Learning Objectives: The goal of this project is to harden password-based authentication by including information obtained from a second factor (two-factor Authentication or 2FA). We will use the Linux login command implementation to explore this. Although somewhat contrived, the motivation for the 2FA scheme explored in this project is similar to the password hardening paper discussed in course lectures. More specifically, information maintained by the system to check the validity of a login request is updated after each login request to limit the effectiveness of offline guessing attacks. The following are the learning objectives of this project.
To keep it simple, this project focuses only on hardening the basic login scheme for a desktop/laptop system. However, this scheme can be extended to provide password hardening for remote logins.
Project Setup:
Note: The link to the VM will be posted on an Ed Discussion pinned post.
For this project, you will be provided with an Ubuntu-based Virtual Machine (VM). This VM was tested on Oracle VM Virtual box 7.0 and can be directly imported to it[1]. This VM has a default account “cs6238” setup with normal user access privileges. You will use root, to access a file as root, open a terminal, type “sudo su”, enter the “cs6238” password, and then access the file.
Password for the “cs6238” account is “cs6238”. You should not include “” while entering the password. When you log into account “cs6238”, follow these instructions:
As you can see from Fig 1., the file ‘/etc/shadow’ can be accessed as a root user.
Fig 1. Reading file ‘/etc/shadow’ from root
Fig2. Desktop folder This folder contains:
Additional details of these code files and the executable will be described later.
IMPORTANT NOTE: We have observed that students tend to erase or delete the /etc/passwd and /etc/shadow file while working on this project and lose access for login into the VM. It would be safe to take snapshots of your VM before starting the project and while progressing through the project.
We have also created a copy of the files namely /etc/passwd.cs6238 and /etc/shadow.cs6238 on the VM in case you delete or erase or modify them. Since you have root access it would be safe to have your own copy and exercise caution while updating these files.
Prior to starting on the project, you should familiarize yourself with the working of the login command in Linux. In particular, you should be able to answer the following questions.
There are plenty of online resources for finding answers to these questions. To help you get started, see the section “GETTING STARTED ON LINUX LOGIN/PASSWORDS” in the Appendix
Section.
Getting Started: To help you get started, we have provided two Python code files to help you better understand the inner working of the system while creating and logging in users.
After understanding the code of create_user.py and check_login.py, you are ready to work on this project.
In this task, you need to implement 2FA using the provided token generator (TG) executable, which serves as a second factor. The 2FA method uses the tokens generated by TG to harden the login mechanism used in Linux.
Typically, a unique second factor source/device is associated with a user (i.e., your phone for Duo 2FA used by Georgia Tech) but in this project, the same TG will serve as a second factor source for all accounts you create. For this to be possible, a user must be registered with TG along with a PIN.
Thus, each user has two accounts:
The Token Generator and the 2FA Method are described first. Details regarding what you must implement are provided in Implementation of 2FA.
Before moving to the 2FA method, it is important to know the working of TG. It gives a user three options – ‘1’ for registering a new user, ‘2’ for generating token for the current/registered user and ‘3’ for deleting an existing user account.
NOTE: You have been provided with the Token Generator (TG) executable. You only have to understand how it works so that you can use it as a black box in your project. You do not have to implement the Token Generator.
If user enters:
‘1’ then
‘2’ then
‘3’ then
NOTE (Very Important!!!): After execution of each option in TG, the user will be prompted for confirmation of the requested task in the 2FA method. If the task in 2FA method, for which tokens are generated using TG is completed successfully, the user must enter ‘y’ or ‘Y’. If the user enters some other character, then the TG will revert itself to the previously known state for the user.
First, when user U tries to create an account, 2FA login method requires a user to provide three things, username U, password P (confirm password), salt, and the initial token IT generated by the TG when registering a user account for user.
NOTE: The PIN for the TG and the password for 2FA system should be different. But the username for the 2FA system and the user-id for the TG should be the same.
The 2FA login method will take this token IT, concatenate it with the provided password P and this will be the hardened password (P+IT) that goes into the password hashing algorithm to generate an entry in the shadow file. With this entry, the new user will be successfully created. The whole process can be visualized as shown in Figure 2[Appendix Section]:
After a user U is created, he/she can log into his/her account. For login, a user must provide username U, password P, current token CT from the token generator and next token NT from the token generator[2].
2FA method first checks if the user U exists. If yes, it will then concatenate the password P and current token CT to construct the hardened password(P+CT), as done above in user creation. This hardened password will be used for validating against the hash value in the user entry in /etc/shadow. After successful validation, the user entered password P will be concatenated with the next token NT to create the new hardened password (P+NT). This new password is then hashed, and this new hashed value is used to update the corresponding field in the /etc/shadow file. Based on successful or failed execution of above request, the user will enter the response in the TG, which will decide whether the changes will be saved or discarded. The full functionality of 2FA is visualized in Figure 3[Appendix Section].
2FA should be able to update the user’s password. This deals with the situation when a user’s password is compromised, or a certain amount of time has elapsed since the password was created. For update, a user must provide username U, password P, new password NP (confirm new password), new salt NS, current token CT and next token NT from the token generator.
2FA should also be able to delete user’s account. For delete, user must provide username U, password P and current token CT.
Update and delete functionality should be extrapolated from login functionality.
IMPORTANT: Follow the prompts exactly as the instructions below. We will not accept regrade requests based on incorrect prompt order.
After becoming familiar with the working of the 2FA method and TG, you must create a standalone program based on the functionality of 2FA method. Please start from the python code that we have provided. Your code must implement the prompt below in the exact order.
Your program should be capable of handling the following steps:
Select an action:
Also, prompting the user for appropriate inputs such as username, password, salt, and tokens is also needed.
Prompt for action number 1 (create user):
Username: Alice
Password: Alice123
Confirm Password: Alice123
Salt: salt0123
Initial Token: eYKCaN0kLB7T0.3Q.vPs40
Prompt for action number 2:
Username: Alice
Password: Alice123
Current Token: eYKCaN0kLB7T0.3Q.vPs40 Next Token: iGxl329/ugOeSnhOzYE1B/
Prompt for action number 3:
Username: Alice
Password: Alice123
New Password: New-Password
Confirm New Password: New-Password
New Salt: salt3210
Current Token: eYKCaN0kLB7T0.3Q.vPs40 Next Token: iGxl329/ugOeSnhOzYE1B/
Prompt for action number 4:
Username: Alice
Password: Alice123
Current Token: Gxl329/ugOeSnhOzYE1B/
NOTE: The salt will be same for a user account unless the user updates the password or deletes it and then creates it again.
Username: Alice
Password: Alice123
Current Token: eYKCaN0kLB7T0.3Q.vPs40
Next Token: iGxl329/ugOeSnhOzYE1B/
Deleted”.
Please keep the following in mind as you work on the project.
Complete a security analysis for the implemented 2FA method. More specifically,
o Your answers for Task2 under section “Task2”
FIGURES
Figure 2: Creating an Account
Figure 3: Logging into an Account
GETTING STARTED ON LINUX LOGIN/PASSWORDS
When the Linux system creates a user, it prompts the user for a password. Then, based on the version of Linux, one of six algorithms are chosen for password encryption. The system generates a random salt and uses that salt to generate a one-way hash and store that hash with user details in /etc/shadow file. The user entry looks like the below-given example:
As you can see the user entry consists of 9 fields, each separated by the “:”. The first field is the username and the second is hash. The hash contains 3 other fields separated with the dollar sign (“$”). The first field tells us about the hashing algorithm used, in this case, “6” denotes SHA-512. The second field is the salt value used to make hash value unique. The last field is the hash of the combination of your salt and password. You can easily verify the generation of hash by using the perl one-line script on your Ubuntu terminal.
perl -e ‘print crypt(“<PASSWORD>”,”$<HASH-ALGO>$<SALT-VALUE>$”) . “
”‘
Here, <PASSWORD>=cs6238
<HASH-ALGO>=6
<SALT-VALUE>=UPICuFgR
Note: Explore all other fields as you will need to know them for project.
After storing the hash entry in file /etc/shadow, the system will create a home directory and a user entry in /etc/passwd file which stores essential information required during login, i.e., user account information. This file contains one entry per line for each user. An entry in /etc/passwd for user cs6238 is looks like:
Each entry in /etc/passwd has seven fields, each separated with “:”. The first field contains the username. The second field contains the password for the user. “x” denotes that the hashed password entry is in the shadow file. Next two entries are of uid and guid. Last two entries are home directory of the user and the absolute path of the command shell. We are not going to discuss passwd file contents in detail as for the project it is sufficient to know what in the passwd file. However, you are welcome to further explore details of passwd files. After updating the entry in passwd file, user creation completes.
[1] By now, you should know how to import a VM. If not, please visit: https://docs.oracle.com/cd/E26217_01/E26796/html/qsimport–vm.html.
[2] Ideally, these tokens should be obtained without any user effort but to simplify the project, you will provide these tokens manually (e.g., cut and paste).
The project writeup is available here: Project2.pdf
The project VM can be built by the student:
https://ubuntu.com/download/desktop
You can follow this guide:
Then download and extract this folder into your Desktop folder in the VM:
git clone https://github.com/TA-gatech/Project2.git
If you have any questions please join the TA office hours or post them to Ed Discussion
Ed Discussion also has links and mirror links to a pre-installed VM.
cs6238.ovaLinks to an external site.
Project 2 Walk through:
Coming Soon!
Good luck!
Rubric
Some Rubric
Total Points: 100
Reviews
There are no reviews yet.