
A Practical Comparison of Modern Authentication Mechanisms.


2 A Practical Comparison of Modern Authentication Mechanisms

3 Biometrics: Things you are Measure physical trait: finger, hand, eye, face, … From Authentication © 2002. Used by permission

4 Biometric Authentication Biometrics aren’t memorized & can’t be shared Compares user’s signature to previously established pattern built from that trait “Biometric pattern” file instead of password file From Authentication © 2002. Used by permission

5 Some Based on Behavior Measure something the person does, instead of measuring a physical trait Examples: voice, keystrokes, written signature From Authentication © 2002. Used by permission

6 Pattern Matching We compare how closely a signature matches one user’s pattern versus another’s pattern From Authentication © 2002. Used by permission

7 Matching in Practice FRR (false rejection rate) = doesn’t recognize me; FAR (false acceptance rate) = recognized Bob instead From Authentication © 2002. Used by permission

8 Biometrics in Practice
Higher security means more mistakes
–When we reduce the FAR, we increase the FRR
–More picky about signatures from legitimate users, too
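The FAR/FRR trade-off on slides 7 and 8, as an added example that is not part of the original presentation: a threshold sweep over constructed matcher scores (the score lists and the 0-100 scale are assumptions) shows that every threshold that lowers FAR raises FRR.

```go
package main

import "fmt"

// Constructed similarity scores (0-100) from an assumed toy biometric matcher.
// genuine: a legitimate user's fresh reading compared with her own pattern.
// impostor: someone else's reading compared with that same pattern.
var genuine = []int{92, 88, 95, 80, 71, 85, 90, 66, 77, 83}
var impostor = []int{40, 55, 62, 35, 70, 48, 58, 74, 30, 52}

// Rates holds the two error rates from the slides at one threshold.
type Rates struct {
	FAR float64 // impostor readings accepted (score >= threshold) / impostor count
	FRR float64 // genuine readings rejected (score < threshold) / genuine count
}

// ErrorRates computes FAR and FRR when a signature is accepted iff its
// score is at least threshold.
func ErrorRates(genuine, impostor []int, threshold int) Rates {
	var falseAccept, falseReject int
	for _, s := range impostor {
		if s >= threshold {
			falseAccept++ // "recognized Bob instead"
		}
	}
	for _, s := range genuine {
		if s < threshold {
			falseReject++ // "doesn't recognize me"
		}
	}
	return Rates{
		FAR: float64(falseAccept) / float64(len(impostor)),
		FRR: float64(falseReject) / float64(len(genuine)),
	}
}

func main() {
	// Sweep the threshold: raising it lowers FAR but raises FRR.
	for _, t := range []int{50, 60, 70, 80, 90} {
		r := ErrorRates(genuine, impostor, t)
		fmt.Printf("threshold %2d  FAR %.2f  FRR %.2f\n", t, r.FAR, r.FRR)
	}
}
```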

9 The Biometric Dilemma
The biometric pattern acts like a base secret
But, biometrics are not secrets
–Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes
–Users can’t change biometrics if someone makes a copy
–Risks to personal privacy

10 Biometric Encryption
Use “secure” biometric readers
–Authenticate the readers with base secrets
–Use cryptography to protect the readings
Problem: must administer the readers’ secrets
From Authentication © 2002. Used by permission

11 Biometric Enrollment
How it works
–User provides one or more biometric readings
–The system converts each reading into a signature
–The system constructs the pattern from those signatures
Problems with biometric enrollment
–It’s hard to reliably “pre-enroll” users
–Users must provide biometric readings interactively
Accuracy is time consuming
–Take trial readings, build tentative patterns, try them out
–Take more readings to refine patterns
–Higher accuracy requires more trial readings

12 Tokens: Something You Have Each carries a large, hard to guess secret Portable, usually tamper resistant Some implemented in software From Authentication © 2002. Used by permission

13 Hardware Tokens Resist copying and other attacks by storing the base secret in a tamper-resistant package. From Authentication © 2002. Used by permission

14 Hardware Restricts Sharing These 3 easily share a password, invited or not… … but only one at a time has the token, even if stolen [Diagram: three people log in as user ID croe; the memorized password “egg” is shared, stolen and sniffed, while the token’s one-time passwords 1463, 6435 and 7724 each work for only one login]

15 Public Keys vs. Secret Keys
Two different technologies for tokens
Secret Keys
–Produce single use (“one time”) passwords
–Use Centralized Authentication Servers
Public Key Pairs
–Use challenge response protocols
–Use Certificates and “Public Key Infrastructure” (PKI)

16 Secret Key Authentication [Figure: SofToken]

17 SafeWord PremierAccess™ [Diagram: a central authentication server (web enrollment, access policy, AAA, PKI, authentication broker, LDAP) serving web servers through a web agent, VPN gateways and RAS (dialup) servers through RADIUS, Citrix servers and UNIX & Windows system login through agents; user groups shown are customers, partners, employees, sales staff and IT staff]

18 One-Time Password Tokens Attacker can’t reuse the sniffed password From Authentication © 2002. Used by permission

19 SafeWord Server [Diagram: the user’s token and the SafeWord server each hold the token’s secret key and a sequence value; the token derives a one-time password from them with DES, the server derives the expected password(s) the same way and compares them]
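The secret-key token of slides 18 and 19, as an added example that is neither the presentation’s nor SafeWord’s code: both sides derive the one-time password from the shared secret and a sequence counter, the server accepts any of a small window of expected passwords, and a sniffed password is rejected on replay. The slide shows DES as the derivation function; this example substitutes HMAC-SHA256 (an assumption, chosen because it is in Go’s standard library), and the secret and window size are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Password derives the one-time password for one value of the sequence
// counter from the token's secret key. Assumption: HMAC-SHA256 stands in
// for the DES step shown on the slide; the result is a 6-digit code.
func Password(secret []byte, seq uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], seq)
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// Server holds the per-user copy of the token's secret key, the next
// sequence value it expects, and a look-ahead window so a few presses of
// the token button without logging in do not desynchronize the two sides.
type Server struct {
	secret []byte
	next   uint64
	window uint64
}

// Verify accepts a password only if it matches one of the expected
// passwords for sequence values [next, next+window), then moves next
// past the used value, so the same password can never be accepted twice.
func (s *Server) Verify(pw string) bool {
	for i := uint64(0); i < s.window; i++ {
		if hmac.Equal([]byte(pw), []byte(Password(s.secret, s.next+i))) {
			s.next += i + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("constructed-token-secret") // constructed, per-token
	srv := &Server{secret: secret, next: 1, window: 5}
	pw := Password(secret, 1) // what the user's token displays
	fmt.Println("first use accepted:", srv.Verify(pw)) // true
	fmt.Println("sniffed and replayed:", srv.Verify(pw)) // false
}
```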

20 MobilePass™ Authentication 1.Dial the authentication server with your cell phone 2.Server sends you a text message with the one time password 3.Type the one time password into the password prompt 4.Authentication server compares the password you typed with the password it sent to your phone from Secure Computing

21 Tokens Resist Attacks

22 Public Key Authentication [Figure: key file, USB device, biometric, smart cards]

23 Public Key Authentication
[Diagram: Bob’s private key; Bob’s public key certificate (Bob@mail.com, Key: 3,5555)]
1. Bob sends his public key to Server
2. Server sends a random challenge {Random}
3. Bob encrypts challenge with his private key (Public Key Encrypt)
4. Server decrypts challenge with Bob’s public key (Public Key Decrypt) and compares it with the challenge it sent: Match!
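The challenge-response exchange of slide 23, as an added example that is not part of the original presentation: the server draws a fresh random challenge, the token answers it with the private key that never leaves the token, and the server checks the answer against the public key on file. Where the slide says “encrypt with the private key”, this example uses an Ed25519 signature, the modern form of the same step (an assumption); the user directory standing in for the certificate lookup and the key material are constructed, and certificate validation is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Directory is the server's record of enrolled public keys, the role the
// certificate plays on the slide (name -> key). Assumed for this example.
type Directory map[string]ed25519.PublicKey

// Challenge is step 2: the server draws a fresh random value for this login,
// so a response captured earlier cannot answer a later challenge.
func Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond is step 3: the token signs the challenge with the private key.
// The key itself is never sent; only the signature is.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is step 4: the server checks the response against the public key
// it holds for the claimed user and against the challenge it actually sent.
func (d Directory) Verify(user string, challenge, response []byte) bool {
	pub, ok := d[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, response)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // step 1: enrollment
	dir := Directory{"Bob@mail.com": pub}
	ch, _ := Challenge()
	resp := Respond(priv, ch)
	fmt.Println("match:", dir.Verify("Bob@mail.com", ch, resp)) // true
	// A sniffed response is useless against the next login's challenge.
	ch2, _ := Challenge()
	fmt.Println("replayed response:", dir.Verify("Bob@mail.com", ch2, resp)) // false
}
```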

24 Public Key Tokens
Smart cards, USB “Key” format, and PC cards
Safest ones never disclose the private key
–Generate the public key pair on the card
–Provide services, but never export the key
From Authentication © 2002. Used by permission

25 Public Keys in Practice
Available with Kerberos/Windows 2000
–Challenge response function logs you in to the domain
Widely used to authenticate E-commerce hosts on the World Wide Web
–Far more common than user authentication
–Invisible to end users (did you know it was happening?)
Enrollment Process
1. Generate a public/private key pair; protect your private key
2. Give the public key and your name to Certificate Authority
3. Certificate Authority issues you a Certificate
4. Share your Certificate with those who must authenticate you

26 Certificates in E-Commerce
Certificates associate a name and a key
–Certificate integrity assured by a “digital signature”
–Signature affixed by the “Certificate Authority” (CA)
Customers use CA’s Public Key
–Check certificate signature with CA’s public key
–You must have the CA key to verify the certificate!
From Authentication © 2002. Used by permission

27 Public Keys Resist Attacks

28 Public Key is Better…
Does not need a central authentication server
–Eliminate need to protect a centralized list of secret keys
–Eliminate need for real time communication to server
–You only need a set of CA keys to authenticate people & sites
Risk of subversion is distributed to individual machines performing authentication
Easy to authenticate new users
–Each new user simply acquires and provides a certificate
Safer to distribute across multiple enterprises
Higher resistance to trial-and-error attacks

29 Or is Secret Key Better…
Simpler underlying technology
–Can be deployed off-the-shelf
–Does not require a complex “infrastructure”
–Redundant central servers can provide reliability and availability
One time passwords fit existing password prompts
Works with existing software base
–RADIUS compatibility, older Microsoft Windows integration
Easy to revoke access
–You just update the user’s entry on the central server
–It’s very difficult to revoke public keys: once a certificate is distributed, there’s no reliable way to track down all copies of it and delete them.

30 “Software” Tokens
Guess resistance of tokens at a lower cost
Secret Key Examples
–Token vendors build “soft tokens”
–SafeWord™, e.id™, SecurID™
Public Key Examples
–Keyfiles on Lotus Notes, Web browsers
Does not prevent delegation
Cannot detect sniffing, copying

31 Multi-Factor Authentication
We cover the weaknesses of individual techniques (tokens, passwords, biometrics) by combining two or more in one mechanism
Two Factor Authentication
–ATM Cards - card plus PIN
–One-time password token with a keypad - token plus PIN
–Biometric reading protected with a secret encryption key
Three Factor Authentication
–Token + memorized PIN + biometric reading
–More Expensive = Rarely used

32 Multi-Factor Token Fingerprint “unlocks” the authentication token From Authentication © 2002. Used by permission

33 Authentication Strengths

34 Summary
Passwords are still the cheapest and most common
–Cannot protect valuable assets - too easy to attack
–Risky on the Internet unless you use encryption, too
Biometrics have limited use on networks
–Too easy to intercept and replay
–Must be used in conjunction with cryptography
Tokens give strongest protection
–Embedded cryptographic secrets can be hard to attack
–Hardware tokens prevent sharing and delegation
–Protect against theft with added factor: a PIN or a biometric
