computer security: principles and practice,...
TRANSCRIPT
-
User Authentication
(Chapter 3)
Computer Security, Principles and Practice, 3rd Edition,William Stallings and Lawrie Brown
-
Contents
Token-Based Authentication
Biometric Authentication
Remote User Authentication
Security Issues for User Authentication
Practical Application: An Iris Biometric System
Case Study: Security Problems for ATM Systems
-
Learning Objectives
After studying this chapter, you should be able to:
Discuss the four general means of authenticating a user’s identity
Explain the mechanism by which hashed passwords are used for user authentication
Present an overview of token-based user authentication
Present an overview of biometric-based user authentication
Discuss the issues involved and the approaches for remote user authentication
Summarize some of the key security issues for user authentication
-
Threats & Security properties
MS STRIDE and their mitigations
Computer security & OS lab, DKU
MFA: Multi-Factor Authentication; ACLs: Access Control Lists
-
Authentication
RFC 2828 defines user authentication as:
"The process of verifying an identity claimed by or for a system entity."
Fundamental building block and primary line of defense
Basis for access control & user accountability
-
Authentication
Authentication is usually based on a combination of:
1. Something you know: a PIN, a password, prearranged questions, or your mother's maiden name.
2. Something you have: a driver's license, a smart card, or a radio key storing secret keys.
3. Something you are: biometrics
− Static biometrics: fingerprints, retina, face, palm prints
− Dynamic biometrics: voice pattern, handwriting, typing rhythm
4. Somewhere you are (or are not): IP or MAC address (a weak factor on its own, since both are easily spoofed)
Two-factor authentication (a kind of strong authentication)
● requires providing more than one type of authentication information
-
User Authentication
The means of authenticating user identity are based on:
• Something the individual knows: password, PIN, answers to prearranged questions
• Something the individual possesses: smartcard, electronic keycard, physical key
• Something the individual is (static biometrics): fingerprint, retina, face
• Something the individual does (dynamic biometrics): voice pattern, handwriting, typing rhythm
-
Authentication
Source: http://www.validsoft.com/five-factor-authentication
-
Something You Know
• Password Authentication
• Password Cracking
-
Password Authentication
Widely used line of defense against intruders
● user provides name/login and password
● system compares the password with the one stored for that login
The user ID:
● determines that the user is authorized to access the system
● determines the user's privileges
● is used in discretionary access control (DAC)
Password storage on Unix
● Historically the hashed passwords were stored in the world-readable /etc/passwd, computed with the crypt(3) function (a one-way hash, not reversible encryption)
● Modern systems keep the hashes in /etc/shadow, readable only by root, so an unprivileged user cannot copy them for an offline attack
-
Password based Authentication
-
Password Vulnerabilities
Offline dictionary attack
● The attacker obtains a copy of the password file and tests hashes of candidate passwords against it, never touching the login service
Workstation hijacking
● The attacker waits until a logged-in workstation is unattended.
Exploiting user mistakes
● Sometimes the user writes down the password
● Attackers are frequently successful in obtaining passwords by social engineering tactics that trick the user or an account manager into revealing a password
● Many computer systems are shipped with preconfigured passwords for system administrators
Exploiting multiple password use
● Attacks become much more effective or damaging if different network devices share the same or a similar password for a given user
Electronic monitoring
● If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping
-
Simple Countermeasures
Controls to prevent unauthorized access to the password file
Intrusion detection measures to identify a compromise
Rapid reissuance of compromised passwords
Account lockout mechanisms
● lock the account after a number of failed login attempts (caveat: an attacker can deliberately trigger the lockout to deny service to the legitimate user)
Policies to inhibit users from selecting common passwords
Training in and enforcement of password policies that make passwords difficult to guess
● minimum length of the password, required character set, prohibition against using well-known user identifiers, and length of time before the password must be changed
Automatic workstation logout
Policies that forbid the same or similar passwords on network devices
Password protection in storage: one-way hashing, not reversible encryption
● AES vs. MD5: AES is a cipher, so whoever holds the key recovers every password at once; MD5 is a one-way hash, but a fast and unsalted one that is cheap to attack offline (the salted, iterated schemes on the later slides fix this)
-
Authentication
Password Cracking: Brute force attack vs. Dictionary attack
Brute force attack
● Guess every possible password
− Try all combinations of the letters & symbols in the alphabet, up to some length
● Depending on the length & complexity of your password, this can take a long time (the search space grows exponentially with length)
Dictionary attack
● Most people (70% of people) use real words as passwords
● Try all dictionary words before trying a brute force attack
● Lists of common (e.g., previously leaked) passwords are used
● Software is available that will run through these lists (l0phtcrack, Brutus, John the Ripper)
● Based on trying all the strings in a pre-arranged list, typically derived from a list of words such as a dictionary
● Tries only those possibilities which are deemed most likely to succeed
-
Authentication
Password Cracking
Pre-computed dictionary attack (rainbow table attack)
● Time-space tradeoff: pre-compute the hashes of dictionary words once and store them in a database keyed by the hash; cracking a stolen hash then becomes a lookup instead of a recomputation
● A rainbow table compresses the stored table with hash/reduction chains; either way the attack only pays off when the hash is unsalted, because a salt multiplies the table size by the number of possible salt values
Dictionary attack variants
• Hybrid attack: words from the dictionary and their variations (case changes, appended digits, character substitutions) are used in the attack
• Social engineering: people write passwords in different places and naively disclose passwords to others
• Shoulder surfing: attackers slyly watch over people's shoulders to steal passwords
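The dictionary, hybrid and precomputed-table attacks above, as an added worked example (Python written for these notes, not code from the slides or from the tools they name). The wordlist, the mangling rules and the "leaked" hash file are constructed for the demo, and MD5 stands in for whatever fast, unsalted hash the victim system used.

```python
"""Added example (not from the slides): dictionary, hybrid and precomputed-table
attacks against UNSALTED MD5 password hashes.

The wordlist, the mangling rules and the 'leaked' hash file are constructed for
this demo.  MD5 is used only because the scenario is a fast, unsalted hash;
never protect real passwords this way (see the salted, iterated schemes later
in this chapter)."""
import hashlib
from typing import Dict, Iterable, Iterator, List


def md5_hex(password: str) -> str:
    """The weak one-way function the victim system used (no salt, no iterations)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed wordlist; a real attack uses lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty"]

# Typical hybrid-attack mangling rules: "leet" substitutions and common suffixes.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "1", "123", "!", "2020")


def hybrid_candidates(word: str) -> Iterator[str]:
    """Yield the base word and its variations: case changes, leet spelling,
    and appended digits/symbols.  This is the 'hybrid attack' of the slides."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Time-space tradeoff: hash every candidate ONCE and index by digest.
    Each stolen hash is then cracked by a dictionary lookup instead of by
    recomputation.  (A rainbow table compresses this with hash/reduce chains;
    the precomputation idea, and the dependence on the hash being unsalted,
    are the same.)"""
    return {md5_hex(cand): cand for word in words for cand in hybrid_candidates(word)}


def crack(leaked: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Return user -> recovered password for every leaked hash present in the table."""
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def duplicate_passwords(leaked: Dict[str, str]) -> Dict[str, List[str]]:
    """Without a salt, equal passwords give equal hashes, so shared passwords are
    visible in the file before anything is cracked at all."""
    by_digest: Dict[str, List[str]] = {}
    for user, digest in leaked.items():
        by_digest.setdefault(digest, []).append(user)
    return {d: users for d, users in by_digest.items() if len(users) > 1}


# Constructed 'leaked' password file: user -> unsalted MD5 hash.
LEAKED = {
    "alice": md5_hex("Dragon123"),   # dictionary word + capitalisation + suffix
    "bob": md5_hex("p455w0rd!"),     # leet spelling + suffix
    "carol": md5_hex("Xk9#qL2v"),    # random: in no wordlist, survives the attack
    "dave": md5_hex("Dragon123"),    # same password as alice
}

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(f"table holds {len(table)} precomputed hashes")
    for user, pw in crack(LEAKED, table).items():
        print(f"{user}: {pw}")
    print("shared passwords:", duplicate_passwords(LEAKED))
```

Run it directly to see which of the constructed accounts fall. The two things to take from it: `build_lookup_table` is paid for once and amortised over every stolen hash, and `duplicate_passwords` exposes shared passwords with no cracking at all. Both stop being true as soon as each stored hash carries its own salt.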
-
Hashed passwords with salt
A fixed-length salt value, stored in the clear next to the hash
● Historically derived from the time the password was created
● Today a pseudo-random number from the system's secure random generator
Purpose of the salt
● Prevents duplicate passwords from being visible in the password file: two users with the same password get different hashes
● Increases the difficulty of offline dictionary attacks: a precomputed table would have to cover every possible salt value
● It becomes nearly impossible to tell whether a person with accounts on two or more systems has used the same password on all of them
-
Salted hashing for protecting passwords
A fixed-length salt
A salt string is a random array of characters created and then combined with the user's password before hashing; the salt is stored beside the hash, because the verifier needs it to recompute the hash.
This extra step, adding salt, multiplies the attacker's precomputation work by the number of possible salt values (2^b for a b-bit salt) and forces each stored hash to be attacked separately; it does not slow down a single guess, which is what the iterated schemes on the following slides add.
-
Password with Salt
-
Improved Implementations
Much stronger hash/salt schemes are available for Unix
The hash function recommended in the text (MD5-crypt, long the Linux default) is based on MD5
• salt of up to 48 bits
• password length is unlimited
• produces a 128-bit hash
• uses an inner loop with 1000 iterations to slow each guess down
• caveat: on current hardware 1000 MD5 iterations is no longer a meaningful slowdown; distributions now default to SHA-crypt (sha512crypt) or bcrypt/scrypt/Argon2 with much higher work factors
OpenBSD uses a Blowfish block cipher based hash algorithm called bcrypt
• the most secure of the Unix hash/salt schemes discussed in the text
• uses a 128-bit salt to create a 192-bit hash value
• its cost parameter is a power-of-two iteration count, so the work factor can be raised as hardware gets faster
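The salted, iterated scheme these slides describe (the salt purposes from the earlier slide, the slow inner loop and the bcrypt-style 128-bit salt from this one), as an added example in Python that is not from the slides. It uses the standard library's PBKDF2-HMAC-SHA256 as the slow hash; the `pbkdf2_sha256$iterations$salt$digest` record layout and the `offline_guess_cost` helper are assumptions of this demo, not formats the slides describe.

```python
"""Added example (not part of the slides): salted, iterated password hashing and
verification in the spirit of the MD5-crypt / bcrypt schemes above.

The slow hash is PBKDF2-HMAC-SHA256 from the standard library; the record
layout "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" is an assumption
for this demo, not a format the slides describe."""
import hashlib
import hmac
import os
from typing import List, Optional

ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16               # 128-bit salt, like bcrypt
DEFAULT_ITERATIONS = 100_000  # the "inner loop" that slows every guess down


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Create the record to store for a new password.

    A fresh pseudo-random salt is drawn per password (os.urandom, the OS CSPRNG).
    The salt is stored in the clear: it is not a secret, its job is to make
    every stored hash unique and to defeat precomputed tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password hash: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def stored_digest(record: str) -> str:
    """The hash part of a record (shows that salts make equal passwords differ)."""
    return record.split("$")[3]


def offline_guess_cost(records: List[str], wordlist_size: int) -> int:
    """Work an offline dictionary attack needs, counted in slow-hash evaluations.

    With per-record salts nothing can be shared between records, so the attacker
    pays iterations * wordlist_size for EACH record.  Without a salt (or with
    one salt for the whole file) a single pass over the wordlist covers them all."""
    return sum(int(r.split("$")[1]) * wordlist_size for r in records)


if __name__ == "__main__":
    r1 = hash_password("correct horse battery staple")
    r2 = hash_password("correct horse battery staple")
    print(r1)
    print(r2)
    print("same password, different digests:", stored_digest(r1) != stored_digest(r2))
    print("verify ok:", verify_password("correct horse battery staple", r1))
    print("verify wrong:", verify_password("Tr0ub4dor&3", r1))
    print("guesses for 2 records x 1e6 words:", offline_guess_cost([r1, r2], 1_000_000))
```

The iteration count is stored in the record on purpose: when hardware speeds up, new passwords get a higher count while old records still verify, and can be re-hashed on the next successful login.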
-
Something You Have
• Memory card
• Smart card / token
-
Table 3.3 Types of Cards Used as Tokens
-
Memory Cards
Can store but do not process data
The most common is the magnetic stripe card
Can include an internal electronic memory
Can be used alone for physical access (e.g., hotel room, ATM)
Provide significantly greater security when combined with a password or PIN
Drawbacks of memory cards include:
● requires a special reader
● loss of token
● user dissatisfaction
-
Smart Cards
Most important category of smart token
● Has the appearance of a credit card
● Has an electronic interface
● May use any of the smart token protocols
Contain:
● An entire microprocessor
− Processor
− Memory
− I/O ports
Typically include three types of memory:
● Read-only memory (ROM)
− Stores data that does not change during the card’s life
● Electrically erasable programmable ROM (EEPROM)
− Holds application data and programs
● Random access memory (RAM)
− Holds temporary data generated when applications are executed
-
Figure 3.5 Smart Card/Reader Exchange
-
Smart Tokens
Physical characteristics:
● Include an embedded microprocessor
● A smart card is a smart token that looks like a bank card
● Others can look like calculators, keys, or small portable objects
Interface:
● Manual interfaces include a keypad and display for interaction
● Electronic interfaces communicate with a compatible reader/writer
Authentication protocol: classified into three categories:
− Static
− Dynamic password generator
− Challenge-response
-
Something You Are
• Biometric
-
Biometric Authentication
Attempts to authenticate an individual based on unique physical characteristics
Based on pattern recognition
Is technically complex and expensive when compared to passwords and tokens
Physical characteristics used include:
● facial characteristics
● fingerprints
● hand geometry
● retinal pattern
● iris
● signature
● voice
-
Figure 3.5 Cost Versus Accuracy
-
• Verification against one template (e.g., for immigration procedures)
• Identification against N templates (e.g., for a criminal investigation)
Figure 3.6 Operation of a Biometric System
(a) Enrollment: user interface with name (PIN); biometric sensor; feature extractor; template stored in the biometric database
(b) Verification: user interface with name (PIN); biometric sensor; feature extractor; feature matcher against one template from the biometric database; output true/false
(c) Identification: user interface; biometric sensor; feature extractor; feature matcher against N templates from the biometric database; output the user's identity or "user unidentified"
Figure 3.8 A Generic Biometric System. Enrollment creates an association between a user and the user's biometric characteristics. Depending on the application, user authentication either involves verifying that a claimed user is the actual user or identifying an unknown user.
-
Biometric Accuracy
-
Remote User Authentication
• Challenge-Response Protocol
-
Remote User Authentication
Authentication over a network, the Internet, or a communications link is more complex
Additional security threats include eavesdropping, capturing a password, and replaying an authentication sequence that has been observed
Generally relies on some form of challenge-response protocol to counter these threats
-
Authentication
Basic Challenge-Response Protocols for Remote User Authentication
Password protocol, Figure 3.10(a)
1. User transmits identity U to the remote host
2. Host generates a random number r (a nonce) and returns r together with identifiers of the functions h() and f() to be used in the response; this transmission from host to user is the challenge
3. User computes f(r', h(P')) and sends it to the host, where r' is the received nonce (r' = r), P' is the password the user entered, and h is a hash function
4. Host computes f(r, h(P(U))) from its registered hashed password h(P(U)) for user U, compares it with the response, and accepts or rejects
Why the nonce r helps against an adversary capturing the user's transmission:
• The hashed password h(P') itself is never sent, so it cannot be captured during transmission
• Because r changes on every login, a captured response f(r', h(P')) is useless later: the use of r defends against a replay attack
-
Authentication
Token Protocol, Figure 3.10(b)
1. User transmits identity U to the remote host
2. Host returns a random number r and identifiers of the functions f() and h()
3. User activates the token by entering a password P'; this password is shared between the user and the token only and does not involve the remote host
4. At the user end, the token provides a passcode W'
● the token either stores a static passcode or generates a one-time random passcode
● for a static passcode, the host stores the hashed value h(W(U))
5. The token responds to the host with the quantity f(r', h(W')), which the host compares with f(r, h(W(U)))
Example of a token protocol
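Both sides of the exchanges in Figures 3.10(a) and (b), as an added example (Python written for these notes, not from the slides): the host, a password client, a token holding a static passcode, and an adversary replaying a captured response. The concrete choices of SHA-256 for h(), HMAC-SHA256 for f(), and a 16-byte nonce are this example's assumptions; the slides only require that h be a hash function and f a function of the nonce and the hashed secret.

```python
"""Added example (not from the slides): the challenge-response exchanges of
Figure 3.10(a) (password) and 3.10(b) (token) simulated in one process.

Choices made for the demo: h() is SHA-256, f(r, k) is HMAC-SHA256 keyed with k
over the nonce r, and the nonce is 16 random bytes."""
import hashlib
import hmac
import os
from typing import Dict, Optional


def h(secret: str) -> bytes:
    """Hash function h(): applied to the password P or the passcode W."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def f(nonce: bytes, hashed_secret: bytes) -> bytes:
    """Response function f(r, h(secret)); keyed, so it cannot be forged without h(secret)."""
    return hmac.new(hashed_secret, nonce, hashlib.sha256).digest()


class Host:
    """Remote host: stores h(P(U)) or h(W(U)) per user, never the secret itself."""

    def __init__(self) -> None:
        self.registered: Dict[str, bytes] = {}
        self.pending: Dict[str, bytes] = {}

    def register(self, user: str, secret: str) -> None:
        self.registered[user] = h(secret)

    def challenge(self, user: str) -> bytes:
        # Step 2: fresh nonce r, valid for this login attempt only.
        r = os.urandom(16)
        self.pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        # Step 4: recompute f(r, h(secret(U))) and compare in constant time.
        r = self.pending.pop(user, None)   # a nonce answers exactly one response
        if r is None or user not in self.registered:
            return False
        return hmac.compare_digest(f(r, self.registered[user]), response)


def password_login(host: Host, user: str, password: str) -> bool:
    """Figure 3.10(a): the client hashes the typed password P' locally and sends
    f(r', h(P')).  Neither P' nor h(P') crosses the network."""
    r = host.challenge(user)                      # steps 1-2: identity, challenge
    return host.verify(user, f(r, h(password)))   # step 3: response


class Token:
    """Figure 3.10(b): holds a static passcode W', released only after the local
    password check, which never involves the host."""

    def __init__(self, passcode: str, local_password: str) -> None:
        self._passcode = passcode
        self._local_password = local_password.encode("utf-8")

    def respond(self, nonce: bytes, entered_password: str) -> Optional[bytes]:
        if not hmac.compare_digest(entered_password.encode("utf-8"), self._local_password):
            return None                           # token refuses to answer
        return f(nonce, h(self._passcode))


def token_login(host: Host, user: str, token: Token, entered_password: str) -> bool:
    r = host.challenge(user)
    response = token.respond(r, entered_password)
    return response is not None and host.verify(user, response)


def replay_attack(host: Host, user: str, captured_response: bytes) -> bool:
    """Adversary re-sends a response captured from an earlier, successful login.
    The host issues a new nonce, so the old f(r_old, ...) no longer matches."""
    host.challenge(user)
    return host.verify(user, captured_response)


if __name__ == "__main__":
    host = Host()
    host.register("alice", "s3cret-pw")            # host keeps h(P(alice))
    print("alice password login:", password_login(host, "alice", "s3cret-pw"))
    r = host.challenge("alice")
    captured = f(r, h("s3cret-pw"))               # what an eavesdropper sees
    print("genuine response:", host.verify("alice", captured))
    print("replayed response:", replay_attack(host, "alice", captured))
    token = Token("7QK2-9ZLM", "1234")
    host.register("bob", "7QK2-9ZLM")              # host keeps h(W(bob))
    print("bob token login:", token_login(host, "bob", token, "1234"))
    print("bob wrong local password:", token_login(host, "bob", token, "0000"))
```

Note what the eavesdropper learns: the nonce and a keyed MAC of it. Recovering h(P') from that pair is an offline attack on the MAC key, which is why the hashed secret still needs the salted, slow hashing from the password slides, and why a one-time passcode token is stronger than the static one shown here.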
-
Table 3.4 Some Potential Attacks, Susceptible Authenticators, and Typical Defenses
-
Attack types from Table 3.4:
Client attacks: adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
Host attacks: directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
Eavesdropping: adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
Replay: adversary repeats a previously captured user response
Trojan horse: an application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
Denial-of-service: attempts to disable a user authentication service by flooding the service with numerous authentication attempts
-
Figure 3.13 General Iris Scan Site Architecture for UAE System
(Components shown: iris scanners attached to iris workstations, a LAN switch and a network switch, Iris Engine 1 and Iris Engine 2, Iris Merge, the iris database, and a remote link.)
-
Case Study:
ATM Security Problems
-
Authentication
Summary of User Authentication
• Electronic user authentication principles
o A model for electronic user authentication
o Means of authentication
o Risk assessment for user authentication
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
o Password selection strategies
• Token-based authentication
o Memory cards
o Smart cards
o Electronic identity cards
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
o Biometric accuracy
• Remote user authentication
o Password protocol
o Token protocol
o Static biometric protocol
o Dynamic biometric protocol
• Security issues for user authentication