Authentication

Most technical security safeguards have authentication as a precondition.
How to authenticate:
Location: somewhere you are
Biometrics: something you are
Smart card, token: something you have
Password, secrets: something you know

The authentication process
Authentication: ask the user for credentials
Verification: verify these credentials against something previously known
Authorization: mark the user as authenticated; commonly the access control (AC) rights are also assigned here

Password: a secret (word) known by the user and the system

Password
Username: some name under which the user is known to the system; hardly secret
Secret password: the secret connected to the user name

Entropy for passwords
Entropy represents the uncertainty of the password; it expresses how likely it is that the password can be guessed.
The entropy is calculated from the reciprocal probability of each observed character in the password:
H = -Σ_i p_i · ld p_i   (ld = logarithm to base 2, p_i = relative frequency of character i)

Good and bad passwords
Bad:
Linkable names (own, child's, ...)
Linkable numbers (telephone, birthdays, ...)
Related words (like the car -> Ferrari)
Common words from dictionaries
Common patterns (qwerty, ...)
Fashion words
Good:
Containing big and small letters
Containing numbers and special characters
> 8 characters
Can be written fast
The first three rules prevent the search; the fourth is to prevent observation.
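Computing the character entropy H = -Σ p_i · ld p_i from the entropy slide and checking the good/bad password rules above, as an added example that is not code from the lecture; the word list and keyboard patterns are constructed stand-ins for a real dictionary.

```python
"""Password entropy and policy checks (added example, not from the slides).

Computes the per-character Shannon entropy H = -sum(p_i * log2(p_i)) from the
observed character frequencies, as the slide defines it, and checks the
"good password" rules listed on the slide. The word list and patterns below
are constructed stand-ins, not a real dictionary.
"""
import math
import string
from collections import Counter

# Constructed stand-ins for a dictionary and for known keyboard patterns.
COMMON_WORDS = {"password", "ferrari", "secret", "welcome"}
COMMON_PATTERNS = ("qwerty", "12345", "abcd")


def char_entropy_bits(password: str) -> float:
    """H = -sum p_i * ld p_i over the characters observed in the password."""
    if not password:
        return 0.0
    counts = Counter(password)
    n = len(password)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def total_entropy_bits(password: str) -> float:
    """Per-character entropy times length: the bits a guesser has to cover."""
    return char_entropy_bits(password) * len(password)


def policy_violations(password: str) -> list[str]:
    """Return the slide's rules the password breaks (empty list = acceptable)."""
    low = password.lower()
    problems = []
    if len(password) <= 8:
        problems.append("not longer than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if any(p in low for p in COMMON_PATTERNS):
        problems.append("contains a common keyboard pattern")
    return problems
```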

Password verification
Compare the input with a stored value.
Passwords need to be stored: plain, or encrypted (one-way, or bi-directional).
Passwords need to be transferred: plain, or encrypted.

Security of passwords
Security is based mainly on the user, but also on how passwords are implemented in the system.
Systems can implement additional functions to harden passwords.

Attacks against password systems
Test all possible passwords
Guess likely words (lexical attacks)
Social engineering
Looking for the system's password list
Attacking the authentication mechanism
Ask the user

Ways to harden
Limited number of tries
Wrong inputs slow down the process
Challenge/response
Authenticate the system as well (not only the user)
Combining different systems
Harden the process
Require passwords with high entropy
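Storing a password only as a one-way value and verifying against it, combined with the "limited number of tries" and "wrong inputs slow down the process" hardening from the slide above, as an added example that is not code from the lecture; PBKDF2-HMAC-SHA256 with a random salt and the 5-try limit are choices assumed here.

```python
"""Password storage and verification with hardening (added example, not from
the slides). Only a salted one-way hash is stored (PBKDF2-HMAC-SHA256, an
assumed choice), and two hardening measures from the slide are applied: a
limited number of tries and a slow-down after wrong inputs.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # work factor of the one-way function; raise over time
MAX_TRIES = 5          # limited number of tries before the account locks


def store_password(password: str) -> dict:
    """Derive a salted one-way hash; the plain password is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the one-way value and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, attempt: str) -> tuple[bool, float]:
    """Return (accepted, delay_seconds); the caller sleeps for the delay.

    Wrong inputs back off exponentially (1 s, 2 s, 4 s, ...), and after
    MAX_TRIES consecutive failures every attempt is refused (account locked).
    """
    if record["failures"] >= MAX_TRIES:
        return False, 0.0            # locked: the password is not even evaluated
    if verify_password(record, attempt):
        record["failures"] = 0       # a correct login resets the counter
        return True, 0.0
    record["failures"] += 1
    delay = float(2 ** (record["failures"] - 1))
    return False, delay
```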

One-time passwords
A password is only valid once.
Techniques: transaction numbers (TAN); hashed with a time stamp
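A one-time password "hashed with a time stamp", as an added example that is not code from the lecture: the standard TOTP construction (HMAC over a shared secret and the 30-second time step), plus a server side that accepts each code only once. The secret and time values are constructed test inputs.

```python
"""One-time password derived from a shared secret and a time stamp (added
example, not from the slides). The scheme is the TOTP construction of
RFC 6238 (HMAC-SHA1, 6 digits, 30-second steps); the secret below is a
constructed example value, not a real credential.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Hash the secret together with the current time step and truncate."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class OtpVerifier:
    """Server side: accepts a code for the current or the previous step
    (clock skew) and remembers the last accepted step, so that a code is
    valid only once and cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        for skew in (0, 1):
            step = unix_time // STEP_SECONDS - skew
            if step <= self.last_accepted_step:
                continue                      # replay: this step was already used
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False
```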

Cryptographic techniques
Cryptography for authentication purposes
Popular techniques: Kerberos; certificates (X.509); challenge/response systems
Problems: complex; infrastructure dependent

Security token
Something you have
Popular representatives: cryptographic tokens; smart cards
Problems: costly; technical infrastructure

Smart cards
A card with a chip; not necessarily for authentication
Different types: ROM cards; EEPROM cards; microprocessor cards

Smart cards
Prominent examples: bank cards; credit cards; mobile phone cards

Attacks against smart cards
Protocol attacks: attacks on the communication between the smart card and the card reader
Blocking signalling: block signals (for example erase signals)
Freeze or reset the card: make the content of the RAM readable

Attacks against smart cards
Physical probing: reading data directly from the hardware
Damaging part of the chip, for example the address counter
Reverse engineering: reveal the chip design and gain knowledge

Biometrics
The security relies on a property of a human being: some aspect of the human anatomy or physiology is measured and compared with previously recorded values.
Problems: humans change over time

Concepts
Physical: DNA; face; fingerprint; iris; hand geometry
Behavioral: voice; signature verification

Conventional biometrics
Face recognition (ID cards): the oldest and probably most accepted method; average security, according to studies
Handwritten signatures: highly accepted in Europe; good enough security

Fingerprints
Look at the friction ridges that cover the fingertips: the geometry of branches and end points (commonly 16), and the pores of the skin.
Easy to deploy, but relatively limited resistance.
Problems: there is a statistical probability of mismatch, since the number of variations is limited; fingerprints are mostly "noisy"; alteration is easy

Iris scan
Patterns in the iris are recognized.
Iris codes provide the lowest false accept rates of any known system (US study).
Problems: getting people to put their eye into a scanner; systems might be vulnerable to simple photographs

Problems with biometrics
Not exact enough: false positives and false negatives are common
Technically difficult: the technology is new
Privacy problems: sicknesses can be recognized
Social problems: usage of the system; revelation generates problems; data leaks out incidentally; once the use becomes widespread, your data will be known by a lot of people

Single sign-on
Only one sign-on for all applications
Techniques: save the password (but how?); issue a ticket
Trends: identity management systems

Identity management
Types of IdM (systems):
Type 1: by the user herself/himself (supported by service providers); management of own identities: chosen identity (= Tier 1)
Type 2: by an organisation; account management: assigned identity (= Tier 2)
Type 3: by an organisation; profiling: derived, abstracted identity (= Tier 3)
There are hybrid systems that combine characteristics.

"Identity" is changing
IT puts more high-tech on ID cards: biometrics to bind them closer to a human being; chips to add services (such as a PKI).
Profiles may make the "traditional" ID concept obsolete: people are represented not by numbers or ID keys any more but by data sets. Identities become "a fuzzy thing".
New IDs and ID management systems are coming up: mobile communication (GSM) has introduced a globally interoperable "ID token", the Subscriber Identity Module; eBay lets people trade using pseudonyms.
Europe (the EU) considers joint ID and ID management systems: European countries have different traditions of identity card use, and compatibility of ID systems is not trivial.
Work on new standards for identity management systems and entity authentication has been initiated by ISO and ITU.

Identity concepts: partial identities illustrated
[Figure: one person's partial identities (Work, Public Authority, Health Care, Shopping, Leisure, Anonymity) and the attributes held in each, such as name, address, birthdate, salary, income, credit cards, account number, tax status, insurance, health status, blood group, nickname, hobbies and phone number.]

Changing borders of (partial) identities
[Same figure: the borders between the partial identities are blurring.]

Changing borders of (partial) identities (cont.)
[Same figure: communication and contacts cross the borders between partial identities.]

Questions?