Authentication Tools

Modified 5 November 2009

Well-Known Default Passwords

Many systems come with well-known default passwords which go unchanged by lazy admins. Here are lists, do you have any remaining risks?:

• http://phenoelit-us.org/dpl/dpl.html
• http://www.cirt.net/passwords
• http://www.defaultpassword.com/

The page http://www.whatsmypass.com/?p=415 claims to list "The Top 500 Worst Passwords of All Time", but there is no explanation of where they got that data. Since admin isn't even on the list despite being the default password on lots of network gear, I don't think the list is very authoritative. But it's kind of interesting.

Kerberos

• Good documents from the source: http://web.mit.edu/Kerberos/papers.html
• Download Kerberos from: http://web.mit.edu/kerberos/www/dist/
• See my page on how to integrate UNIX hosts into a Kerberos realm based on a Windows Active Directory server. Ugh. But many people want to do this.
• Note very carefully that Microsoft ships something that they label as "Kerberos", although it does not follow the open standard, it actually lowers the security because of Microsoft's design error, and Microsoft considers their alterations to be proprietary. You have been warned — don't complain when it utterly fails to interoperate with everyone else's products, or when an intruder breaks your "Kerberos" authentication.

How does the Microsoft re-design break the security of their "Kerberos"? The initial request for a user identity ticket is the only thing that is supposed to be cleartext. There is no risk in seeing that some user on the network is currently asking to be authenticated as a specific user name. Microsoft includes an extra field in that request, something they call "pre-authentication". It's the current timestamp encrypted with the user's secret key. Since all hosts in a Kerberos realm must have their clocks synchronized, an attacker can capture the initial ticket request and then mount a known-plaintext attack. The free and commonly available package kerbcrack does exactly that.

Password Tools

• If you have too many passwords on multiple systems, you need a secure means to store them on one system:
  • pwsafe is a secure command-line tool for any Unix-like OS: http://nsd.dyndns.org/pwsafe/
  • Password Gorilla is a secure graphical tool for any Unix-like OS, plus Windows: http://www.fpx.de/fp/Software/Gorilla/
  • Password Safe is a secure tool which unfortunately is only available for Windows: http://passwordsafe.sourceforge.net/
• Also see the page on system configuration testing and auditing for several password cracking and password testing packages.
• A general collection of password tools is at: ftp://ftp.cert.dfn.de/pub/tools/password/.
• Stronger replacements for the default Unix password package are:
  • npasswd — http://freshmeat.net/projects/npasswd/ and http://www.utexas.edu/cc/unix/software/npasswd/
  • passwd+ — ftp://ftp.dartmouth.edu/pub/security/
  • anlpasswd — ftp://ftp.mcs.anl.gov/pub/systems
• Use the pam_passwdqc PAM module for enforcing password quality on Solaris, Linux, HP-UX, BSD, and possibly elsewhere: http://www.openwall.com/passwdqc/
• Two one-time password systems are S/KEY and OPIE ("One-Time Passwords in Everything"):
  • OPIE
    • http://www.inner.net/opie
    • ftp://ftp.nrl.navy.mil/pub/security/opie/ (requires that you be in .mil or .gov!)
  • S/KEY
    • ftp://ftp.cert.dfn.de/pub/tools/password/SKey/
• Good static passwords are essential. First, educate your users. Second, validate their actions with Crack. See the system auditing section.
• The Automated Password Generator (APG) is suggested or required on all DoD and Govt. computers without hardware authentication devices. See NIST publication FIPS 181, "Automated Password Generator", 5 Oct 1993. The goal is a random string that is pronouncable and thus rememberable. E.g., "Kla-Nik-Tu", -> klaniktu. An early version is "A Random Word Generator for Pronouncable Passwords", Gasser, M., Mitre report MTR-3006, ESD-TR-75-97, November 1975.

Handheld Password Tokens

See a list of technologies and vendors at the Wikipedia page, or here are some:

• Aladdin Knowledge Systems, http://www.aladdin.com/
• Chrysalis ITS, http://www.chrysalis-its.com/
• CRYPTOCard, +1-800-307-7042, http://www.cryptocard.com/
• Digital Pathways, Inc., +1-415-964-0707
• Entrust, http://www.entrust.com/
• Gemalto, http://www.gemalto.com/
• iButton, http://www.maxim-ic.com/products/ibutton/
• Keyware Technologies, Inc., http://www.keyware.com
• RSA SecurID, http://www.rsa.com/
• Secure Computing Corporation, +1-612-628-2700, http://www.securecomputing.com/
• VASCO Data Security, +1-630-932-8844, http://www.vasco.com
• Verisign, http://www.verisign.com/

Biometric Authentication

• Fingerprints
  • Sony makes fingerprint scanners, see their FIU-600 and FIU-810/PERS units
  • CA and Identix make a fingerprint reader.
  • Fooling fingerprint readers and/or shortcomings of biometric systems:
    • http://www.securityfocus.com/news/6717
    • http://www.optel.pl/top.htm
• Hand Shape
  • Recognition Systems, part of Ingersoll Rand and now working with Schlage, makes fingerprint and hand geometry systems:
    • Access control — http://recognitionsystems.schlage.com/
    • Time & attendance devices — http://recognitionsystems.ingersollrand.com/
• Voice
  • Veritel Corporation: http://www.veritelcorp.com
  • Periphonics and T-Netix (+1-303-705-4552).
  • Truster, by Seem Software Corp., claims to be a voice-based lie detector. My guess is that trusting this product requires some huge assumptions. http://www.truster.com
• Blood vessel pattern recognition — "The technology has been more widely accepted than fingerprinting in Asia mainly for cultural reasons", says Michelle Shen of ePolymath Consulting in Toronto. "In Japan, they are very concerned about hygiene. They're reluctant with fingerprinting because they have to touch the sensor." (quoted in Technology Review, Dec 2003 / Jan 2004, pg 22).
  • Get hardware from Techsphere of Seoul, South Korea, distributed by Identica, of Toronto, Canada. In use at the Toronto and Ottawa airports to authenticate ground crew, who often have dirty hands that don't work with fingerprinting.
  • Hitachi is working on this: "Finger vein authentication, introduced widely by Japanese banks in the last two years [2006-2008], is claimed to be the fastest and most secure biometric method" because blood vessels are invisible to the eye, extremely difficult to forge and simulate. It uses near-IR absorption by hemoglobin. Fujitsu uses a similar approach but on a palm scanner rather than a fingertip, and its system has been installed at Carolina HealthCare System in Charlotte NC. http://technology.timesonline.co.uk/tol/news/tech_and_web/article5129384.ece
• Buttock Pressure Map (yes, really)
  • No idea if they want to apply this to biometrics, but it's intriguing.... http://www.ece.purdue.edu/~hongtan/ResProjects/chair.html

Here's a table from "Beyond Fingerprinting", Anil K Jain and Sharath Pankanti, Scientific American Sep 2008 pp 78-81, drawing from US NIST studies. They bring up an issue I hadn't seen before, technology will be less likely to be used if it is unsuitable as evidence in a court of law. Because iris recognition is based on complicated statistical analysis of subtle image features, "no known human experts can determine whether or not two iris images match. Hence, the data are unsuitable for evidence in a court of law."

Protect Sysadmin Authentication With sudo

Don't just hand out the system administrator's password! Allow certain users to run only certain commands with sysadmin privileges, with the sudo tool. http://www.gratisoft.us/sudo/

TCP Wrappers and xinetd for Host Authentication

• Get tcpd! ftp://ftp.porcupine.org/pub/security/index.html
• An alternative is xinetd — it's more complicated to administer, but you do get finer control over access. It supports time-sensitive access rules, limitations on maximum simultaneous connections, etc. It replaces inetd. Get it at: http://xinetd.org/

Software Authentication/Piracy

Software piracy (kinda) falls under authentication. Authenticate your software, make sure it's legitimate.

Why audit yourself? If your site has pirated software, you may incur huge fines. Disgruntled employees will turn you in for rewards from SPA and BSA (Software Publishers Association and Business Software Alliance), who shows up with federal agents and search warrents. Fines in the $100,000-200,000 range are common, and can go into the millions. Autodesk (http://www.autodesk.com/), maker of AutoCAD, recovered more than US$ 35 million from North American copyright infringers in 1989-1999 (SC Magazine, April 1999, pg 18). The SPAudit tool is available free from http://www.spa.org. It audits what software is installed where, and also inventories hardware and system boot files. Further info is available on software piracy.

Security Page

Home Unix/Linux Networking Infosec Travel Technical Radio Site Map Contact