Authentication - PowerPoint PPT Presentation

Slides: 32
Provided by: AlbinZ1

Transcript and Presenter's Notes

Title: Authentication


1
Authentication
2
Authentication
  • Most technical security safeguards have
    authentication as a precondition
  • How to authenticate

3
The authentication process
  • Identify
  • Either by claim or by recognizing
  • Authenticate
  • Prove
  • Ask the user for credentials
  • Verification
  • Verify these credentials
  • Authorization
  • Mark the user as authenticated
  • Commonly here also the AC rights are assigned

4
Password
  • A secret (word) known by the user and the system

5
Password
  • Username
  • Some name under which the user is known to the
    system; hardly secret
  • Secret Password
  • The secret connected to the user name

6
Entropy for passwords
  • Entropy represents the uncertainty of the
    password
  • This represents how likely it is to guess the
    password
  • The entropy is calculated from the reciprocal
    probability of each observed character in the
    password
  • $H = -\sum_i p_i \,\mathrm{ld}\, p_i$ (ld: logarithm to base 2)
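
The entropy formula on this slide, applied to the observed characters of a few constructed sample passwords. This is an added example, not part of the original presentation; the function names and sample strings are assumptions. It also shows that the per-character measure rates `qwerty` and `123456` exactly like any six distinct characters, so it does not replace the pattern and dictionary checks.

```python
import math
from collections import Counter

def char_entropy(password: str) -> float:
    """Per-character entropy in bits over the observed characters.

    Uses the reciprocal form H = sum(p_i * ld(1 / p_i)), which equals
    -sum(p_i * ld p_i); ld is the logarithm to base 2.
    """
    if not password:
        return 0.0
    n = len(password)
    counts = Counter(password)
    return sum((c / n) * math.log2(n / c) for c in counts.values())

def total_bits(password: str) -> float:
    """Per-character entropy times length: estimate for the whole string."""
    return char_entropy(password) * len(password)

# Constructed sample passwords (not taken from the presentation).
SAMPLES = ["aaaaaaaa", "abababab", "qwerty", "123456", "Tr7#kLp2!x"]

def report(samples=SAMPLES):
    """Return (password, bits per character, total bits) for each sample."""
    return [(pw, round(char_entropy(pw), 3), round(total_bits(pw), 1))
            for pw in samples]

if __name__ == "__main__":
    for pw, h, bits in report():
        print(f"{pw!r:14} H={h:<6} total={bits} bits")
```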

7
Good and bad passwords
  • Linkable names (own, child's, ...)
  • Linkable numbers (telephone, birthdays, ...)
  • Related words (like the car -> Ferrari)
  • Common words from dictionaries
  • Common patterns (qwerty, 123456, ...)
  • Fashion words
  • Containing big and small letters
  • Containing numbers and special characters
  • > 8 characters
  • Can be written fast
  • First 3 prevent the search
  • 4 is to prevent observation

8
Password verification
  • Compare the input with a stored value
  • Passwords need to be stored
  • Plain
  • Encrypted
  • One way
  • Bi-directional
  • Passwords need to be transferred
  • Plain
  • Encrypted

9
Security of Passwords
  • Security is based mainly on the user but also on how
    it is implemented in the system
  • Systems can implement additional functions to
    harden passwords

10
Attacks against password systems
  • Test all possible passwords
  • Guess likely words: lexical attacks
  • Rainbow tables
  • Social engineering
  • Looking for the system's password list
  • Attacking the authentication mechanism
  • Ask the user

11
Ways to harden
  • Limited number of tries
  • Wrong inputs slow down the process
  • Challenge-response
  • Authorize also the system
  • Combining different systems
  • Harden the process
  • Require passwords with high entropy
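
One way to combine one-way password storage with two of the hardening measures listed above (limited number of tries, wrong inputs slow down the process). This is an added example, not part of the original presentation; the class name, the PBKDF2 work factor, the try limit and the delay schedule are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune to your hardware
MAX_TRIES = 5         # assumed limit before the account is locked

class PasswordStore:
    def __init__(self):
        self._records = {}   # user -> (salt, one-way derived key); no plaintext kept
        self._failures = {}  # user -> consecutive wrong inputs

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def enroll(self, user, password):
        salt = os.urandom(16)  # per-user salt defeats precomputed (rainbow) tables
        self._records[user] = (salt, self._derive(password, salt))
        self._failures[user] = 0

    def delay_for(self, user):
        """Seconds the caller must wait before the next try: 1, 2, 4, ... max 60."""
        failures = self._failures.get(user, 0)
        return 0 if failures == 0 else min(2 ** (failures - 1), 60)

    def verify(self, user, password):
        if self._failures.get(user, 0) >= MAX_TRIES:
            return "locked"
        # Unknown users still cost one derivation, so timing does not reveal them.
        salt, stored = self._records.get(user, (b"\x00" * 16, b""))
        candidate = self._derive(password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time comparison
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "denied"
```

The store only reports the delay; the login front end is expected to enforce it before accepting the next attempt.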

12
One time passwords
  • A password is only valid once
  • Techniques
  • Transaction numbers (TAN)
  • Hashed with time stamp
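
A sketch of the "hashed with time stamp" technique together with the "only valid once" rule. This is an added example, not part of the original presentation; it uses a keyed hash (HMAC-SHA-256) over a 30-second time step as a simplified construction, not a standardized OTP algorithm, and all names, the step size and the sample secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds during which one code is current (assumed)

def otp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """Code for the time step containing `timestamp`: keyed hash of the step."""
    counter = timestamp // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class OtpVerifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        """Accept the current step or `window` earlier steps, each at most once."""
        current = now // STEP
        for step in range(current - window, current + 1):
            if step <= self.last_step:
                continue  # this step (or a later one) was already used
            expected = otp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step  # burn the code: valid only once
                return True
        return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    v = OtpVerifier(secret)
    code = otp(secret, 1_000_000)
    print(v.verify(code, 1_000_010), v.verify(code, 1_000_012))
```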

13
Cryptographic techniques
  • Cryptography for authentication purposes
  • Popular techniques
  • Kerberos
  • Certificates X.509
  • Challenge-response systems
  • Problems
  • Complex
  • Infrastructure dependent

14
Security token
  • Something you have
  • Popular Representative
  • Cryptographic Token
  • SmartCards
  • Problems
  • Costly
  • Technical Infrastructure

15
Smart Cards
  • A card with a chip
  • Not necessarily for authentication
  • Different types
  • ROM Cards
  • EEPROM Cards
  • Microprocessor cards

16
Smart cards
  • Prominent Examples
  • Bank cards
  • Credit cards
  • Mobile phone cards

17
Attacks against Smart cards
  • Protocol attacks
  • the communication between the smart card and the
    card reader
  • Blocking signaling
  • block Signals (for example erase signals)
  • Freeze or reset the card
  • make the content of the RAM readable

18
Attacks against Smart cards
  • Physical Probing
  • reading data directly from the hardware
  • Damage part of the chip
  • for example the address counter
  • Reverse engineering
  • reveal the chip design and gain knowledge
  • Power analysis
  • Measure the difference in power consumption

19
Biometrics
  • The security relies on the property of a human
    being
  • Measuring some aspects of the human anatomy or
    physiology and compare it with previously
    recorded values
  • Problems: Humans change over time

20
Concepts
  • Physical
  • DNA
  • Face
  • Fingerprint
  • Iris
  • Hand geometry
  • Behavioral
  • Voice
  • Signature Verification

21
Conventional biometrics
  • Face recognition - ID Cards
  • The oldest and probably most accepted method
  • Average security (result of studies)
  • Handwritten signatures
  • Highly accepted in Europe
  • Good enough security

22
Fingerprints
  • Look at the friction ridges that cover fingertips
  • Branches and end points geometry, commonly 16
  • Pores of the skin
  • Easy to deploy and relatively limited resistance
  • Problems
  • There is a statistical probability of mismatch;
    the number of variations is limited
  • Fingerprints are mostly noisy
  • Alteration is easy

23
Iris Scan
  • Patterns in the Iris are recognized
  • Iris codes provide the lowest false accept rates
    of any known system (US study)
  • Problems
  • Get people to put their eye into a scanner
  • Systems might be vulnerable to simple
    photographs

24
Problems with biometrics
  • Not exact enough
  • False positives and Positive False are common
  • Technically difficult
  • The technology is new
  • Privacy problems
  • Sicknesses can be recognized
  • Social problems
  • Usage of system
  • Revelation generates problems
  • Data leak out incidentally
  • When the use becomes widespread your data will be
    known by a lot of people

25
Single Sign-on
  • Only one sign-on for all applications
  • Techniques
  • Save password, but how?
  • Issue a ticket
  • Trends
  • Identity management systems

26
Identity Management: Types of IdM (Systems)
  • There are hybrid systems that combine characteristics
27
Identity is changing
  • IT puts more HighTech on ID cards
  • Biometrics to bind them closer to a human being
  • Chips to add services (such as a PKI)
  • Profiles may make the traditional ID concept
    obsolete
  • People are represented not by numbers or ID keys
    any more but by data sets.
  • Identities become a fuzzy thing.
  • New IDs and ID management systems are coming up
  • Mobile communication (GSM) has introduced a
    globally interoperable ID token: the Subscriber
    Identity Module
  • Ebay lets people trade using pseudonyms.
  • Europe (the EU) considers joint ID and ID
    management systems
  • European countries have different traditions on
    identity card use
  • Compatibility of ID systems is not trivial
  • Work on new standards for identity management
    systems and entity authentication is initiated
    by ISO and ITU

28
Identity Concepts: Partial Identities Illustrated
[Figure. Labels: Anonymity; Identities Management; Shopping; Leisure. Attributes shown: foreign languages, education, address, capabilities, salary, name, income, credit cards, tax status, denomination, account number, birthdate, marital status, hobbies, insurance, nickname, (dis)likes, phone number, health status, blood group]
29
Changing borders of (partial) identities
[Figure: same attributes as on the previous slide. Labels: Anonymity; Shopping; Leisure; Borders are blurring]
30
Changing borders of (partial) identities (cont.)
[Figure: same attributes as on the previous slide. Labels: Anonymity; Communication and contacts; Shopping; Leisure]
31
Questions ?