Topic 3 User Authentication

Outline
- Introduce the concept of user authentication:
    using passwords
    using tokens
    using biometrics
- Discuss issues related to remote user authentication.
- Present an example of an application and a case study.

(C) Davar Pishva, 2013

Security and Information System Management

What is User Authentication?

Definition
- It is the process of verifying an identity claimed by or for a system entity.
- It is the fundamental building block and the first line of defense.
  It is the basis of access control and user accountability.
- It has two steps:
    identification - specify an identifier
    verification - bind the entity (person) and the identifier
- It is distinct from message authentication.


Means of User Authentication


There are four means of authenticating a user's identity, based on something the individual:
- knows - e.g. password, PIN
- possesses - e.g. key, token, smartcard
- is (static biometrics) - e.g. fingerprint, retina
- does (dynamic biometrics) - e.g. voice, signature
The schemes can be used alone or combined. All can provide user authentication. All have issues.

Password Authentication
It is a widely used user authentication method.
- The user provides a name/login and password.
- The system compares the password with that saved for the specified login.
It authenticates the ID of the user logging in and
- that the user is authorized to access the system.
- It determines the user's privileges.
- It is used in discretionary access control.

Password Vulnerabilities
We can identify the following attack strategies against passwords:
- offline dictionary attack
- specific account attack
- popular password attack
- password guessing against a single user
- workstation hijacking
- exploiting user mistakes
- exploiting multiple password use
- electronic monitoring

Countermeasures
The following countermeasures can be taken against password attacks:
- stop unauthorized access to the password file
- intrusion detection measures
- account lockout mechanisms
- policies against using common passwords, requiring hard-to-guess passwords instead
- training and enforcement of policies
- automatic workstation logout
- encrypted network links

Use of Hashed Passwords


This is a widely used password security technique. It combines the user password with a fixed-length salt value, which is
- related to the time the password is assigned to the user (old systems).
- a pseudorandom or random number (newer systems).
There are two threats to this password scheme.
- Gain access to the machine.
- Obtain a copy of the password file.

UNIX Implementation
Original Scheme
- 8 character password forms a 56-bit key
- 12-bit salt used to modify DES encryption into a one-way hash function (known as crypt(3))
- 0 value repeatedly encrypted 25 times
- resulting 64-bit output is translated to an 11 character sequence.
Now regarded as woefully insecure
- e.g. supercomputer, 50 million tests, 80 min
- anyone should be able to do the same in a few months using a PC.
Sometimes still used for compatibility.


Improved Implementations
Presently there are other, stronger, hash/salt variants:
- Many systems now use MD5 (Message Digest Algorithm 5)
  with a 48-bit salt, no limit on the password length, hashed with a 1000-iteration inner loop, producing a 128-bit hash.
- OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt,
  which uses a 128-bit salt to create a 192-bit hash value.
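
Worked example added here (not from the slides): the per-user salt plus iterated hash pattern that the MD5 and Bcrypt variants above follow, with verification against the stored record. PBKDF2-HMAC-SHA256 from the Python standard library stands in for those algorithms; the salt length and iteration count are assumed values.

```python
# Added example (not from the slides): per-user salted, iterated password
# hashing and verification, the pattern the MD5 and bcrypt variants above
# follow. PBKDF2-HMAC-SHA256 from the standard library stands in for them;
# the salt length and iteration count are assumed values.
import hashlib
import hmac
import secrets

SALT_BYTES = 16        # 128-bit salt, as in bcrypt
ITERATIONS = 100_000   # inner-loop count; slows each offline guess

def hash_password(password, salt=None, iterations=ITERATIONS):
    # Returns the record to store: 'salt$iterations$hash' (hex, decimal, hex).
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"

def verify_password(password, record):
    # Recompute with the stored salt and count; constant-time compare.
    salt_hex, iters, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), stored_hex)

def same_password_different_records(password):
    # Two users choosing the same password get unrelated hashes, so a table
    # precomputed for one salt (a rainbow table) says nothing about the other.
    a, b = hash_password(password), hash_password(password)
    return a.split("$")[2] != b.split("$")[2]

if __name__ == "__main__":
    rec = hash_password("correct horse")
    print(rec)
    print(verify_password("correct horse", rec))             # True
    print(verify_password("wrong horse", rec))               # False
    print(same_password_different_records("correct horse"))  # True
```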

Password Cracking
Dictionary Attacks
- Try each word, then obvious variants, from a large dictionary of possible passwords against the hashes in the password file.
  It takes a long time.
Rainbow Table Attacks
- Precompute tables of hash values for all salts.
- Generate a mammoth table of hash values.
  It requires large storage, but a 1.4GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 secs.
- Not feasible if larger salt values are used.

Password Choices
Users may pick short passwords
- e.g. the result of a study on 54 machines representing 7000 accounts showed that 3% of the passwords were 3 chars or less, easily crackable.
  A simple remedy is for the system to reject any password choice that is too short.
Users may pick guessable passwords
- This makes the job of password cracking straightforward; crackers use lists of likely passwords.
- e.g. one study of 14000 encrypted passwords guessed nearly 1/4 of them.
  It took about 1 hour on a fast system to compute all variants.
  1 break is enough to gain a wide range of privileges on a system!

Password File Access Control


One way to thwart a password attack is to deny the opponent access to the password file.
- Make it available only to privileged users.
- Often using a separate shadow password file.
Still has vulnerabilities:
- Exploit an O/S bug to bypass the access control system.
- Accident with permissions making it readable.
- Users with the same password on other systems.
- Access from unprotected backup media.
- Sniff passwords in unprotected network traffic.

Using Better Passwords


We clearly have problems with passwords. Our goal is:
- Eliminate guessable passwords and
- make them easy for the user to remember.
Techniques:
- User education
- Computer-generated passwords
- Reactive password checking
- Proactive password checking

Proactive Password Checking


Possible approaches to proactive password checking:
- Rule enforcement plus user advice, e.g.
  8+ chars, upper/lower/numeric/punctuation;
  may not suffice.
- Password Cracker
  To make sure that it is not on the disapproved list.
  Consumes significant time and space.
- Markov Model
  Generates guessable passwords. Hence reject any password it might generate.
- Bloom Filter
  Used to build a table from the dictionary using hashes. Check the desired password against this table.
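
Worked example added here (not from the slides): a proactive password checker that applies the rule enforcement above and then consults a Bloom filter built from a disapproved-password dictionary, so the check costs a few hashes rather than a full cracking run. The word list, table size and hash count are constructed for illustration.

```python
# Added example, not from the slides: a proactive checker that combines the
# rule check above with a Bloom filter built from a disapproved-password list.
import hashlib
import string
DISAPPROVED = ["password", "letmein", "qwerty", "welcome", "monkey",
               "dragon", "iloveyou", "football", "abc123", "123456"]

class BloomFilter:
    # Bit array plus k hash indices per word. A lookup may give a false positive
    # (a good password is occasionally refused) but never a false negative.
    def __init__(self, bits=4096, k=4):
        self.bits, self.k = bits, k
        self.table = bytearray(bits // 8)

    def _positions(self, word):
        digest = hashlib.sha256(word.encode()).digest()  # 32 bytes -> k indices
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.bits
                for i in range(self.k)]

    def add(self, word):
        for p in self._positions(word):
            self.table[p // 8] |= 1 << (p % 8)

    def probably_contains(self, word):
        return all(self.table[p // 8] & (1 << (p % 8))
                   for p in self._positions(word))

def meets_rules(password):
    # 8+ chars with upper, lower, digit and punctuation all present.
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(password) >= 8 and all(any(c in cls for c in password)
                                      for cls in classes)

def stem(password):
    # 'LetMeIn!2024' -> 'letmein': the obvious variant a cracker tries first.
    return password.lower().strip(string.digits + string.punctuation)

def build_filter(words):
    bf = BloomFilter()
    for w in words:
        bf.add(w.lower())
    return bf

def check_password(password, bf):
    # Returns 'ok' or the reason the checker rejects the choice.
    if not meets_rules(password):
        return "rejected: composition rules"
    if bf.probably_contains(password.lower()) or bf.probably_contains(stem(password)):
        return "rejected: on disapproved list"
    return "ok"
```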

Token Authentication
Token refers to an object which a user possesses to authenticate, e.g.
- Embossed Card
  Raised characters only, on front, e.g. old credit card
- Magnetic Stripe Card
  Magnetic bar on back, characters on front, e.g. bank card
- Memory Card
  has electronic memory inside, e.g. prepaid phone card
- Smartcard
  has electronic memory and processor inside, e.g. biometric ID card

Memory Card
Stores but does not process data
- Magnetic stripe card, e.g. bank card
- Electronic memory card, e.g. APU student ID
Used alone for physical access; together with a password/PIN for computer use.
Drawbacks of memory cards include:
- Need a special reader
- Loss of token issues
- User dissatisfaction (e.g. for PC use)

Smartcard
Credit-card like appearance. Has its own processor, memory and I/O ports:
- Wired or wireless access by reader
- May have a crypto co-processor
- ROM, EEPROM, RAM memory
Executes a protocol to authenticate with the reader/computer. An alternative to the smart card is a small, inexpensive flash memory device known as a USB dongle.

Biometric Authentication
Authenticates a user based on one of their physical characteristics
- Static Characteristics:
  fingerprints, hand geometry, facial characteristics, retinal and iris patterns
- Dynamic Characteristics:
  voiceprint, signature.

Operation of a Biometric System


During operation,
- the system senses some biometric characteristic of this user (e.g. fingerprint of right index finger), and
- extracts its useful data range (template).
The operation can be divided into:
- Enrollment Phase
  During which the extracted templates are stored in a database.
- Authentication/Verification Phase
  During which templates of newly acquired biometric characteristics are compared with the database value for the purpose of authentication or verification.
- Identification Phase
  During which the template of a newly acquired biometric characteristic is compared with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected.

Biometric Accuracy
The problem with biometric technology is that the extracted templates are never identical.
- As such, the system uses an algorithm to generate a matching score (typically a single number) that quantifies the similarity between the input and the stored templates.
This results in the problems of false match / false non-match, which are better known as:
- False Reject Rate
- False Accept Rate
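
Worked example added here (not from the slides): computing the False Reject Rate and False Accept Rate from matching scores at a chosen threshold, and sweeping thresholds to find where the two rates meet. The score lists are constructed; scores are assumed to be similarities in [0, 1], higher meaning more alike.

```python
# Added example (not from the slides): FRR and FAR from matching scores.
# GENUINE holds scores from the enrolled user, IMPOSTOR from other people;
# both lists are constructed for illustration.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.70, 0.84, 0.62, 0.90, 0.77, 0.86]
IMPOSTOR = [0.31, 0.55, 0.12, 0.66, 0.40, 0.73, 0.22, 0.48, 0.35, 0.58]

def error_rates(genuine, impostor, threshold):
    # A match is declared when score >= threshold.
    # FRR: fraction of genuine attempts rejected (false non-match).
    # FAR: fraction of impostor attempts accepted (false match).
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def equal_error_threshold(genuine, impostor):
    # Sweep every observed score as a candidate threshold and return the one
    # where |FRR - FAR| is smallest, with the two rates at that point.
    # Raising the threshold above it lowers FAR at the cost of a higher FRR.
    best = None
    for t in sorted(set(genuine + impostor)):
        frr, far = error_rates(genuine, impostor, t)
        if best is None or abs(frr - far) < best[0]:
            best = (abs(frr - far), t, frr, far)
    return best[1], best[2], best[3]

if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        print(t, error_rates(GENUINE, IMPOSTOR, t))
    print(equal_error_threshold(GENUINE, IMPOSTOR))   # (0.7, 0.1, 0.1)
```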

Remote User Authentication


Refers to authentication over a network, which is more complex due to:
- problems of eavesdropping and replay.
Generally uses a challenge-response scheme:
- user sends identity
- host responds with a random number r
- user computes f(r, h(P)) and sends it back
- host compares the value from the user with its own computed value; if they match, the user is authenticated.
The scheme protects against a number of attacks.
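
Worked example added here (not from the slides): the four challenge-response steps above with both the user and the host in code, plus a check that a captured response cannot be replayed in a later session. Assumed choices: h(P) is SHA-256 of the password, f(r, h(P)) is HMAC-SHA256 keyed with h(P), and the host stores only h(P).

```python
# Added example, not from the slides: the challenge-response steps above with
# both sides in code. Assumed: h(P) is SHA-256 of the password, f(r, h(P)) is
# HMAC-SHA256 keyed with h(P), the host stores only h(P); calls stand in for messages.
import hashlib
import hmac
import secrets

def h(password):
    return hashlib.sha256(password.encode()).digest()
def f(r, hp):
    return hmac.new(hp, r, "sha256").digest()

class Host:
    def __init__(self):
        self.users = {}    # identity -> h(P); the password itself is never stored
        self.pending = {}  # identity -> outstanding challenge r

    def register(self, identity, password):
        self.users[identity] = h(password)

    def challenge(self, identity):
        # Step 2: a fresh random r per attempt makes a captured reply worthless later.
        r = secrets.token_bytes(16)
        self.pending[identity] = r
        return r

    def verify(self, identity, response):
        # Step 4: recompute f(r, h(P)) from stored data; compare in constant time.
        r, hp = self.pending.pop(identity, None), self.users.get(identity)
        return r is not None and hp is not None and hmac.compare_digest(f(r, hp), response)

class User:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, r):
        # Step 3: only f(r, h(P)) crosses the network, never P itself.
        return f(r, h(self.password))

def login(host, user):
    r = host.challenge(user.identity)                    # steps 1 and 2
    return host.verify(user.identity, user.respond(r))   # steps 3 and 4

def replay_fails(host, user):
    # An eavesdropper records one (r, response) pair and replays it in a new session.
    r = host.challenge(user.identity)
    captured = user.respond(r)
    host.verify(user.identity, captured)   # the genuine login completes
    host.challenge(user.identity)          # the new session issues a new r
    return not host.verify(user.identity, captured)
```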


Authentication Security Issues


Client Attacks
- An adversary attempts to achieve user authentication without access to the remote host (to masquerade as a legitimate user).
Host Attacks
- These are directed at the user file at the host where passwords, token passcodes, or biometric templates are stored.
Eavesdropping
- An adversary attempts to learn the password by observing the user, finding a written copy of the password, keystroke logging, etc.
Replay
- An adversary repeats a previously captured user response.
Trojan Horse
- An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric.
  The adversary can then use the captured information to masquerade as a legitimate user.
Denial-of-Service
- Attempts to disable a user authentication service by flooding the service with numerous authentication attempts.

Practical Application

Case Study: ATM Security

Topic 3 User Authentication


Summary
- Introduced user authentication using
    Passwords
    Tokens
    Biometrics
- Discussed issues related to remote user authentication.
- Presented an example of an application and a case study.

Homework
Topic 1
- Page 36
  Review Questions 1.1 to 1.6 (Submit any 5)
  Problem 1.1
Topic 2
- Pages 70-71
  Review Questions 2.1 to 2.13 (Submit any 5)
  Problem 2.1
Topic 3
- Page 107
  Review Questions 3.1 to 3.9 (Submit any 5)
  Problem 3.2
