Authentication - PowerPoint PPT Presentation

About This Presentation
Title:

Authentication

Description:

Authentication * * * * Authentication Most technical security safeguards have authentication as a precondition How to authenticate: Location Somewhere you are ... – PowerPoint PPT presentation

Number of Views:148
Avg rating:3.0/5.0
Slides: 32
Provided by: AlbinZ1
Category:

less

Transcript and Presenter's Notes

Title: Authentication


1
Authentication
2
Authentication
  • Most technical security safeguards have
    authentication as a precondition
  • How to authenticate

3
The authentication process
  • Identify
  • Either by claim or by recognizing
  • Authenticate
  • Prove
  • Ask the user for credentials
  • Verification
  • Verify this credentials .
  • Authorization
  • Mark the user as authenticated
  • Commonly here also the AC rights are assigned

4
Password
  • A secret (word) know by the user and the system

5
Password
  • Username
  • Some name under which the user is known to the
    system hardly secret
  • Secret Password
  • The secret connected to the user name

6
Entropy for passwords
  • Entropy represents the uncertainty of the
    password
  • This represents how likely it is to guess the
    password
  • The entropy is calculated from the reciprocal
    probability of each observed character in the
    password
  • H -S pi ld pi

7
Good and bad passwords
  • Linkable names (own, child's,...)?
  • Linkable numbers (telephone, birthdays, )?
  • Related words (like the car -gt Ferrari)?
  • Common words from dictionaries
  • Common patterns (qwerty, 123456, )?
  • Fashion words
  • Containing big an small letters
  • Containing numbers and special characters
  • gt 8 characters
  • Can be written fast
  • First 3 prevent the search
  • 4 is to prevent observation

8
Password verification
  • Compare the input with a stored value
  • Passwords need to be stored
  • Plain
  • Encrypted
  • One way
  • Bi-directional
  • Passwords need to be transferred
  • Plain
  • Encrypted

9
Security of Passwords
  • Security is based mainly on the user but also how
    it is implemented in the system
  • Systems can implement additional functions to
    harden passwords

10
Attacks against passwordsystems
  • Test all possible passwords
  • Guess likely words lexical attacks
  • Rainbow tables
  • Social engineering
  • Looking for the systems password list
  • Attacking the authentication mechanism
  • Ask the user

11
Ways to harden
  • Limited number of tries
  • Wrong inputs slow down the process
  • Challenge Respond
  • Authorize also the system
  • Combining different systems
  • Harden the process
  • Require passwords with high entropy

12
One time passwords
  • A password is only valid ones
  • Technqiues
  • Transaction numbers (TAN)?
  • Hashed with time stamp

13
Cryptographic techniques
  • Cryptography for authentication purpose
  • Popular techniques
  • Kerberos
  • Certificates X.509
  • Challenge Respond Systems
  • Problems
  • Complex
  • Infrastructure dependent

14
Security token
  • Something you have
  • Popular Representative
  • Cryptographic Token
  • SmartCards
  • Problems
  • Costly
  • Technical Infrastructure

15
Smart Cards
  • A card with a chip
  • Not necessarily for authentication
  • Different types
  • ROM Cards
  • EEPROM Cards
  • Microprocessor cards

16
Smart cards
  • Prominent Examples
  • Bank cards
  • Credit cards
  • Mobile phone cards

17
Attacks against Smart cards
  • Protocol attacks
  • the communication between the smart card and the
    card reader
  • Blocking signaling
  • block Signals (for example erase signals)
  • Freeze or reset the card
  • make the content of the RAM readable

18
Attacks against Smart cards
  • Physical Probing
  • reading data directly from the hardware
  • Damage part of the chip
  • for example the address counter
  • Reverse engineering
  • reveal the chip design and gain knowledge
  • Power analysis
  • Measure the difference in powerconsumption

19
Biometrics
  • The security relies on the property of a human
    being
  • Measuring some aspects of the human anatomy or
    physiology and compare it with previously
    recorded values
  • Problems Humans change over time

20
Concepts
  • Physical
  • DNA
  • Face
  • Fingerprint
  • Iris
  • Hand geometry
  • Behavioral
  • Voice
  • Signature Verification

21
Conventional biometrics
  • Face recognition - ID Cards
  • The oldest and probably most accepted method
  • Average security result of studies
  • Handwritten signatures
  • Is in Europe highly accepted
  • Good enough security

22
Fingerprints
  • Look at the friction ridges that cover fingertips
  • Branches and end points geometry commonly 16
  • Pores of the skin
  • Easy to deployed and relative limited resistance
  • Problems
  • There is a statistical probability of mismatch
    the number of variation is limited
  • Fingerprints are mostly noisy
  • Alteration is easy

23
Iris Scan
  • Patterns in the Iris are recognized
  • Iris codes provide the lowest false accept rates
    of any known system US Study
  • Problems
  • Get people to put there eye into a scanner
  • Systems might be vulnerable to simple
    photography's

24
Problems with biometrics
  • Not exact enough
  • False positives and Positive False are common
  • Technical difficult
  • The technology is new
  • Privacy problems
  • Sicknesses can be recognized
  • Social problems
  • Usage of system
  • Revelation generates problems
  • Data leak out incidentally
  • When the use become widespread your data will be
    known by a lot of people

25
Singel Sign-on
  • Only one sign-on for all applications
  • Techniques
  • Save password but how
  • Issue a ticket
  • Trends
  • Identity managment systems

26
Identity Management Types of IdM (Systems)?
? There are hybrid systems that combine
characteristics
27
Identity is changing
  • IT puts more HighTech on ID cards
  • Biometrics to bind them closer to a human being
  • Chips to add services (such as a PKI)?
  • Profiles may make the traditional ID concept
    obsolete
  • People are represented not by numbers or ID keys
    any more but by data sets.
  • Identities become a fuzzy thing.
  • New IDs and ID management systems are coming up
  • Mobile communication (GSM) has introduced a
    globally interoperable ID token the Subscriber
    Identity Module
  • Ebay lets people trade using Pseudonyms.
  • Europe (the EU) consider joint ID and ID
    management systems
  • European countries have different traditions on
    identity card use
  • Compatibility of ID systems is not trivial
  • Work on new standards for Identity management
    systems and entity authentication are initiated
    by ISO and ITU

28
Identity Concepts Partial Identities Illustrated
Anonymity
foreign
languages
education address
capabilities
salary
name
income credit cards
tax status
denomination account number


birthdate marital status
hobbies

insurance nickname
(dis)likes

phone number health
status
blood group
Identities Management
Shopping
Leisure
29
Changing borders of (partial) identities
Anonymity
foreign
languages
education address
capabilities
salary
name
income credit cards
tax status
denomination account number


birthdate marital status
hobbies

insurance nickname
(dis)likes

phone number health
status
blood group
Shopping
Borders are blurring
Leisure
30
Changing borders of (partial) identities (cont.)?
Anonymity
foreign
languages
education address
capabilities
salary
name
income credit cards
tax status
denomination account number


birthdate marital status
hobbies

insurance nickname
(dis)likes

phone number health
status
blood group
Communication and contacts
Shopping
Leisure
31
Questions ?
Write a Comment
User Comments (0)
About PowerShow.com