Title: Authentication
1 Authentication
2 Authentication
- Most technical security safeguards have authentication as a precondition
- How to authenticate
3 The authentication process
- Identify
  - Either by claim or by recognition
- Authenticate
  - Prove
    - Ask the user for credentials
  - Verification
    - Verify these credentials
- Authorization
  - Mark the user as authenticated
  - Commonly the access control (AC) rights are also assigned here
4 Password
- A secret (word) known by the user and the system
5 Password
- Username
  - Some name under which the user is known to the system; hardly secret
- Secret password
  - The secret connected to the user name
6 Entropy for passwords
- Entropy represents the uncertainty of the password
- This represents how likely it is to guess the password
- The entropy is calculated from the reciprocal probability of each observed character in the password
- $H = -\sum_i p_i \,\mathrm{ld}\, p_i$ (ld: logarithmus dualis, the base-2 logarithm)
7 Good and bad passwords
- Bad passwords
  - Linkable names (own, child's, ...)
  - Linkable numbers (telephone, birthdays, ...)
  - Related words (like the car -> Ferrari)
  - Common words from dictionaries
  - Common patterns (qwerty, 123456, ...)
  - Fashion words
- Good passwords
  - Containing upper- and lower-case letters
  - Containing numbers and special characters
  - > 8 characters
  - Can be written fast
- The first three properties prevent the search
- The fourth is to prevent observation
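The entropy formula of slide 6 and the rules of slide 7 together form a password check. The following Python code is an added example, not part of the slides: it computes the per-character entropy H = -sum(p_i ld p_i) over the characters actually observed in the password, a keyspace estimate that assumes the attacker only knows which character classes were used, and a list of the slide-7 rules a candidate breaks. The common-pattern list and the `linkable` words are constructed stand-ins for a real breach list and the user's own names and numbers.

```python
import math
import re
import string

# Constructed stand-in for a breach/dictionary list (assumption: a real
# deployment checks against a large list of leaked passwords and words).
COMMON_PATTERNS = ("qwerty", "123456", "password", "letmein")
SPECIALS = set(string.punctuation)


def shannon_entropy_bits(password: str) -> float:
    """H = -sum(p_i * ld p_i) over the characters observed in the password,
    in bits per character (the formula on slide 6)."""
    n = len(password)
    if n == 0:
        return 0.0
    counts = {}
    for ch in password:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def keyspace_entropy_bits(password: str) -> float:
    """Guessing entropy if the attacker knows only which character classes
    were used: length * ld(alphabet size). Complements the Shannon value,
    which cannot tell 'abcdefgh' from a random 8-letter string."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if any(ch in SPECIALS for ch in password):
        alphabet += len(SPECIALS)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def policy_violations(password: str, linkable=()) -> list:
    """Apply the slide-7 rules and return the rules the password breaks.
    `linkable` holds the user's own names/numbers (constructed per user)."""
    problems = []
    lowered = password.lower()
    if len(password) <= 8:
        problems.append("not longer than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of upper- and lower-case letters")
    if not (re.search(r"[0-9]", password) and any(ch in SPECIALS for ch in password)):
        problems.append("no numbers and special characters")
    for pattern in COMMON_PATTERNS:
        if pattern in lowered:
            problems.append(f"contains common pattern '{pattern}'")
    for word in linkable:
        if word.lower() in lowered:
            problems.append(f"contains linkable word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty123", "Ferrari-2024!", "Correct-Horse9!"):
        print(candidate, round(shannon_entropy_bits(candidate), 2),
              round(keyspace_entropy_bits(candidate), 1),
              policy_violations(candidate, linkable=("Ferrari",)))
```

The two entropy figures answer different questions: the Shannon value measures how repetitive the chosen characters are, the keyspace value bounds the search an attacker faces who knows nothing beyond the character classes; the rule list is what a registration form would report back.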
8 Password verification
- Compare the input with a stored value
- Passwords need to be stored
  - Plain
  - Encrypted
    - One-way
    - Bi-directional
- Passwords need to be transferred
  - Plain
  - Encrypted
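The "one-way" storage option above is the one a system should use: the stored value lets the system verify an input but does not let anyone who reads the password list recover the passwords. The following Python code is an added example (not from the slides) of storing a salted, iterated one-way hash and comparing an input against it; the iteration count, the record format and the user table are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example; a deployment tunes it
# to its hardware so one verification costs tens of milliseconds.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """One-way storage record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The password itself is never stored, only the salted derived key; the
    random per-user salt defeats precomputed (rainbow) tables."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Compare the input with the stored value: re-derive the key with the
    stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Constructed user table: username -> stored record, never the plain password.
USERS = {"alice": hash_password("correct horse battery staple")}
# Record verified for unknown usernames so that a missing user costs the same
# time as a wrong password (no username enumeration through timing).
DUMMY_RECORD = hash_password("dummy")


def login(username: str, password: str) -> bool:
    """Look up the record and verify; unknown users still run the KDF."""
    stored = USERS.get(username, DUMMY_RECORD)
    return verify_password(password, stored) and username in USERS
```

Storing the parameters inside the record is what lets the iteration count be raised later: old records keep verifying with their own count and can be re-hashed on the user's next successful login.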
9 Security of passwords
- Security is based mainly on the user, but also on how it is implemented in the system
- Systems can implement additional functions to harden passwords
10 Attacks against password systems
- Test all possible passwords
- Guess likely words (lexical attacks)
- Rainbow tables
- Social engineering
- Looking for the system's password list
- Attacking the authentication mechanism
- Ask the user
11 Ways to harden
- Limited number of tries
- Wrong inputs slow down the process
- Challenge-response
- Also authenticate the system, not only the user
- Combining different systems
- Harden the process
- Require passwords with high entropy
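The first two hardening measures, a limited number of tries and a slowdown after wrong inputs, are a small piece of state per account. The following Python code is an added example (not part of the slides) of a login guard that doubles the wait after every wrong input and locks the account after a fixed number of failures; the limits and the injectable clock are constructed for the example so the behaviour can be checked without real waiting.

```python
import time

MAX_TRIES = 5          # limited number of tries before the account locks
BASE_DELAY = 1.0       # seconds; doubles with every wrong input
LOCKOUT = 15 * 60      # seconds the account stays locked after MAX_TRIES


class LoginGuard:
    """Per-account failure counter: each wrong input raises the delay before
    the next attempt is accepted; MAX_TRIES wrong inputs lock the account."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock       # injectable so tests can fake the passage of time
        self.failures = {}       # username -> (failure count, earliest next attempt)

    def allowed(self, username: str) -> bool:
        """True when the account is not currently throttled or locked."""
        _, not_before = self.failures.get(username, (0, 0.0))
        return self.clock() >= not_before

    def record(self, username: str, success: bool) -> float:
        """Update the state after a verification and return the wait in
        seconds before the next attempt on this account is accepted."""
        if success:
            self.failures.pop(username, None)     # a correct login resets the count
            return 0.0
        count, _ = self.failures.get(username, (0, 0.0))
        count += 1
        if count >= MAX_TRIES:
            wait = LOCKOUT
        else:
            wait = BASE_DELAY * (2 ** (count - 1))   # 1, 2, 4, 8 seconds ...
        self.failures[username] = (count, self.clock() + wait)
        return wait

    def attempt(self, username: str, password: str, verify) -> bool:
        """Full check: refuse while throttled (without running the verifier),
        otherwise verify with the supplied function and record the result."""
        if not self.allowed(username):
            return False
        ok = verify(username, password)
        self.record(username, ok)
        return ok
```

Attempts made while the account is throttled are refused without counting as failures, so an attacker hammering the endpoint cannot keep the legitimate user locked out indefinitely; the counter only advances when a real verification fails.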
12 One-time passwords
- A password is only valid once
- Techniques
  - Transaction numbers (TAN)
  - Hashed with time stamp
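"Hashed with time stamp" is what the HOTP/TOTP one-time password standards (RFC 4226 and RFC 6238) do: a keyed hash over a counter, where the counter is the current 30-second time step. The following Python code is an added example, not from the slides; it implements HOTP and the time-based variant, and a verifier that enforces "only valid once" by refusing any time step it has already accepted. The secret used in the test is the published RFC 4226 test key; the clock-drift window is an assumption for the example.

```python
import hashlib
import hmac
import struct
import time

# Published test key from RFC 4226 (ASCII "12345678901234567890"); a real
# deployment generates a random secret per user at enrolment.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the time step number."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accept the current step and `window` steps either side
    (clock drift), but never a step at or below the last accepted one, so a
    captured code cannot be replayed within its validity period."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # assumption: +/- 1 step of drift tolerated
        self.last_step = -1           # highest time step already consumed

    def verify(self, code: str, unix_time: float = None) -> bool:
        base = int(time.time() if unix_time is None else unix_time) // self.step
        for drift in range(-self.window, self.window + 1):
            step = base + drift
            if step <= self.last_step:
                continue              # already used: a password is only valid once
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```

The verifier compares every candidate with `hmac.compare_digest` and records the accepted step rather than the code, so two distinct codes from the same step are both refused after the first one is consumed.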
13 Cryptographic techniques
- Cryptography for authentication purposes
- Popular techniques
  - Kerberos
  - Certificates (X.509)
  - Challenge-response systems
- Problems
  - Complex
  - Infrastructure dependent
14 Security token
- Something you have
- Popular representatives
  - Cryptographic tokens
  - Smart cards
- Problems
  - Costly
  - Technical infrastructure
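A challenge-response system, listed above and on slide 11, proves knowledge of a shared secret without ever sending the secret itself: the server sends a fresh random challenge, the client returns a keyed hash over it, and a captured response is useless against a later challenge. The following Python code is an added example (not from the slides) of such an exchange with both sides' messages; it also lets the server prove itself to the client over a client-chosen nonce, which is the "also authenticate the system" item of slide 11. The shared key is constructed for the example (in practice it would be derived from the enrolled secret with a KDF).

```python
import hashlib
import hmac
import os

# Constructed shared secret; assumption: both sides hold the same key,
# derived from the user's secret with a KDF at enrolment.
SHARED_KEY = hashlib.sha256(b"correct horse battery staple").digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (b'ab', b'c') and
    (b'a', b'bc') produce different tags."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class Server:
    def __init__(self, users: dict):
        self.users = users            # user id -> shared key
        self.pending = {}             # user id -> outstanding challenge

    def challenge(self, user: bytes) -> bytes:
        """Message 1, server -> client: a fresh random nonce."""
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def check(self, user: bytes, client_nonce: bytes, response: bytes):
        """Message 3, server -> client: verify the client's response; on
        success return the server's own proof over the client's nonce
        (mutual authentication), otherwise None."""
        nonce = self.pending.pop(user, None)   # each challenge is usable once
        key = self.users.get(user)
        if nonce is None or key is None:
            return None
        expected = mac(key, b"client", user, nonce, client_nonce)
        if not hmac.compare_digest(expected, response):
            return None
        return mac(key, b"server", user, nonce, client_nonce)


class Client:
    def __init__(self, user: bytes, key: bytes):
        self.user, self.key = user, key
        self.nonce = None
        self.server_nonce = None

    def respond(self, server_nonce: bytes):
        """Message 2, client -> server: own nonce plus HMAC over both nonces.
        The key never leaves the client."""
        self.nonce = os.urandom(16)
        self.server_nonce = server_nonce
        return self.nonce, mac(self.key, b"client", self.user, server_nonce, self.nonce)

    def accept_server(self, proof) -> bool:
        """Check the server's proof so the client also knows whom it talks to."""
        if proof is None:
            return False
        expected = mac(self.key, b"server", self.user, self.server_nonce, self.nonce)
        return hmac.compare_digest(expected, proof)


def run_exchange(server: Server, client: Client) -> bool:
    """Drive the three messages; True only when both sides are satisfied."""
    n_s = server.challenge(client.user)
    n_c, resp = client.respond(n_s)
    proof = server.check(client.user, n_c, resp)
    return client.accept_server(proof)
```

The direction tags `b"client"` and `b"server"` keep the two proofs from being interchangeable, so a client cannot be tricked into producing the server's proof by a reflected challenge; the server forgets each challenge as soon as it is checked, which is what makes a replayed response fail.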
15 Smart cards
- A card with a chip
- Not necessarily for authentication
- Different types
  - ROM cards
  - EEPROM cards
  - Microprocessor cards
16 Smart cards
- Prominent examples
  - Bank cards
  - Credit cards
  - Mobile phone cards
17 Attacks against smart cards
- Protocol attacks
  - Attack the communication between the smart card and the card reader
- Blocking signaling
  - Block signals (for example erase signals)
  - Freeze or reset the card
  - Make the content of the RAM readable
18 Attacks against smart cards
- Physical probing
  - Reading data directly from the hardware
- Damage part of the chip
  - For example the address counter
- Reverse engineering
  - Reveal the chip design and gain knowledge
- Power analysis
  - Measure the differences in power consumption
19 Biometrics
- The security relies on a property of a human being
- Measuring some aspects of the human anatomy or physiology and comparing them with previously recorded values
- Problem: humans change over time
20 Concepts
- Physical
  - DNA
  - Face
  - Fingerprint
  - Iris
  - Hand geometry
- Behavioral
  - Voice
  - Signature verification
21 Conventional biometrics
- Face recognition (ID cards)
  - The oldest and probably most accepted method
  - Average security result of studies
- Handwritten signatures
  - Highly accepted in Europe
  - Good enough security
22 Fingerprints
- Look at the friction ridges that cover the fingertips
  - Geometry of branches and end points (commonly 16)
  - Pores of the skin
- Easy to deploy, relatively limited resistance
- Problems
  - There is a statistical probability of mismatch; the number of variations is limited
  - Fingerprints are mostly noisy
  - Alteration is easy
23 Iris scan
- Patterns in the iris are recognized
- Iris codes provide the lowest false accept rates of any known system (US study)
- Problems
  - Getting people to put their eye into a scanner
  - Systems might be vulnerable to simple photographs
24 Problems with biometrics
- Not exact enough
  - False positives and false negatives are common
- Technically difficult
  - The technology is new
- Privacy problems
  - Sicknesses can be recognized
- Social problems
  - Usage of the system
- Revelation generates problems
  - Data leaks out incidentally
  - When the use becomes widespread your data will be known by a lot of people
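"Not exact enough" has a standard measurement behind it: a biometric matcher produces a similarity score, the system accepts above a threshold, and moving the threshold trades the false accept rate (impostors let in) against the false reject rate (genuine users turned away), which is why the "lowest false accept rate" of slide 23 is only half the picture. The following Python code is an added example, not from the slides; the genuine and impostor scores are constructed, and a real evaluation would use thousands of comparisons.

```python
# Constructed matcher scores in 0..1 (higher = more similar). "Genuine" are
# comparisons of a person against their own enrolled template, "impostor"
# are comparisons against somebody else's template.
GENUINE = [0.91, 0.88, 0.79, 0.83, 0.62, 0.95, 0.74, 0.87, 0.69, 0.90]
IMPOSTOR = [0.12, 0.33, 0.41, 0.27, 0.58, 0.19, 0.66, 0.23, 0.36, 0.48]


def far(impostor, threshold):
    """False accept rate: fraction of impostor comparisons scored at or
    above the acceptance threshold (a false positive of the system)."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def frr(genuine, threshold):
    """False reject rate: fraction of genuine comparisons scored below the
    threshold (a false negative: the right person is turned away)."""
    return sum(score < threshold for score in genuine) / len(genuine)


def rates_at(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) for one threshold: raising it lowers FAR and raises FRR."""
    return far(impostor, threshold), frr(genuine, threshold)


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Scan thresholds and return the first one where FAR and FRR are
    closest; the rate there is the equal error rate used to compare systems."""
    best_t, best_gap = None, None
    for i in range(steps + 1):
        t = i / steps
        gap = abs(far(impostor, t) - frr(genuine, t))
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8):
        print(f"threshold {t:.2f}: FAR={rates_at(t)[0]:.2f} FRR={rates_at(t)[1]:.2f}")
    print("equal error threshold:", equal_error_threshold())
```

A door to a server room is tuned towards a low FAR and accepts the resulting rejections; a phone unlock is tuned the other way. Because a genuine user's score drifts as the person changes over time (slide 19), the FRR of a deployed system rises unless templates are re-enrolled.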
25 Single sign-on
- Only one sign-on for all applications
- Techniques
  - Save the password (but how?)
  - Issue a ticket
- Trends
  - Identity management systems
26 Identity management: types of IdM (systems)
- There are hybrid systems that combine characteristics
27 Identity is changing
- IT puts more high tech on ID cards
  - Biometrics to bind them closer to a human being
  - Chips to add services (such as a PKI)
- Profiles may make the traditional ID concept obsolete
  - People are represented not by numbers or ID keys any more, but by data sets
  - Identities become a fuzzy thing
- New IDs and ID management systems are coming up
  - Mobile communication (GSM) has introduced a globally interoperable ID token, the Subscriber Identity Module
  - eBay lets people trade using pseudonyms
- Europe (the EU) considers joint ID and ID management systems
  - European countries have different traditions on identity card use
  - Compatibility of ID systems is not trivial
- Work on new standards for identity management systems and entity authentication has been initiated by ISO and ITU
28 Identity concepts: partial identities illustrated
[Figure: a person's attributes (name, nickname, address, phone number, birthdate, marital status, blood group, health status, education, foreign languages, capabilities, hobbies, (dis)likes, denomination, salary, income, tax status, account number, credit cards, insurance) and the partial identities (identities management, shopping, leisure, anonymity) that each disclose only a subset of them]
29 Changing borders of (partial) identities
[Figure: the same attribute set as on slide 28; the borders between the partial identities (shopping, leisure, anonymity) are blurring]
30 Changing borders of (partial) identities (cont.)
[Figure: the same attribute set; the partial identities now comprise communication and contacts, shopping, leisure and anonymity]
31 Questions?