only in this individual, for example, bodily properties, peculiarities of gestures and the like. 3r37777.  
3r37777.  
One of the interesting characteristics of biometrics is the dimension of the keys, which determines the degree of entropy. The dimension of the keys is not as large as it should be. For example, for fingerprints, the key dimension is approximately 13.3 bits, for retinal scanning it is 19.9 bits, voice recognition has the key dimension, or the entropy index is about 11.7 bits. 3r37777.  
3r37777.  
54:15 sec.
 
3r37777.  
MIT course "Security of computer systems". Lecture 17: User Authentication, Part 3 3r37777.  
3r37777.  
3r33448.
3r33450. 3r3494. 3r3494. 3r3494. 3r37777.  
The full course is available here is . 3r37777.  
3r37777.  
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending a friend, 30% discount for users of Habr on a unique analogue of entry-level servers, which we invented for you: 3rr3465. The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR???GB SSD 1Gbps from $ 20 or how to share the server?
(Available options with RAID1 and RAID1? up to 24 cores and up to 40GB DDR4). 3r37777.  
3r37777.  
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR???GB SSD 1Gbps until December for free 3r3484. When paying for a period of six months, you can order here 3r3486. . 3r37777.  
3r37777.  
[b] Dell R730xd 2 times cheaper? Only we have
2 x Intel Dodeca-Core Xeon E5-2650v???GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build the infrastructure of the building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny? 3r3494.
3r3494.