Authentication - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

Authentication

Description:

Authentication Definitions ... Something you have Something you are Mechanisms Text-based passwords Graphical passwords ... etc. Typical password advice Typical ... – PowerPoint PPT presentation

Number of Views:1014
Avg rating:3.0/5.0
Slides: 37
Provided by: Heather483
Category:

less

Transcript and Presenter's Notes

Title: Authentication


1
Authentication
2
Definitions
  • Identification - a claim about identity
  • Who or what I am (global or local)
  • Authentication - confirming that claims are true
  • I am who I say I am
  • I have a valid credential
  • Authorization - granting permission based on a
    valid claim
  • Now that I have been validated, I am allowed to
    access certain resources or take certain actions
  • Access control system - a system that
    authenticates users and gives them access to
    resources based on their authorizations
  • Includes or relies upon an authentication
    mechanism
  • May include the ability to grant course or
    fine-grained authorizations, revoke or delegate
    authorizations

Slides modified from Lorrie Cranor, CMU
3
Building blocks of authentication
  • Factors
  • Something you know (or recognize)
  • Something you have
  • Something you are
  • Mechanisms
  • Text-based passwords
  • Graphical passwords
  • Hardware tokens
  • Public key crypto protocols
  • Biometrics

4
Two factor systems
  • Two factors are better than one
  • Especially two factors from different categories
  • Question What are some examples of two-factor
    authentication?

5
Evaluation
  • Accessibility
  • Memorability
  • Depth of processing, retrieval, meaningfulness
  • Security
  • Predictability, abundance, disclosure,
    crackability, confidentiality
  • Cost
  • Environmental considerations
  • Range of users, frequency of use, type of access,
    etc.

6
Typical password advice
7
Typical password advice
  • Pick a hard to guess password
  • Dont use it anywhere else
  • Change it often
  • Dont write it down
  • Do you?

Bank b3aYZ Amazon aa66x! Phonebill
p2ta1
8
Problems with Passwords
  • Selection
  • Difficult to think of a good password
  • Passwords people think of first are easy to guess
  • Memorability
  • Easy to forget passwords that arent frequently
    used
  • Difficult to remember secure passwords with a
    mix of upper lower case letters, numbers, and
    special characters
  • Reuse
  • Too many passwords to remember
  • A previously used password is memorable
  • Sharing
  • Often unintentional through reuse
  • Systems arent designed to support the way people
    work together and share information

9
How Long does it take to Crack a Password?
  • Brute force attack
  • Assuming 100,000 encryption operations per second
  • FIPS Password Usage
  • 3.3.1 Passwords shall have maximum lifetime of 1
    year

Password Length
http//geodsoft.com/howto/password/cracking_passwo
rds.htmhowlong
10
The Password Quiz
  • What is your score?
  • Do you agree with each piece of advice?
  • What is most common problem in the class?
  • Any bad habits not addressed?

11
Check your password
https//www.google.com/accounts/EditPasswd
http//www.securitystats.com/tools/password.php
Question Why dont all sites do this?
12
Text-based passwords
  • Random (system or user assigned)
  • Mnemonic
  • Challenge questions (semantic)
  • Anyone ever had a system assigned random
    password? Your experience?

13
Mnemonic Passwords
Four
F
Four
score
s
and
a
and
years
y
,
,
seven
s
seven
ago
a
our
o
Fathers
F
First letter of each word (with punctuation)
4sasya,oF
4sa7ya,oF
4s7ya,oF
Source Cynthia Kuo, SOUPS 2006
14
The Promise?
  • Phrases help users incorporate different
    character classes in passwords
  • Easier to think of character-for-word
    substitutions
  • Virtually infinite number of phrases
  • Dictionaries do not contain mnemonics

Source Cynthia Kuo, SOUPS 2006
15
Memorability of Password Study
  • Goal
  • examine effects of advice on password selection
    in real world
  • Method experiment
  • independent variables?
  • Advice given
  • Dependent variables?
  • Attacks, length, requests, memorability survey

16
Study, cont.
  • Conditions
  • Comparison
  • Control
  • Random password
  • Passphrase (mnemonic)
  • Students randomly assigned
  • Attacks performed one month later
  • Survey four months later

17
Results
  • All conditions longer password than comparison
    group
  • Random passphrase conditions had significantly
    fewer successful attacks
  • Requests for password the same
  • Random group kept written copy of password for
    much longer than others
  • Non-compliance rate of 10
  • What are the implications?
  • What are the strengths of the study? Weaknesses?

18
Mnemonic password evaluation
  • Mnemonic passwords are not a panacea, but are an
    interesting option
  • No comprehensive dictionary today
  • May become more vulnerable in future
  • Users choose music lyrics, movies, literature,
    and television
  • Attackers incentivized to build dictionaries
  • Publicly available phrases should be avoided!
  • C. Kuo, S. Romanosky, and L. Cranor. Human
    Selection of Mnemonic Phrase-Based Passwords. In
    Proceedings of the 2006 Symposium On Usable
    Privacy and Security, 12-14 July 2006,
    Pittsburgh, PA.

Source Cynthia Kuo, SOUPS 2006
19
Password keeper software
  • Run on PC or handheld
  • Only remember one password
  • How many use one of these?
  • Advantages?
  • Disadvantages?

20
Forgotten password mechanism
  • Email password or magic URL to address on file
  • Challenge questions
  • Why not make this the normal way to access
    infrequently used sites?

21
Challenge Questions
  • Question and answer pairs
  • Issues
  • Privacy asking for personal info
  • Security how difficult are they to guess and
    observe?
  • Usability answerable? how memorable? How
    repeatable?
  • What challenge questions have you seen?
  • Purpose?

22
Challenge questions
  • How likely to be guessed?
  • How concerned should we be about
  • Shoulder surfing?
  • Time to enter answers?
  • A knowledgeable other person?
  • Privacy?

23
Graphical Passwords
  • We are much better at remembering pictures than
    text
  • User enters password by clicking on on the screen
  • Choosing correct set of images
  • Choosing regions in a particular image
  • Potentially more difficult to attack (no
    dictionaries)
  • Anyone ever used one?

24
Schemes
  • Choose a series of images
  • Random1
  • Passfaces2
  • Visual passwords (for mobile devices)3
  • Provide your own images
  • R. Dhamija and A. Perrig, "Deja Vu A User Study
    Using Images for Authentication," in Proceedings
    of 9th USENIX Security Symposium, 2000.
  • http//www.realuser.com/
  • W. Jansen, et al, "Picture Password A Visual
    Login Technique for Mobile Devices," National
    Institute of Standards and Technology Interagency
    Report NISTIR 7030, 2003.

25
Schemes
  • Click on regions of image
  • Blonders original idea click on predefined
    regions 1
  • Passlogix click on items in order 2
  • Passpoints click on any point in order 3
  • G. E. Blonder, "Graphical passwords," in Lucent
    Technologies, Inc., Murray Hill, NJ, U. S.
    Patent, Ed. United States, 1996.
  • http//www.passlogix.com/
  • S. Wiedenbeck, et al. "Authentication using
    graphical passwords Basic results," in
    Human-Computer Interaction International (HCII
    2005). Las Vegas, NV, 2005.

26
Schemes
  • Freeform
  • Draw-a-Secret (DAS)
  • I. Jermyn, et al. "The Design and Analysis of
    GraphicalPasswords," in Proceedings of the 8th
    USENIX SecuritySymposium, 1999.
  • Signature drawing

27
Theoretical Comparisons
  • Advantages
  • As memorable or more than text
  • As large a password space as text passwords
  • Attack needs to generate mouse output
  • Less vulnerable to dictionary attacks
  • More difficult to share
  • Disadvantages
  • Time consuming
  • More storage and communication requirements
  • Shoulder surfing an issue
  • Potential interference if becomes widespread

See a nice discussion in Suo and Zhu. Graphical
Passwords A Survey, in the Proceedings of the
21st Annual Computer Security Applications
Conference, December 2005.
28
How do they really compare?
  • Many studies of various schemes
  • Faces vs. Story
  • Method experiment
  • independent participant race and sex, faces or
    story
  • Dependent types of items chosen, liklihood of
    attack
  • Real passwords used to access grades, etc.
  • Also gathered survey responses
  • Results
  • we are highly predictable, particularly for faces
  • Attacker could have succeeded with 1 or 2 guesses
    for 10 of males!
  • Implications?

29
Other examples
  • Passpoints predictable too!
  • Can predict or discover hot spots to launch
    attacks.

Julie Thorpe and P.C. van Oorschot. Human-Seeded
Attacks and Exploiting Hot-Spots in Graphical
Passwords, in Proceedings of 16th USENIX Security
Symposium, 2007.
30
Other uses of images
  • CAPTCHA differentiate between humans and
    computers
  • Use computer generated image to guarantee
    interaction coming from a human
  • An AI-hard problem

Luis von Ahn, Manuel Blum, Nicholas Hopper and
John Langford. CAPTCHA Using Hard AI Problems
for Security, In Advances in Cryptology,
Eurocrypt 2003.
31
More food for thought
  • How concerned should we be about the weakest
    link/worse case user?
  • Do we need 100 compliance for good passwords?
    How do we achieve?
  • What do you think of bugmenot
  • Is it possible to have authorization without
    identification?

32
Project Groups
  • 3 groups of 4, 1 group of 3
  • Form your group by the END of class next week
  • Preliminary user study of privacy or security
    application, mechanism, or concerns
  • Deliverables
  • Idea
  • Initial plan 5 points
  • Plan 20 points
  • Report 20 points
  • Presentation 5 points

33
Project Ideas
  • Start with a question or problem
  • Why dont more people encrypt their emails?
  • How well does product X work for task Y?
  • What personal information do people expect to be
    protected?
  • Flip through chapters in the book papers
  • Follow up on existing study
  • Examine your own product/research/idea
  • Examine something you currently find frustrating,
    interesting, etc.

34
Ideas?
35
A Look Ahead
  • Next week User studies
  • pay attention to the method of study in your
    readings
  • ALSO observation assignment
  • Two weeks rest of authentication
  • ALSO project ideas due

36
Next weeks assignment
  • Observe people using technology
  • Public place, observe long enough for multiple
    users
  • Take notes on what you see
  • Think about privacy and security, but observe and
    note everything
  • Write up a few paragraphs describing your
    observations
  • Dont forget IRB certification
Write a Comment
User Comments (0)
About PowerShow.com