CS5401: Authentication and Identification

Dr. Ehud Reiter, Computing Science, University ...

1
CS5401 Authentication and Identification
  • Passwords
  • Phishing
  • Biometrics
  • Combined approaches
  • Reading: Anderson, chap 2 of 2nd ed (available
    free on web site); also Biometrics (chap 13 of
    1st ed)

2
Identification and Authentication
  • How can a person identify himself to a computer?
  • "I am Ehud Reiter, therefore I have the right to
    see 5401exam.doc, or to transfer money from Ehud
    Reiter's bank account"
  • How can a computer identify itself to a person?
  • I am the Bank of Scotland website, you should
    type your password in
  • Usually more important than secrecy

3
Person-to-computer Ident
  • Being able to identify yourself to a computer is
    absolutely essential
  • ATM machines, e-banking
  • Access to e-mail, computer accounts
  • Access to personal information (eg, student
    portal)

4
Non-computer identification
  • Bank teller knows you by sight (good)
  • Bank teller checks your picture against a photo
    ID (iffy)
  • Bank back office compares cheque signature to one
    on record (iffy)
  • All examples of biometric identification

5
Computer Identification
  • How to identify a human to a computer?
  • Crypto challenge-response, if human has hand-held
    cryptographic calculator
  • Biometrics: face recognition, retina/iris
  • Token: eg, ATM card
  • Password (most common by far)
  • Combinations (eg, token and password)

6
Passwords
  • Most common identification technique
  • Variants: PIN (number), memorable date, etc
  • Problem: our brains are not well-suited to
    remembering passwords
  • Especially rarely used passwords
  • We also confuse passwords used in similar
    contexts

7
Passwords and E-commerce
  • A password must be frequently used to be
    remembered
  • not an e-commerce site visited once/yr
  • Different passwords should have different
    contexts of use
  • not amazon.co.uk, blackwells.co.uk, ...

8
Vulnerabilities
  • Users reveal passwords to outsiders
  • Users reuse passwords
  • Users choose easy to guess passwords
  • Password observed on entry
  • Password obtained from system files

9
Revealing Passwords
  • How to get password 1
  • Phone sysadmin and pretend to be CEO's new
    secretary
  • Phone user and pretend to be sysadmin
  • There are professional blaggers who make their
    living doing this!
  • Also called social engineering

10
Password Reuse
  • How to get a password 2
  • Impossible to remember a distinct password for
    each e-commerce site
  • cognitively impossible, not just laziness
  • So people tend to use the same password at many
    sites
  • So, set up an e-commerce site with passwords, and
    use these passwords on other sites

11
Easy to Guess Passwords
  • How to get a password 3
  • Try dictionaries and other lists of common words
  • done by programs such as crack
  • if lazy, try 20 most common female names
  • or get help from disgruntled ex-wife
  • Harder if system limits num of attempts
  • but this allows denial of service attacks
  • also can try lots of accounts

12
Passwords observed
  • How to get a password 4
  • Watch over shoulder as user types
  • Programs which fake login screens
  • Why Windows uses CTRL-ALT-DEL login
  • grab password packets from network
  • Hide a bug in the user's keyboard
  • Become a postie, open mail from banks

13
Passwords stored
  • How to get password 5
  • Passwords must be stored somewhere
  • usually encrypted
  • get file and run crack on it
  • Audit/log files
  • eg, of login attempts, since user may type
    password as login name

14
Bypass Passwords
  • How to get access 6
  • Send user an email, or get him to look at a Web
    page (or advert), which takes over his computer
  • Many known vulnerabilities, based on bugs
  • Users are vulnerable unless they patch the bugs
    or use high security settings

15
Passwords in E-Commerce
  • E-commerce is very bad environment for passwords
  • Low usage rate (few times year)
  • Passwords not remembered
  • Procedures not remembered
  • Lots of similar sites (eg, e-bookshops)

16
Single Password?
  • Much better if a single password could be used to
    access many sites
  • Maintained by a central repository
  • Microsoft Windows Live ID
  • But people don't trust MS?
  • Bug could cause immense damage
  • Credit card passwords?
  • Authenticated by issuer wherever used
  • Makes sense, if org could be trusted

17
Passwords in E-Commerce
  • There is no good solution for pure passwords,
    especially for e-commerce
  • expect these not to be secure!
  • make appropriate business and legal plans

18
Recommendations: users
  • Use distinct passwords for important accounts
  • Use default for others, and expect to be insecure
  • (Anderson) passwords based on abbreviated phrases
  • "I love books and CDs" -> IlvbksCDs
  • Make sure no one watches you type a password
  • enable security features, such as Ctrl-Alt-Del
    login
  • These are personal recommendations!

19
Password constraints
  • Windows sysadmin can require
  • Minimum length
  • Complexity (eg, not just letters)
  • Password must change after N days
  • Password cannot change for N days
  • New password must be different from previous N
    passwords
  • UNIX, other OSs similar

20
Password Constraints
  • Do constraints help?
  • Probably if done in moderation
  • Not if sysadmin gets carried away and imposes
    strict constraints which are too difficult
  • Eg, change password every 2 weeks (as once
    happened to me!)

21
Recommendations: sysadmin
  • Treat log files as sensitive, protected
  • Also files of encrypted passwords
  • Be realistic about what users will do
  • Don't expect them to change their password every
    two weeks!
  • Watch out for unusual behaviour
  • Detect break-ins
  • Be careful with privileged accounts
  • Don't leave a terminal logged into root
    unattended
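
Added example (not part of the original slides): a log review that ties "watch out for unusual behaviour" to two earlier points, that guessing can be spread over lots of accounts so a per-account attempt limit never trips, and that login names in logs may be mistyped passwords. The log format, addresses, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (format and addresses are made up for this example).
SAMPLE_LOG = """\
09:00:01 FAIL user=alice src=203.0.113.7
09:00:02 FAIL user=bob src=203.0.113.7
09:00:03 FAIL user=carol src=203.0.113.7
09:00:04 FAIL user=dave src=203.0.113.7
09:01:10 FAIL user=erin src=198.51.100.20
09:01:15 FAIL user=erin src=198.51.100.20
09:01:21 FAIL user=erin src=198.51.100.20
09:01:30 FAIL user=Tr0ub4dor&3 src=198.51.100.44
09:01:40 OK user=frank src=198.51.100.44
"""
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin", "frank"}

def parse(line):
    """Split one log line into (time, result, user, source)."""
    time, result, user, src = line.split()
    return time, result, user.split("=", 1)[1], src.split("=", 1)[1]

def analyse(log, lockout_limit=3, spread_limit=4):
    """Return (accounts a per-account limit catches, sources failing on many accounts)."""
    per_account = defaultdict(int)
    per_source = defaultdict(set)
    for line in log.splitlines():
        _, result, user, src = parse(line)
        if result != "FAIL":
            continue
        # A login name that is not a real account may be a password typed into
        # the wrong field, so it is never echoed into the report.
        name = user if user in KNOWN_ACCOUNTS else "<redacted>"
        per_account[name] += 1
        per_source[src].add(name)
    locked = sorted(a for a, n in per_account.items()
                    if n >= lockout_limit and a != "<redacted>")
    spread = sorted(s for s, accts in per_source.items() if len(accts) >= spread_limit)
    return locked, spread

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```
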

22
Computer-to-person Ident
  • Computer programs and websites need to be able to
    identify themselves to a person
  • So users know they can enter confidential
    information into the program/website

23
Phishing
  • Attacker pretends to be someone else, gets user
    to enter password or other secret information
  • Bank websites are prime target
  • Typically user gets email purporting to be from
    bank, asking him to enter details into attacker's
    website

24
Example
  • Dear Customer, Lloyds TSB has been receiving
    complaints from our customers for unauthorised
    use of the Lloyds TSB Online accounts. As a
    result we are making an extra security check on
    all of our Customers account in order to protect
    their information from theft and fraud.
  • Due to this, you are requested to follow the
    provided steps and confirm your Online Banking
    details for the safety of your Accounts. Please
    Click Here To Start /online.lloydstsb.co.uk/customer.ibc.htm .
  • However, Failure to do so may result in temporary
    account suspension. Please understand that this
    is a security measure intended to help protect
    you and your account. We apologize for any
    inconvenience.
  • Thanks for your co-operation. Fraud Prevention
    Unit Legal Advisor Lloyds TSB.

25
Phish website (1st screen)

26
Real website (1st screen)

27
Phish website (2nd screen)

28
Real website (2nd screen)

Phishing
  • Difficult to defend against because
  • Users aren't trained
  • Phish emails can look very genuine
  • Get data about user, eg from Facebook?
  • Even small success rate can do a lot of damage

30
Defenses
  • Warn/train customers: promise never to email
  • Difficult to achieve 100% success
  • Phish detectors for email, web browser
  • Again not 100% reliable
  • Ask for part of a password
  • So phisher doesn't get all of it
  • Confirmation
  • Send email or text message with confirmation code
    to registered address, which user must enter
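
Added example (not part of the original slides): one way to handle the confirmation code from the last bullet on the server side, with the code stored only as a hash, valid once, for a limited time and a limited number of tries. The class name, the 6-digit length, the lifetime and the attempt limit are assumptions; delivery by email or text message is not shown.

```python
import hashlib
import hmac
import secrets
import time

class ConfirmationCodes:
    """One-time codes sent out-of-band (hypothetical helper for this example)."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._pending = {}  # user -> [sha256(code), expiry time, attempts left]

    def issue(self, user):
        """Create a fresh 6-digit code; the caller sends it to the registered address."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = [digest, self._clock() + self._ttl, self._max_attempts]
        return code

    def verify(self, user, submitted):
        """Accept a code once, before expiry, within the attempt limit."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires, attempts_left = entry
        if self._clock() > expires or attempts_left <= 0:
            del self._pending[user]
            return False
        entry[2] = attempts_left - 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(digest, candidate):  # constant-time comparison
            del self._pending[user]  # single use
            return True
        return False
```
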

31
Computer-to-Person ID
  • Very difficult to reliably identify a computer to
    a person!
  • Especially if user is man in the street
  • Anderson suggests: assume phishing will happen,
    try to minimise damage
  • Eg, only allow money transfers to specific
    nominated accounts, with limits

32
Biometric identification
  • Passwords are pretty useless at identifying
    people
  • Can we identify them by their properties?
  • Face, handwriting, retina, DNA, voice, signature,
    fingerprint
  • How humans identify other humans

33
Issues: types of errors
  • False accept (fraud): mistakenly accept intruder
    as legitimate
  • False reject (insult): mistakenly reject
    legitimate person as intruder
  • Usually can trade off by tuning matching
    algorithms
  • Near-exact match needed: low fraud
  • Rough match OK: low insult

34
Example
  • Rough match: black hair, brown eyes
  • Low insult (will almost always match person)
  • High fraud (matches many other people)
  • Detailed match: black hair, brown eyes, brown
    specs, no beard, shape of mouth
  • Higher insult rate (what if specs off, grows
    beard, yawning)
  • Lower fraud (matches fewer other people)

35
Error types
  • Balance depends on application
  • Access to sensitive data, equipment
  • Want low fraud rate, so demand good match
  • Person can try again if fails first time
  • Retail (eg, signatures for credit cards)
  • Want low insult rate, so accept rough match
  • Customers may never return if they're incorrectly
    rejected

36
Other issues
  • Cost
  • Voice recognition is cheap
  • Eye (iris) scanning is expensive
  • User comfort
  • Face recognition is nice (look into camera)
  • DNA matching is not (blood/skin sample)
  • Theoretical accuracy
  • Iris is unique (determined while an embryo)
  • DNA is shared by identical twins
  • Voice can be imitated

37
Other Issues
  • Excluded population
  • Voice doesn't work on mute people
  • Fingerprints don't work on amputees
  • DNA works on everyone!
  • Variability
  • Dirty fingers for fingerprints
  • Sick (cold) for voice

38
Purpose?
  • Purpose of biometric identification
  • Authorisation (eg, access or change data)
  • Identification from group (eg, which of a group
    of suspects committed the crime)
  • Scare tactics (eg, the all-powerful computer
    never makes a mistake, so don't even try)

39
Handwriting
  • Recognise handwriting or signature
  • contracts, cheques,
  • widely used
  • Human error is at least 5% (high)
  • Over 30% if checker is not trained
  • Computer signature tablet is better
  • records velocity, pen-off-paper
  • 1% error rate (OK for some apps)

40
Face recognition
  • Recognise someone's appearance
  • security guards, photo IDs
  • Humans
  • pretty good with people they know
  • poor with other people (eg, photo ID cards)
  • Computers
  • poor technically (30% error rate)
  • but useful deterrent (scare tactics)

41
Fingerprints
  • Identify person by patterns on finger
  • Forensics (who does print belong to)
  • pair error rate of 1 in 10,000,000,000
  • sounds good, but means false match 1% of time if
    comparing to 100M people database
  • Identification (I am who I say I am)
  • error rate of 1% (allows for dirt, pressure)
  • Better if multiple fingers scanned
  • but can be fooled by molds, etc
  • strange fingers: scars, amputees, ...
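
Added example (not part of the original slides): the fraud/insult trade-off from the "types of errors" slides and the database effect from this slide, worked numerically. The match-score distributions are constructed, and the search calculation assumes independent comparisons; only the 1 in 10,000,000,000 pair error rate and the 100M database size come from the slide.

```python
import math
import random

def make_scores(n=20000, seed=1):
    """Constructed match scores: genuine users score high, impostors low."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.80, 0.08) for _ in range(n)]
    impostor = [rng.gauss(0.40, 0.10) for _ in range(n)]
    return genuine, impostor

def error_rates(genuine, impostor, threshold):
    """Return (false accept "fraud" rate, false reject "insult" rate) at a threshold."""
    fraud = sum(s >= threshold for s in impostor) / len(impostor)
    insult = sum(s < threshold for s in genuine) / len(genuine)
    return fraud, insult

def false_match_in_search(pair_error, db_size):
    """Chance of at least one false match when one sample is compared to db_size records."""
    # 1 - (1 - p)^N, computed stably for very small p.
    return -math.expm1(db_size * math.log1p(-pair_error))

if __name__ == "__main__":
    genuine, impostor = make_scores()
    # Raising the threshold demands a closer match: fraud falls, insult rises.
    for t in (0.50, 0.60, 0.70):
        fraud, insult = error_rates(genuine, impostor, t)
        print(f"threshold {t:.2f}: fraud {fraud:.4f}  insult {insult:.4f}")
    # Slide figures: pair error 1 in 10,000,000,000 against a 100M-person database.
    print(f"search of 100M records: {false_match_in_search(1e-10, 100_000_000):.4f}")
    # The same matcher checking one claimed identity makes a single comparison.
    print(f"single comparison:      {false_match_in_search(1e-10, 1):.1e}")
```
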

42
Iris (retina)
  • Based on patterns in human eye
  • Error rate less than 1 in a million
  • Needs good image of eye
  • unacceptable in retail use??
  • Attacker can distort eye with eyedrops
  • Wave of future??
  • Once cheaper, more accepted

43
Voice Recognition
  • Identify characteristics of a voice
  • Very cheap (just a microphone)
  • Poor accuracy
  • Voices vary a lot anyways (excited, sick)
  • What are the invariants?
  • Fool with recording

44
Other techniques
  • DNA matching
  • Hand geometry
  • Ear structure
  • etc, etc

45
Biometrics
  • Less good than many people think
  • Problems with unusual people (illiterates can't
    write, amputees have no fingers)
  • Collusion: if A deliberately writes poorly, she
    can make impersonation easier
  • Better for authenticating a person than for
    identifying against a big dbase
  • Excellent scare value!

46
Tokens
  • Identify yourself via a physical token that you
    possess
  • Often magnetic card or smart card
  • Can be a cryptographic calculator
  • Not great by itself (can be stolen)
  • Useful when combined with other tech

47
Combine techniques
  • Use multiple identification techniques
  • Possibly including human identification
  • Require multiple people ID'd to authorise
  • Dual signatures
  • Good practical way of reducing attacks

48
ATM
  • Token (card) and password needed
  • Stealing token (pickpocketing) does no good
    without password
  • Stealing password (watching user type) does no
    good without token
  • Combining two weak techniques gives a much
    stronger one

49
More than one Person
  • Two people must identify themselves to authorise
    an action
  • Launching nuclear missiles: two keys (tokens)
    needed
  • Bank letter of guarantee: two signatures

50
Human plus Computer
  • Commercial data centers
  • Password and/or smart card
  • Human guard who knows staff by face
  • Biometrics with attendant
  • Attendant can stop finger molds, etc
  • False alarms keep attendant awake

51
Key Points
  • Identifying people to computers is one of the
    most important security tasks
  • Passwords have many problems, especially in an
    e-commerce setting
  • Biometrics: nice idea, not widely used
  • Combining several techniques can help a lot, when
    this is possible