By Jeff Kabachinski, MS-T, BS-ETE, MCNE
Sit, Fido, sit! Fido, roll over! FIDO, authenticate my connection with the relying party!
Fido won’t understand that last one, but FIDO will. Fast IDentity Online (FIDO) is a way to do away with passwords. It is a standards-based, open protocol supported by an alliance of companies that will be making use of the FIDO authentication process instead of the old, tired-out password process.1
“Down with passwords” is the catchphrase of the Petition Against Passwords group. Its objective is to raise awareness that the legacy system of hashed passwords is outdated and easily hacked. It also encourages plans and proposals for the next generation of password-free authentication options.2 In this column, we’ll take a look at password hashing and FIDO’s process.
To improve security, passwords are often stored in a database not as plain text but as hashed values. A hashing sequence or algorithm takes the plain-text password of any length and converts it into a (usually longer) fixed-length bit string. These cryptographic hashes are generally one-way processes, in that trying to reverse the hashing scheme to get to the password is not feasible based on currently available computing power. The hashing process also has the property of being very fast.
While reverse hashing cannot be achieved, a hacker can use the same very fast hashing function to rifle through a password search space with many iterations of possible passwords to see if a match is found.3
GPU-Based Rainbow Tables
Hacking passwords has become easier recently with the advent of the new and more powerful graphics processing units (GPUs) and rainbow tables. The TFLOPS range (tera floating-point operations per second) used to be exclusive to supercomputers.4 Now, readily available GPUs can crunch numbers on the order of a TFLOPS, whereas a modern Core 2 Duo processor is in the 20 to 30 GFLOPS range (giga floating-point operations per second). In other words, newer GPUs are well suited to rapidly processing integer operations like hashing.
When you log onto a website (AKA, relying party), it will hash your password to see if the hashed value resides in its password hashing table. Since a hash value will always relate to a specific password, this practice becomes a significant flaw in the system. And with today’s processing power, the several billion hash computations needed to guess hashed passwords are certainly achievable. However, salted passwords, which include a random set of extra characters, are more difficult to crack because they tend to make the password longer. That increases the processing and time needed to guess the password to a point beyond the capabilities of most current computers.
As mentioned above, hackers can use rainbow tables of hashed values that have been precomputed for a specified password search space, such as street names with other letters, symbols, and numbers, or pet names with similar added alphanumerics. Using a rainbow table further reduces the time and memory space needed to divine passwords from hashing tables. Hackers using the tools are not guaranteed to find the right password, but they can get closer by taking advantage of probability concepts like the birthday paradox.
The concept behind the birthday paradox involves the chances that at least two people in a given group will have the same birthday. The probability is 100% if the number of people is 367, since there are 366 possible birthdays (including February 29). However, the probability only drops to 99% for a group of just 57 people, and to 50% for just 23 people.
Using similar cryptographic concepts can help hackers to decrease the time and processing power needed for guessing hashed passwords. Combining such fast-search concepts with rainbow tables of precomputed hashing tables makes determining passwords from hashing tables even more feasible.3
Passwords Coming Out of My Ears!
How many passwords do you have? I have a secret list I keep with all of my passwords. As I was writing this column I checked (while no one was looking) and was a little shocked when I counted over a hundred—most of them still valid. Almost every time you want to get a copy of an article or white paper these days, you must first register and create yet another password. And it has to be a “good password,” or it will not be accepted! I know that you shouldn’t reuse passwords or write them down, but I don’t have the memory bandwidth to remember them all.
Once one of your passwords is breached, consider any other online accounts that use the same password also breached. Change them often, especially your banking and financial online passwords. Don’t use any streets that you lived on or any pet’s names (like Fido), as they can be fodder for creating password search space in rainbow tables.5
Here Comes FIDO
Now FIDO comes along promising to get rid of passwords—or at least most of them. FIDO has several component parts. For the browser side, you’ll have a FIDO plug-in that interfaces the browser to your authenticator token. The authenticator accomplishes this by first connecting to the device-specific module, a driver, that in turn connects to the FIDO browser plug-in. The authenticator can come in a number of forms. It might be a USB memory drive or SD card, voice-recognition software, a fingerprint scanner, or even a chip embedded into your mother board called a trusted platform module. Even face recognition and iris-scanning are possible.6
Your PIN or biometric information is never sent over the Internet, because you are verified with FIDO locally. The relying party (the website) has a verification cache that contains the information needed for each authenticator token. The FIDO server enrolls the user and issues a symmetric key. Half of the key resides with the relying party, and the other half resides with the user. The user’s half of the key is unlocked by the authentication token.7
The verification cache is fed by a FIDO repository that contains the encrypted information from the token manufacturer. Each relying party has a unique connection to each user. Therefore, if one connection is breached or hacked, the rest of the authenticated connections remain unscathed. Similarly, if any of your verified connections is hacked, the rest of them for other websites remain safe.
One of the main aspects of the process is the authenticator device on your PC or smartphone, which has the FIDO-specific “secret” that’s part of the nonspoofable identifier. Your authenticator is verified by the FIDO-compliant relying party or website where you have an account. For most websites, this single-factor authentication will be all that’s needed: You’re logged in normally at this point. Two-factor authentication is when FIDO asks you to perform an action to verify that you’re the owner of the device. This can be a PIN or fingerprint scan. The two factors include something you know (such as a PIN), and either something you have (the token or authenticator device) or something you are—the biometric. Again, all of this is performed locally rather than negotiated online.
Will passwords go away someday? Not soon enough for the petitioners at www.petitionagainstpasswords.com. The hashing of passwords is an older process that continues to get easier to hack and needs updating. FIDO is just one of a number of initiatives to update, upgrade, or overhaul the process that are backed by the petitioners. They also recommend other alternative next-generation authentication technologies, including Clef, LaunchKey, Mozilla Persona, OneID, Rublon, and Yubico. There is a lot of online information to search out if you, too, are interested in doing away with passwords! 24×7 September 2013 Networking
1. Leddy W. (2013, April 29). Run, FIDO, run: Alliance works on non-Proprietary authentication. Available at: http://www.tmcnet.com/voip/departments/articles/336051-run-fido-run-alliance-works-non-proprietary-authentication.htm. Accessed July 17, 2013.
2. Higgins KJ. (2013, July 24). Campaign launched to kill off the password. Available at: http://www.darkreading.com/vulnerability/campaign-launched-to-kill-off-the-passwo/240158879?cid=NL_DR_Weekly_240158879&elq=5d37e58ab39d4936ab810f59bfae7927. Accessed August 2, 2013.
3. Wikipedia. (2013, Aug 4). Rainbow tables. Available at: en.wikipedia.com: http://en.wikipedia.org/wiki/Rainbow_table. Accessed August 6, 2013.
4. Graves RE. High Performance Password Cracking by Implementing Rainbow Tables on nVidia. [Master’s thesis] Ames, Iowa: Iowa State University; 2008
5. Chickowski E. (2013, May 3). Giving FIDO a longer leash to eliminate web passwords. Available at: http://www.darkreading.com/identity-access/giving-fido-a-longer-leash-to-eliminate/240154155. Accessed August 2, 2013.
6. The FIDO Alliance. (2013). How FIDO works. Available at: http://www.fidoalliance.org/how-it-works.html. Accessed July 22, 2013.
7. Wilson T. (2013, February 13). New security industry alliance, startup company promise revolution in authentication. Available at: http://www.darkreading.com/end-user/new-security-industry-alliance-startup-c/240148450. Accessed July 18, 2013.
Jeff Kabachinski, MS-T, BS-ETE, MCNE, has more than 20 years of experience as an organizational development and training professional. He is the director of technical development for Aramark Healthcare Technologies in Charlotte, NC. For more information, contact [email protected].