User Authentication (Chapter 3), Computer Security: Principles and Practice, 3rd Edition, William Stallings and Lawrie Brown


  • User Authentication

    (Chapter 3)

    Computer Security: Principles and Practice, 3rd Edition, William Stallings and Lawrie Brown

  • Contents

    Token-Based Authentication

    Biometric Authentication

    Remote User Authentication

    Security Issues for User Authentication

    Practical Application: An Iris Biometric System

    Case Study: Security Problems for ATM Systems


  • Learning Objectives

    After studying this chapter, you should be able to:

    Discuss the four general means of authenticating a user’s identity

    Explain the mechanism by which hashed passwords are used for user authentication

    Present an overview of token-based user authentication

    Present an overview of biometric-based user authentication

    Discuss the issues involved and the approaches for remote user authentication

    Summarize some of the key security issues for user authentication


  • Threats & Security properties

    MS STRIDE and their mitigations

    Computer security & OS lab, DKU

    MFA: Multi-Factor Authentication

    ACLs: Access Control Lists

  • Authentication

    RFC 2828 defines user authentication as:

    “The process of verifying an identity claimed by or for a system entity.”

    Fundamental building block and primary line of defense

    Basis for access control & user accountability

  • Authentication

    Authentication is usually based on a combination of:

    1. Something you know: things such as a PIN, a password, prearranged questions, or your mother's maiden name.

    2. Something you have: a driver's license, a smart card or a radio key for storing secret keys.

    3. Something you are: biometrics

    Static biometrics: fingerprints, retina, face, palm prints

    Dynamic biometrics: voice pattern, handwriting, typing rhythm

    4. Somewhere you are/not: IP or MAC address

    Two-factor authentication (a kind of strong authentication)

    ● requires providing more than one type of authentication information


  • User Authentication


    The means of authenticating user identity are based on:

    • Something you know: password, PIN, answers to prearranged questions

    • Something you have: smartcard, electronic keycard, physical key

    • Something you are (static biometrics): fingerprint, retina, face

    • Something you are (dynamic biometrics): voice pattern, handwriting, typing rhythm

  • Authentication

    Source: http://www.validsoft.com/five-factor-authentication

  • Something You Know

    • Password Authentication

    • Password Cracking

  • Password Authentication

    Widely used line of defense against intruders: the user provides a name/login and a password, and the system compares the password with the one stored for that login

    The user ID:

    ● determines that the user is authorized to access the system

    ● determines the user’s privileges

    ● is used in discretionary access control (DAC)

    Password storage: the passwords in /etc/passwd were encrypted with the crypt(3) function (a one-way hash); the hashes are now kept in /etc/shadow

  • Password-based Authentication

  • Password Vulnerabilities

    Offline dictionary attack

    Workstation hijacking

    ● The attacker waits until a logged-in workstation is unattended.

    Exploiting user mistakes

    ● Sometimes a user writes down the password

    ● attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password.

    ● Many computer systems are shipped with preconfigured passwords for system administrators

    Exploiting multiple password use

    ● Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user.

    Electronic monitoring

    ● If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping


  • Simple Countermeasures

    Controls to prevent unauthorized access to the password file

    Intrusion detection measures to identify a compromise

    Rapid reissuance of compromised passwords

    Account lockout mechanisms: lock out access to the account after a number of failed login attempts

    Policies to inhibit users from selecting common passwords

    Training in and enforcement of password policies that make passwords difficult to guess: minimum length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed

    Automatic workstation logout

    Policies that forbid the same or similar passwords on network devices

    Password encryption (basic hash encryption): AES (reversible encryption) vs. MD5 (one-way hash)

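The password-policy and account-lockout countermeasures above, as an added Python example that is not part of the slides (the thresholds, the common-password list and the well-known identifier list are assumed sample values):

```python
import re

# Added example, not from the slides: two of the countermeasures listed above, a
# password-policy check and an account-lockout counter. The thresholds, the
# common-password list and the well-known identifiers are assumed sample values.
MIN_LENGTH = 12               # "minimum length of the password"
MIN_CLASSES = 3               # "character set": lower, upper, digit, symbol
MAX_FAILURES = 5              # failed logins before the account is locked
LOCKOUT_SECONDS = 900         # how long the account stays locked
MAX_AGE_SECONDS = 90 * 86400  # "length of time before the password must be changed"
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}   # constructed sample
WELL_KNOWN_IDS = {"admin", "root", "administrator", "guest"}      # constructed sample
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def check_password_policy(password: str, user_id: str) -> list:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a common password")
    if user_id.lower() in lowered or any(w in lowered for w in WELL_KNOWN_IDS):
        problems.append("contains a user identifier")
    return problems

def password_expired(set_at: float, now: float) -> bool:
    """True once the password is older than the allowed lifetime (times in seconds)."""
    return now - set_at > MAX_AGE_SECONDS

class LockoutTracker:  # locks an account for LOCKOUT_SECONDS after MAX_FAILURES consecutive failures
    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time (seconds) at which the lock expires
    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0)
    def record(self, user: str, success: bool, now: float) -> bool:
        """Update the counters after an attempt; return True if the account is now locked."""
        if success:
            self.failures.pop(user, None)
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.failures[user] = 0
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return True
        return False
```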

  • Authentication

    Password Cracking: Brute force attack vs. Dictionary attack

    Brute force attack

    ● Guess every possible password

    − Try all permutations of the letters & symbols in the alphabet

    ● Depending on the length & complexity of your password, this can take time

    Dictionary attack

    ● Most people (70% of the people) use real words as passwords

    ● Try all dictionary words before trying a brute force attack

    ● Lists of common passwords are used

    ● SW available that will run through these lists (l0phtcrack, Brutus, John the Ripper)

    ● Is based on trying all the strings in a pre-arranged listing, typically derived from a list of words such as in a dictionary

    ● Tries only those possibilities which are deemed most likely to succeed


  • Authentication

    Password Cracking


    Pre-computed dictionary attack (rainbow table attacks)

    ● It is possible to achieve a time-space tradeoff by pre-computing a list of hashes of dictionary words and storing these in a DB using the hash as the DB key

    Dictionary attack

    • Hybrid attack: words from the dictionary & their variations are used in the attack

    • Social engineering: people write passwords in different places; people disclose passwords naively to others

    • Shoulder surfing: hackers slyly watch over people's shoulders to steal passwords


  • Hashed passwords with salt

    A fixed-length salt value, derived from:

    ● Time

    ● Pseudo random number

    Purpose of the salt

    ● Prevents duplicate passwords from being visible in the password file (two users with the same password get different hashes)

    ● Increases the difficulty of offline dictionary attacks

    ● It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them


  • Salted hash encryption for protecting Passwords

    A fixed-length salt


    A salt string can be a random array of characters created and then attached to a user’s password before hashing it.

    This extra step of adding salt greatly increases the difficulty of cracking the password: precomputed hash tables no longer apply, and each distinct salt value must be attacked separately.

  • Password with Salt


  • Improved Implementations

    Much stronger hash/salt schemes are available for Unix

    Recommended hash function is based on MD5

    • salt of up to 48 bits

    • password length is unlimited

    • produces a 128-bit hash

    • uses an inner loop with 1000 iterations to achieve slowdown

    OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt

    • most secure version of the Unix hash/salt scheme

    • uses a 128-bit salt to create a 192-bit hash value
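Salted, iterated hashing as described in the salt slides and the MD5-crypt/bcrypt list above, as an added Python example that is not from the slides or the textbook; it uses SHA-256 via PBKDF2 rather than MD5 or Blowfish, and also shows why the pre-computed (rainbow table) attack from the cracking slide fails against salted hashes. The iteration count, salt size, user names and wordlist are constructed values.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: salted, iterated password hashing in the
# spirit of the Unix MD5-crypt and bcrypt schemes above, built on SHA-256 via
# hashlib.pbkdf2_hmac. The constants and the sample users are assumptions.
ITERATIONS = 1000   # the "inner loop with 1000 iterations" slowdown
SALT_BYTES = 16     # a 128-bit salt, the size bcrypt uses

def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex'; a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and count stored beside the digest; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def unsalted_md5(password: str) -> str:
    """The weak scheme: a single unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def precomputed_table_hits(password_file: dict, wordlist: list) -> dict:
    """The time-space tradeoff of the rainbow-table slide: hash the wordlist once, then
    recover every stored value that is a plain digest of a wordlist entry by lookup."""
    table = {unsalted_md5(w): w for w in wordlist}
    return {user: table[stored] for user, stored in password_file.items() if stored in table}

def salt_demo() -> dict:
    """Constructed users alice and bob share the password 'letmein'."""
    weak = {"alice": unsalted_md5("letmein"), "bob": unsalted_md5("letmein")}
    strong = {"alice": hash_password("letmein"), "bob": hash_password("letmein")}
    wordlist = ["password", "letmein", "qwerty"]   # constructed sample wordlist
    return {
        "duplicates_visible_unsalted": weak["alice"] == weak["bob"],    # True: same digest
        "duplicates_visible_salted": strong["alice"] == strong["bob"],  # False: salts differ
        "table_recovers_unsalted": sorted(precomputed_table_hits(weak, wordlist)),
        "table_recovers_salted": sorted(precomputed_table_hits(strong, wordlist)),  # []
        "verify_ok": verify_password("letmein", strong["alice"]),
        "verify_wrong": verify_password("letmeout", strong["alice"]),
    }
```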

  • Something You Have

    • Memory card

    • Smart card / token

  • Table 3.3 Types of Cards Used as Tokens

  • Memory Cards

    Can store but do not process data

    The most common is the magnetic stripe card

    Can include an internal electronic memory

    Can be used alone for physical access: hotel room, ATM

    Provides significantly greater security when combined with a password or PIN

    Drawbacks of memory cards include:

    ● requires a special reader

    ● loss of token

    ● user dissatisfaction

  • Smart Cards

    Most important category of smart token

    ● Has the appearance of a credit card

    ● Has an electronic interface

    ● May use any of the smart token protocols

    Contain:

    ● An entire microprocessor

    − Processor

    − Memory

    − I/O ports

    Typically include three types of memory:

    ● Read-only memory (ROM)

    − Stores data that does not change during the card’s life

    ● Electrically erasable programmable ROM (EEPROM)

    − Holds application data and programs

    ● Random access memory (RAM)

    − Holds temporary data generated when applications are executed


  • Figure 3.5 Smart Card/Reader Exchange

  • Smart Tokens

    Physical characteristics:

    ● Include an embedded microprocessor

    ● A smart token that looks like a bank card

    ● Can look like calculators, keys, small portable objects

    Interface:

    ● Manual interfaces include a keypad and display for interaction

    ● Electronic interfaces communicate with a compatible reader/writer

    Authentication protocol:

    ● Classified into three categories:

    − Static

    − Dynamic password generator

    − Challenge-response


  • Something You Are

    • Biometric

  • Biometric Authentication

    attempts to authenticate an individual based on unique physical characteristics

    based on pattern recognition

    is technically complex and expensive when compared to passwords and tokens

    Physical characteristics used include:

    ● facial characteristics

    ● fingerprints

    ● hand geometry

    ● retinal pattern

    ● iris

    ● signature

    ● voice

  • Figure 3.5 Cost Versus Accuracy

  • Operation of a Biometric System

    • Verification with one template (for immigration procedures)

    • Identification with N templates (for a criminal investigation)

    Figure 3.6 Operation of a Biometric System

    Figure 3.8 A Generic Biometric System. Enrollment creates an association between a user and the user's biometric characteristics. Depending on the application, user authentication either involves verifying that a claimed user is the actual user or identifying an unknown user.

    (a) Enrollment: user interface, name (PIN), biometric sensor, feature extractor, biometric database

    (b) Verification: user interface, name (PIN), biometric sensor, feature extractor, feature matcher against one template from the biometric database; output true/false

    (c) Identification: user interface, biometric sensor, feature extractor, feature matcher against N templates from the biometric database; output the user's identity or "user unidentified"
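The three modes of Figure 3.8 as an added toy implementation that is not from the slides: enrollment, one-template verification and N-template identification. Hamming-distance matching on constructed 32-bit codes is the assumed feature matcher, and the threshold and sample codes are constructed values.

```python
# Added example, not from the slides: a toy implementation of the three modes of
# Figure 3.8. Templates are constructed 32-bit codes compared by Hamming distance;
# that matcher and the threshold are assumptions, not something the figure specifies.
THRESHOLD = 6   # at most this many differing bits still counts as a match

def extract_features(raw_sample: int) -> int:
    """Feature extractor stand-in: the constructed sensor already delivers a 32-bit code."""
    return raw_sample & 0xFFFFFFFF

def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two codes differ."""
    return bin(a ^ b).count("1")

class BiometricSystem:
    def __init__(self):
        self.database = {}   # name (PIN) -> enrolled template
    def enroll(self, name: str, raw_sample: int) -> None:
        """(a) Enrollment: associate the user's name with the extracted template."""
        self.database[name] = extract_features(raw_sample)
    def verify(self, claimed_name: str, raw_sample: int) -> bool:
        """(b) Verification: compare against the one template of the claimed identity."""
        template = self.database.get(claimed_name)
        if template is None:
            return False
        return hamming(template, extract_features(raw_sample)) <= THRESHOLD
    def identify(self, raw_sample: int) -> str:
        """(c) Identification: search all N templates; return the closest match within
        the threshold, otherwise 'user unidentified'."""
        code = extract_features(raw_sample)
        best_name, best_distance = None, THRESHOLD + 1
        for name, template in self.database.items():
            d = hamming(template, code)
            if d < best_distance:
                best_name, best_distance = name, d
        return best_name if best_name is not None else "user unidentified"

def biometric_demo() -> tuple:
    """Constructed data: enroll two users, then present a noisy sample of alice (two bits flipped)."""
    system = BiometricSystem()
    system.enroll("alice", 0xA5A5A5A5)
    system.enroll("bob", 0x0F0F0F0F)
    noisy_alice = 0xA5A5A5A5 ^ 0b101   # 2 bits differ from alice's template
    stranger = 0xFFFF0000              # 16 bits from either template: not enrolled
    return (system.verify("alice", noisy_alice),   # True
            system.verify("bob", noisy_alice),     # False: claimed identity does not match
            system.identify(noisy_alice),          # "alice"
            system.identify(stranger))             # "user unidentified"
```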

  • Biometric Accuracy

  • Remote User Authentication

    • Challenge-Response Protocol

  • Remote User Authentication

    Authentication over a network, the Internet, or a communications link is more complex

    Additional security threats such as: eavesdropping, capturing a password, replaying an authentication sequence that has been observed

    Generally rely on some form of a challenge-response protocol to counter threats

  • Basic Challenge-Response Protocols for Remote User Authentication (Figure 3.10)

  • Basic Challenge-Response Protocols for Remote User Authentication

    User transmits identity to remote host

    Host generates a random number, r (nonce)

    Host returns the nonce and the functions h() and f() to be used in the response; this transmission from host to user is the challenge

    The use of r helps defend against an adversary capturing the user’s transmission

    • The hashed password cannot be captured during transmission

    • The use of r defends against a replay attack

    Notation in Figure 3.10 (a), Protocol for a password:

    h is a hash function

    Random number r’ = r

    P’ is the user’s password

    h(P(U)): registered hashed password for user U

  • Token Protocol, Figure 3.10b

    User transmits identity to the remote host

    Host returns a random number and identifiers of functions f() and h()

    User activates the passcode by entering a password P’

    The password is shared between the user and the token and does not involve the remote host

    At the user end, the token provides a passcode W’

    Token either stores a static passcode or generates a one-time random passcode

    For a static passcode, the host stores the hashed value h(W(U))

    The token responds to the host with the quantity f(r’, h(W’))

    Example of a token protocol
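The Figure 3.10 exchange, covering both the password protocol and the static-passcode token protocol (which differ only in the stored secret), as an added Python simulation that is not from the slides. The choice of SHA-256 for h and HMAC-SHA256 for f is an assumption, and the user names and secrets are constructed.

```python
import hashlib
import hmac
import os

# Added simulation of the Figure 3.10 exchange (not from the slides). Assumptions:
# h is SHA-256 and f(r, x) is HMAC-SHA256 keyed with x over r. The same code serves
# the password protocol (secret = P) and the static-passcode token protocol
# (secret = W), since only the registered h(P(U)) or h(W(U)) differs.
def h(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()

def f(r: bytes, hashed_secret: bytes) -> bytes:
    return hmac.new(hashed_secret, r, hashlib.sha256).digest()

class Host:  # remote host: keeps h(secret(U)) per user plus the nonce of the current attempt
    def __init__(self):
        self.registered = {}   # user -> h(P(U)) or h(W(U))
        self.pending = {}      # user -> outstanding nonce r
    def register(self, user: str, secret: str) -> None:
        self.registered[user] = h(secret)
    def challenge(self, user: str) -> tuple:
        """Step 2: generate nonce r and return it with identifiers of h() and f()."""
        r = os.urandom(16)
        self.pending[user] = r
        return r, "sha256", "hmac-sha256"
    def verify(self, user: str, r_prime: bytes, response: bytes) -> bool:
        """Step 4: accept only if r' is this attempt's nonce and response == f(r, h(secret(U)))."""
        r = self.pending.pop(user, None)
        if r is None or user not in self.registered or not hmac.compare_digest(r_prime, r):
            return False   # unknown user, no challenge outstanding, or a replayed (stale) r'
        return hmac.compare_digest(f(r, self.registered[user]), response)

class Client:  # the user, or the token that holds W' once the user has unlocked it with P'
    def __init__(self, user: str, secret: str):
        self.user, self.secret = user, secret
    def respond(self, r_prime: bytes) -> tuple:
        """Step 3: send r' and f(r', h(secret')); h(secret') itself never goes on the wire."""
        return r_prime, f(r_prime, h(self.secret))

def run_exchange(host: Host, client: Client) -> tuple:
    """Steps 1-4; returns (accepted, the response message an eavesdropper could capture)."""
    r, _h_id, _f_id = host.challenge(client.user)   # step 1 (identity) and step 2 (challenge)
    message = client.respond(r)
    return host.verify(client.user, *message), message

def replay(host: Host, user: str, captured: tuple) -> bool:
    """Adversary replays a captured (r', response) against a fresh challenge: rejected."""
    host.challenge(user)
    return host.verify(user, *captured)
```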

  • Table 3.4 Some Potential Attacks, Susceptible Authenticators, and Typical Defenses

  • Some Potential Attacks

    Eavesdropping: adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary

    Host attacks: directed at the user file at the host where passwords, token passcodes, or biometric templates are stored

    Replay: adversary repeats a previously captured user response

    Client attacks: adversary attempts to achieve user authentication without access to the remote host or the intervening communications path

    Trojan horse: an application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric

    Denial-of-service: attempts to disable a user authentication service by flooding the service with numerous authentication attempts

  • Figure 3.13 General Iris Scan Site Architecture for UAE System

    Components shown: iris scanners attached to iris workstations, a LAN switch and a network switch, Iris Engine 1 and Iris Engine 2, Iris Merge, the iris database, and a remote node

  • Case Study: ATM Security Problems

  • Authentication

    Summary of User Authentication

    • Biometric authentication

    o Physical characteristics used in biometric applications

    o Operation of a biometric authentication system

    o Biometric accuracy

    • Remote user authentication

    o Password protocol

    o Token protocol

    o Static biometric protocol

    o Dynamic biometric protocol

    • Security issues for user authentication

    • Electronic user authentication principles

    o A model for electronic user authentication

    o Means of authentication

    o Risk assessment for user authentication

    • Password-based authentication

    o The vulnerability of passwords

    o The use of hashed passwords

    o Password cracking of user-chosen passwords

    o Password file access control

    o Password selection strategies

    • Token-based authentication

    o Memory cards

    o Smart cards

    o Electronic identity cards