Authentication

Definitions
Identification - a claim about identity
–Who or what I am (global or local)
Authentication - confirming that claims are true
–I am who I say I am
–I have a valid credential
Authorization - granting permission based on a valid claim
–Now that I have been validated, I am allowed to access certain resources or take certain actions
Access control system - a system that authenticates users and gives them access to resources based on their authorizations
–Includes or relies upon an authentication mechanism
–May include the ability to grant coarse- or fine-grained authorizations, revoke or delegate authorizations
Slides modified from Lorrie Cranor, CMU

Building blocks of authentication
Factors
–Something you know (or recognize)
–Something you have
–Something you are
Mechanisms
–Text-based passwords
–Graphical passwords
–Hardware tokens
–Public key crypto protocols
–Biometrics

Two factor systems
Two factors are better than one
–Especially two factors from different categories
Question: What are some examples of two-factor authentication?
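One concrete answer to the question, as an added example that is not part of the original slides: a password (something you know) combined with a time-based one-time code generated by a token the user carries (something you have). The one-time code follows RFC 6238 (TOTP with HMAC-SHA1, 30-second steps, 6 digits), so the values it produces for the RFC's test secret are the RFC's own test vectors; the password is kept as a salted PBKDF2 hash. The account record, the helper names (store_password, two_factor_login, ...) and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example: password (something you know) + RFC 6238 TOTP code
# (something you have).  Helper names and the sample account are
# illustrative, not from any real system.
PBKDF2_ROUNDS = 200_000
STEP_SECONDS = 30
DIGITS = 6


def store_password(password, salt=None):
    """Return a record {salt, hash}; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    # constant-time comparison: timing must not leak how many bytes matched
    return hmac.compare_digest(candidate, record["hash"])


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP code for the given time (HMAC-SHA1, dynamic truncation)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step and +/- `window` steps to absorb clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, str(code)):
            return True
    return False


def two_factor_login(account, password, code, unix_time=None):
    """Both factors must pass.  Both are evaluated even if the first fails,
    so the response time does not reveal which factor was wrong."""
    now = time.time() if unix_time is None else unix_time
    pw_ok = verify_password(password, account["password"])
    otp_ok = verify_totp(account["totp_secret"], code, now)
    return pw_ok and otp_ok


# Constructed sample account.  The TOTP secret is the RFC 6238 test secret,
# so the codes are the RFC's vectors: t=59 -> 287082, t=1111111109 -> 081804.
RFC_SECRET = b"12345678901234567890"
ACCOUNT = {"password": store_password("correct horse battery"),
           "totp_secret": RFC_SECRET}

if __name__ == "__main__":
    t = 1111111109
    print("code at t=%d: %s" % (t, totp(RFC_SECRET, t)))
    print("both factors:", two_factor_login(ACCOUNT, "correct horse battery", totp(RFC_SECRET, t), t))
    print("password only:", two_factor_login(ACCOUNT, "correct horse battery", "000000", t))
```

The two factors are from different categories, which is the point of the slide: a phished or reused password is useless without the token, and a lost token is useless without the password. The drift window (plus or minus one step) is a usability concession that widens the replay window for a captured code from 30 to 90 seconds; a server should also refuse to accept the same code twice.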

Evaluation
Accessibility
Memorability
–Depth of processing, retrieval, meaningfulness
Security
–Predictability, abundance, disclosure, crackability, confidentiality
Cost
Environmental considerations
–Range of users, frequency of use, type of access, etc.

Typical password advice

Pick a hard to guess password
Don’t use it anywhere else
Change it often
Don’t write it down
–Do you? (Bank = b3aYZ, Amazon = aa66x!, Phonebill = p$2$ta1)

Problems with Passwords
Selection
–Difficult to think of a good password
–Passwords people think of first are easy to guess
Memorability
–Easy to forget passwords that aren’t frequently used
–Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters
Reuse
–Too many passwords to remember
–A previously used password is memorable
Sharing
–Often unintentional through reuse
–Systems aren’t designed to support the way people work together and share information

How Long does it take to Crack a Password?
Brute force attack
Assuming 100,000 encryption operations per second
FIPS Password Usage
–3.3.1 Passwords shall have maximum lifetime of 1 year
[Table: time to brute force by password length]

The Password Quiz
What is your score?
Do you agree with each piece of advice?
What is the most common problem in the class?
Any bad habits not addressed?

Check your password
Question: Why don’t all sites do this?
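The calculation behind the cracking-time slide and the kind of check a "check your password" page performs, as an added example that is not part of the original slides. The rate of 100,000 guesses per second is the slide's assumption and is low by today's standards (GPU hash cracking runs orders of magnitude faster against fast hashes, which is why slow password hashes and login rate limits matter); pass a different `rate` to see the effect. The character-class table, the helper names and the five-entry common-password list are constructed for illustration, the last as a stand-in for a real leaked-password list.

```python
import math
import string

# Added example, not from the slides.  GUESSES_PER_SECOND is the slide's
# assumed attacker speed; the common-password list is a constructed stand-in.
GUESSES_PER_SECOND = 100_000

# A brute-force attacker who knows which classes appear in the password
# only has to search the union of those classes.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def alphabet_size(password):
    """Size of the union of character classes present in the password."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def brute_force_seconds(alphabet, length, rate=GUESSES_PER_SECOND):
    """Worst case: every string of exactly this length is tried."""
    return alphabet ** length / rate


def humanize(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds


def crack_table(lengths=(4, 6, 8, 10, 12), alphabets=(26, 36, 62, 95),
                rate=GUESSES_PER_SECOND):
    """The slide's table as {(alphabet size, length): seconds}."""
    return {(a, n): brute_force_seconds(a, n, rate) for a in alphabets for n in lengths}


def check_password(password, rate=GUESSES_PER_SECOND):
    """What a strength checker can say from the password string alone."""
    alphabet = alphabet_size(password)
    bits = len(password) * math.log2(alphabet) if alphabet else 0.0
    seconds = brute_force_seconds(alphabet, len(password), rate) if alphabet else 0.0
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bits": round(bits, 1),
        "brute_force_seconds": seconds,
        # length and classes are irrelevant once the password is in a dictionary
        "common": password.lower() in COMMON_PASSWORDS,
    }


if __name__ == "__main__":
    for (alphabet, length), secs in sorted(crack_table().items()):
        print("alphabet %3d, length %2d: %s" % (alphabet, length, humanize(secs)))
    for pw in ("b3aYZ", "aa66x!", "p$2$ta1", "password"):
        print(pw, check_password(pw))
```

The brute-force figure is an upper bound on attacker effort, not a measure of strength: a dictionary or mnemonic-dictionary attack ignores the character classes entirely, which is why the checker flags `common` separately and why the later slides on predictability matter more than the table.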

Text-based passwords
Random (system or user assigned)
Mnemonic
Challenge questions (semantic)
Anyone ever had a system assigned random password? Your experience?

Four Mnemonic Passwords
Phrase: Four score and seven years ago, our Fathers
–First letter of each word (with punctuation): Fsasya,oF
–Substitute numbers for words or similar-looking letters: 4sasya,oF, 4sa7ya,oF
–Substitute symbols for words or similar-looking letters: 4s&7ya,oF
Word by word: Four→F or 4, score→s, and→a or &, seven→s or 7, years→y, ago→a, the comma is kept, our→o, Fathers→F
Source: Cynthia Kuo, SOUPS 2006

The Promise?
Phrases help users incorporate different character classes in passwords
–Easier to think of character-for-word substitutions
Virtually infinite number of phrases
Dictionaries do not contain mnemonics
Source: Cynthia Kuo, SOUPS 2006

Memorability of Password Study
Goal
–examine effects of advice on password selection in real world
Method: experiment
Independent variables?
–Advice given
Dependent variables?
–Attacks, length, requests, memorability survey

Study, cont.
Conditions
–Comparison
–Control
–Random password
–Passphrase (mnemonic)
Students randomly assigned
Attacks performed one month later
Survey four months later

Results
All conditions longer password than comparison group
Random & passphrase conditions had significantly fewer successful attacks
Requests for password the same
Random group kept written copy of password for much longer than others
Non-compliance rate of 10%
What are the implications? What are the strengths of the study? Weaknesses?

Mnemonic password evaluation
Source: Cynthia Kuo, SOUPS 2006
Mnemonic passwords are not a panacea, but are an interesting option
–No comprehensive dictionary today
May become more vulnerable in future
–Users choose music lyrics, movies, literature, and television
–Attackers incentivized to build dictionaries
Publicly available phrases should be avoided!
C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, July 2006, Pittsburgh, PA.
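The two sides of the mnemonic argument in code, as an added example that is neither the slides' nor Kuo et al.'s: the substitution rules from the "Four Mnemonic Passwords" slide applied to a phrase (the generation side), and the dictionary an attacker builds from publicly available phrases that the evaluation slide warns about (the attack side). The number-word and symbol-word tables, the helper names and the three-phrase sample list are constructed for illustration; a real attacker's list would hold every lyric, quotation and title that is easy to find.

```python
import string

# Added example, not from the slides or the cited paper.  Substitution
# tables and the phrase list are constructed for illustration.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
    "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
    "to": "2", "too": "2", "for": "4",
}
SYMBOL_WORDS = {"and": "&", "at": "@", "percent": "%", "dollars": "$"}
PUNCT = string.punctuation


def mnemonic(phrase, numbers=False, symbols=False):
    """First letter of each word, punctuation kept; optionally replace
    number words and symbol words with their digit or symbol (the three
    rules of the 'Four Mnemonic Passwords' slide)."""
    out = []
    for token in phrase.split():
        core = token.strip(PUNCT)
        if not core:                      # token is pure punctuation: keep it
            out.append(token)
            continue
        start = token.index(core)
        leading, trailing = token[:start], token[start + len(core):]
        word = core.lower()
        if symbols and word in SYMBOL_WORDS:
            piece = SYMBOL_WORDS[word]
        elif numbers and word in NUMBER_WORDS:
            piece = NUMBER_WORDS[word]
        else:
            piece = core[0]               # case of the first letter is preserved
        out.append(leading + piece + trailing)
    return "".join(out)


RULES = ((False, False), (True, False), (True, True))


def attacker_dictionary(phrases):
    """Every mnemonic derivable from the phrase list under the three rules,
    plus lowercased and punctuation-stripped variants of each."""
    candidates = set()
    for phrase in phrases:
        for numbers, symbols in RULES:
            m = mnemonic(phrase, numbers, symbols)
            candidates.update({m, m.lower(), m.translate(str.maketrans("", "", PUNCT))})
    return candidates


def derived_from_known_phrase(password, phrases):
    return password in attacker_dictionary(phrases)


# Constructed sample of the kind of public phrases users reach for.
WELL_KNOWN_PHRASES = [
    "Four score and seven years ago, our Fathers",
    "To be, or not to be, that is the question",
    "May the Force be with you",
]

if __name__ == "__main__":
    phrase = WELL_KNOWN_PHRASES[0]
    for numbers, symbols in RULES:
        print("numbers=%s symbols=%s -> %s" % (numbers, symbols, mnemonic(phrase, numbers, symbols)))
    print("4sa7ya,oF derived from a known phrase:",
          derived_from_known_phrase("4sa7ya,oF", WELL_KNOWN_PHRASES))
```

The generator is deterministic, which is exactly the problem: whatever rule a user applies, the attacker can apply the same rule to the same public phrase, so the security of a mnemonic password rests on the phrase being private, not on the substitutions.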

Password keeper software
Run on PC or handheld
Only remember one password
How many use one of these?
Advantages?
Disadvantages?

“Forgotten password” mechanism
Email password or magic URL to address on file
Challenge questions
Why not make this the normal way to access infrequently used sites?

Challenge Questions
Question and answer pairs
Issues:
–Privacy: asking for personal info
–Security: how difficult are they to guess and observe?
–Usability: answerable? how memorable? how repeatable?
What challenge questions have you seen? Purpose?

Challenge questions
How likely to be guessed?
How concerned should we be about
–Shoulder surfing?
–Time to enter answers?
–A knowledgeable other person?
–Privacy?

Graphical Passwords
We are much better at remembering pictures than text
User enters password by clicking on the screen
–Choosing correct set of images
–Choosing regions in a particular image
Potentially more difficult to attack (no dictionaries)
Anyone ever used one?

Schemes
Choose a series of images
–Random [1]
–Passfaces [2]
–Visual passwords (for mobile devices) [3]
–Provide your own images
1. R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of 9th USENIX Security Symposium.
3. W. Jansen, et al., "Picture Password: A Visual Login Technique for Mobile Devices," National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.

Schemes
Click on regions of image
–Blonder’s original idea: click on predefined regions [1]
–Passlogix – click on items in order [2]
–Passpoints – click on any point in order [3]
1. G. E. Blonder, "Graphical passwords," Lucent Technologies, Inc., Murray Hill, NJ, U.S. Patent.
3. S. Wiedenbeck, et al., "Authentication using graphical passwords: Basic results," in Human-Computer Interaction International (HCII 2005), Las Vegas, NV, 2005.

Schemes
Freeform
–Draw-a-Secret (DAS): I. Jermyn, et al., "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium.
–Signature drawing

Theoretical Comparisons
Advantages:
–As memorable or more than text
–As large a password space as text passwords
–Attack needs to generate mouse output
–Less vulnerable to dictionary attacks
–More difficult to share
Disadvantages
–Time consuming
–More storage and communication requirements
–Shoulder surfing an issue
–Potential interference if becomes widespread
See a nice discussion in: Suo and Zhu. “Graphical Passwords: A Survey,” in the Proceedings of the 21st Annual Computer Security Applications Conference, December 2005.
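What a click-point scheme of the PassPoints kind looks like in code, and the calculation behind the "as large a password space as text passwords" claim, as an added example that is not code from PassPoints or any of the cited schemes. It uses a deliberately simplified model: the image is divided into fixed tolerance cells and a click is accepted when it lands in the same cell as the enrolled click, in order. The cell model, the 640x480 image, the 20-pixel tolerance, the helper names and the sample clicks are assumptions for illustration.

```python
import math

# Added example, not from any cited scheme.  Simplified click-point model:
# fixed tolerance cells over the image; image size, tolerance and sample
# clicks are assumed for illustration.
IMAGE_WIDTH, IMAGE_HEIGHT = 640, 480
TOLERANCE = 20      # pixels; two clicks in the same cell count as the same click


def cell(point, tol=TOLERANCE):
    x, y = point
    return (x // tol, y // tol)


def enroll(clicks, tol=TOLERANCE):
    """The stored secret is the ordered list of cell indices, not the pixels."""
    return [cell(p, tol) for p in clicks]


def verify(enrolled, attempt, tol=TOLERANCE):
    """Same number of clicks, same cells, same order."""
    if len(attempt) != len(enrolled):
        return False
    return all(cell(p, tol) == c for p, c in zip(attempt, enrolled))


def graphical_space_bits(width=IMAGE_WIDTH, height=IMAGE_HEIGHT, tol=TOLERANCE, clicks=5):
    """Theoretical space: (number of cells) ** clicks, in bits."""
    cells = (width // tol) * (height // tol)
    return clicks * math.log2(cells)


def text_space_bits(alphabet=62, length=8):
    """Theoretical space of a text password with the given alphabet and length."""
    return length * math.log2(alphabet)


# Constructed enrolment and two login attempts.
ENROLLED_CLICKS = [(100, 100), (300, 250), (50, 400), (600, 30), (420, 470)]
ATTEMPT_OK = [(103, 108), (305, 251), (55, 405), (611, 39), (425, 478)]    # jitter stays in-cell
ATTEMPT_EDGE = [(99, 101), (305, 251), (55, 405), (611, 39), (425, 478)]   # first click crosses a cell edge

if __name__ == "__main__":
    secret = enroll(ENROLLED_CLICKS)
    print("in-cell jitter accepted:", verify(secret, ATTEMPT_OK))
    print("edge-crossing jitter accepted:", verify(secret, ATTEMPT_EDGE))
    print("5 clicks, 640x480, 20px cells: %.1f bits" % graphical_space_bits())
    print("8 alphanumeric characters:       %.1f bits" % text_space_bits())
```

Two things the numbers show. First, five clicks on this grid (768 cells) give about 47.9 bits of theoretical space, essentially the same as an 8-character alphanumeric password (about 47.6 bits), which is the slide's point. Second, the rejected edge attempt shows why a fixed grid is too naive: a click one pixel from an enrolled click can fall in a neighbouring cell, so the published click-based schemes use a more careful discretization than this one. The bit count is also only the theoretical space; as the next slides show, users cluster on predictable hot spots, so the space an attacker actually has to search is far smaller.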

How do they really compare?
Many studies of various schemes…
Faces vs. Story
–Method: experiment
Independent – participant race and sex, faces or story
Dependent – types of items chosen, likelihood of attack
–Real passwords – used to access grades, etc.
–Also gathered survey responses
–Results: we are highly predictable, particularly for faces
Attacker could have succeeded with 1 or 2 guesses for 10% of males!
–Implications?

Other examples
Passpoints predictable too!
Can predict or discover hot spots to launch attacks.
Julie Thorpe and P.C. van Oorschot. Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords, in Proceedings of 16th USENIX Security Symposium, 2007.

Other uses of images
CAPTCHA – differentiate between humans and computers
–Use a computer generated image as evidence that the interaction is coming from a human
–An AI-hard problem
Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford. “CAPTCHA: Using Hard AI Problems for Security,” In Advances in Cryptology, Eurocrypt 2003.

More food for thought
How concerned should we be about the weakest link/worst case user?
–Do we need 100% compliance for good passwords? How do we achieve it?
What do you think of “bugmenot”?
Is it possible to have authorization without identification?

Project Groups
3 groups of 4, 1 group of 3
Form your group by the END of class next week
Preliminary user study of privacy or security application, mechanism, or concerns
Deliverables:
–Idea
–Initial plan: 5 points
–Plan: 20 points
–Report: 20 points
–Presentation: 5 points

Project Ideas
Start with a question or problem…
–Why don’t more people encrypt their emails?
–How well does product X work for task Y?
–What personal information do people expect to be protected?
Flip through chapters in the book & papers
–Follow up on existing study
Examine your own product/research/idea
Examine something you currently find frustrating, interesting, etc.

Ideas?

A Look Ahead
Next week: User studies
–pay attention to the method of study in your readings
–ALSO: observation assignment
Two weeks – rest of authentication
–ALSO: project ideas due

Next week’s assignment
Observe people using technology
–Public place, observe long enough for multiple users
–Take notes on what you see
Think about privacy and security, but observe and note everything
–Write up a few paragraphs describing your observations
Don’t forget IRB certification