Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 11: Authentication

Published byKároly Kis Modified over 5 years ago

Similar presentations

Presentation on theme: "Chapter 11: Authentication"— Presentation transcript:

1 Chapter 11: Authentication
Basics Passwords Challenge-Response Biometrics Location Multiple Methods November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

2 Establishing Identity
One or more of the following What entity knows (eg. password) What entity has (eg. badge, smart card) What entity is (eg. fingerprints, retinal characteristics) Where entity is (eg. In front of a particular terminal)

3 What entity knows

4 What entity has

5 What entity is

6 Where entity is

7 Authentication System
(A, C, F, L, S) A (authentication information): the set of specific information with which entities proves their identity; C (complementary information): the set of information that the system stores and uses to validate the authentication information; F (complementation function): generate the complementary information from the authentication information; f : A  C; L: authentication functions that prove identity; S: selection function enabling an entity to create or alter information in A or C; November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

8 Authentication System
(A, C, F, L, S) A (authentication information): the set of specific information with which entities proves their identity;

9 Authentication System
(A, C, F, L, S) C (complementary information): the set of information that the system stores and uses to validate the authentication information;

10 Authentication System
(A, C, F, L, S) F (complementation function): generate the complementary information from the authentication information; f : A  C;

11 Authentication System
(A, C, F, L, S) L: authentication functions that prove identity;

12 Authentication System
(A, C, F, L, S) S: selection function enabling an entity to create or alter information in A or C;

13 Example Password system, with passwords stored on line in clear text
A set of strings making up passwords C = A F singleton set of identity function { I } L single equality test function { eq } S function to set/change password November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

14 Passwords Example of an authentication mechanism based on what people know; Sequence of characters Examples: 10 digits, a string of letters, etc. Generated randomly, by user, by computer with user input Sequence of words Examples: pass-phrases Algorithms Examples: challenge-response, one-time passwords November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

15 Storage of Passwords Store as cleartext Encipher file
If password file compromised, all passwords revealed Encipher file Need to have decipherment, encipherment keys in memory Reduces to previous problem Store one-way hash of password If file read, attacker must still guess passwords or invert the hash November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

16 SHA-1 Hashing Example

17 Anatomy of Attacking Goal: find a  A such that:
For some f  F, f(a) = c  C c is associated with entity Two ways to determine whether a meets these requirements: Direct approach: as above Indirect approach: as l(a) succeeds iff f(a) = c  C for some c associated with an entity, compute l(a) November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

18 Preventing Attacks How to prevent this: Hide one of a, f, or c
Prevents obvious attack from above Example: UNIX/Linux shadow password files Hides c’s Block access to all l  L or result of l(a) Prevents attacker from knowing if guess succeeded Example: preventing any logins to an account from a network Prevents knowing results of l (or accessing l) November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

19 Guessing Through L Cannot prevent these Make them slow
Otherwise, legitimate users cannot log in Make them slow Backoff: the amount of time to wait before next attempt keep increasing; Disconnection: after some number of failed authentication attempts, the connection is broken and the user must reestablish it; Disabling: if n consecutive attempts to log in to an account fail, the account is disabled until a security manager can reenable it; Be very careful with administrative accounts! Jailing: Allow in, but restrict activities and record the attacker’s actions; November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

20 Dictionary Attack vs Brute Force
Definition 11–3. A dictionary attack is the guessing of a password by repeated trial and error.

21 Anderson’s Formula The goal of defenders is to maximize the time needed to guess a password. Anderson’s formula: P: probability of guessing a password in specified period of time G: number of guesses tested in 1 time unit T: number of time units N: number of possible passwords (|A|) Then P ≥ TG/N

22 Example Goal Solution Passwords drawn from a 96-char alphabet
Can test 104 guesses per second Probability of a success to be 0.5 over a 365 day period What is minimum password length? Solution N ≥ TG/P = (365246060)104/0.5 = 6.311011 Choose s such that 96s ≥ N So s ≥ 6, meaning passwords must be at least 6 chars long

23 Approaches: Password Selection
Random selection Any password from A equally likely to be selected Pronounceable passwords User selection of passwords November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

24 Random Selection of Passwords
Theorem 11-1: let the expected time to guess a password be T. Then T is a maximum when the selection of any of a set of possible passwords is equiprobable; Short passwords should be avoided; Size of password space could be reduced due to the limited period of pseudo-random number generator; Human factor is also an important role: a person who is assigned two random passwords must write them down; Use a transformation algorithm to keep the password safe: t: X  A; Transformation algorithm is “capitalize the third letter in the word, and append the digit 2.” “Swqgle3”  ? (the transformation algorithm needs to be memorized). November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

25 Pronounceable Passwords
Generate phonemes randomly Phoneme is unit of sound, eg. cv, vc, cvc, vcv (c: consonant, v: vowel) Examples: helgoret, juttelon are; przbqxdfl, zxrptglfn are not Problem: too few Solution: key crunching Run long key through hash function and convert to printable sequence Use this sequence as password November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

26 User Selection Problem: people pick easy to guess passwords
Based on account names, user names, computer names, place names Dictionary words (also reversed, odd capitalizations, control characters, “elite-speak”, conjugations or declensions, swear words, Torah/Bible/Koran/… words) Too short, digits only, letters only License plates, acronyms, social security numbers Personal characteristics or foibles (pet names, nicknames, job characteristics, etc. November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

27 Picking Good Passwords
“LlMm*2^Ap” Names of members of 2 families “OoHeO/FSK” Second letter of each word of length 4 or more in third line of third verse of Star-Spangled Banner, followed by “/”, followed by author’s initials What’s good here may be bad there “DMC/MHmh” bad at Dartmouth (“Dartmouth Medical Center/Mary Hitchcock memorial hospital”), ok here Why are these now bad passwords?  November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

28 Proactive Password Checking
Analyze proposed password for “goodness” Always invoked Can detect, reject bad passwords for an appropriate definition of “bad” Discriminate on per-user, per-site basis Needs to do pattern matching on words Needs to execute subprograms and use results Spell checker, for example Easy to set up and integrate into password selection system November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

29 Password Aging Force users to change passwords after some time has expired How do you force users not to re-use passwords? Record previous passwords Block changes for a period of time Give users time to think of good passwords Don’t force them to change before they can log in Warn them of expiration days in advance

30 Challenge-Response User, system share a secret function f (in practice, f is a known function with unknown parameters, such as a cryptographic key)

31 Pass Algorithms Challenge-response with the function f itself a secret
Example: Challenge is a random string of characters such as “abcdefg”, “ageksido” Response is some function of that string such as “bdf”, “gkip” Can alter algorithm based on ancillary information Network connection is as above, dial-up might require “aceg”, “aesd” Usually used in conjunction with fixed, reusable password November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

32 One-Time Passwords Password that can be used exactly once Problems
After use, it is immediately invalidated Problems Synchronization of user, system Generation of good random passwords Password distribution problem

33 Biometrics Fingerprints: optical or electrical techniques
Optical Scanner vs Capacitive Scanner; Maps fingerprint into a graph, then compares with database

34 Biometrics – Voice ID Voices: speaker verification or recognition
Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent) Recognition: checks content of answers (speaker independent)

35 Other Characteristics
Eyes: patterns in irises unique Measure patterns, determine if differences are random; or correlate images using statistical tests

36 Other Characteristics
Faces: image, or specific characteristics like distance from nose to chin Lighting, view of face, other noise can hinder this

37 Other Characteristics
Keystroke dynamics: believed to be unique Keystroke intervals, pressure, duration of stroke, where key is struck Statistical tests used

38 Cautions These can be fooled!
Assumes biometric device accurate in the environment it is being used in! Transmission of data to validator is tamperproof, correct

39 Key Points Authentication is not cryptography
You have to consider system components Passwords are here to stay They provide a basis for most forms of authentication Protocols are important They can make masquerading harder Authentication methods can be combined Example: PAM November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

Download ppt "Chapter 11: Authentication"

Similar presentations

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
Chapter 12: Authentication

Chapter 12: Authentication
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.
Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.

Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.
1 Authentication CS461/ECE422 Fall 2010. 2 Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography

1 Authentication CS461/ECE422 Fall Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
Authentication CS461/ECE422 Spring 2012. Readings Chapter 3 from text Rainbow tables – Chapter 10 from Handbook.

Authentication CS461/ECE422 Spring Readings Chapter 3 from text Rainbow tables – Chapter 10 from Handbook.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.
Authentication Chapter 11 Modified (heavily) by Dan Fleck Coming up: Basics 1111.

Authentication Chapter 11 Modified (heavily) by Dan Fleck Coming up: Basics 1111.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.
CIS 450 – Network Security Chapter 8 – Password Security.

CIS 450 – Network Security Chapter 8 – Password Security.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.

Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.
10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.

10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.

Similar presentations

Ads by Google