COEN 350: Network Security

Authentication

Authentication

Between human and machine Between machine and machine

Human Machine Authentication Authentication protocols are based

on What you know.

E.g. password, pass-phrase, (secret key, private key).

What you have. Physical key, smart card.

What you are. Biometrics.

Where you are. E.g. trusted machine, access to room, …

Authentication

Passwords Predate computers. As do some attacks (stealing, guessing)

Older cell phone technology transmits originating number with a password.

Password good, call goes through. Eavesdropper receives phone number –

password combination. Eavesdropper can now clone the phone.

Authentication Password Attacks

Guessing On-line

Time consuming. Authentication attempts are usually logged. Can detect attack long before it is likely to succeed. Can disrupt the attack.

Off-line Attacker needs to steal relevant data from which

password(s) can be determined. Attacker can use arbitrary amount of computing power.

Capturing Passwords Eavesdropping Login Trojan Horse

Authentication

Passwords are stored On each server Alice uses. Centrally: Authentication Storage Node:

Each server retrieves the information when it wants to authenticate Alice.

Centrally: Authentication Facilitator Node:

Each server takes Alice’s data and password and goes to the AFN.

Authentication

Password can be stored Unencrypted

Simple Dangerous

Implicitly as hashes of passwords As in UNIX, VMS

Encrypted Hashed and Encrypted

Authentication Example: Network Information Service (Yellow Pages)

Directory service is the authentication storage node.

Stores hashed passwords of users. Typically, hashed passwords list is world

readable Access by claiming to be a server.

NIS authentication storage node does not authenticate itself to users.

Allows impersonation of authentication service.

Authentication Passwords for machine – machine

communication can be made difficult to guess. Arbitrary length Truly random choice of characters.

Human-machine passwords Guessable Subject to dictionary attack.

Authentication Dictionary attack

Most passwords are natural language words. Or derived from natural language words. Guess the language. Use a dictionary to try out all words in the

language. Start with common passwords first. Replace a single character in a word, attach

a random character, etc.

Authentication

Brute-Force Attack Generate all possible password.

Sometimes make assumptions on the alphabet

only printable character characters on a key-board

Authentication Salting

Protects hashed passwords against an offline attack.

Brute Force attack attacks all passwords in password file simultaneously.

Authentication

Salting Store a salt with each password Hash depends on salt and

password. Use different salts for different

passwords. Store salt with password.

Authentication Salting

Brute force attack, dictionary attack can only attack a single password.

Authentication

Passwords are compromised: By obtaining password file.

Safeguard by Hashing and Salting Encryption

By eavesdropping on an exchange Use one-way passwords:

Lamport Hash

Authentication Address Based

Common in early UNIX Rtools:

.rhosts In user home directory (Computer, Account) pairs These pairs are allowed access to the user’s

account /etc/hosts.equiv

List of network addresses of “equivalent” machines Account name on A is equivalent to account name on B.

Users have to have identical account names.

Authentication

Addressed based authentication threatened by Access escalation

Attacker gains access to one hosts. Access cascades to equivalent hosts /

rhosts. Spoofing addresses

Very easy to spoof source address. Harder to intercept traffic back.

Authentication Ethernet network address

impersonation Easy on the same link. Hubs do not protect. Switches can be spoofed through the

ARP protocol. Routers are harder to fool, but can be

attacked and provided with misleading routing data.

Authentication

Cryptographic authentication Alice proves her identity to Bob by

proving to Bob that she knows a secret.

Hashes Secret key cryptography Public key cryptography.

Human Machine Authentication

Initial password distribution to humans Pre-expired, strong passwords

Through mail Derivable from common knowledge

Student ID

Human Machine Authentication Authentication Token

Possession of the token proves right to access.

Magnetic stripe as on credit cards. Harder to reproduce “Impossible” to guess

Demand special hardware Can be lost or stolen

Add pin or password protection Are not safe against communication

eavesdropping and forging

Human Machine Authentication Authentication Token

Smart Card. Needs to be inserted in a smart card reader. Card authenticates to the smart card reader.

PIN protected smart cards. Stops working after a number of false PINs.

Cryptographic challenge / response cards Card contains a cryptographic key. Authenticating computer issues a challenge. Card solves the challenge after PIN is entered. Harder to crack than PIN protected smart cards

because key is never revealed.

Human Machine Authentication Authentication Token

Smart Card. Readerless smart card (Cryptographic

calculator) Communicates with owner through mini-keyboard

and display. Authenticating computer issues a challenge to

Alice. Alice types in challenge into readerless smart card. Readerless smart card solves the challenge.

After Alice puts in her password. Alice transfers the answer to the computer.

Human Machine Authentication Biometrics

Retinal scanner Fingerprint reader Face recognition Iris scanner Handprint readers Voiceprints Keystroke timing Signatures