Chapter-2 Identification & Authentication
Introduction
To secure a network, the first step is to prevent unauthorized access to it. This is achieved with an authentication mechanism. When one node wants to communicate with another node in a secure manner, the node that initiates the communication has to prove its identity in the network, so that its right to access the network resources can be determined (authentication establishes who the node is; authorization then decides what it may do).
Types of Authentication
Authentication methods:
- Knowledge based authentication: usernames and passwords
- Artifact based authentication: smart cards, digital signatures, certificates, tokens
- Biometric based authentication
Types of Authentication
All of the above can be briefly identified as:
- Knowledge based authentication is based on "what you know", i.e. something the user knows, e.g. user names, passwords, keys.
- Artifact based authentication is based on "what you possess", i.e. something the user has, such as certificates, tokens, smart cards.
- Biometric based authentication is based on "what you are", i.e. an inherent characteristic of the user, measured by biometric techniques.
Password Based Authentication
The most popular knowledge based mechanism is the password. In this method the user who wants to communicate with the server provides a username and password to the server in order to prove his identity in the network.
Password: a character string used to authenticate an identity (of a user).
Password based systems can be of the following types:
- Plain-text password based systems
- Encrypted passwords
- One time passwords
- Challenge and response based systems
Password Policy
A good password is one that is easy to remember but difficult to guess.
- Passwords should not be dictionary words, proper nouns, or foreign words.
- Passwords should be a mixture of upper and lower case characters along with numbers.
- Users should never disclose their passwords to anybody unless they know them to be authorized.
- System administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords.
- They should set password expiration on the accounts on the organization's systems. (Caveat: current guidance such as NIST SP 800-63B advises against forcing periodic changes and recommends changing a password when there is evidence of compromise; forced rotation tends to produce predictable variants of the old password.)
Password Based Systems
Plain-text password based systems: these are not secure enough, because a password that travels over the network in clear text can be captured by anyone able to intercept the traffic (a sniffer or a man in the middle) and reused as is.
Encrypted passwords: here the password is transformed before it travels over the wire, so an intruder who captures it does not obtain the password itself. Algorithms commonly named for this are SHA, MD5 and RSA. Strictly, MD5 and SHA are one-way hash functions: the server stores and compares a digest of the password rather than the password, and the digest cannot be reversed. RSA is a public key cipher used to encrypt the password in transit (as TLS does). Unsalted MD5 or SHA-1 digests are no longer adequate for password storage, because a captured digest can be attacked offline with a dictionary (see Weak versus Strong Passwords).
One Time Passwords
Even an encrypted password, once decrypted or cracked by the intruder, can be replayed to gain access to critical data. One idea is to use a new password every time the user logs in. One time password systems can be of two types:
- Challenge response, e.g. the RSA SecurID token system (SecurID tokens in fact generate time-synchronised codes, which serves the same purpose: a value that is valid only once).
- Codebook, e.g. S/Key
One Time Passwords
Challenge response authentication:
- When a new session is being established, the server issues a challenge string to the client, which is different every time.
- After receiving this challenge string, the user types in his or her pass phrase for the session.
- A secure hash is then calculated over the pass phrase and the challenge using a hashing algorithm such as MD4, MD5 or SHA-1 (MD4 and MD5 are obsolete today; a keyed hash such as HMAC-SHA256 is the modern choice).
One Time Passwords
- The variables required for calculating the secure hash are carried in the challenge string issued by the server, so the response is bound to this challenge and cannot be replayed in a later session.
- When the server receives the hash value sent by the client, it compares it with the value it has calculated itself from the stored secret and the same challenge, using the same hashing algorithm.
- If there is a match, the user is authenticated.
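The challenge response exchange described in the two slides above, written out as an added example (this is not code from the slides). The pass phrase is the shared secret, the response is HMAC-SHA256 over the server's random challenge, and the server discards each challenge after one use so that a captured response cannot be replayed. The user name, pass phrase and the Server class are constructed for the example; a real server would store a derived key rather than the bare pass phrase.

```python
"""Challenge-response one-time authentication with a keyed hash.

Added example: server issues a fresh random challenge per session; the client
proves knowledge of the shared pass phrase by returning
HMAC-SHA256(pass_phrase, challenge). The server recomputes the value and
compares in constant time. The response is bound to this challenge, so a
captured response is useless for any later session.
"""
import hashlib
import hmac
import secrets


def compute_response(pass_phrase: str, challenge: bytes) -> bytes:
    """Client side: keyed hash of the challenge under the pass phrase."""
    return hmac.new(pass_phrase.encode(), challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users):
        # users: username -> pass phrase (assumption for the example; a real
        # server stores a derived key, never the bare pass phrase)
        self._users = dict(users)
        self._pending = {}  # username -> outstanding challenge, one at a time

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per session
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        # pop(): each challenge is accepted once, which defeats replay
        challenge = self._pending.pop(username, None)
        secret = self._users.get(username)
        if challenge is None or secret is None:
            return False
        expected = compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    """Genuine login, two replay attempts and a wrong pass phrase."""
    secret = "correct horse battery staple"  # constructed sample pass phrase
    server = Server({"alice": secret})
    c1 = server.issue_challenge("alice")
    r1 = compute_response(secret, c1)
    genuine = server.verify("alice", r1)
    replayed = server.verify("alice", r1)        # no challenge outstanding any more
    server.issue_challenge("alice")
    replayed_new = server.verify("alice", r1)    # r1 is bound to c1, not the new challenge
    c3 = server.issue_challenge("alice")
    wrong_phrase = server.verify("alice", compute_response("wrong phrase", c3))
    return genuine, replayed, replayed_new, wrong_phrase
```

Running demo() returns (True, False, False, False): only the response computed from the right pass phrase over the currently outstanding challenge is accepted.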
One Time Passwords
Code book scheme:
- A codebook is a list of passwords that are used one at a time and then never reused.
- With this system each user is given a mathematical algorithm which is used to generate a sequence of passwords.
- The user can either run this algorithm on a portable computer when needed, or print out a listing of the generated passwords as a paper codebook.
Code Book Scheme
When a user wants to log in to a system, the user either looks up the next password in the codebook or generates the next password in the virtual codebook. This password is then given to the system as the password. The user may also need to supply a fixed password along with the codebook entry.
Code Book Scheme (figure: the client's codebook and the server's codebook hold the same list of entries)
Server: "Send me the next password for authentication."
Client: sends the next password from the codebook.
Server: "The password matches my codebook entry. You are authenticated."
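The S/Key codebook, as described in the Code Book Scheme slides above, generates its password sequence with a hash chain: the client computes p_i = H^i(seed) and hands the server only the last value p_n; the k-th login presents p_(n-k), and the server accepts it if hashing it once gives the value it currently stores, then moves its stored value back one step. This is an added example, not code from the slides; it uses SHA-256 instead of the truncated MD4 of the original S/Key, and the seed and chain length are constructed for the example.

```python
"""Codebook one-time passwords via a hash chain (the S/Key construction).

Added example. Setup: client picks a secret seed and computes
p_i = H^i(seed) for i = 0..n; the server stores only p_n. For the k-th login
the client sends p_{n-k}; the server checks H(received) == stored and then
replaces stored with received. Each password is used once, the server holds
no secret usable for login, and an eavesdropper cannot invert H to obtain the
next password in the sequence.
"""
import hashlib

N = 100  # chain length: number of one-time passwords per enrolment (assumption)


def H(data: bytes) -> bytes:
    # S/Key used MD4 truncated to 64 bits; SHA-256 is used here instead.
    return hashlib.sha256(data).digest()


def generate_codebook(seed: bytes, n: int = N):
    """Return [p_0, p_1, ..., p_n] with p_0 = seed and p_i = H(p_{i-1})."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class Server:
    def __init__(self, last_password: bytes, n: int = N):
        self.stored = last_password  # p_n: the only value the server keeps
        self.remaining = n           # logins left before re-enrolment is needed

    def authenticate(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False             # chain exhausted; refuse until re-enrolled
        if H(candidate) != self.stored:
            return False             # not the preimage of the stored value
        self.stored = candidate      # advance one step down the chain
        self.remaining -= 1
        return True


class Client:
    def __init__(self, seed: bytes, n: int = N):
        self.codebook = generate_codebook(seed, n)
        self.index = n - 1           # first password used is p_{n-1}

    def next_password(self) -> bytes:
        if self.index < 0:
            raise RuntimeError("codebook exhausted; re-enrol with a new seed")
        pwd = self.codebook[self.index]
        self.index -= 1              # never hand out the same entry twice
        return pwd


def demo():
    """One genuine login, a replay of the spent entry, then the next entry."""
    seed = b"constructed-secret-seed"                # constructed sample seed
    client = Client(seed)
    server = Server(generate_codebook(seed)[-1])     # enrolment: server gets p_n only
    first = client.next_password()
    ok1 = server.authenticate(first)
    replay = server.authenticate(first)             # spent password is rejected
    ok2 = server.authenticate(client.next_password())
    return ok1, replay, ok2
```

demo() returns (True, False, True). The paper codebook of the slides is the same list printed out: the user crosses off each entry after use, and the server's stored value always lags the client by exactly one hash.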
Weak versus Strong Passwords
Weak passwords may be of one of these types:
- User's personal information like name, vehicle number, phone number.
- A dictionary word.
- An easy to remember sequence of characters or alphanumeric characters like qwerty, abc123.
Weak versus Strong Passwords
A password supplied in plain text needs no cracking at all; it is simply read off the wire. Where the attacker holds only a captured hash, or can try logins against the system, weak passwords are easy to crack by nature using any of these methods:
- Brute-force attack (trying every possible combination)
- Dictionary attack (trying words from a list, with common variations) etc.
Weak versus Strong Passwords
Strong passwords: as weak passwords are easy to guess, it is recommended to use a password which:
- is at least 8 characters long.
- contains at least one numeric character.
- contains at least one special character.
- doesn't contain any dictionary word.
They should also be easy to remember; otherwise users end up writing a hard to remember password on a note near the desk. (Length contributes more to strength than forced character classes: a long pass phrase of several unrelated words is both stronger and easier to remember than a short mixed-character password.)
Password selection strategies
- User education
- Computer generated passwords
- Reactive password checking (the system periodically runs a cracker against its own password file and disables the passwords it manages to crack)
- Proactive password checking
The most secure method of good and strong password selection is proactive password checking: the user selects his own password and, at the time of selection, the system checks whether the password is allowable or not.
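A proactive password checker of the kind the slide recommends, as an added example (not code from the slides). It applies the rules from the Weak versus Strong Passwords slides and returns every reason a candidate is rejected. The dictionary here is a tiny constructed word list; a real deployment loads a large cracking dictionary and breached-password list. The checker also normalises the candidate the way a cracker would (case folding, undoing letter-for-digit substitutions, dropping trailing digits and punctuation), so that "P@ssw0rd!23" is still recognised as "password". The MIN_LENGTH, DICTIONARY and LEET tables are assumptions for the example.

```python
"""Proactive password checking at selection time.

Added example: returns the list of policy violations for a candidate password,
an empty list meaning the password is allowable. Normalises the candidate
before the dictionary lookup so that common disguises of a dictionary word
are caught.
"""
import string

MIN_LENGTH = 8
# Constructed sample dictionary; real checkers load tens of millions of entries.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "football"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")
# Undo the substitutions crackers try: @->a 0->o 1->l 3->e 4->a $->s 5->s
LEET = str.maketrans("@0134$5", "aoleass")


def normalise(candidate: str) -> str:
    """Lower-case, strip leading/trailing digits and punctuation, undo leet."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_password(candidate: str, user_info=()) -> list:
    """Return reasons the candidate violates policy; [] means accepted.

    user_info: strings tied to the user (name, phone, vehicle number) that
    must not appear in the password.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        reasons.append("no numeric character")
    if not any(c in string.punctuation for c in candidate):
        reasons.append("no special character")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        reasons.append("not a mix of upper and lower case")
    core = normalise(candidate)
    if core in DICTIONARY:
        reasons.append(f"based on dictionary word '{core}'")
    lowered = candidate.lower()
    if any(seq in lowered for seq in KEYBOARD_SEQUENCES):
        reasons.append("contains a keyboard or alphabet sequence")
    for item in user_info:
        if item and item.lower() in lowered:
            reasons.append(f"contains personal information '{item}'")
    return reasons


def is_allowable(candidate: str, user_info=()) -> bool:
    return not check_password(candidate, user_info)
```

check_password("P@ssw0rd!23") satisfies every composition rule yet is rejected, because normalisation reduces it to "password"; that is the case a composition-only checker misses and a dictionary attacker does not.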
Password vulnerabilities & attacks
Possible vulnerabilities of passwords:
- Guessing, cracking and spoofing (an attacker imitating the login prompt to capture the password)
- Testing the password files (an attacker who obtains the password file can test guesses against it offline)
Countermeasures:
- Proactive password checkers
- Shadow password files (password hashes kept in a file readable only by root, so ordinary users cannot copy them for offline cracking)
Password related attacks:
- Password cracking
- Brute force attack
- Dictionary attack
Artifact Based Authentication
This method deals with the possession of an artifact, i.e. an item held by the user, presentation of which enables the user to be authenticated. Popular examples of this method are smart cards, digital signatures, certificates etc.
Digital Signatures
Digital signatures are based on public key cryptography. They are used to verify that a document sent by a person was really sent by him and has not been changed on the route by which it came. A digital signature user must have a key pair:
- Public key: known to all (made public).
- Private key: known only to the key pair owner.
The signer computes a hash of the document and transforms it with the private key; anyone holding the public key can reverse the transformation and compare the result with a fresh hash of the received document. A mismatch means the document was altered in transit or was not signed by the holder of the private key.
Smart Cards
Smart cards are hardware devices that provide much more secure authentication for storing and transferring important information. They are the size of a credit card and contain a small chip which stores the private key and a copy of the certificate. A PIN (Personal Identification Number) is used in association with the smart card to provide more secure authentication.
Smart Cards
(Figure: a smart card and a card reader.) Card readers are used to read the information from a smart card.
Working of smart cards
The authentication method used with smart cards is the challenge response type of authentication. When the user inserts his smart card in a card reader, the program stored on the client system asks the user for his unique PIN. The user enters the PIN, and if the PIN is correct, communication between the client application and the smart card starts.
Working of smart cards
A challenge response procedure then takes place between the client and the server. The server sends a fresh random challenge; the private key on the card is used to sign (encrypt) it, and the signed data is transferred to the server. The public key held by the server (taken from the user's certificate) is used to verify (decrypt) the data. If the result matches the challenge the server sent, the user is authenticated. The private key never leaves the card; only the signed challenge travels over the network.
Advantages of Smart Cards
This is a very secure authentication mechanism because:
- the process works as two-factor authentication: what you know (the PIN) and what you have (the smart card holding the private key).
- brute force and dictionary attacks on the PIN don't work here, as only a limited number of PIN entries are allowed before the card locks itself; and the key material an attacker would need is never exposed on the network, since only a signed challenge is transmitted.
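The signing and verification of the Digital Signatures slide and the smart card challenge response of the Working of Smart Cards slides, in one added example (not code from the slides). It uses a deliberately tiny textbook RSA key pair (two fixed 32-bit primes, no padding) so the arithmetic is visible; real systems use 2048-bit or larger keys generated by a cryptographic library with a padding scheme such as RSA-PSS. The SmartCard class is a model constructed for the example: the private key never leaves the object, it signs only after the correct PIN, and it locks after three wrong PINs. The primes, PIN and sample message are assumptions.

```python
"""Digital signature (toy RSA) and smart-card challenge-response with PIN lockout.

Added example. sign()/verify() implement hash-then-RSA with a tiny fixed key;
SmartCard holds the private key, enforces the PIN with a retry counter and
signs a server-supplied nonce. authenticate() is the server side.
"""
import hashlib
import secrets

# Fixed primes constructed for the example: 2**31-1 and the largest 32-bit prime.
P, Q = 2147483647, 4294967291
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def _digest(message: bytes, n: int) -> int:
    # Hash the message, then reduce mod n so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


class SmartCard:
    MAX_PIN_TRIES = 3

    def __init__(self, pin: str, private_key):
        self._pin = pin
        self._key = private_key          # never returned to the host
        self.tries_left = self.MAX_PIN_TRIES
        self.unlocked = False

    def enter_pin(self, pin: str) -> bool:
        self.unlocked = False            # every session starts locked
        if self.tries_left == 0:
            return False                 # card has locked itself
        if secrets.compare_digest(pin, self._pin):
            self.unlocked = True
            self.tries_left = self.MAX_PIN_TRIES
            return True
        self.tries_left -= 1
        return False

    def sign_challenge(self, challenge: bytes) -> int:
        if not self.unlocked:
            raise PermissionError("PIN not verified")
        return sign(self._key, challenge)


def authenticate(card: SmartCard, pin: str, public_key) -> bool:
    """Server side: fresh nonce, card signs it, verify with the certificate's public key."""
    if not card.enter_pin(pin):
        return False
    challenge = secrets.token_bytes(16)  # different every time, so no replay
    return verify(public_key, challenge, card.sign_challenge(challenge))


def demo():
    pub, priv = generate_keypair()
    msg = b"Transfer 100 INR to account 42"            # constructed sample document
    sig = sign(priv, msg)
    genuine = verify(pub, msg, sig)
    tampered = verify(pub, b"Transfer 900 INR to account 42", sig)
    card = SmartCard("1234", priv)
    login_ok = authenticate(card, "1234", pub)
    for _ in range(3):
        authenticate(card, "0000", pub)                 # three wrong PINs lock the card
    locked_out = authenticate(card, "1234", pub)        # even the right PIN fails now
    return genuine, tampered, login_ok, locked_out
```

demo() returns (True, False, True, False): the signature verifies on the original document and fails on the altered one, the card authenticates with the right PIN, and after three wrong PINs it refuses to sign even when the correct PIN is entered, which is what makes online PIN guessing impractical.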
Applications of Smart Cards
Although smart cards are new in India, in many other countries they are used extensively for applications like:
- Electronic toll collection
- Financial services
- Healthcare services
- Cellular phones (SIM cards)
- Set-top boxes
- Secure network access
Biometric Techniques
Biometrics comprises the techniques for measuring human beings and the statistical methods of processing these measurements. In the field of identification, biometrics uses computers to identify or authenticate the identity of a person based on the measurement of at least one physical characteristic, e.g. fingerprint, retinal image, DNA etc.
Biometric identification consists in finding one person out of a number of people based on the analysis of a physical characteristic such as a fingerprint or an image of the iris. The characteristic is collected by a sensor, analyzed and compared by software to previously collected personal data.
Working of biometric techniques: it basically works in three steps:
- Capturing a biometric sample from an individual
- Storing the captured sample as the reference sample (enrolment)
- Matching the currently captured sample against the stored reference sample
Types of Biometric techniques
Biometrics can be classified into two categories:
- Physiological biometric techniques such as fingerprints, hand geometry, palm recognition, iris recognition, DNA analysis etc.
- Behavioural techniques, which depend on the behaviour of a person, such as signature dynamics, keystroke dynamics etc.
Signature dynamics is a technique based on the dynamics of making a signature rather than a direct comparison of a written signature with a stored one. Factors measured for signature dynamics are acceleration rates, directions, pressure, stroke length etc.
Effectiveness of biometric techniques
Biometric techniques are evaluated on three basic criteria:
i) False Rejection Rate (FRR): the percentage of authorized users that are denied access due to failure of the biometric device.
ii) False Acceptance Rate (FAR): the percentage of unauthorized users allowed access.
iii) Crossover error rate: the point at which the number of false rejections equals the number of false acceptances. It is also known as the equal error rate (EER). Since a match is a comparison of a similarity score against a threshold, the two rates move in opposite directions: raising the threshold lowers the FAR and raises the FRR, so the operating point is a trade-off between security and convenience.
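The three criteria computed from matcher output, as an added example (not code from the slides). A biometric matcher returns a similarity score and the system accepts when the score is at or above a threshold; sweeping the threshold over a set of genuine (same person) and impostor (different person) scores gives the FRR and FAR curves and the crossover where they are equal. The two score lists are constructed sample data on a 0 to 100 scale, not measurements from any real device.

```python
"""FRR, FAR and crossover (equal) error rate from matcher scores.

Added example: frr() and far() evaluate one threshold; error_curve() sweeps
all thresholds; crossover_error_rate() finds the point where the two rates
are equal; threshold_for_far() shows the price in FRR of a strict FAR target.
"""

# Constructed sample matcher scores (0-100 similarity): genuine attempts should
# score high, impostor attempts low, but the two ranges overlap in practice.
GENUINE = [91, 88, 85, 83, 80, 78, 76, 72, 65, 58]
IMPOSTOR = [20, 25, 31, 38, 44, 50, 57, 62, 70, 79]


def frr(genuine, threshold):
    """False Rejection Rate: fraction of authorised users rejected at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """False Acceptance Rate: fraction of unauthorised users accepted at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor):
    """(threshold, FRR, FAR) for every threshold from the lowest score to above the highest."""
    lo = min(genuine + impostor)
    hi = max(genuine + impostor) + 1      # one above the max: everyone is rejected
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(lo, hi + 1)]


def crossover_error_rate(genuine, impostor):
    """Threshold where |FRR - FAR| is smallest, with the two rates there (the EER)."""
    return min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR paid for it.

    This is the high-security operating point: accept fewer impostors at the
    cost of turning away more legitimate users.
    """
    for t, fr, fa in error_curve(genuine, impostor):
        if fa <= max_far:
            return t, fr
    return None
```

On the constructed data the crossover is at threshold 66 with FRR = FAR = 0.2, while demanding FAR = 0 forces the threshold to 80 and rejects half of the genuine attempts: the convenience cost of a strict security setting is exactly the FRR read off the same curve.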