Lecture 8: Authentication of People - PowerPoint PPT Presentation

Slides: 11
Provided by: Charlie138

1
Lecture 8: Authentication of People
  • what you know (password schemes)
  • what you have (keys, smart cards, etc.)
  • what you are (voice recognition, fingerprints,
    retinal scans, etc.)

2
Careless Use of Passwords
  • rarely changing the password (a stolen password stays
    valid longer, and an attacker has more time to guess it)
  • writing down the password (where the bad guys can
    see it)
  • emailing the password, putting it on the web, or using
    it in scripts (email is archived and otherwise easily
    accessible)
  • using the same password in multiple places (one
    break-in cascades into the others)
  • rotating through the same few passwords when forced
    to change (defeats the purpose of the change)

3
Preventing Guessable Passwords
  • the measures should not be so extreme that users
    start writing their passwords down
  • reactive: run a password guesser on the password file
      • may be too late (an attacker may have guessed the
        weak password first)
  • proactive
      • force users to change passwords frequently
          • users may alternate between passwords or pick
            derivatives of the old one
      • have the system select a random password for the
        user
          • hard to remember
          • variant: pronounceable random strings (1 vowel
            for 3 consonants); a 10-character pronounceable
            string is about as good as 8 random characters
      • let users select their own, but prevent them from
        picking bad ones
          • good passwords: intentional misspelling, odd
            capitalization, first letters of a phrase,
            mixing in non-alphabetic characters
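The proactive measures on this slide, as an added example (not code from the lecture): a password-change check that rejects short passwords, dictionary words with digits or punctuation tacked on, and trivial derivatives of the user's previous passwords, next to a generator for the system-chosen pronounceable alternative. The wordlist, the policy numbers (8 characters, 3 character classes, 5 remembered passwords) and the consonant/vowel alternation are this example's own assumptions, not the slide's.

```python
import math
import secrets
import string

# Constructed mini-wordlist for the demo; a real checker loads a large dictionary.
DICTIONARY = {"password", "secret", "letmein", "welcome", "dragon", "monkey"}
MIN_LENGTH = 8          # policy choices for this example, not the slide's numbers
MIN_CLASSES = 3
HISTORY_DEPTH = 5       # how many previous passwords are remembered
_AFFIX = string.digits + string.punctuation


def _core(pw: str) -> str:
    """Lower-case and strip digits/punctuation from both ends, so that
    'Secret123!' reduces to 'secret' for the dictionary and reuse checks."""
    return pw.lower().strip(_AFFIX)


def is_derivative(new: str, old: str) -> bool:
    """True if `new` is a trivial variant of `old`: case change, digits or
    punctuation tacked on the ends, or the old password reversed."""
    a, b = new.lower(), old.lower()
    if a == b or a == b[::-1]:
        return True
    return bool(_core(a)) and _core(a) == _core(b)


def check_password(candidate: str, history: list) -> list:
    """Proactive check run when a user picks a password. Returns the list of
    reasons for rejection; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _core(candidate) in DICTIONARY:
        problems.append("dictionary word, possibly with digits/punctuation added")
    classes = (any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(c in string.punctuation for c in candidate))
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if any(is_derivative(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("reuses or trivially alters a previous password")
    return problems


# System-chosen alternative: pronounceable random strings. This generator simply
# alternates consonants and vowels; the slide's exact vowel/consonant ratio is
# not reproduced.
CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiouy"


def pronounceable(length: int = 10) -> str:
    """Each position is drawn with secrets.choice, so the string is
    unpredictable even though it is easy to say and remember."""
    return "".join(secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(length))


def pronounceable_entropy_bits(length: int = 10) -> float:
    """log2 of the number of strings pronounceable(length) can emit."""
    n_cons, n_vow = (length + 1) // 2, length // 2
    return n_cons * math.log2(len(CONSONANTS)) + n_vow * math.log2(len(VOWELS))


if __name__ == "__main__":
    print(check_password("Password123!", []))
    print(check_password("Winter2024!", ["winter2024"]))
    print(check_password("Tr0ub4dor&3", []))
    print(pronounceable(10), round(pronounceable_entropy_bits(10), 1), "bits")
```

The character-class rule is for user-chosen passwords; a system-generated pronounceable string is all lower-case letters and is the other path, so it is not fed through check_password. For 10 characters this generator yields about 34.5 bits, roughly 3.5 bits per character, which is in line with the next slide's figure of about 4 bits per keystroke for pronounceable strings against about 6 for fully random ones.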

4
More on Password Strength
  • what should the length of the password be?
      • depends on the circumstances: 4 digits for an ATM
        card (10,000 choices) is acceptable because only 3
        attempts are allowed, in a controlled environment
        (camera)
      • generic rule: it should be as strong as a secret
        key, i.e. 64 random bits
  • if lower/upper case and punctuation marks are used,
    about 47 possibilities per keystroke (more if Alt/Ctrl
    and function keys are counted), i.e. roughly 6 bits per
    keystroke, so 64 bits needs 11 random characters
      • humans will not remember that
  • pronounceable, case-sensitive string of letters: about
    4 bits of randomness per keystroke, so 16 characters
  • user-chosen: about 2 bits of randomness per keystroke,
    so 32 characters
  • cryptographically, passwords are one of the weakest
    points in system security

5
On-line Password Guessing
  • poor choices make easy guessing targets
      • first names, initials, social security numbers
      • initial passwords related to account/user
        information
  • defenses
      • lock the account after a number of consecutive
        failed passwords (used for ATM card PINs: only 3
        attempts)
          • not universal: can be used for a DoS attack
            (deliberately lock someone else's account)
      • slow down password processing
      • auditing: alert the user about unsuccessful login
        attempts
          • does not work for stale accounts
      • disallow short or guessable passwords
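The three on-line defenses above (lockout after consecutive failures, slowing down each further attempt, and auditing failed attempts so the owner can be told at the next successful login) in one server-side login gate, as an added example that is not code from the lecture. The class and method names, the policy numbers (3 failures, 15-minute lock, delay doubling from 1 second) and the use of PBKDF2 for the stored verifier are this example's assumptions; the lock_account=False mode shows the throttle-only alternative that avoids the DoS problem the slide points out.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor for the stored verifier (assumed)


class LoginGate:
    """Server-side login with the slide's on-line guessing defenses: lock the
    account after N consecutive failures, slow down each further attempt, and
    audit failures so the owner can be told about them at the next successful
    login. Names, policy numbers and the audit record layout are this
    example's own."""

    def __init__(self, max_failures=3, lock_seconds=900, base_delay=1.0,
                 lock_account=True):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.base_delay = base_delay
        self.lock_account = lock_account   # False = throttle only, never lock
        self.accounts = {}
        self.audit = []                    # one record per attempt

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.accounts[name] = {
            "salt": salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
            "failures": 0,              # consecutive failures: drives lock and delay
            "failed_since_success": 0,  # reported to the user on the next success
            "locked_until": 0.0,
        }

    def _log(self, now, name, source, result):
        self.audit.append({"t": now, "user": name, "src": source, "result": result})

    def attempt(self, name, password, now, source):
        """Returns (status, delay_seconds, failures_to_report). The caller sleeps
        for delay_seconds before answering (the 'slow down' defense); the demo
        returns the delay instead of sleeping so it can be checked."""
        acct = self.accounts.get(name)
        if acct is None:
            # unknown user: answer exactly like a first wrong password, with the
            # same delay, so the reply does not reveal which usernames exist
            self._log(now, name, source, "no_such_user")
            return "bad_password", self.base_delay, 0
        if self.lock_account and now < acct["locked_until"]:
            self._log(now, name, source, "locked")
            return "locked", 0.0, 0
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], ITERATIONS)
        if hmac.compare_digest(candidate, acct["verifier"]):
            missed = acct["failed_since_success"]   # 'alert user about unsuccessful attempts'
            acct["failures"] = acct["failed_since_success"] = 0
            self._log(now, name, source, "ok")
            return "ok", 0.0, missed
        acct["failures"] += 1
        acct["failed_since_success"] += 1
        delay = self.base_delay * 2 ** (acct["failures"] - 1)   # 1, 2, 4, 8, ... seconds
        self._log(now, name, source, "bad_password")
        if self.lock_account and acct["failures"] >= self.max_failures:
            acct["locked_until"] = now + self.lock_seconds
            acct["failures"] = 0    # fresh count once the lock expires
        return "bad_password", delay, 0
```

With lock_account=True, three wrong guesses from anyone lock the account, so the owner's correct password is refused until the lock expires: that is the DoS the slide warns about, and the audit records (which carry the source) are what lets an operator tell an attack from a forgetful user. With lock_account=False the account is never locked; each failure only doubles the delay, and the owner still learns on the next login how many failures preceded it.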

6
Off-line Password Guessing
  • stealing password files
      • countermeasure: store only hashes of the passwords
      • problem: nobody besides the user then knows the
        password; what if she forgets it? (it can only be
        reset, not recovered)
  • attacks
      • exhaustive search
      • dictionary
  • defenses
      • don't allow short/guessable passwords
      • don't make password files readable
      • salting: mix a random number into each hash, so
        equal passwords hash differently and a precomputed
        dictionary cannot be reused across users
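Why salting works, as an added example rather than code from the lecture: a dictionary attack run against the same (constructed) password file stored once as plain hashes and once as salted hashes. Against plain hashes the attacker hashes the wordlist once and reuses that table against every user (and every stolen file); with a per-user random salt the wordlist has to be rehashed for each user, and shared passwords no longer show up as identical hashes. User names, passwords, the wordlist and SHA-256 as the hash are this example's assumptions.

```python
import hashlib
import hmac
import os

# Constructed password file for the demo; names and passwords are invented.
USERS = {"alice": "sunshine", "bob": "dragon", "carol": "sunshine", "dave": "x7!Qm#2pLz"}
# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST = ["123456", "password", "dragon", "sunshine", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_unsalted_file(users):
    """What the slide's first countermeasure stores: the hash only."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def build_salted_file(users):
    """With salting: a fresh random salt per user, stored next to the hash
    (the salt is not secret; its job is to make every hash unique)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def crack_unsalted(shadow, wordlist):
    """Returns (cracked, hash_evaluations). The table is computed once and
    reused against every user, and against every password file ever stolen."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in shadow.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(shadow, wordlist):
    """Returns (cracked, hash_evaluations). The salt forces the attacker to
    rehash the wordlist separately for each user; no precomputation helps."""
    cracked, work = {}, 0
    for u, (salt, h) in shadow.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(w, salt), h):
                cracked[u] = w
                break
    return cracked, work


def same_password_visible(shadow) -> bool:
    """Unsalted files also leak which users share a password."""
    hashes = [v if isinstance(v, str) else v[1] for v in shadow.values()]
    return len(hashes) != len(set(hashes))


if __name__ == "__main__":
    plain, salted = build_unsalted_file(USERS), build_salted_file(USERS)
    print("unsalted:", crack_unsalted(plain, WORDLIST), same_password_visible(plain))
    print("salted:  ", crack_salted(salted, WORDLIST), same_password_visible(salted))
```

Salting does not rescue a password that is in the wordlist: the same three users fall in both runs. It multiplies the attacker's work by the number of users and removes the precomputation shortcut. The slide does not cover it, but current practice adds a deliberately slow, salted key derivation (PBKDF2, bcrypt, scrypt or Argon2) so that each of those evaluations costs the attacker far more than one SHA-256.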

7
Eavesdropping
  • attacks
      • watching the screen
      • watching the keyboard
      • login Trojan horses
      • keyboard sniffers
      • network sniffers
  • defenses
      • protect password entry
      • good network administration
      • cryptographic protection
      • one-time passwords
          • a list of passwords, each used only once
          • the system challenges with a random number and
            the user replies with the corresponding
            password (a keyed function of the challenge)
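Both one-time password forms from this slide, as an added example (not code from the lecture): a list of one-time passwords built as a hash chain, where the server stores only the last link and each login reveals the link before it, and a challenge-response exchange where the server sends a random number and the client replies with an HMAC of it under a shared secret. In both cases a sniffed value is useless for a later login. The hash (SHA-256), the chain length, the use of HMAC-SHA256 for the response and all names are this example's assumptions.

```python
import hashlib
import hmac
import os


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


# --- 1. A list of one-time passwords as a hash chain (Lamport / S/KEY style) ---

def make_otp_list(seed: bytes, n: int):
    """Returns (server_value, user_list). The chain is x0 = seed, x_i = H(x_{i-1}).
    The server keeps only x_n; the user's list is x_{n-1}, x_{n-2}, ..., x0,
    used in that order, so a sniffed value never reveals the next one."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[-1], chain[-2::-1]


class ChainVerifier:
    def __init__(self, server_value: bytes):
        self.last = server_value

    def verify(self, otp: bytes) -> bool:
        if hmac.compare_digest(H(otp), self.last):
            self.last = otp       # H(otp) no longer matches: replaying otp fails
            return True
        return False


# --- 2. Challenge-response: the system sends a random number, the user replies
#        with a keyed function of it (here HMAC-SHA256 under a shared secret) ---

def respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Client (token or software) side."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.outstanding = None

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(16)     # fresh, unpredictable per login
        return self.outstanding

    def check(self, response: bytes) -> bool:
        if self.outstanding is None:
            return False
        expected = respond(self.secret, self.outstanding)
        self.outstanding = None               # each challenge is answered at most once
        return hmac.compare_digest(expected, response)


def demo():
    """An eavesdropper who records one login cannot reuse what was seen.
    Returns (chain login ok, chain replay ok, C/R login ok, C/R replay ok)."""
    server_value, otps = make_otp_list(b"user-seed", 5)
    v = ChainVerifier(server_value)
    first_ok = v.verify(otps[0])
    replay_ok = v.verify(otps[0])
    srv = ChallengeResponseServer(b"shared secret")
    sniffed = respond(b"shared secret", srv.challenge())
    cr_ok = srv.check(sniffed)
    srv.challenge()                           # the next login gets a new challenge
    cr_replay_ok = srv.check(sniffed)
    return first_ok, replay_ok, cr_ok, cr_replay_ok


if __name__ == "__main__":
    print(demo())
```

The chain needs no shared secret on the server (only the public last link), which is why it suits a printed list; the challenge-response form needs the secret on both sides but has no list to run out of. Neither protects against a login Trojan horse on the user's own machine, which sees the one-time value before it is sent and can simply use it itself.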

8
Initial Password Distribution
  • bootstrap problem: how to give the user a first
    password
      • initial off-line authentication (e.g. in person)
      • let the user choose the password
      • initial password selected by the system
        administrator
      • pre-expired passwords: have to be changed at the
        first login

9
Authentication Tokens
  • a physical device a person must present for
    authentication
      • key (physical)
      • ATM and credit cards (the magnetic strip stores the
        information; insecure, since the strip can be read
        and copied)
      • smart cards: on-card processor for cryptographic
        authentication
          • PIN-protected cards: memory protected by a PIN
            (the card locks up after a sequence of
            incorrect guesses)
          • challenge-response cards: perform
            challenge-response authentication through the
            card reader
          • problem: needs a card reader at every access
            point
          • newer technology: tokens working through USB
            ports
      • cryptographic calculator
          • the current time is encrypted with the token's
            key, displayed to the user, and typed into the
            terminal
          • advantage: access through standard terminals,
            no reader needed
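The cryptographic calculator above, as an added example (not code from the lecture): the token computes a short code from the current time under a key shared with the server, the user types it at any terminal, and the server recomputes it. The server accepts the neighbouring time steps too, because the token's clock drifts, and refuses to accept a time step twice, because the code is typed in the clear and could be sniffed within its 30-second lifetime. The keyed function here is the HOTP construction (RFC 4226, HMAC-SHA1 with dynamic truncation) driven by a 30-second time step; the slide only says "encrypted", so the construction, the step size, the window of one step and all names are this example's assumptions.

```python
import hashlib
import hmac
import time

STEP = 30   # seconds per code; the granularity of "current time" the token uses


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226 truncation). Here the counter is
    the time step; the slide's token could use any keyed function of the time."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def calculator_code(secret: bytes, now: float) -> str:
    """What the token displays and the user types at a standard terminal."""
    return hotp(secret, int(now // STEP))


class TokenVerifier:
    """Server side: accept codes from the current step plus `window` steps either
    side (token clocks drift), and never accept a step twice (replay)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue          # already used, or older than a used one
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"token-seed-in-both-places"     # provisioned into token and server
    now = time.time()
    code = calculator_code(secret, now)
    v = TokenVerifier(secret)
    print(code, v.verify(code, now), v.verify(code, now))
```

The window trades drift tolerance against exposure: with window=1 a sniffed code is usable for at most about 60 seconds, and only until the legitimate user's own login consumes that step. A server that gets many codes with a consistent one-step lag should treat that as a token clock to resynchronize, not widen the window.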

10
Biometrics
  • authentication by inherent physical characteristics
  • usually invasive, expensive and not useful for remote
    authentication (the remote end cannot tell a live
    reading from a replayed one)
  • examples
      • retinal scanner: examines the back of the eye
      • fingerprint reader: seems hard to automate
      • face recognition: what if you get a black eye?
      • iris scanner: less invasive than a retinal scanner
        (can be done from a distance)
      • voiceprints: may be defeated with a recording;
        what if you get a sore throat?
      • keystroke timing
      • signatures: hard to automate; possible if the
        signature's production (the pen movements) is
        also recorded