Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Authentication: Who goes there? Determine whether access is allowed Authenticate human to machine Authenticate machine to machine Authorization:

Published byLilian Wilkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Control Authentication: Who goes there? Determine whether access is allowed Authenticate human to machine Authenticate machine to machine Authorization:"— Presentation transcript:

1

2 Access Control

3 Authentication: Who goes there? Determine whether access is allowed Authenticate human to machine Authenticate machine to machine Authorization: Are you allowed to do that? Once you have access, what can you do? Enforces limits on actions Note: Access control often used as synonym for authorization Chapter 7 Authentication 2

4 Passwords Biometrics Smartcard

5 Who Goes There? How to authenticate a human to a machine? Can be based on… Something you know: a password Something you have: a smartcard Something you are: your fingerprint Chapter 7 Authentication 4 Are Know Have

6 Password Chapter 7 Authentication 5

7 Something You Know Passwords Lots of things act as passwords! PIN (Personal Identification Number) Social security number Mother’s maiden name Date of birth Name of your pet, etc. Chapter 7 Authentication 6 Are Have Know

8 Trouble with Passwords - 1/2 Passwords are one of the biggest practical problems facing security engineers today. One solution use cryptographic keys as passwords Cryptographic keys are also large, expensive to maintain, difficult to manage, and they pollute the environment. Chapter 7 Authentication 7

9 Trouble with Passwords - 2/2 Humans are incapable of securely storing high- quality cryptographic keys, and have unacceptable speed and accuracy when performing cryptographic operations. Chapter 7 Authentication 8

10 Why Passwords? Why is “something you know” more popular than “something you have” and “something you are”? Two reasons Cost: passwords are free Convenience: easier for System Administrator to reset password than to issue new smartcard Chapter 7 Authentication 9

11 Password issues Keys and Passwords Choosing Passwords Attacking Systems via Passwords Password Verification Math of Password Cracking Other Password Issues Chapter 7 Authentication 10

12 Keys vs Passwords – 1/2 Crypto keys Spse key is 64 bits Then 2 64 keys Choose key at random Then attacker must try about 2 63 keys Passwords Spse pwds are 8 characters, and 256 different choices for 1 character Then 256 8 = 2 64 pwds Users do not select passwords at random Attacker has far less than 2 63 pwds to try (dictionary attack) Chapter 7 Authentication 11

13 Keys vs Passwords - 2/2 Dictionary Attack “dictionary” of 2 20 ≈ 1,000,000 passwords: reasonable probability to crack any given password But for randomly generated 64-bits key Given of 2 20 ≈ 1,000,000 passwords, Then the chance to success is only 2 20 / 2 64 = 1/ 2 44 ≈ 1/17,000,000,000,000 Nonrandomness of pwds is the root of problems Chapter 7 Authentication 12

14 Choosing Password - 1/4 Bad passwords frank Fido password 4444 Pikachu 102560 AustinStamp Good Passwords? jfIej,43j-EmmL+y 09864376537263 P0kem0N FSa7Yago 0nceuP0nAt1m8 PokeGCTall150 Chapter 7 Authentication 13

15 Choosing Password - 2/4 Passphase is another solution for pwd a sequence of words or other text used to control access to a computer system A passphrase is similar to a password in usage, but is generally longer for added security. Experiment: three groups of users Group A: At least 6 chars, 1 non-letter Group B: Password based on passphrase Group C: 8 random characters Chapter 7 Authentication 14

16 Choosing Password - 3/4 Results Group A: About 30% of pwds easy to crack Group B: About 10% cracked Passwords easy to remember Group C: About 10% cracked Passwords hard to remember Chapter 7 Authentication winner 15

17 Choosing Password - 4/4 Assigned passwords sometimes best User compliance hard to achieve In each case, 1/3rd did not comply and about 1/3rd of those easy to crack! If passwords not assigned, best advice is Choose passwords based on passphrase Use pwd cracking tool to test for weak pwds Require periodic password changes? Chapter 7 Authentication 16

18 Attacks on Passwords - 1/2 Attacker could… Target one particular account Target any account on system Target any account on any system Attempt denial of service (DoS) attack Common attack path Outsider  normal user  administrator May only require one weak password! Chapter 7 Authentication 17

19 Attacks on Passwords - 2/2 Suppose system locks after 3 bad passwords. How long should it lock until SA restores service ? 5 seconds – (insufficient to deter automatic attack) 5 minutes – (open door to a DOS) What are +’s and -’s of each? The correction answer of it is not readily apparent Chapter 7 Authentication 18

20 Password Verification - 1/5 To determine the validity of an entered password, the computer must have something to compare against But need a way to verify passwords Store pwds in a file Store pwds in a file after hashing Store pwds in a file after salt hashing Bad idea to store passwords in a file Chapter 7 Authentication 19

21 Password Verification - 2/5 Cryptographic solution: hash the passwords Store y = hash(password) Can verify entered password by hashing If attacker obtains password file, he does not obtain passwords Of course, If attacker with pwd file can guess x and check whether y = hash(x), t hen attacker has found pwd! But, At least, the attacker can not use the file directly! Chapter 7 Authentication 20

22 Password Verification - 3/5 Spse attacker pre-computes hash(x) for all x in a dictionary of common pwds and attacker gets access to pwd file containing hashed pwds Attacker only needs to compare hashes to his pre-computed dictionary Same attack will work each time Can we prevent this attack? Or at least make attacker’s job more difficult? Chapter 7 Authentication 21

23 Password Verification - 4/5 Salt value can make attacker more difficult Slat serves as IV of CBC mode: IV is not secret Given password, choose random s, compute y = hash(pwd, s) and store the pair (s,y) in the password file Note: The salt value is not secret Chapter 7 Authentication 22

24 Password Verification - 5/5 Easy to verify password To verify pwd z, retrieve (s,y) from pwd file Compute hash(z,s) and compare it y Attacker must recompute dictionary hashes for each user  lots more work! Spse Alice’s pwd is hashed with s a, Bob’s s b Then to crack Alice’s pwd using the dictionary, Trudy must compute hashes of the word in dic with s a, but crack Bob’s Trudy must recompute the hashes using s b Chapter 7 Authentication 23

25 Other Password Issues -1/3 Too many passwords to remember Results in password reuse Why is this a problem? – Trudy would be wise to try it other place where you use a password. Failure to change default passwords Social engineering If someone calls you, claiming to be a SA who needs your pwd in order to correct prob., would you give out your pwd? - 34% will give it and 70% will give their pwd away for a candy bar Chapter 7 Authentication 24

26 Other Password Issues -2/3 Who suffers from bad password? ATM PIN: only you Login password: every one of the system Error logs may contain “almost” passwords Bugs, keystroke logging, spyware, etc. Chapter 7 Authentication 25

27 Other Password Issues -3/3 Popular password cracking tools Password Crackers Password Portal L0phtCrack and LC4 (Windows) L0phtCrack and LC4 John the Ripper (Unix) John the Ripper Admins should use these tools to test for weak passwords since attackers will! Good article on password cracking Passwords - Conerstone of Computer Security Chapter 7 Authentication 26

28 Passwords The bottom line Password cracking is too easy! One weak password may break security Users choose bad passwords Social engineering attacks, etc. The bad guy has all of the advantages All of the math favors bad guys Passwords are a big security problem Chapter 7 Authentication 27

29 Biometrics Chapter 7 Authentication 28

30 Something You Are Biometric “You are your key”  Schneier Chapter 7 Authentication Examples Fingerprint Handwritten signature Facial recognition Speech recognition Gait (walking) recognition “Digital doggie” (odor recognition) Many more! 29 Know Have Are

31 Why Biometrics? Biometrics seen as desirable replacement for passwords Cheap and reliable biometrics needed Today, a very active area of research Biometrics are used in security today Thumbprint mouse Palm print for secure entry Fingerprint to unlock car door, etc. But biometrics not too popular Has not lived up to its promise (yet?) – Why? Chapter 7 Authentication 30

32 The DARK SIDE … Social acceptance: Perceived as invasive; People liked facial scans less as fingerprints as a substitute for a PIN in ATM. Easy to forge: Biometric measurements are easy to forge. It's easy to steal a biometric after the measurement is taken. Impossible to revoke: What happens if a biometric is stolen? It can not be revoked…Once someone steals your biometric, it remains stolen for life. Privacy: issues…Biometrics are personal Chapter 7 Authentication 31

33 Ideal Biometric Universal 보편성  applies to (almost) everyone In reality, no biometric applies to everyone Distinguishing 구별성  distinguish with certainty In reality, cannot hope for 100% certainty Permanent 영구성  physical characteristic being measured never changes In reality, want it to remain valid for a long time Collectable 수집성  easy to collect required data Depends on whether subjects are cooperative Safe, easy to use, etc., etc. Chapter 7 Authentication 32

34 Biometric Modes Identification 식별  Who goes there? Compare one to many Example: The FBI fingerprint database Authentication 인증  Is that really you? Compare one to one Example: Thumbprint mouse Identification problem more difficult More “random” matches since more comparisons We are interested in authentication Chapter 7 Authentication 33

35 Two phases of Bio system Enrollment phase Subject’s biometric info put into database Must carefully measure the required info It could be needed slow and repeated measurement A weak point of many biometric schemes Must be very precise for good recognition Recognition phase Biometric detection when used in practice Must be quick and simple But must be reasonably accurate Chapter 7 Authentication 34

36 Cooperative Subjects We are assuming cooperative subjects In authentication, subjects are cooperative In identification, problem often have uncooperative subjects For example, facial recognition Proposed for use in Las Vegas casinos to detect known cheaters Also as way to detect terrorists in airports, etc. Probably do not have ideal enrollment conditions Subject will try to confuse recognition phase Cooperative subjects make bio prob much more tractable!!! Chapter 7 Authentication 35

37 Biometric issues Type of Error Biometric Examples Fingerprints Hand Geometry Iris Scan Biometric Error Rates Biometric Conclusions Chapter 7 Authentication 36

38 Biometric Examples Type of Error Chapter 7 Authentication 37

39 Biometric Errors Fraud rate 기만율 versus insult rate 모욕률 Fraud  user A mis-authenticated as user B Insult  user A not authenticate as user A For any biometric, can decrease fraud or insult, but other will increase For example 99% voiceprint match  low fraud, high insult 30% voiceprint match  high fraud, low insult Equal error rate: rate where fraud == insult The useful measure for comparing different biometric system Chapter 7 Authentication 38

40 Biometric Examples Fingerprint Chapter 7 Authentication 39

41 Fingerprint History - 1/2 Ancient China: as a form of signature Scientific Form 1798  J.C. Major suggest that Fingerprint might be unique 1823  Professor J. E. Purkinje discussed 9 fingerprint patterns 1856  Sir W. Hershel used fingerprint (in India) on contracts 1880  Dr. H. Faulds article in Nature about fingerprints for ID 1883  M.Twain’s Life on the Mississippi, a murderer ID’ed by fingerprint Chapter 7 Authentication 40

42 Fingerprint History - 2/2 Widespread use of fingerprint 1892  Sir Francis Galton (cousin of Darwin) developed classification system His system of “minutia” is still in use today Also verified that fingerprints do not change Some countries require a number of points (i.e., minutia 지문특징 ) to match in criminal cases In Britain, 15 points In US, no fixed number of points required Chapter 7 Authentication 41

43 Fingerprint Comparison Examples of loops 제상문, whorls 외상문 and arches 궁상문 Minutia extracted from these features Chapter 7 Authentication Loop (double) Whorl 소용돌이꼴 Arch 42

44 Fingerprint Biometric - 1/2 1.Capture image of fingerprint 2.Enhance image 3.Identify minutia Chapter 7 Authentication 43

45 Fingerprint Biometric - 2/2 Extracted minutia are compared with user’s minutia stored in a database Analogous to the manual analysis Is it a statistical match? Chapter 7 Authentication 44

46 Biometric Examples Hand Geometry Chapter 7 Authentication 45

47 Hand Geometry Chapter 7 Authentication Popular form of biometric Measures shape of hand Width of hand, fingers Length of fingers, etc. (16) Human hands not unique Hand geometry sufficient for many situations Suitable for authentication Not useful for ID problem 46

48 Hand Geometry Advantages Quick 1 minute for enrollment 5 seconds for recognition Hands symmetric (use other hand backwards) Disadvantages Cannot use on very young or very old Relatively high equal error rate Chapter 7 Authentication 47

49 Biometric Examples Iris Scan Chapter 7 Authentication 48

50 Iris Patterns Iris: the colored part of the eye In theory, the best for authentication Iris pattern development is “chaotic” So, minor variations lead to large differences Little or no genetic influence Different even for identical twins Pattern is stable through lifetime Chapter 7 Authentication 49

51 Iris Recognition: History The first idea of using the human iris for ID -1936 suggested by Frank Burch Resurface - 1980s James Bond films The first patent appeared - 1986 The best current approach to iris scanning – 1994 patented by John Daugman Patent owned by Iridian Technologies Chapter 7 Authentication 50

52 Automated Iris Scan 1.Scanner locates iris 2.Take black/white photo Use polar coordinates… 3.The image is processed using 2-D wavelet transform 4.Get 256(2048bits) byte iris code Chapter 7 Authentication 51

53 Measuring Iris Similarity Based on Hamming distance Define d(x,y) to be (# of non match bits) / (# of bits compared) Example d(0010,0101) = 3/4 and d(101111,101001) = 1/3 Compute d(x,y) on 2048 -bit iris code Perfect match is d(x,y) = 0 For same iris, expected distance is 0.08 At random, expect distance of 0.50 Accept as match if distance less than 0.32 Chapter 7 Authentication 52

54 Iris Scan Error Rate Chapter 7 Authentication distance 0.29 1 in 1.3  10 10 0.30 1 in 1.5  10 9 0.31 1 in 1.8  10 8 0.32 1 in 2.6  10 7 0.33 1 in 4.0  10 6 0.34 1 in 6.9  10 5 0.35 1 in 1.3  10 5 distance Fraud rate : equal error rate 53

55 Attack on Iris Scan Good photo of eye can be scanned And attacker can use photo of eye Chapter 7 Authentication Afghan woman was authenticated by iris scan of old photo Story is herehere To prevent photo attack, scanner could use light to be sure it is a “live” iris 54

56 Biometric Error Rates Chapter 7 Authentication 55

57 Equal Error Rate Comparison Equal error rate (EER): fraud rate == insult rate Fingerprint bio has EER of about 5% Hand geometry has EER of about 10 -3 Iris scan has EER of about 10 -6 But in practice, hard to achieve Enrollment phase must be extremely accurate Chapter 7 Authentication 56

58 Equal Error Rate Comparison In practice, most biometrics much worse than fingerprint! Biometrics useful for authentication… But ID biometrics are almost useless today Chapter 7 Authentication 57

59 Biometric Conclusions Chapter 7 Authentication 58

60 Biometrics: The Bottom Line Biometrics are hard to forge But attacker could Steal Alice’s thumb Photocopy Bob’s fingerprint, eye, etc. Subvert software, database, “trusted path”, … Also, how to revoke a “broken” biometric? Biometrics are not foolproof! Biometric use is limited today That should change in the future… Chapter 7 Authentication 59

61 Smart Card Chapter 7 Authentication 60

62 Something You Have Something in your possession Examples include Car key Laptop computer Or specific MAC address Password generator We’ll look at this next ATM card, smartcard, etc. Chapter 7 Authentication 61 Are Know Have

63 Password Generator Alice gets “challenge” R from Bob Alice enters R into password generator Alice sends “response” back to Bob Alice has pwd generator and knows PIN Chapter 7 Authentication Alice Bob 1. “I’m Alice” 2. R 5. F(R) 3. PIN, R 4. F(R) Password generator 62

64 Other issues Chapter 7 Authentication 63

65 2-factor Authentication Requires 2 out of 3 of Something you know Something you have Something you are Examples ATM: Card and PIN Credit card: Card and signature Password generator: Device and PIN Smartcard with password/PIN Chapter 7 Authentication 64

66 Single Sign-on A hassle to enter password(s) repeatedly Users want to authenticate only once “Credentials” stay with user wherever he goes Subsequent authentication is transparent to user Single sign-on for the Internet? Microsoft: Passport Everybody else: Liberty Alliance 자유동맹군 Based on Security Assertion Markup Language (SAML) Chapter 7 Authentication 65

Download ppt "Access Control Authentication: Who goes there? Determine whether access is allowed Authenticate human to machine Authenticate machine to machine Authorization:"

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Computer Science 653 --- Lecture 3 Biometrics Professor Wayne Patterson Howard University Fall 2009.

Computer Science Lecture 3 Biometrics Professor Wayne Patterson Howard University Fall 2009.
Pattern Recognition 1/6/2009 Instructor: Wen-Hung Liao, Ph.D. Biometrics.

Pattern Recognition 1/6/2009 Instructor: Wen-Hung Liao, Ph.D. Biometrics.
By: Monika Achury and Shuchita Singh

By: Monika Achury and Shuchita Singh
BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.

BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.

Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
Introduction to Fingerprint Biometrics By Tamar Bar.

Introduction to Fingerprint Biometrics By Tamar Bar.
Department of Electrical and Computer Engineering Physical Biometrics Matthew Webb ECE 8741.

Department of Electrical and Computer Engineering Physical Biometrics Matthew Webb ECE 8741.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
Access Control 1 Access Control Access Control 2 Access Control  Two parts to access control  Authentication: Who goes there? o Determine whether access.

Access Control 1 Access Control Access Control 2 Access Control  Two parts to access control  Authentication: Who goes there? o Determine whether access.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
B IOMETRICS Akash Mudubagilu Arindam Gupta. O VERVIEW What is Biometrics? Why Biometrics? General Biometric System Different types of Biometrics Uses.

B IOMETRICS Akash Mudubagilu Arindam Gupta. O VERVIEW What is Biometrics? Why Biometrics? General Biometric System Different types of Biometrics Uses.
Marjie Rodrigues 411154.

Marjie Rodrigues
Security-Authentication

Security-Authentication
Biometric Authentication Presenter: Yaoyu, Zhang Presenter: Yaoyu, Zhang.

Biometric Authentication Presenter: Yaoyu, Zhang Presenter: Yaoyu, Zhang.

Similar presentations

Ads by Google