Download de presentatie
De presentatie wordt gedownload. Even geduld aub
1
Het einde van paswoorden: wat nu?
Vincent Naessens MSEC, KAHO Sint-Lieven
2
Bedankt! MAAR…
3
… technologie …
4
… het einde van …
7
Het einde van paswoorden: wat nu?
Vincent Naessens MSEC, KAHO Sint-Lieven
8
Overzicht D1: Terminologie D2: Aanvallen op paswoord systemen
D3: Alternatieve strategieën
9
Terminologie attacker (hacker) communicatie kanaal gebruiker client
service provider (administrator) server
10
1. Social engineering
13
2. Onveilige opslag
16
3. Woordenboek aanval
17
# % # % # % # % # % # % # % # % # % # % # % # % # % # % # % # % # % # % # % # %
18
1. password 2. 123456 3.12345678 4. qwerty 5. abc123 6. monkey
8. letmein 9. trustno1 10. dragon 11. baseball 13. iloveyou 14. master 15. sunshine Worst Passwords List of 2011
19
Oplossingen…
21
4. spoofing/phishing
24
Geachte klant Wij vragen uw aandacht voor het volgende. Het afgelopen jaar is de ING bank en vele andere banken doelwit geworden van grootschalig internet fraude. Om dit te bestrijden zullen wij alle online bankrekeningen koppelen aan een nieuw ontwikkeld beveiligingssysteem, waarmee verdachte bewegingen sneller getraceerd en opgelost worden. Om uw rekening te kunnen updaten met de nieuwe beveiligings software dient u te klikken op de onderstaande link. Na de update zult u worden gecontacteerd door een medewerker van de ING bank. Open de link met uw Internet Explorer-browser om veiligheidsredenen. Gebruik de onderstaande : KLIK HIER Na de update zal er door een van onze medewerkers contact met u worden opgenomen om het gehele proces te voltooien. Wanneer het gehele proces gereed is zal u weer als vanouds gebruik kunnen maken van het online bankieren via ING BANK. Wij willen u alvast bedanken voor uw medewerking. Hoogachtend, ING-BANK ONLINE.
25
5. Sniffing
29
bkmariewpeic435 bkmariewpeic435
31
6. Brute force aanvallen
33
Fast PC, Dual Processor PC. E. 100,000,000 Passwords/sec
D. 10,000,000 Passwords/sec Fast PC, Dual Processor PC. E. 100,000,000 Passwords/sec Workstation, or multiple PC's working together. F. 1,000,000,000 Passwords/sec Typical for medium to large scale distributed computing, Supercomputers. Bron:
34
AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
Length Combinations Class D Class E Class F 2 2,704 Instant 3 140,608 4 7.3 Million 5 380 Million 38 Secs 4 Secs 6 19 Billion 33 Mins 3¼ Mins 19 Secs 7 1 Trillion 28½ Hours 3 Hours 17 Mins 8 53 Trillion 62 Days 6 Days 15 Hours 9 2.7 Quadrillion 9 Years 322 Days 32 Days
35
aBbCcDdEeFfGgHhIiJjKkLlMmNnOo PpQqRrSsTtUuVvWwXxYyZz <SP>!“
Length Combinations Class D Class E Class F 2 7,396 Instant 8 2.9 Quadrillion 57 Years 346 Days 34 Days Pwd Combinations Class D Class E Class F darren 308.9 Million 30 Secs 3 Secs Instant Land3rz 3.5 Trillion 4 Days 10 Hours 58 Mins B33r&Mug 7.2 Quadrillion 23 Years 2¼ Years 83½ Days
36
Bad news…
37
Processoren worden steeds krachtiger
Rainbow tables
38
Wat nu?
39
A. Single sign on
41
B. Computer generated passwords
43
Opslag?
45
C. One-time passwords
47
D. biometrie
49
Troubles…
50
INFRASTRUCTUUR is DUUR
51
Stelen van biometrische gegevens
54
Malaysia car thieves steal finger
By Jonathan Kent BBC News, Kuala Lumpur Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system. The car, a Mercedes S-class, was protected by a fingerprint recognition system. Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb. The gang, armed with long machetes, demanded the keys to his car. It is worth around $75,000 second-hand on the local market, where prices are high because of import duties. Stripped naked The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off. But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it. They stripped Mr Kumaran naked and left him by the side of the road - but not before cutting off the end of his index finger with a machete. Police believe the gang is responsible for a series of thefts in the area.
55
E. Digitale geheime sleutels
56
-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA3U+R4ygDChkgYJAQfCbNhsOspKH/rjW317qPR5zwFrYwTAjt 3Be3Do6H3XHitEiqhA+HSugTPeyg2w7MWa68nLRCcnB4fgeS25F58KVKeZniYg9g TdM+svggApVjC0p5pgbWRC9bm+gjv4koQU2FidfywYiQDiO5aZfFgWymplOykkM/ zIenaM14REJ5+5nocAB8dg4Vd/7Q3aDnEb+euswct3OxYDB4D2NLaGZDxZFfz7xh 1YahuP8TXqP3wkbp17E/TKSzKKKAfewyC7sAakYpIUBOPIku/StZ1Jq4K5e7lCb3 GlU/C93WhbAc41gL3eRawMO2cjpCQAtaEWW08QIDAQABAoIBAQCl6AKr0dEFfvSg rx9MkyI8RvBjsvYjuS2K0dabjvEFdasbNQ5rknOuu/bqcXfMQzVhLurzoqraH0wv LBbRnIbUyuWNOPd7M15Kr/JEDwWXx17IuFIvxY8ZR51nkmnfiwNLDZEPKJl6dTpn WgENg3n6biMUJrYng2x51kc/0R3VTUBJLzlGBRZ7QWo+3HYukEOysBnvRvjPJP31 Qaq1wkeihRAGcBYUSD0Cg5PY6BE+627UQ+UT7B6EM6x35ZrLvFX6+hJh3ITpZ91H YCmTM8hg7ZYKpSIoBmc7A7P+b0uBfAziH020kzgRakrhaR6F3n1A/UDUT4/vekrI YSqanW4JAoGBAPd9roEqVQ4gqVxSv9dIxsbh92nVtAM9VOwbVpLIk0C8XWhe/dyX sLELt3EQO5SbVtYNMQo9awYKRPP/Uxbmh20LgxpRFe3DWg2PeVcKM981ViP0Yt40 hyT/0Q8clbmGXWbWYuBHRO/8yk1sjrbx6EsUI+V7qgaSd5HcOHpJ2QVzAoGBAOTr dgUrSdNGVAoZw6NsNRxu2G7jwJXcQgINUMJmjmoJabMLpOF8IUUhHnGo3AtIzSLk fkROJDQVGEPuvoyAS3/iyKo1lDenzwlwtTFW7xsDR7XuJK8gXBVMwiVGNjxd7Wtw IvHsVKNdOVez3cueb49ExeDMq12SRtcvX5lCbWMLAoGBAKGZ/l028AzmhM/U9JE1 Yx4wJGaF9SH8ZTw6aaA0ufoWRQPGqwrkPaqNVP3NtKnHeL8SJAhkrEJoaDfOa0nT w3APiU6gzanP2jhqi7eq4M4JvLKDfB9Nu0UMiUzNxHI86zYgHLYHs1rk/I/rp5CL irujbgEFa7MY5lxmqLYpDD1DAoGABANwzURmBfM8s/ShrnLON5Jl7wPFM5tp+Nk8 6jucEZXaqY3xtRZVCv46p2l7eiMrnYn+ALqR/evEwiQkaRgyuqpCNGG+GH+zrImy U4wfowyarEDhmcRqeOEgokCp4MMQz4pmwnEPRtHymGwJ3nEHqa5d/cP42SogXdNx zKESg+MCgYEAuUYu0E2LB+pEzc4GfCH3VqWhxa76FefpcZeGMGqy/2ItN3Pg/SpX ira4dQ6jdhrFq2GNAQ+eRxCbwKlVrEPKp0nQijxvH/8YdjQK/ZUYYNw7Dj2KRBGT 2CtywOLLD3N2kPD8yfNxLQD/Q434nN+ZGuOxEo3EANHyq4vz5EE+TMM= -----END RSA PRIVATE KEY-----
57
Opslag?
60
challenge response
61
Multi factor authenticatie
62
Something you know Something you have Something you are PIN or password
63
Something you know Something you have
64
Something you know Something you have
65
Something you know Something you are
66
Tijd om samen te vatten…
67
Wat hebben we geleerd vandaag?
Steeds grotere paswoorden en sleutels nodig Veilige opslag van paswoorden en digitale sleutels is niet eenvoudig Multi-factor authenticatie verhoogt de veiligheid
Verwante presentaties
