Authentication.

Authentication
- Strong passwords
- Kerberos
- CHAP
- Digital certificates
- Biometrics

Strong Passwords
- Minimum 6 to 8 characters in the password
- At least one letter and one digit
- Case sensitive
- Avoid well-known substitutions: 0 for the letter 'O', 2 for 'to', 4 for 'for', 5 for 'S'
- Set an expiration date for the password
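Added example, not from the slides: a small Python checker for the policy above. The 8-character minimum, the 90-day expiration and the word list are assumed values; the substitution table is the one the slide names, undone before the dictionary check so that a "clever" spelling of a weak word is still caught.

```python
import re
from datetime import date, timedelta

MIN_LEN = 8          # the slide says "6 to 8"; 8 is the assumed minimum here
MAX_AGE_DAYS = 90    # expiration period, an assumed value

# Undo the well-known substitutions the slide names before the dictionary check.
UNSUBSTITUTE = str.maketrans({"0": "o", "5": "s", "2": "to", "4": "for"})

# Constructed stand-in for a real wordlist of weak passwords.
WEAK_WORDS = {"password", "secret", "welcome", "letmein", "forsale", "tostart"}

def check_password(pw, weak_words=WEAK_WORDS):
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs at least one letter and one digit")
    # Passwords are case sensitive, but a wordlist check must ignore case:
    # 'PA55W0RD' is still 'password' once the substitutions are undone.
    plain = pw.lower().translate(UNSUBSTITUTE)
    if pw.lower() in weak_words or plain in weak_words:
        problems.append(f"dictionary word once substitutions are undone ({plain})")
    return problems

def password_expired(set_on, today, max_age_days=MAX_AGE_DAYS):
    """True once a password set on `set_on` (ISO date) is older than the maximum age."""
    return date.fromisoformat(today) > date.fromisoformat(set_on) + timedelta(days=max_age_days)
```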

Kerberos
- Developed at MIT in 1983
- Meant for internal networks
- Passwords are sent in cleartext
- Developed for authenticating users in a single-server or multi-server environment
- The current version is 5
- Freeware (http://web.mit.edu/is/help/kerberos)
- Sets up a key for every specified service for the authenticated user

Kerberos: how authentication works
- The user logs in with a userid and password
- The user wants to use a service (e.g. FTP)
- The request goes to an Authentication Server (AS) in encrypted form, using the user's password
- The AS verifies the user using the password associated with the userid
- The AS sends two data items back to the user. One is encrypted with the user's password; it is called the Ticket. The other is encrypted with the requested service's master key; it is called the Session key.

Kerberos
- The user decrypts the ticket with their password to verify that the response came from the AS.
- The user then creates an authenticator from their userid and a timestamp.
- Finally, the user encrypts the authenticator with the session key and sends it to the service.
- The service decrypts the information with its master key and checks the authenticator. The user is then allowed to use the service.

Kerberos – Single service diagram
[Figure: Key Distribution Center with the Authentication Server (AS); messages numbered 1 to 4 between User, AS and Service]

Kerberos
- The previous description suits a single-server, single-service environment. A multi-server, multi-service environment uses a different authentication process.
- Upon initial login, the user is automatically authenticated and a Ticket-Granting Ticket (TGT) is created.
- For any service needed, the user sends the TGT to the Ticket Granting Server (TGS) and obtains the key necessary to access that service.

Kerberos: assumptions made by Kerberos systems
- The user has the correct password; Kerberos does not prevent dictionary attacks to guess the password
- Physical security of all devices on the network is assumed
- Denial of service attacks are not prevented
- All authenticating devices must have their clocks synchronized for the timestamps to match
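Added example, not part of the original slides: the single-service exchange described above simulated in Python. The seal/unseal routine is a toy stand-in for Kerberos's cipher, the user, password and service are constructed values, and SKEW is an assumed clock tolerance; the item sealed under the service's master key is called the ticket here, as in the Kerberos RFCs, and the pre-authentication of the first request is omitted.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock drift tolerated between client and service (assumed)

def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC for the demo; stands in for Kerberos's real cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password):
    """Long-term key derived from the password (toy KDF, demo only)."""
    return hashlib.sha256(b"krb-demo:" + password.encode()).digest()

# Constructed KDC database: users' long-term keys and services' master keys.
USERS = {"alice": user_key("correct horse")}
SERVICES = {"ftp": os.urandom(32)}

def as_exchange(userid, service):
    """Step 2: the AS answers with the session key sealed under the user's key and
    a ticket (user name + session key) sealed under the service's master key."""
    sk = os.urandom(32).hex()
    return (seal(USERS[userid], {"service": service, "session_key": sk}),
            seal(SERVICES[service], {"user": userid, "session_key": sk}))

def client_request(userid, password, service, now=None):
    """Steps 1 and 3: open the AS reply with the password-derived key (proving it
    came from the AS), then build the userid + timestamp authenticator."""
    reply, ticket = as_exchange(userid, service)
    sk = bytes.fromhex(unseal(user_key(password), reply)["session_key"])
    ts = now if now is not None else time.time()
    return ticket, seal(sk, {"user": userid, "ts": ts})

def service_verify(service, ticket, auth, now=None):
    """Step 4: open the ticket with the master key, then the authenticator with the
    session key; names must match and the timestamp must be within SKEW."""
    t = unseal(SERVICES[service], ticket)
    a = unseal(bytes.fromhex(t["session_key"]), auth)
    ref = now if now is not None else time.time()
    return a["user"] == t["user"] and abs(ref - a["ts"]) <= SKEW
```

The timestamp check is why the slide's last assumption matters: a client whose clock is off by more than SKEW is refused even with the right password.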

Challenge Handshake Authentication Protocol
- CHAP is a point-to-point protocol
- Used where hosts are connected to routers over switched circuits or dial-up lines
- The host asks the AS for permission to use CHAP
- The AS responds with permission to use CHAP
- The AS sends a challenge message to the host

Challenge Handshake Authentication Protocol
- The host selects a one-way hash function and hashes the message from the AS; the hashed value is sent to the AS
- The AS calculates the same hash value using the same hash function
- If the values match, the connection is maintained; otherwise the connection is terminated
- Under CHAP, the AS periodically sends challenge sequences to verify the authenticity of the host

Digital Certificates
- Issued by trusted third parties known as Certificate Authorities (CAs); Verisign is one such trusted third party
- Used to authenticate an individual or an organization
- Digital certificates are usually issued for a period of one year
- They can be revoked
- Certificates are issued at various security levels; the higher the level, the more thoroughly the CA verifies the identity of the certificate seeker

Digital Certificates
- Digital certificates can be issued by anyone, as long as there are people willing to trust them
- Major CAs are: Verisign, GeoTrust, BeTrusted, Thawte

Digital Certificates
- Digital certificates are one part of the authentication mechanism; the other part is the digital signature.
- To use a digital signature, the sender starts with their private key, encrypts the message with it and sends it. The receiver decrypts the message with the sender's public key.
- In traditional encryption, the sender encrypts the message with the receiver's public key and sends it; the receiver decrypts the message with their private key.

Digital Certificates
- Additional authentication means used by CAs are: security token, passive token, active token, one-time password

Digital Certificates
- A security token is usually a hardware device such as a smart card
- If the security token is a software token, it is usually associated with a particular workstation
- Security tokens use two-factor authentication: a password plus a device (or an appropriate hardware identifier)

Digital Certificates
- A passive token is a storage device that holds multiple keys; the appropriate key is transmitted through whatever transmission device is in use
- Inexpensive to manufacture
- Sometimes an extra PIN is required to use the passive token
- Examples: garage door opener, ATM card

Digital Certificates
- An active token does not transmit any stored data, unlike a passive token
- Active tokens create another form of the base key (such as a one-time password) or an encrypted form of the base key
- Smart cards are commonly used as active tokens

Digital Certificates
- A one-time password has a limited validity period and a single use
- Generated using a counter-based token or a clock-based token
- A counter-based token is an active token that generates a one-time password from a counter held in the server and the user's secret key
- A clock-based token is an active token that generates one-time passwords from the server clock
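Added example, not from the slides: server-side verification of both token types above in Python, with RFC 4226 HOTP as the code generator (the clock-based variant is the RFC 6238 TOTP construction, where the counter is the current time step). The 30-second step, the look-ahead window and the one step of skew are assumed parameters; both verifiers enforce the "single use" property the slide states.

```python
import hmac, struct, time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class CounterBasedVerifier:
    """Server side of a counter-based token: the server's counter moves past every
    accepted code, so a code can never be accepted twice."""
    def __init__(self, secret, look_ahead=5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        # The token may have been pressed without the server seeing it, so look ahead.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

class ClockBasedVerifier:
    """Server side of a clock-based token: the counter is the 30 s time step, one
    step of clock skew is tolerated, and each step's code is accepted only once."""
    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew, -1

    def verify(self, code, now=None):
        t = int((time.time() if now is None else now) // self.step)
        for d in range(-self.skew, self.skew + 1):
            if t + d > self.last_step and hmac.compare_digest(hotp(self.secret, t + d), code):
                self.last_step = t + d
                return True
        return False
```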

Biometrics
- Biometric authentication uses unique physical or behavioral characteristics of individuals
- Examples: fingerprint, retinal scan, facial recognition
- Fingerprint authentication has matured into a reliable technology
- Retinal scan and facial recognition have yet to reach that level of reliability

Biometrics: how biometric authentication works
- Take the example of a fingerprint. To authenticate a user, the biometric is used as a secondary validation tool.
- First, a database of fingerprints of valid users is built.
- When access to a facility or system is needed, the user provides the fingerprint.
- The fingerprint matching system uses numeric measurements based on the ridges and valleys in the fingerprint.
- The user has to set an acceptable level of matching. Matching returns a percentage of successful mapping; based on the level set, the fingerprint is considered matched or not.
- The system does not report the level of matching; it gives a YES or NO answer for the match.
- Authenticated user information is kept for the audit trail.

Biometrics: potential problems with biometrics
- False positives: an unauthorized person is granted access. This can happen when the expected level of match is set low in the program.
- False negatives: an authorized person is not granted access. One possible reason is that the biometric has changed since the data was input, such as surgery on a finger.
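Added example, not from the slides: a Python sketch of the threshold trade-off described above, computing the false positive (false accept) and false negative (false reject) rates over constructed match percentages and finding the threshold where the two rates meet. The score lists are made up for illustration.

```python
def matches(score, threshold):
    """The yes/no answer the slide describes: callers never see the raw score."""
    return score >= threshold

def error_rates(genuine, impostor, threshold):
    """False accept rate (false positives) and false reject rate (false negatives)
    for one threshold, given scores from valid users and from strangers."""
    far = sum(matches(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not matches(s, threshold) for s in genuine) / len(genuine)
    return far, frr

def equal_error_threshold(genuine, impostor, candidates=range(0, 101)):
    """Threshold where FAR and FRR come closest: a neutral starting point before an
    operator raises it (fewer false positives) or lowers it (fewer false negatives)."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min(candidates, key=gap)   # first threshold with the smallest gap

# Constructed match percentages (0-100) for enrolled users and for impostors.
GENUINE = [92, 88, 95, 70, 81, 60, 99, 77]
IMPOSTOR = [30, 45, 62, 20, 55, 38, 48, 66]
```

Lowering the threshold to 50 on these scores lets three of eight impostors in, while raising it to 80 locks out three of eight valid users, which is the slide's pair of failure modes in numbers.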

Biometrics: other forms of biometrics in use
- Palm scan. Uses the ridges and valleys of the entire palm, in a manner similar to the fingerprint.
- Retinal scan. Uses an analysis of the blood vessels at the back of the eye. Fairly reliable but time consuming.
- Iris scan. Uses an analysis of the colored part of the eye surrounding the pupil. Not easy to use, especially with many people wearing contact lenses of various colors.

Biometrics
- Facial scan. Uses an analysis of the contours of the face. Technically, a grown person's facial contours do not change despite changes in appearance such as a beard or aging; the skin is just a cover over the bones, so this scan uses the underlying bone structure. Reliability is not high.
- Signature verification. Uses pattern recognition to match a signature. Very reliable and easy to use, but not secure, since signature forgery is hard to detect.
- Voice authentication. Uses pattern recognition on spoken words converted into digital signals based on speech characteristics. Fairly reliable but not widely used, as background noise is difficult to control for highly reliable authentication.

Biometrics: advantages and disadvantages
Advantages
- Second-tier authentication tool
- Reliability of authentication can be enhanced
Disadvantages
- Costly
- Time consuming at the point of use
- Bulky equipment may be needed at the point of use

Security Scenarios to Solve Biometric technology is constantly improving. Your manager has asked you to examine two different biometric technologies as authentication tools to access confidential data. Develop a report that identifies the equipment, suppliers, reliability, cost, ease of use (at data gathering time and at point-of-use). The report should be in a tabular form so that the manager can easily compare your research and make a decision.