Authentication - PowerPoint PPT Presentation

Slides: 27
Provided by: Sri672

Transcript and Presenter's Notes

1
Authentication
2
Authentication
  • Strong passwords
  • Kerberos
  • CHAP
  • Digital Certificates
  • Biometrics

3
Strong Passwords
  • Minimum 8 characters; longer passphrases are better (the
    6-character floor once taught is too short to resist offline
    guessing)
  • At least one letter and one digit
  • Case sensitive
  • Avoid well-known substitutions, which password-guessing tools
    undo automatically:
    • 0 for the letter O
    • 2 for "to"
    • 4 for "for"
    • 5 for S
  • Set an expiration date for the password (current NIST SP 800-63B
    guidance no longer requires periodic expiry and instead requires
    a change when a password is known to be compromised)
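The substitution point above is easier to see with a checker that undoes the substitutions before looking for dictionary words. The following is an added example, not code from the presentation; the substitution table and the small word list are constructed for illustration, and a real deployment would check against a large breached-password list instead.

```python
import re

# Character-level substitutions an attacker's rule set undoes (constructed, illustrative)
CHAR_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                           "7": "t", "@": "a", "$": "s", "!": "i"})
# Whole-word substitutions from the slide: "want2go" -> "wanttogo", "4ever" -> "forever"
WORD_SUBS = {"2": "to", "4": "for"}
# Tiny stand-in for a real breached-password list (constructed)
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou",
                "admin", "monkey", "secret"}


def normalized_forms(password):
    """Spellings a guessing tool would try: lower-cased, then with character
    substitutions undone, then with word substitutions undone as well."""
    low = password.lower()
    word_undone = low
    for digit, word in WORD_SUBS.items():
        word_undone = word_undone.replace(digit, word)
    return {low, low.translate(CHAR_SUBS), word_undone.translate(CHAR_SUBS)}


def check_password(password, min_len=8):
    """Return a sorted list of policy problems; an empty list means the password passes."""
    problems = set()
    if len(password) < min_len:
        problems.add(f"shorter than {min_len} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.add("no letter")
    if not re.search(r"[0-9]", password):
        problems.add("no digit")
    if len(set(password.lower())) <= 2:
        problems.add("too few distinct characters")
    # Dictionary check runs on every normalized form, so "P@55w0rd" is caught
    for form in normalized_forms(password):
        for word in COMMON_WORDS:
            if word in form:
                problems.add(f"contains dictionary word '{word}' once substitutions are undone")
    return sorted(problems)


if __name__ == "__main__":
    for candidate in ("P@55w0rd", "s3cret4u", "Zq8!mTv4Lp"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker only rejects what it can recognise; its value comes from the size and quality of the word list it is run against, not from the handful of rules shown here.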

4
Kerberos
  • Developed at MIT in the 1980s as part of Project Athena, which
    began in 1983
  • Meant for internal networks
  • Passwords are never sent over the network: the client derives a
    secret key from the password and uses that key only to decrypt
    the Authentication Server's reply
  • Developed for authenticating users in a single or
    multi-server environment
  • Current version is 5 (RFC 4120)
  • Freeware (http://web.mit.edu/is/help/kerberos)
  • Sets up a fresh session key for every requested service for the
    authenticated user

5
Kerberos
  • How authentication works
  • User logs in with userid and password; the client turns the
    password into the user's secret key locally
  • User wants to use a service (e.g. FTP)
  • A request naming the user and the service goes to an
    Authentication Server (AS). With pre-authentication the request
    carries a current timestamp encrypted under the user's key.
  • AS looks up the key it stores for that userid and uses it to
    verify the request
  • AS sends two data items back to the user. One is the Ticket,
    encrypted with the requested service's master key, which the
    user cannot read. The other holds a fresh Session key and is
    encrypted with the user's key.

6
Kerberos
  • The user decrypts the second item with their key to recover the
    session key; being able to do so shows the response came from
    the AS, since only the AS knows the user's key. The user then
    creates an authenticator containing their userid and a
    timestamp, encrypts it with the session key, and sends it to
    the service together with the ticket. The service decrypts the
    ticket with its master key, extracts the session key from it,
    decrypts the authenticator, and checks that the userid matches
    the ticket and that the timestamp is recent. Only then is the
    user allowed to use the service.

7
Kerberos Single service diagram
8
Kerberos
  • The previous description is suited for a
    single-server single-service environment. For a
    multi-server multi-service environment a
    different authentication process is used.
  • Upon initial login the user authenticates once to the AS and
    receives a Ticket-Granting Ticket (TGT), which is encrypted
    under the Ticket Granting Server's (TGS) key, together with a
    session key for talking to the TGS. For each service needed,
    the user sends the TGT and an authenticator to the TGS and
    obtains a service ticket and a fresh session key for that
    service; the exchange with the service then proceeds as
    before. The password-derived key is used only once per login.

9
Kerberos
  • Assumptions made by Kerberos systems
  • The user keeps their password secret. Kerberos does not by
    itself prevent dictionary attacks on weak passwords: an
    attacker who captures an AS reply or pre-authentication data
    can test guesses offline
  • Assumes the KDC is physically secure and that client machines
    have not been compromised
  • Does not prevent denial of service attacks
  • All authenticating devices must have their clocks
    synchronized (typically within five minutes) in order for
    time stamps to be accepted
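The three exchanges described on the Kerberos slides (AS, TGS and service), with the assumptions about clock skew, can be walked through in code. The following is an added example and not the MIT implementation or any real Kerberos enctype: the cipher is a demo authenticated-encryption construction built from HMAC-SHA256 so the block runs with the standard library alone, message formats are simplified JSON, and the principal names, passwords and the five-minute skew window are assumptions for the illustration.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # assumed clock-skew tolerance in seconds, as in common KDC configurations


def string_to_key(password, principal):
    """Derive the long-term key from the password; the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(key, obj):
    """Demo authenticated encryption (HMAC keystream XOR, then HMAC tag); not a Kerberos enctype."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _fresh(ts):
    return abs(time.time() - ts) <= SKEW


class KDC:
    """Holds both the AS and TGS roles; 'krbtgt' is the TGS's own long-term key."""

    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key

    def as_exchange(self, user, preauth, lifetime=8 * 3600):
        # AS-REQ: pre-authentication is a timestamp encrypted under the user's key;
        # a wrong password on the client makes this decryption fail here
        if not _fresh(decrypt(self.keys[user], preauth)["ts"]):
            raise ValueError("stale pre-authentication")
        sk = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": user, "sk": sk, "exp": time.time() + lifetime})
        return tgt, encrypt(self.keys[user], {"sk": sk, "for": "krbtgt"})  # AS-REP

    def tgs_exchange(self, tgt, authenticator, service):
        t = decrypt(self.keys["krbtgt"], tgt)  # only the TGS can open the TGT
        a = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or not _fresh(a["ts"]) or t["exp"] < time.time():
            raise ValueError("bad TGS request")
        ssk = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "sk": ssk, "exp": t["exp"]})
        return ticket, encrypt(bytes.fromhex(t["sk"]), {"sk": ssk, "for": service})  # TGS-REP


def make_authenticator(session_key, client):
    return encrypt(session_key, {"client": client, "ts": time.time()})


def service_accept(service_key, ticket, authenticator):
    """Service side of the AP exchange: the ticket is opaque to the client."""
    t = decrypt(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(t["sk"]), authenticator)
    if a["client"] != t["client"] or not _fresh(a["ts"]):
        raise ValueError("authenticator does not match ticket or is stale")
    return t["client"]


def login_and_access(kdc, user, password, service, service_key):
    """Client flow: one AS exchange, then a TGS exchange and an AP exchange for one service."""
    user_key = string_to_key(password, user)
    tgt, enc = kdc.as_exchange(user, encrypt(user_key, {"ts": time.time()}))
    tgt_sk = bytes.fromhex(decrypt(user_key, enc)["sk"])  # proves the reply came from the AS
    ticket, enc2 = kdc.tgs_exchange(tgt, make_authenticator(tgt_sk, user), service)
    svc_sk = bytes.fromhex(decrypt(tgt_sk, enc2)["sk"])
    return service_accept(service_key, ticket, make_authenticator(svc_sk, user))


if __name__ == "__main__":
    ftp_key = string_to_key("ftp host secret", "ftp")  # assumed service key
    kdc = KDC({"alice": string_to_key("correct horse", "alice"),
               "krbtgt": string_to_key("tgs secret", "krbtgt"), "ftp": ftp_key})
    print(login_and_access(kdc, "alice", "correct horse", "ftp", ftp_key))
```

Notice what each party can and cannot read: the client never opens a ticket, the service never sees the user's key, and the only thing the password protects is the single AS reply, which is why an offline guess against a captured reply is the attack the assumptions slide warns about.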

10
Challenge Handshake Authentication Protocol
  • CHAP is an authentication method for the Point-to-Point
    Protocol (PPP), defined in RFC 1994
  • Used where hosts are connected to routers using
    switched circuits or dial-up lines
  • Host and authenticating server (AS) agree to use CHAP while the
    PPP link is being set up
  • AS sends a challenge message to the host: an identifier byte
    and a random challenge value

11
Challenge Handshake Authentication Protocol
  • The host hashes the identifier, its shared secret and the
    challenge with a one-way hash function (MD5 in RFC 1994; the
    algorithm is agreed at link setup, not chosen freely by the
    host) and sends the hash value and its name to the AS. The AS,
    which stores the same secret, computes the same hash. If the
    values match the connection is maintained, otherwise the
    connection is terminated. The secret itself never crosses the
    link, but anyone who records a challenge and its response can
    test secret guesses offline, so the secret must be strong.
  • Under CHAP, the AS periodically sends new challenges to
    re-verify the authenticity of the host during the session; a
    fresh random challenge each time is what stops a recorded
    response from being replayed
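The exchange above, written out for both sides, as an added example rather than code from the presentation. The hash follows RFC 1994 (MD5 over identifier, secret and challenge); the peer name, the secret and the sixteen-byte challenge size are assumptions, and the offline-guessing function at the end exists to show why the shared secret has to be strong.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The challenging side (the slide's AS). It must hold each peer's secret in
    a recoverable form, which is one of CHAP's known weaknesses."""

    def __init__(self, secrets):
        self.secrets = secrets          # peer name -> shared secret (bytes)
        self.identifier = 0
        self.outstanding = {}           # identifier -> challenge not yet answered

    def challenge(self):
        """Issue a fresh random challenge under a new identifier byte."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)           # challenge length is the authenticator's choice
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        """Success only if the response matches a challenge that is still outstanding."""
        chal = self.outstanding.pop(identifier, None)   # each challenge is answered once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, chal))


def peer_respond(identifier, challenge, name, secret):
    """The host side: hash and return (Name, Value) without ever sending the secret."""
    return name, chap_response(identifier, secret, challenge)


def offline_guess(identifier, challenge, response, wordlist):
    """What an eavesdropper does with one captured challenge/response pair."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None


if __name__ == "__main__":
    auth = Authenticator({"host1": b"s3cret-ppp"})     # assumed peer and secret
    ident, chal = auth.challenge()
    name, resp = peer_respond(ident, chal, "host1", b"s3cret-ppp")
    print("first response accepted:", auth.verify(ident, name, resp))
    print("replayed response accepted:", auth.verify(ident, name, resp))
    ident2, chal2 = auth.challenge()
    print("old response to new challenge accepted:", auth.verify(ident2, name, resp))
    print("offline guess:", offline_guess(ident, chal, resp, ["password", "s3cret-ppp"]))
```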

12
Digital Certificates
  • Issued by trusted third parties known as
    Certificate Authorities (CAs)
  • VeriSign is an example of such a trusted third party (its
    certificate business has since passed to Symantec and then to
    DigiCert)
  • Used to authenticate an individual, an organization, or a server
  • Digital Certificates are usually issued for a period of about
    one year (publicly trusted TLS certificates are now limited to
    398 days)
  • They can be revoked before they expire; revocation is published
    through CRLs or OCSP and helps only if the relying party checks it
  • They are issued at various validation levels (domain,
    organization and extended validation). The higher the level,
    the more thoroughly the CA verifies the identity of the
    certificate seeker.

13
Digital Certificates
  • Digital Certificates can be issued by anyone as long as there
    are parties willing to trust the issuer; a certificate proves
    nothing to a relying party that does not trust the CA that
    signed it
  • Major CAs at the time of this presentation were
  • Verisign
  • GeoTrust
  • BeTrusted
  • Thawte

14
Digital Certificates
  • Digital Certificates are part of the authentication mechanism.
    The other part is the Digital Signature: the certificate binds
    a public key to a name, and the signature proves possession of
    the matching private key.
  • To sign, the sender hashes the message and transforms the hash
    with their private key, then sends the message with the
    signature. The receiver recomputes the hash and verifies the
    signature with the sender's public key taken from the
    certificate. The message is not "encrypted with the private
    key"; a signature provides integrity and origin, not
    confidentiality.
  • In public-key encryption the roles are reversed: the sender
    encrypts the message with the public key of the receiver, and
    only the receiver can decrypt it with their private key

15
Digital Certificates
  • Additional authentication means, commonly combined with
    certificates and passwords, are
  • Security token
  • Passive token
  • Active token
  • One time password

16
Digital Certificates
  • A security token is usually a hardware device such as a
    Smart Card
  • If the security token is a software token, it is
    usually bound to a particular workstation
  • Security tokens enable two-factor authentication: something
    the user knows (a password or PIN) and something the user has
    (the device, or an appropriate hardware identifier)

17
Digital Certificates
  • A passive token is a storage device that holds one or more
    keys. The stored key is transmitted as-is over whatever
    interface the reader uses (magnetic stripe, contactless
    radio), so anyone able to read or record it can copy the
    token.
  • Inexpensive to manufacture
  • Sometimes an extra PIN is required to use the
    passive token
  • Examples
  • Fixed-code garage door opener
  • Magnetic-stripe ATM card

18
Digital Certificates
  • An active token never transmits its base key, unlike a
    passive token
  • Active tokens instead compute something derived from the base
    key, such as a one-time password or a response to a challenge,
    so a recorded value cannot be reused
  • Smart cards are commonly used for active tokens

19
Digital Certificates
  • A one-time password is valid for a single use and for a
    limited time
  • Generated using a counter-based token or a
    clock-based token
  • A counter-based token (HOTP, RFC 4226) is an active token in
    which the token and the server each keep a counter and share
    the user's secret key; each use advances the token's counter,
    and the server must resynchronize if the two drift apart
  • A clock-based token (TOTP, RFC 6238) is an active token that
    derives the counter from the current time, so the token's
    clock and the server's clock must agree within a small tolerance
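Both token types reduce to the same HMAC construction, which the following added example implements with the standard library; it is not code from the presentation. The secret is the test-vector key from RFC 4226 and RFC 6238, so the codes can be checked against the published tables. The server classes show the two resynchronization problems the slide mentions: the look-ahead window for a counter that has drifted, and the clock-skew window for a time step, each paired with a rule that stops a code from being accepted twice.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890")
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with the counter taken from the clock (Unix time // step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algo)


class HotpServer:
    """Counter-based verification with a look-ahead window for resynchronization."""

    def __init__(self, secret, window=10):
        self.secret, self.window, self.counter = secret, window, 0

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # this and every earlier counter are now spent
                return True
        return False                   # token drifted beyond the window, or wrong code


class TotpServer:
    """Clock-based verification tolerating a few steps of skew, never accepting a step twice."""

    def __init__(self, secret, step=30, skew_steps=1):
        self.secret, self.step, self.skew = secret, step, skew_steps
        self.last_used = -1

    def verify(self, code, at=None):
        now = int((time.time() if at is None else at) // self.step)
        for t in range(now - self.skew, now + self.skew + 1):
            if t <= self.last_used:
                continue               # replay protection across the whole skew window
            if hmac.compare_digest(hotp(self.secret, t), code):
                self.last_used = t
                return True
        return False


if __name__ == "__main__":
    print([hotp(RFC_SECRET, c) for c in range(4)])       # RFC 4226 table values
    print(totp(RFC_SECRET, at=59, digits=8))             # RFC 6238 table value for T=59
    server = HotpServer(RFC_SECRET)
    print(server.verify(hotp(RFC_SECRET, 0)), server.verify(hotp(RFC_SECRET, 0)))
```

The six-digit code is the low decimal digits of a 31-bit value, so the whole security of the scheme rests on the secret staying on the token and the server and on the server rate-limiting guesses; a million-code keyspace is small if unlimited attempts are allowed.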

20
Biometrics
  • Biometric authentication involves unique physical
    or behavioral characteristics of individuals
  • Examples: fingerprint, retinal scan, facial
    recognition
  • Fingerprint authentication has matured as a
    reliable technology
  • Retinal scan and facial recognition had, at the time of this
    presentation, yet to reach a comparable level of reliability

21
Biometrics
  • How biometric authentication works
  • Take the example of a fingerprint. To authenticate a user, the
    biometric is used as a secondary validation tool alongside
    something the user knows or has.
  • First, a database of fingerprint templates of valid users
    is built (enrollment)
  • When access to a facility or system is needed, the user
    presents their fingerprint
  • The matching system compares numeric measurements of the
    ridges and valleys in the presented print against the enrolled
    template and produces a match score. The administrator sets
    the acceptable level of matching (the threshold) in advance,
    and the print is considered matched if the score reaches that
    level. The system does not report the score to the user; it
    only returns a YES or NO answer for the match
  • Authenticated user information is kept for the audit
    trail

22
Biometrics
  • Potential problems with Biometrics
  • False positives (false accepts)
  • Means that an unauthorized person is granted
    access
  • Happens more often when the required level of match
    (threshold) is set low in the program
  • False negatives (false rejects)
  • Means that an authorized person is not granted
    access
  • Happens more often when the threshold is set high, or when
    the biometric has changed since the data was input, such as
    surgery on or injury to a finger
  • Lowering the threshold trades false rejects for false accepts
    and raising it does the reverse; the two rates cannot both be
    driven to zero, so the threshold is chosen for the risk of the
    application
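The threshold trade-off from the last two slides is easiest to see numerically. The following added example (not from the presentation) takes constructed match scores for genuine and impostor attempts, makes the YES/NO decision the slide describes, and reports the false accept and false reject rates as the threshold moves; the score lists are invented for illustration, and real systems report these rates from large enrollment trials.

```python
# Constructed match scores in [0, 1]: the same enrolled finger scanned again,
# and other people's fingers compared against that template.
GENUINE = [0.91, 0.88, 0.95, 0.64, 0.84, 0.93, 0.70, 0.87, 0.90, 0.82]
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.22, 0.30, 0.72, 0.27, 0.49, 0.18]


def decide(score, threshold):
    """The only thing the matcher reveals: YES if the score reaches the threshold."""
    return score >= threshold


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR): false accept rate over impostors, false reject rate over genuine users."""
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(steps=20, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR and FRR at each threshold from 0 to 1 in 1/steps increments."""
    return [(i / steps,) + error_rates(i / steps, genuine, impostor) for i in range(steps + 1)]


def equal_error_threshold(steps=20, genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest; the usual single-number comparison point."""
    return min(sweep(steps, genuine, impostor), key=lambda row: abs(row[1] - row[2]))[0]


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for th, far, frr in sweep(10):
        print(f"{th:9.2f}  {far:.2f}  {frr:.2f}")
    print("equal-error threshold:", equal_error_threshold())
```

For access to confidential data the threshold is normally set above the equal-error point, accepting more false rejects (a retry for a legitimate user) in exchange for fewer false accepts.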

23
Biometrics
  • Other forms of biometrics in use
  • Palm scan. This method uses the ridges and
    valleys in the entire palm in a manner similar to
    fingerprint.
  • Retinal scan. This method uses an analysis of
    blood vessels located in the back of eye. Fairly
    reliable but time consuming.
  • Iris scan. This method uses an analysis of the
    colored part surrounding the pupil in the eye.
    Not easy to use, especially with many people
    having contact lenses of various colors.

24
Biometrics
  • Facial scan. This method uses an analysis of the
    contours of the face. The presentation's premise is that a
    grown person's facial contours do not change in spite of
    appearances such as a beard or aging, because the skin is
    just a cover over the bones, so the scan relies on the
    underlying bone structure. Reliability is not high.
  • Signature verification. This method uses pattern
    recognition in matching a signature. Very
    reliable and easy to use but not secure since the
    signature forgery is hard to detect.
  • Voice authentication. This method uses pattern
    recognition based on conversion of spoken words
    into digital signals based on speech
    characteristics. Fairly reliable but not widely
    used as it is difficult to control background
    noise for a highly reliable authentication.

25
Biometrics
  • Advantages
  • Second tier authentication tool
  • Reliability can be enhanced in authentication
  • Disadvantages
  • Costly
  • Time consuming at the point-of-use
  • Bulky equipment may be needed at point-of-use

26
Security Scenarios to Solve
  • Biometric technology is constantly improving.
    Your manager has asked you to examine two
    different biometric technologies as
    authentication tools to access confidential data.
    Develop a report that identifies the equipment,
    suppliers, reliability, cost, ease of use (at
    data gathering time and at point-of-use). The
    report should be in a tabular form so that the
    manager can easily compare your research and make
    a decision.