Outline
- Introduce the concept of user authentication:
  using passwords, using tokens, using biometrics
- Discuss issues related to remote user authentication.
- Present an example of an application and a case study.
The schemes can be used alone or combined. All can provide user authentication. All have issues.
(C) Davar Pishva, 2013
Password Authentication
It is a widely used user authentication method.
- User provides name/login and password.
- System compares the password with the one saved for the specified login.
Password Vulnerabilities
We can identify the following attack strategies against passwords:
- offline dictionary attack
- specific account attack
- popular password attack
- password guessing against a single user
- workstation hijacking
- exploiting user mistakes
- exploiting multiple password use
- electronic monitoring
Countermeasures
The following countermeasures can be taken against password attacks:
- stop unauthorized access to the password file
- intrusion detection measures
- account lockout mechanisms
- policies against using common passwords, requiring hard-to-guess passwords instead
- training and enforcement of policies
- automatic workstation logout
- encrypted network links
UNIX Implementation
Original Scheme
- An 8-character password forms a 56-bit key.
- A 12-bit salt is used to modify DES encryption into a one-way hash function (known as crypt(3)).
- A zero value is repeatedly encrypted 25 times.
- The resulting 64-bit output is translated into an 11-character sequence.
Improved Implementations
Presently there are other, stronger, hash/salt variants:
- Many systems now use MD5 (Message Digest Algorithm 5)
  with a 48-bit salt, no limit on the password length, an inner loop of 1000 iterations, producing a 128-bit hash.
- OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt,
  which uses a 128-bit salt to create a 192-bit hash value.
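The design these variants share (a per-user salt, an iterated one-way function, and a stored record carrying scheme, salt and hash) as an added illustration; this is not the slides' code and not an implementation of crypt(3), MD5-crypt or Bcrypt. It assumes Python's standard-library PBKDF2-HMAC-SHA256, and the iteration count and record format are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for illustration; not the constants quoted on the slides.
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # Iterated one-way function: each guess in an offline dictionary attack
    # must pay for the full iteration count, and the salt means a guess must
    # be recomputed per user rather than looked up in a precomputed table.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def make_record(password: str, salt=None) -> str:
    """Build the password-file entry: scheme$iterations$salt$hash.
    A fresh random salt is drawn unless one is supplied (tests only)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hash_password(password, salt)
    return f"{SCHEME}${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash under the stored salt and iteration count and compare
    in constant time, so the comparison leaks nothing about the stored hash."""
    scheme, iterations, salt_b64, hash_b64 = record.split("$")
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hash_password(password, salt, int(iterations))
    return hmac.compare_digest(actual, expected)
```

Two users who choose the same password get different records, which is exactly what defeats a precomputed dictionary of hashes.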
Password Cracking
Dictionary Attacks
- Try each word, then obvious variants, from a large dictionary of possible passwords against the hashes in the password file.
  It takes a long time.
Password Choices
Users may pick short passwords.
- e.g. a study of 54 machines representing 7000 accounts showed that 3% of the passwords were 3 characters or less, which are easily crackable.
A simple remedy is for the system to reject any password choice that is too short.
Techniques:
- User education
- Computer-generated passwords
- Reactive password checking
- Proactive password checking
- Password Cracker
  Run against the candidate password to make sure that it is not on the disapproved list.
  Consumes significant time and space.
- Markov Model
  Generates guessable passwords; hence reject any password it might generate.
- Bloom Filter
  Used to build a table from the dictionary using hashes. Check the desired password against this table.
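A Bloom filter based proactive checker as an added example (not code from the slides): the disapproved dictionary is hashed into a bit table once, and each candidate password is tested against the table. A filter never misses a dictionary word; its only error is an occasional false positive, which merely rejects a password that was not on the list. The word list, table size and hash count are constructed for the example, and the k positions are derived from slices of one SHA-256 digest rather than k separate hash functions.

```python
import hashlib


class BloomFilter:
    """Bit table over a word list: no false negatives, tunable false positives,
    and far less space than storing the dictionary itself."""

    def __init__(self, n_bits: int, n_hashes: int):
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, word: str):
        # Constructed hashing scheme: slice one SHA-256 digest into 4-byte
        # chunks, one per hash position (supports up to 8 positions).
        digest = hashlib.sha256(word.encode("utf-8")).digest()
        for i in range(self.n_hashes):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.n_bits

    def add(self, word: str) -> None:
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, word: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(word))


# Constructed sample of a disapproved-password dictionary; a real checker loads
# a large cracking dictionary together with common variants.
DISAPPROVED = ["password", "123456", "qwerty", "letmein", "monkey", "dragon"]


def build_filter(words, n_bits: int = 4096, n_hashes: int = 4) -> BloomFilter:
    bf = BloomFilter(n_bits, n_hashes)
    for w in words:
        bf.add(w.lower())
    return bf


def password_acceptable(bf: BloomFilter, candidate: str, min_len: int = 8) -> bool:
    """Proactive check at password-selection time: reject candidates that are
    too short or that the filter reports as (probably) in the dictionary."""
    if len(candidate) < min_len:
        return False
    return not bf.might_contain(candidate.lower())
```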
Token Authentication
Token refers to an object which a user possesses in order to authenticate, e.g.
- Embossed Card
  Raised characters only, on the front, e.g. an old credit card
- Memory Card
  Has electronic memory inside, e.g. a prepaid phone card
- Smartcard
  Has electronic memory and a processor inside, e.g. a biometric ID card
Memory Card
Stores but does not process data.
- Magnetic stripe card, e.g. bank card
- Electronic memory card, e.g. APU student ID
Used alone for physical access; together with a password/PIN for computer use.
Drawbacks of memory cards include:
- Need for a special reader
- Loss of token issues
- User dissatisfaction (e.g. for PC use)
Smartcard
Credit-card like appearance. Has its own processor, memory and I/O ports.
- Wired or wireless access by reader
- May have a crypto co-processor
- ROM, EEPROM, RAM memory
Executes a protocol to authenticate with the reader/computer. An alternative to the smart card is a small, inexpensive flash memory device known as a USB dongle.
Biometric Authentication
Authenticate a user based on one of their physical characteristics.
- Static Characteristics:
  fingerprints, hand geometry, facial characteristics, retinal and iris patterns
- Dynamic Characteristics:
  voiceprint, signature
- Authentication/Verification Phase
  During which templates of newly acquired biometric characteristics are compared with the stored database value for that user for the purpose of authentication or verification.
- Identification Phase
  During which the template of a newly acquired biometric characteristic is compared with the whole set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected.
Biometric Accuracy
The problem with biometrics technology is that the extracted templates are never identical.
- As such, the system uses an algorithm to generate a matching score (typically a single number) that quantifies the similarity between the input and the stored templates.
This results in the problems of false match / false non-match, which are better known as:
- False Reject Rate
- False Accept Rate
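The two rates computed from matching scores, as an added worked example (not from the slides): a decision threshold on the score is applied to genuine attempts by the enrolled user and to impostor attempts, the false reject rate is the share of genuine attempts scored below it, the false accept rate is the share of impostor attempts scored at or above it, and sweeping the threshold finds the equal error rate point. The score lists are constructed for the example; the matcher that produces them is assumed.

```python
# Constructed matching scores (0 = no similarity, 1 = identical) from a toy
# enrolment: attempts by the enrolled user and attempts by impostors.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.95, 0.69, 0.84, 0.73, 0.90, 0.62]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.28, 0.66, 0.39, 0.58, 0.71, 0.35, 0.49]


def false_reject_rate(genuine, threshold: float) -> float:
    """Share of genuine attempts the system wrongly rejects (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold: float) -> float:
    """Share of impostor attempts the system wrongly accepts (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine, impostor, threshold: float):
    return false_reject_rate(genuine, threshold), false_accept_rate(impostor, threshold)


def equal_error_threshold(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return the one
    where FRR and FAR are closest, together with both rates at that point.
    Raising the threshold above it trades more false rejects for fewer false
    accepts; lowering it does the reverse."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1], best[2], best[3]
```

A strict threshold of 0.75 on these scores yields FRR 0.3 and FAR 0.0, a lax one of 0.6 yields FRR 0.0 and FAR 0.2, and the equal error point sits at 0.69 with both rates at 0.1.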
Host Attacks
- These are directed at the user file at the host where passwords, token passcodes, or biometric templates are stored.
Eavesdropping
- An adversary attempts to learn the password by observing the user, finding a written copy of the password, keystroke logging, etc.
Replay
- An adversary repeats a previously captured user response.
Trojan Horse
- An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric.
  The adversary can then use the captured information to masquerade as a legitimate user.
Denial-Of-Service
- Attempts to disable a user authentication service by flooding the service with numerous authentication attempts.
Practical Application
- Discussed issues related to remote user authentication.
- Presented an example of an application and a case study.
Homework
Topic 1
- Page 36
  Review Questions 1.1 to 1.6 (Submit any 5), Problem 1.1
Topic 2
- Pages 70-71
  Review Questions 2.1 to 2.13 (Submit any 5), Problem 2.1
Topic 3
- Page 107
  Review Questions 3.1 to 3.9 (Submit any 5), Problem 3.2