State Based Password Authentication - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
State Based Password Authentication
  • Saeed A. Rajput
  • 2005 FRC Technology Transfer Conference, Orlando, Florida
2
Introduction
  • Why is user ID / password based authentication so common?

3
Password on-line attack
  • Brute-Force Attack
  • If alphabet size = 95
  • and PW length n = 6
  • then PW space P = 95^6 ≈ 700 × 10^9
  • At 50 million passwords / second, can break it in 2 hours (avg.)

4
Password on-line attack
  • Non-brute-force attacks are designed to reduce attempts
  • Dictionary attack: password candidates < 100,000
  • Syllable attack
  • Rule-based attack
  • Example: say we know that the password has 1 or 2 digits; then a rule can
    generate passwords such as user1, mind67, snapshot99, etc.

5
Attack Model
  • Login sequence: single attempt
  • Attack: set of all attempts for a given user
  • Examples: Brute-Force Attack, Dictionary Attack
  • Attack Complexity: size of the attack sequence set
  • Attack infeasibility = function (Complexity, Policy)

6
Making Authentication Secure
  • Attack infeasibility = function (Complexity, Policy)
  • Two options:
  • Increase Complexity
  • Enforce strong passwords
  • Apply a more complicated rule
  • Example: 45Satlk7m234
  • Stronger Policy (next slide)

7
Conventional Defense Policies
  • Attack infeasibility = function (Complexity, Policy)
  • Limit the number of attempts
  • Require visual confirmation
  • Lock user account for limited time
  • Enforce IP/time/location/context restrictions
  • Require more personal information

8
Problems with Conventional Policies
  • Need more information about the user (SSN)
  • Cause inconvenience to the user (longer PW)
  • Depend on lockouts (out of control)
  • Need to provide a help desk
  • Phone call to the help desk: 25 per call

9
State increase function f(i): Linear
  • We have seen this example already.
  • f(i) = k · i, for i ≤ max / k
  • f(i) = max, for i > max / k

10
State increase function f(i)
  • Non-linear function example

11
Why a non-linear function?
  • Better usability/security trade-off
  • (a) Increases attack infeasibility
  • Many failed attempts → high state
  • New infeasibility: v_new = v_old × max × k
  • (b) Tolerates error
  • For the first few failed attempts, small state transitions → convenience

12
f(i) = L · e^(a · i), a ≥ 1
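As an added illustration (not the presenters' code), the following Python puts slides 5 through 12 and slide 20 together: the capped linear f(i) and the exponential f(i), a per-user authenticator that enforces a wait of f(i) seconds after the i-th failure and auto-recovers after lapsed time, and the attack-time figure behind "attack infeasibility = function (Complexity, Policy)". The function names, the 3600-second ceiling for the exponential case and all sample parameter values are assumptions.

```python
import math
import time

# Added illustration of the slides' state-based policy, not the presenters' code.
# f_linear, f_exp, attack_time, StateAuth and every parameter value are assumptions.

def f_linear(i, k=1.0, cap=3600.0):
    """Slide 9: f(i) = k*i while i <= max/k, otherwise max (here `cap`)."""
    return k * i if i <= cap / k else cap

def f_exp(i, L=1.0, a=1.0, cap=3600.0):
    """Slide 12 example: f(i) = L*e^(a*i); the ceiling `cap` is an added assumption."""
    return min(L * math.exp(a * i), cap)

def attack_time(f, attempts):
    """Seconds an attack of `attempts` guesses must spend waiting under policy f:
    f(i) seconds are imposed after the i-th failure, so sum over failures 1..attempts-1."""
    return sum(f(i) for i in range(1, attempts))

class StateAuth:
    """Per-user state i = consecutive failures; attempt i+1 is only accepted f(i)
    seconds after the i-th failure.  Auto-recovery (slide 20): after `recovery`
    seconds without attempts the state returns to 0."""
    def __init__(self, f, verify, recovery=86400.0, clock=time.monotonic):
        self.f, self.verify, self.recovery, self.clock = f, verify, recovery, clock
        self.state = {}  # user -> (i, time of the i-th failure)

    def _state(self, user, now):
        i, last = self.state.get(user, (0, now))
        if now - last >= self.recovery:   # lapsed time: auto-recovery
            return 0, now
        return i, last

    def attempt(self, user, password):
        """Returns (accepted, seconds_to_wait). Refused attempts never reach verify()."""
        now = self.clock()
        i, last = self._state(user, now)
        remaining = last + self.f(i) - now if i else 0.0
        if remaining > 0:
            return False, remaining        # inside the wait window: refuse, state unchanged
        if self.verify(user, password):
            self.state.pop(user, None)     # success resets the state
            return True, 0.0
        self.state[user] = (i + 1, now)    # failure: small step early, large step later
        return False, self.f(i + 1)

if __name__ == "__main__":
    years = attack_time(lambda i: f_linear(i, k=1.0, cap=3600.0), 100_000) / 31_557_600
    print(f"100,000-candidate dictionary attack needs about {years:.1f} years of waiting")
```

For the slides' dictionary attack of 100,000 candidates, attack_time under the capped linear policy (k = 1, max = 3600 s) comes to 353,518,200 seconds, over 11 years of enforced waiting, which is the attack infeasibility the policy buys without requiring a stronger password.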
13
Advantages
  • Increase attack infeasibility: v_new = v_old × max × k
  • Flexible policies using a single, simple approach
  • Strong passwords not needed
  • Additional personal information not required
  • User can self-recover account
  • Reduces password-resetting help-desk phone calls

14
Commercial Impact
  • Easy to implement into the authentication system: simple algorithm
  • Flexible security policies
  • Same authentication mechanism can be used for strict as well as liberal
    access, with no need to find new tricks to enhance security.
  • Reduces expensive upgrades when security policies change or new critical
    systems are added to an enterprise.
  • Easy for the user: only the PW is needed
  • Reduces help desk cost

15
The Team
  • Presenter: Saeed Rajput, Ph.D., CISSP
  • 8 years of experience in information security and security systems
    architecture.
  • Past work experience: Cerebit, Inc. (VP), eTrango (Director), Racal Datacom
    (Security Architect), Skylight Software (Director), TimeWarner (Consultant)
  • Selected patent: US6401206 "Method and Apparatus for Binding Electronic
    Impressions Made by Digital Identities To Documents," issued June 4, 2002.
  • Education: Ph.D. USC, Electrical Engineering (Digital Communications)

16
The Team
  • Jihong Chen
  • 3 years of multidisciplinary experience including system management and
    software development
  • Graduate student at FAU
  • Publication: State Based Authentication, the 43rd ACMSE conference, 2005
  • Education: M.Sc., FAU, Computer Science.

17
The Team
  • Sam Hsu
  • Associate Professor, Department of Computer Science and Engineering,
    Florida Atlantic University.
  • Research interests: Web Technologies, Computer Networking, Web-based
    Distance Learning.
  • Also interested in projects that have practical and educational
    applications
  • Publications: has published over 40 refereed papers in the related fields
    in the past few years.
  • Education: Ph.D. FAU, Computer Engineering, 1993

18
Target Industries
  • Any application that requires password-based user authentication.
  • Examples of applications:
  • Web logins
  • Computer logins
  • Network login
  • Protecting access to physical resources (key pads)
  • ATM machine login
  • How to incorporate the technology: modification to the authentication
    source code.

19
Technology Status
  • Developed and working
  • Patent pending
  • Weaknesses:
  • Long wait by the user
  • What if the user forgets the password?

20
Addressing the two weaknesses
  • Addressing the "long wait by the user" weakness:
  • Automatic aid to recovery (software, hardware)
  • Auto-recovery after lapsed time
  • Addressing the "user forgets password" weakness:
  • Provide a password hint so users do not forget their password.

21
State Based Password Authentication
  • For further information
  • Today: Saeed Rajput, Jeanie L. McGuire or Steve Nappi at the FAU booth, or
  • After the conference: Steve Nappi, 561-297-1165 or snappi@fau.edu,
    Office of Technology Transfer