User authentication - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

User authentication

Description:

Title: User authentication Author: lewism Last modified by: lewism Created Date: 7/6/2004 8:31:41 PM Document presentation format: On-screen Show Company – PowerPoint PPT presentation

Number of Views:96
Avg rating:3.0/5.0
Slides: 25
Provided by: lew5
Learn more at: https://cs.nyu.edu
Category:

less

Transcript and Presenter's Notes

Title: User authentication


1
User authentication
  • How do we know that someone really is who they
    claim to be?

2
  • In the days of yore (typically, the era of your
    grandparents) a handshake was good enough to back
    up a deal a persons reputation was developed
    over time as he or she became known in the
    community however, as a community becomes
    larger, and distance greater, it becomes
    necessary to provide formal documents that
    vouchsafe identity and character.

3
Documentary proof of identity
  • The usual documents include
  • Birth certificate
  • Drivers license (or alternative)
  • Passport
  • Along with others college id, credit card, even
    utility bills!
  • (What is needed to open a bank account now?)

4
  • How reliable are such documents, in and of
    themselves? In the aggregate?
  • consider, if you were so inclined, how could
    you build an alternate identity?

5
  • The Internet community is too large for people
    to know everyone else directly, and on-line
    identities such as ImAGoodGuy can be changed
    readily the face-to-face methods arent
    available here to ascertain who someone is, how
    reliable they are, and what level of privilege is
    available to them.

6
  • The primary means to ascertain identity on
    computing systems is by means of a user ID and
    associated password or Personal Identification
    Number (PIN).

7
  • A login to a network computer account requires an
    ID and password, as does a dial-up session to an
    Internet Service Provider. Need some cash from
    an ATM? This, too, requires a card (with an
    account number) and associated password.

8
  • The use of passwords as the sole means of
    regulating access is a notoriously weak method of
    authentication. People choose passwords that are
    easy to remember, which generally means that they
    choose words or names that are familiar. This
    practice restricts the range of passwords to a
    fraction of what is possible, and by choosing
    passwords that might be found in a dictionary
    they become much more vulnerable to the most
    common techniques of computer hacking.

9
Improving password security
  • Disallow dictionary-based passwords
  • Require combinations of upper and lower case
    letters
  • Include non-alphabetic characters
  • Require a minimum of, say, eight characters in
    a password, as short passwords are easier to
    crack
  • Limit the number of unsuccessful login attempts

10
  • Implement a password expiration program such
    that passwords expire at intervals (perhaps every
    thirty days, or even every day or after each
    transaction)
  • Implement challenge and response strategies
    that require users to periodically reenter
    passwords (either the original or second-level
    personal data) during active secure sessions

11
  • Ensure that passwords are encrypted for
    transmission across networks
  • Implement a physical security inspection process
    that prevents post-it problems and related
    physical security leaks

12
  • Given that the password mechanism is so common,
    protecting everything from our computer files to
    our bank accounts, it is easy to overlook the
    fact that passwords dont authenticate users at
    all they merely indicate that someone knows the
    password! There is no actual verification that
    the person entering the code really is the person
    that they claim to be.

13
  • This is a staggering realization. Our most
    common method of user authentication does not
    really authenticate the users!

14
Biometrics
  • Situations and environments requiring high levels
    of security now rely on biometric methods to
    verify identity, with statistically higher levels
    of confidence methods include fingerprinting,
    hand-scans, voice prints, retina scans, even DNA
    data.

15
  • Not all such techniques migrate readily to the
    Internet environment why not?
  • Whatever method is chosen for the authentication
    of users, it should be relatively non-obtrusive,
    and, ideally, transparent to the user unless
    the hassle factor is part of the security
    strategy!

16
Online biometrics
  • One approach that is quite intriguing is that of
    keystroke dynamics. Consider that a weakness
    with the existing password system is that anyone
    can type in a correct password and gain admission
    to the system.
  • Suppose, however, that the way that you type
    your password is also retained every time you log
    in how long it takes to enter the password, the
    duration of each keystroke, and the delay between
    successive keystrokes.

17
  • Initially, the system is loose, allowing some
    variability in the entry, but as time goes on the
    data establishes a tighter range of acceptable
    patterns, and in so doing increases the
    probability that the person entering the password
    is the same one, every time. The user might
    never know that the system is in place, at least
    until the usual pattern is broken and the login
    rejected.

18
  • Early research suggests that keyboard dynamics,
    that is, the way that a user enters a password,
    can be more discriminating than the use of
    fingerprinting!
  • Similarly, graphical passwords have the same
    characteristics. Suppose that the authentication
    process requires that you physically write or
    draw your password. It would be difficult for a
    person to replicate someone elses drawing, and
    even more difficult to draw it in the same way,
    with the identical sequence of pen strokes and
    flourishes.

19
  • the use of biometric techniques and the resulting
    stronger authentication associated with their use
    would prevent now-routine practices such as
    checking the e-mail of a co-worker while
    traveling, but then there are other, more
    reliable and accountable methods involving shared
    access privileges that would re-enable that sort
    of activity.

20
  • There is also the problem that any type of remote
    authentication has certain risks of
    man-in-the-middle sniffing and related replay
    attacks, such that prior login attempts might be
    captured and successfully resubmitted, but these
    too can be addressed using other methods
    involving time stamps and sequencing information.
  •  

21
  • And theres always the possibility that if the
    biometric patterns are too rigidly enforced, an
    extra cup of coffee on the way to work might
    prevent a user from accessing his or her own
    account.

22
  • The need for user authentication commensurately
    increases as the degree to which users access
    privileged information or conduct financial
    transactions increases. A solution that requires
    a high level of confidence in the user
    authentication process will likely use several
    techniques in concert, so as to raise the
    probability of accurate authentication as close
    to 100 as is possible.

23
  • An interesting early paper on user authentication
    through keystroke analysis is Fabian Monrose and
    Avi Rubin. Authentication via keystroke dynamics.
    In Proceedings of the 4th ACM Conference on
    Computer and Communications Security, pages
    48-56, April 1997.

24
  • Graphical passwords are explored in I. Jermyn,
    A. Mayer, F. Monrose, M. Reiter, A. Rubin, "The
    Design and Analysis of Graphical Passwords," In
    Proceedings of the 8th USENIX Security Symposium,
    Washington, D.C., August 1999.
Write a Comment
User Comments (0)
About PowerShow.com