Case study: Problems and suggestions on Dynamic Password Verification module for FTP service in an enterprise

Source: Internet
Author: User
Tags: sha1, encryption, ftp, client

1. Dynamic Password Generation

The dynamic password verification scheme of the FTP service on an enterprise gateway consists of two parts: dynamic password generation and dynamic password verification. The generation process is shown in Figure 1.1.


Figure 1.1 Dynamic password generation algorithm

2. Login Verification Process

The verification exchange between the FTP client (at login) and the server is shown in Figure 1.2.


Figure 1.2 Dynamic password verification process

3. Problems

(1) The so-called dynamic password is not actually dynamic: the same algorithm always produces the same password for a given user name, and the variety of user name/password pairs only creates the illusion of a dynamic password;
(2) The password produced by the custom encryption algorithm is transmitted in plaintext, so a packet-capture tool reveals it at a glance;
(3) The encryption algorithm looks complex and reliable, but it contributes nothing to network security; in the author's opinion its security is no higher than using plain MD5 or SHA1;
(4) Once the encryption algorithm or password generator is leaked, the impact is far greater than it would be with a public cryptographic algorithm;
(5) Although the algorithm uses a one-way hash function (MD5), the login authentication itself is still a symmetric (shared-secret) check.

4. Login Test

We ran the user names "aaabbbcccddd" and "111222333444" through the encryption algorithm, obtaining the passwords "BXZQL8N6Q9SL" and "CS112DFAEUAF" respectively, logged in successfully to the seat gateway's FTP server, and captured the traffic with Wireshark. The plaintext transmission clearly leaks the passwords, as shown in Figures 1.3 and 1.4.


Figure 1.3 Packets captured while user aaabbbcccddd logs in to FTP


Figure 1.4 Packets captured while user 111222333444 logs in to FTP

5. Preliminary recommendations

(1) Avoid transmitting user passwords in plaintext;
(2) Strengthen privilege management for the FTP service of the seat gateway.

6. More recommendations

(1) If there is no good reason to require dynamic password verification, remove it;
(2) If dynamic password authentication really is needed, have the server maintain a real-time table of dynamic user passwords, deliver them to trusted clients through a separate channel, and add constraints (for example: each dynamic password may be used only once; limit the number of failed login attempts);
(3) Replace plaintext transmission with encrypted transmission, and replace symmetric password authentication with public key cryptography;
(4) Use public cryptographic algorithms such as RSA, AES, DES, or MD5+salt;
(5) Use an alternative to FTP, such as SFTP or HTTPS;
(6) If none of the above changes are made, at least restrict the scope of operations and the permissions a user has after logging in to the FTP service.

By analogy, this verification method is like a house whose door has no key. Whoever wants to come in shouts "Open Sesame" at the door, and the people inside open it when they hear the signal. Anyone else who wants in simply stands nearby, listens quietly to others shouting the signal, and then shouts it too.
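The following Python sketch is an added illustration, not code from the case study or from the gateway vendor. The gateway's real derivation lives in Figure 1.1 and is not reproduced on this page, so `flawed_dynamic_password` is a hypothetical stand-in (SHA1 of the user name, truncated) that preserves only the structural flaw from problem (1): the "dynamic" password is a fixed function of the user name, so the same credential is accepted on every login. Beside it is the single-use password table from recommendation (2): each password is random, stored only as a salted PBKDF2 hash, expires, is accepted exactly once, and repeated failures lock the account. The names `OtpServer`, `issue`, `verify` and the user name taken from section 4 are the author's choices for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# --- The scheme the case study criticises (hypothetical stand-in). ---
def flawed_dynamic_password(username: str) -> str:
    """Deterministic derivation: the same user name always yields the same password."""
    digest = hashlib.sha1(username.encode()).hexdigest()
    return digest[:12].upper()


def flawed_verify(username: str, password: str) -> bool:
    """Same comparison on every login; a password observed once stays valid forever."""
    return hmac.compare_digest(flawed_dynamic_password(username), password)


# --- Recommendation (2): server-side one-time password table. ---
@dataclass
class OneTimeEntry:
    salted_hash: bytes
    salt: bytes
    expires_at: float
    used: bool = False


@dataclass
class OtpServer:
    ttl_seconds: float = 300.0     # each issued password lives five minutes
    max_failures: int = 3          # lock the account after this many failures
    table: dict = field(default_factory=dict)     # username -> OneTimeEntry
    failures: dict = field(default_factory=dict)  # username -> failed attempts
    locked: set = field(default_factory=set)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted, iterated hash so the table itself is not a list of reusable passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, username: str, now: float) -> str:
        """Generate a fresh random password; keep only its salted hash.
        The cleartext is returned for delivery over a separate, trusted channel."""
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.table[username] = OneTimeEntry(self._hash(password, salt), salt,
                                            now + self.ttl_seconds)
        return password

    def verify(self, username: str, password: str, now: float) -> bool:
        """Accept a password only if unused, unexpired and matching; count failures."""
        if username in self.locked:
            return False
        entry = self.table.get(username)
        ok = (entry is not None and not entry.used and now <= entry.expires_at
              and hmac.compare_digest(self._hash(password, entry.salt), entry.salted_hash))
        if ok:
            entry.used = True            # a replayed capture is rejected from now on
            self.failures.pop(username, None)
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
        return False


def demo() -> dict:
    """Constructed scenario: the flawed check accepts a repeated credential, the OTP table does not."""
    user = "aaabbbcccddd"            # test user name from section 4 of the case study
    now = 1_700_000_000.0            # constructed clock value
    pw_flawed = flawed_dynamic_password(user)
    results = {
        "flawed_first": flawed_verify(user, pw_flawed),
        "flawed_replay": flawed_verify(user, pw_flawed),   # identical credential, accepted again
    }
    srv = OtpServer()
    pw = srv.issue(user, now)
    results["otp_first"] = srv.verify(user, pw, now + 1)
    results["otp_replay"] = srv.verify(user, pw, now + 2)          # same password, second use
    pw2 = srv.issue(user, now + 10)
    results["otp_expired"] = srv.verify(user, pw2, now + 10 + 301)  # past the TTL
    pw3 = srv.issue(user, now + 400)
    results["otp_wrong"] = srv.verify(user, "not-the-password", now + 401)  # third failure
    results["locked"] = user in srv.locked
    results["otp_after_lock"] = srv.verify(user, pw3, now + 402)  # correct, but account locked
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The flawed check returns True twice for the same credential, which is exactly the replay that the Wireshark captures in section 4 make possible. The table-based check returns True once and then rejects the replay, the expired password and, after three failures, even a correct password. Delivery of the issued password still has to happen over a channel that is not the plaintext FTP control connection, which is why recommendations (3) and (5) are needed as well.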
