Authentication - PowerPoint PPT Presentation

About This Presentation
Title:

Authentication

Description:

72 two ASCII characters. 464 three ASCII characters. 477 four ASCII characters ... Some devices require PIN (something the user knows) ... – PowerPoint PPT presentation

Number of Views:35
Avg rating:3.0/5.0
Slides: 37
Provided by: far1
Learn more at: https://www.cse.sc.edu
Category:

less

Transcript and Presenter's Notes

Title: Authentication


1
Authentication
  • What you know?
  • What you have?
  • What you are?

2
Authentication
  • Allows an entity (a user or a system) to prove
    its identity to another entity
  • Typically, the entity whose identity is verified
    reveals knowledge of some secret S to the
    verifier
  • Strong authentication the entity reveals
    knowledge of S to the verifier without revealing
    S to the verifier

3
Authentication Information
  • Must be securely maintained by the
  • system.

4
Elements of Authentication
  • Person/group/code/system
  • Distinguishing characteristic
  • Proprietor/system owner/administrator
  • Authentication mechanism
  • Access control mechanism

5
Authentication Requirements
  • System must ensure
  • Data exchange is established with addressed peer
    entity and not with an entity that masquerades or
    replays previous messages
  • Data source is the one claimed

6
Authentication vs. Identification
  • Identification Who are you?
  • Authentication Why should we believe you?
  • Authentication generally follows identification

7
User Authentication
  • What the user knows
  • Password, personal information
  • What the user possesses
  • Physical key, ticket, passport, token, smart card
  • What the user is (biometrics)
  • Fingerprints, voiceprint, signature dynamics

8
Passwords
  • For each user, system stores (user name,
    F(password)), where F is some transformation
    (e.g., one-way hash) in a password file
  • When user enters the password, system computes
    F(password) match provides proof of identity

9
F(password)
  • Password ?F(password) easy
  • F(password) ? password hard
  • Password is not stored in the system

10
Vulnerabilities of Passwords
  • Easy to guess or snoop
  • No control on sharing
  • Visible if unencrypted in networks
  • Susceptible for replay attacks if encrypted
    naively

11
Advantages of Passwords
  • Easy to modify compromised password
  • System well understood by most users
  • Specialized hardware not needed

12
Weak Passwords
  • Bell Labs study (Morris and Thompson, 1979), 3289
    passwords were examined
  • Summary 2831 passwords (86 of the sample) were
    weak, i.e., either too easy to predict or too
    short

13
Study Details
  • 15 single ASCII characters
  • 72 two ASCII characters
  • 464 three ASCII characters
  • 477 four ASCII characters
  • 706 five letters (all lower case or all upper
    case)
  • 605 six letters, all lower case
  • 492 weak passwords (name, dictionary words, etc.)

14
Password Attacks
  • Guessing attack
  • Dictionary attack
  • Social engineering
  • Spoofing attack
  • Other attacks (covered later)

15
Guessing Attack
  • Exploits human tendency to use easy to remember
    passwords
  • Trial-and-error attack
  • Easy to detect and block (failed logins)
  • Need audit mechanism

16
Dictionary Attack
  • Attack 1
  • Create dictionary of common words and names and
    their simple transformations
  • Use these to guess password
  • Attack 2
  • Usually F is public and so is the password file
    (encrypted)
  • Compute F(word) for each word in dictionary
  • Find match

17
Social Engineering
  • Attacker asks for password by masquerading as
    somebody else (not necessarily an authenticated
    user)
  • May be difficult to detect
  • Protection against social engineering strict
    security policy and user education

18
Login Spoofing
  • Create a fake login screen
  • Capture login and password when user attempts to
    log in
  • Present a fake failed login screen
  • User may not even notice there is a problem

19
Password Defenses
  • Password salt
  • Password management policies
  • Lamports scheme
  • One time passwords
  • Time synchronization
  • Challenge response

20
Password Salt
  • Used to make dictionary attack more difficult
  • Salt is a 12 bit number between 0 and 4095
  • Derived from system clock and the process ID
  • Compute F(passwordsalt) both salt and
    F(passwordsalt) are stored in the password table
  • User gives password, system finds salt and
    computes F(passwordsalt) and checks for match
  • Note with salt, the same password is computed in
    4096 ways

21
Password Management Policies
  • Educate users to make better choices
  • Define rules for good password selection and ask
    users to follow them
  • Ask or force users to change their password
    periodically
  • Actively attempt to break users passwords and
    force users to change broken ones
  • Screen password choices

22
Lamports scheme
  • Doesnt require any special hardware
  • System computes F(x),F2(x),, F100(x) (this
    allows 100 logins before password change)
  • System stores users name and F100(x)
  • User supplies F99(x) the first time
  • If the login is correct, system replaces F100(x)
    with F99(x)
  • Next login user supplies F98(x) and so on
  • User calculates Fn(x) using a hand-held
    calculator, a workstation, or other devices

23
One-time Password
  • Use the password exactly once!
  • Often done for initial assigned passwords
  • User must change password before doing anything
    else

24
Time Synchronized
  • There is a hand-held authenticator
  • It contains an internal clock, a secret key, and
    a display
  • Display outputs a function of the current time
    and the key
  • It changes about once per minute
  • User supplies the user id and the display value
  • Host uses the secret key, the function and its
    clock to calculate the expected output
  • Login is valid if the values match

25
Challenge/Response
  • Non-repeating challenges from the host
  • The device requires a keypad

Network
Work station
Host
User ID
Challenge
Response
26
Challenge/Response Problems
  • Key database is extremely sensitive
  • This can be avoided if public key algorithms are
    used

27
Devices with Personal Identification Number (PIN)
  • Devices are subject to theft
  • Some devices require PIN (something the user
    knows)
  • PIN is used by the device to authenticate the user

28
Smart Cards
  • Portable devices with a CPU, I/O ports, and some
    nonvolatile memory
  • Can carry out computation required by public key
    algorithms and transmit directly to the host
  • Some use biometrics data about the user instead
    of the PIN

29
Biometrics
  • Fingerprint
  • Retina scan
  • Voice pattern
  • Signature
  • Typing style
  • Hand geometry

30
Problems with Biometrics
  • Expensive
  • Retina scan (min. cost) about 2,200
  • Voice (min. cost) about 1,500
  • Signature (min. cost) about 1,000
  • False readings
  • Retina scan 1/10,000,000
  • Signature 1/50
  • Fingerprint 1/500
  • Cant be modified when compromised

31
Errors in Biometrics
  • False rejection rate (FRR)
  • Authorized subject is rejected
  • False acceptance rate (FAR)
  • Unauthorized subject is accepted
  • Crossover error rate (CER)
  • FRR FAR

32
Two-factor Authentication
  • Require two forms of authentication
  • Password smart card
  • PIN hand geometry

33
Wellness Center
  • Identification SSN
  • Authorization hand geometry
  • High change of random hands matching
  • Low chance of your friends hand matching yours

34
Single Sign-On (SSO)
  • Provide identification and authorization once for
    a set of related systems
  • VIP limited SSO
  • Kerberos (ker-ber-OUS)
  • Symmetric key cryptosystem
  • Trusted third party (Key Distribution Center
    (KDC) a trusted third party

35
Responsibility for Data
  • Data owner (data administrator)
  • Sets policies
  • Data custodian (database administrator)
  • Implements policies
  • Data user (database user)
  • Follows policies

36
Chapter Topic Review
  • Access control
  • Identification and authentication
  • Possible threats
  • Miscellaneous examples
Write a Comment
User Comments (0)
About PowerShow.com