Identification and Authentication - PowerPoint PPT Presentation

Provided by: csi64
1
Identification and Authentication

2
Reading Assignment
  • Reading assignments for August 28
  • Required
    • Smith Chs. 1, 2
    • Smith Chs. 7, 9, 10 (read only)
  • Recommended
    • Biometric Security: Barely Skin Deep
      (http://www.pcworld.com/news/article/0,aid,103535,00.asp)
    • Security Tools: Crackers
      (http://www.mycert.mimos.my/resource/cracker.htm)

3
User Authentication
  • What the user knows
    • Password, personal information
  • What the user possesses
    • Physical key, ticket, passport, token, smart card
  • What the user is (biometrics)
    • Fingerprints, voiceprint, signature dynamics

4
Passwords
  • Commonly used method
  • For each user, the system stores (user name,
    F(password)) in a password file, where F is some
    transformation (e.g., a one-way hash)
  • F(password) is easy to compute
  • From F(password), the password is difficult to
    compute
  • The password itself is not stored on the system
  • When the user enters the password, the system
    computes F(password); a match with the stored
    value provides proof of identity

5
Password Management Policy
  • Educate users to make better choices
  • Define rules for good password selection and ask
    users to follow them
  • Ask or force users to change their password
    periodically
  • Actively attempt to break users' passwords and
    force users to change broken ones
  • Screen password choices

6
Vulnerabilities of Passwords
  • Inherent vulnerabilities
    • Easy to guess or snoop
    • No control on sharing
  • Practical vulnerabilities
    • Visible if unencrypted in distributed and network
      environments
    • Susceptible to replay attacks if encrypted
      naively
  • Password advantage
    • Easy to modify a compromised password

7
Weak Passwords
  • Bell Labs study (Morris and Thompson, 1979): 3289
    passwords were examined
    • 15 single ASCII characters, 72 two ASCII
      characters, 464 three ASCII characters, 477 four
      ASCII characters, 706 five letters (all lower
      case or all upper case), 605 six letters, all
      lower case, 492 weak passwords (names, dictionary
      words, etc.)
  • Summary: 2831 passwords (86% of the sample) were
    weak, i.e., either too easy to predict or too
    short

8
Attacks on Password
  • Guessing attack/dictionary attack
  • Social Engineering
  • Sniffing
  • Trojan login
  • Van Eck sniffing

9
Guessing Attack
  • Exploits human nature: people choose
    easy-to-remember passwords
  • Trial-and-error attack
  • Easy to detect (failed logins) and block
  • Needs an audit mechanism

10
Social Engineering
  • Attacker asks for the password while masquerading
    as somebody else (not necessarily an authenticated
    user)
  • May be difficult to detect
  • Protection against social engineering: a strict
    security policy and user education

11
Dictionary Attacks on Passwords
  • Attack 1
    • Create a dictionary of common words and names and
      their simple transformations
    • Use these to guess the password
  • Attack 2
    • Usually F is public, and so is the (encrypted)
      password file
    • Compute F(word) for each word in the dictionary
    • Find matches
  • Attack 3
    • Pre-compute the dictionary
    • Look up matches

12
Password Salt
  • Used to make dictionary attacks more difficult
  • Salt is a 12-bit number between 0 and 4095
  • It is derived from the system clock and the
    process identifier
  • Compute F(password || salt); both the salt and
    F(password || salt) are stored in the password table
  • User gives the password; the system finds the salt,
    computes F(password || salt) and checks for a match
  • Note: with salt, the same password can be stored in
    4096 different ways
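The password file of slide 4, the precomputed dictionary of slide 11 (Attack 3) and the 12-bit salt of slide 12, as an added example that is not part of the slides. SHA-256 stands in for the unnamed one-way function F, the salt is drawn randomly instead of from the clock and PID, and the word list is constructed.

```python
import hashlib
import secrets

# F is the one-way transformation of slide 4; SHA-256 stands in for the
# unnamed hash (an assumption for this demo, not a recommendation: real
# password storage uses a slow, tunable function such as scrypt or bcrypt).
def F(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def salted_hash(password: str, salt: int) -> bytes:
    # F(password || salt), the 12-bit salt appended as two bytes
    return F(password.encode() + salt.to_bytes(2, "big"))

def enroll(table: dict, user: str, password: str, salt=None) -> None:
    # Slide 12 derives the salt from the clock and the PID; a random value in
    # 0..4095 is used here instead, since clock and PID are predictable.
    if salt is None:
        salt = secrets.randbelow(4096)
    table[user] = (salt, salted_hash(password, salt))  # password itself never stored

def login(table: dict, user: str, password: str) -> bool:
    if user not in table:
        return False
    salt, stored = table[user]
    return secrets.compare_digest(stored, salted_hash(password, salt))

# "Attack 3" of slide 11: a table of F(word) precomputed once, without salts.
WORDLIST = ["password", "letmein", "dragon", "qwerty"]  # constructed sample dictionary

def precompute_unsalted(words) -> dict:
    return {F(w.encode()): w for w in words}

def lookup(table: dict, precomputed: dict) -> dict:
    # users whose stored value appears in the precomputed table
    return {u: precomputed[h] for u, (_, h) in table.items() if h in precomputed}

def salted_table_size(words) -> int:
    # to keep Attack 3 working against salted entries, the attacker must
    # precompute F(word || salt) for every salt: 4096 times the work
    return len(words) * 4096

if __name__ == "__main__":
    users = {}
    enroll(users, "alice", "password", salt=7)
    enroll(users, "bob", "password", salt=2048)
    print(users["alice"][1] != users["bob"][1])  # same password, different stored values
    print(login(users, "alice", "password"), login(users, "alice", "Password"))
    print(lookup(users, precompute_unsalted(WORDLIST)))  # {} : salt defeats the table
```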

13
Password sniffing
  • Attacker installs sniffer software on the network
  • Automated sniffers use clues that a login is
    being initiated
  • Replay attack: captured traffic can be replayed
    even if it is hashed

14
One-time Password
  • Use the password exactly once!

15
Lamport's scheme
  • Doesn't require any special hardware
  • System computes F(x), F^2(x), ..., F^100(x) (this
    allows 100 logins before a password change)
  • System stores the user's name and F^100(x)
  • User supplies F^99(x) the first time
  • If the login is correct, the system replaces
    F^100(x) with F^99(x)
  • On the next login the user supplies F^98(x), and
    so on
  • User calculates F^n(x) using a hand-held
    calculator, a workstation, or another device
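Lamport's hash chain from slide 15 carried through in code, as an added example that is not part of the slides: the host keeps only F^N(x), accepts a candidate when F(candidate) equals what it stores, and then moves down the chain. SHA-256 stands in for F (an assumption), and the user name and secret are constructed.

```python
import hashlib

def F(x: bytes) -> bytes:
    # the one-way function of slide 15; SHA-256 stands in (assumption)
    return hashlib.sha256(x).digest()

def F_n(x: bytes, n: int) -> bytes:
    # F^n(x): apply F n times; F^0(x) = x
    for _ in range(n):
        x = F(x)
    return x

class LamportHost:
    """Stores only (name, F^N(x)); never sees the secret x itself."""
    def __init__(self, name: str, final: bytes, n: int = 100):
        self.name, self.stored, self.remaining = name, final, n

    def login(self, name: str, candidate: bytes) -> bool:
        # valid submission: the preimage of the stored value, F(candidate) == stored
        if name != self.name or self.remaining == 0 or F(candidate) != self.stored:
            return False
        self.stored = candidate             # replace F^k(x) with F^(k-1)(x)
        self.remaining -= 1                 # 100 logins, then a password change
        return True

class LamportUser:
    """Holds the secret x and counts down which F^k(x) to send next."""
    def __init__(self, secret: bytes, n: int = 100):
        self.secret, self.next_k = secret, n - 1   # first login sends F^(N-1)(x)

    def next_password(self) -> bytes:
        k, self.next_k = self.next_k, self.next_k - 1
        return F_n(self.secret, k)

def run_logins(secret: bytes, n: int, attempts: int) -> list:
    # outcome of each attempt; the chain is exhausted after n logins
    user = LamportUser(secret, n)
    host = LamportHost("alice", F_n(secret, n), n)
    return [host.login("alice", user.next_password()) for _ in range(attempts)]

def replay_is_rejected(secret: bytes, n: int = 100) -> bool:
    # a sniffed one-time password (slide 13) is useless afterwards:
    # F(F^99(x)) = F^100(x), which no longer equals the stored F^99(x)
    user = LamportUser(secret, n)
    host = LamportHost("alice", F_n(secret, n), n)
    pw = user.next_password()
    return host.login("alice", pw) and not host.login("alice", pw)
```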

16
Time Synchronized
  • There is a hand-held authenticator
  • It contains an internal clock (counter), a secret
    key, and a display
  • Display outputs a function of the current time
    and the key
  • It changes about once per minute
  • User supplies the user id and the display value
  • Host uses the secret key, the function and its
    clock to calculate the expected output
  • Login is valid if the values match within a time
    window

17
Time Synchronized
(Diagram: the secret key and the current time are fed
into DES; its output is the one-time password.)
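The time-synchronized authenticator of slides 16 and 17 with the host-side time window, as an added example that is not part of the slides. HMAC-SHA256 over a one-minute counter stands in for the DES box (an assumption), and the host additionally remembers the last accepted time step so a sniffed display value cannot be replayed within the window.

```python
import hmac
import hashlib

STEP = 60  # slide 16: the display changes about once per minute

def display_value(key: bytes, now: int, step: int = STEP) -> str:
    # function of (secret key, current time): HMAC-SHA256 over the minute
    # counter stands in for DES (assumption), truncated to a 6-digit display
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(key, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class Host:
    def __init__(self, keys: dict, window: int = 1):
        self.keys = keys        # user id -> secret key (the sensitive key database)
        self.window = window    # accept +/- this many steps of clock drift
        self.last_step = {}     # last accepted step per user, to refuse replays

    def login(self, user: str, shown: str, now: int) -> bool:
        key = self.keys.get(user)
        if key is None:
            return False
        step = now // STEP
        for drift in range(-self.window, self.window + 1):
            if hmac.compare_digest(display_value(key, (step + drift) * STEP), shown):
                if self.last_step.get(user, -1) >= step + drift:
                    return False   # value already used (or older): replay, slide 18
                self.last_step[user] = step + drift
                return True
        return False   # no match within the time window
```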
18
Attacks on One-Time Password
  • Vulnerable to
    • Attacks on the authentication connection (e.g.,
      phone line redirection, IP address theft)
    • Man-in-the-middle attack: the attacker interferes
      with the authentication process and replays the
      one-time password
    • IP hijacking: allows an attacker to steal an
      established connection

19
Challenge Response
  • Non-repeating challenges from the host are used
  • The device requires a keypad

(Diagram: the workstation sends the user ID to the host
over the network; the host returns a challenge and the
user sends back the response.)
20
Challenge Response
(Diagram: the secret key and the challenge are fed into
DES; its output is the one-time password.)
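The challenge/response exchange of slides 19 and 20 with both sides' messages, as an added example that is not part of the slides. HMAC-SHA256 stands in for DES (an assumption); the host issues each random challenge once and forgets it after one answer, so a response captured on the wire does not fit any later challenge.

```python
import hmac
import hashlib
import secrets

def response(key: bytes, challenge: bytes) -> bytes:
    # slide 20: secret key and challenge go into DES; HMAC-SHA256 stands in (assumption)
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Host:
    def __init__(self, keys: dict):
        self.keys = keys      # user id -> secret key
        self.pending = {}     # user id -> challenge currently outstanding
        self.used = set()     # challenges already issued, so none repeats

    def challenge(self, user: str) -> bytes:
        # non-repeating challenge (slide 19): random nonce checked against history
        c = secrets.token_bytes(16)
        while c in self.used:
            c = secrets.token_bytes(16)
        self.used.add(c)
        self.pending[user] = c
        return c

    def verify(self, user: str, resp: bytes) -> bool:
        c = self.pending.pop(user, None)   # each challenge is answered at most once
        key = self.keys.get(user)
        if c is None or key is None:
            return False
        return hmac.compare_digest(response(key, c), resp)

class Token:
    """User's keypad device: the challenge is typed in, the response read off."""
    def __init__(self, key: bytes):
        self.key = key

    def answer(self, challenge: bytes) -> bytes:
        return response(self.key, challenge)

def exchange(host: Host, token: Token, user: str) -> bool:
    # user id -> host, challenge -> user, response -> host (the slide 19 diagram)
    return host.verify(user, token.answer(host.challenge(user)))

def replay_rejected(host: Host, token: Token, user: str) -> bool:
    # a response sniffed from one exchange does not answer the next challenge
    r = token.answer(host.challenge(user))
    first = host.verify(user, r)
    host.challenge(user)
    return first and not host.verify(user, r)
```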
21
Tokens
  • Passive token
    • Presents the base secret to the authentication
      mechanism
    • Problems
      • Easy to copy
      • Misuse by authorized users
  • Active token
    • Uses its base secret to perform some function
      that authenticates the owner
    • May use cryptographic techniques for
      authentication
    • Problems
      • Often requires a reader

22
Devices with Personal Identification Number (PIN)
  • Devices are subject to theft, so some devices
    require a PIN (something the user knows)
    • Internal PIN: used by the device to authenticate
      the user
    • External PIN: attached to the one-time password
      and sent to the remote system together with it
  • Problems with challenge/response schemes
    • The key database is extremely sensitive
    • This can be avoided if public key algorithms are
      used

23
Smart Cards
  • Portable devices with a CPU, I/O ports, and some
    nonvolatile memory
  • Can carry out the computation required by public
    key algorithms and transmit directly to the host
  • Some use biometric data about the user instead
    of a PIN
  • Very popular in Europe

24
Biometrics
  • Use unique personal properties to authenticate
    people

25
Something You Are
  • Needs an automated analysis tool
  • Find matches
  • May be difficult to authenticate a person (noisy
    data)
  • Vulnerable to replay attacks
  • Vulnerable to fake copies
  • Expensive
  • Safe within a physically controlled area

26
Types of Biometrics
  • Measuring physical traits
    • Fingerprint
    • Retina/iris scan
    • Face recognition
  • Measuring behavioral traits
    • Voice pattern
    • Signature
    • Typing style

27
Forging physical traits
  • Replay of illegal copies
    • Captured digital copy
    • Fake fingerprint by photocopy (fools few
      fingerprint devices)
    • Fake wax fingerprint (fools most fingerprint
      devices)
  • Similar attacks may work against behavioral
    authentication
  • Usability vs. security

28
Problems with Biometrics
  • Expensive
    • Retina scan (min. cost): about $2,200
    • Voice (min. cost): about $1,500
    • Signature (min. cost): about $1,000
  • False readings
    • Retina scan: 1/10,000,000
    • Signature: 1/50
    • Fingerprint: 1/500
  • Can't be modified when compromised