CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION

Upload: julie-smith

Post on 17-Dec-2015


Page 1

CS 483 – SD SECTION
BY DR. DANIYAL ALGHAZZAWI
(7) AUTHENTICATION

Page 2

Introduction

There are two primary parts to access control:
1. Authentication
2. Authorization

Authentication deals with the problem of determining whether a user (or other entity) should be allowed access to a particular system or resource.

Page 3

Authentication Methods

A human can be authenticated to a machine based on any combination of the following:
1. Something you know, e.g. a password
2. Something you are, e.g. a fingerprint
3. Something you have, e.g. an ATM card

Page 4

1. Something You Know - Passwords

A password is:
- something that you know
- something that the computer can verify that you know
- something nobody else can guess, even with access to unlimited computing resources

One important fact regarding passwords is that many things act as passwords, e.g. the PIN for an ATM card.

One solution to the password problem would be to use randomly generated cryptographic keys in place of passwords. How?

Page 5

Keys Versus Passwords

If a password is 8 characters long (8 bytes) with 256 possible choices for each character, there are 256^8 possible passwords. E.g. password

If a key is a 64-bit (8 bytes) cryptographic key, there are 2^64 possible keys (Trudy must try 2^63 keys before she expects to find the correct one). E.g. Kf&Yw!a[

Although 2^64 = 256^8 (8 bytes), and this appears to be equivalent, users don’t select passwords at random because users must remember their passwords.

Page 6

Choosing Passwords

Some passwords are better than others. For example, the following passwords are weak:
- Frank (your name)
- 10251960 (your birthday)

Users should have passwords that are difficult to guess, e.g.:
- jFiEk(43j-EmmL+y
- BedL1ON

Page 7

Attacking Systems via Passwords

A common attack path for Trudy would be:

outsider → normal user → administrator

One weak password on a system (or one weak password on an entire network) could be enough for the first stage of the attack to succeed.

Page 8

Password Verification

Problem: Storing “raw” (plaintext) passwords is not secure.

Solution: Storing hashed passwords is more secure.

Page 9

Password Verification

Problem:
1. Suppose Trudy has a “dictionary” containing N passwords: d0, d1, d2, …, dN-1. She could pre-compute the hash of each password: y0 = h(d0), y1 = h(d1), y2 = h(d2), …, yN-1 = h(dN-1).
2. Trudy recovers the password p if the stored hash h(p) equals one of the pre-computed hashes yx (then p = dx).

Solution:
1. Generate a random salt value s (note: s is not secret).
2. Compute y = h(p, s).
3. Store the pair (s, y) in the password file.
4. To verify an entered password z, compute h(z, s) and check that it equals y.
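The salted scheme above, as an added example that is not part of the slides. It assumes h(p, s) is instantiated as SHA-256 over salt || password (an assumption made here for illustration; a real system would use a deliberately slow password hash such as PBKDF2 or Argon2), and it shows why a pre-computed table of h(d_i) defeats unsalted hashes but not the stored pair (s, y).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example (not from the slides): the slide's h(p, s) is assumed here to be
# SHA-256 over salt || password. A slow password hash is preferable in practice.

def h(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Steps 1-3: pick a random salt s, compute y = h(p, s), return the pair (s, y)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, h(password, salt)

def verify(candidate: str, record: Tuple[bytes, bytes]) -> bool:
    """Step 4: recompute h(z, s) for the entered password z and compare it with y."""
    salt, y = record
    return hmac.compare_digest(h(candidate, salt), y)  # constant-time comparison

# Trudy's pre-computed table y_i = h(d_i) over a small constructed dictionary.
DICTIONARY = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED: Dict[bytes, str] = {
    hashlib.sha256(d.encode("utf-8")).digest(): d for d in DICTIONARY
}

def lookup(stored_hash: bytes) -> Optional[str]:
    """Return the dictionary word whose hash matches, or None if the table has no entry."""
    return PRECOMPUTED.get(stored_hash)

def demo() -> Dict[str, object]:
    """Unsalted hash of 'letmein' is found in the table; the salted record (s, y) is not."""
    unsalted = hashlib.sha256(b"letmein").digest()
    record = store("letmein")
    return {
        "unsalted_hit": lookup(unsalted),            # 'letmein'
        "salted_hit": lookup(record[1]),             # None: table must be rebuilt per salt
        "verify_ok": verify("letmein", record),      # True
        "verify_bad": verify("letmeout", record),    # False
    }

if __name__ == "__main__":
    print(demo())
```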

Page 10

Math of Password Cracking

Suppose that all passwords are eight characters in length and there are 256 choices for each character, resulting in 256^8 = 2^56 possible passwords. (Note: with 256 choices per character the count is actually 256^8 = 2^64; the 2^56 figure used in the calculations that follow corresponds to 128 choices per character, since 128^8 = 2^56.)

[Table: number of possible choices in each cell (byte/bit/…) against number of cells (byte/bit/…)]

Page 11

Math of Password Cracking

Case I: Trudy decides that she wants to find Alice’s password (assuming that Alice’s password consists of 8 bytes).

This is precisely equivalent to an exhaustive key search and the expected work is 2^56/2 = 2^55.

Page 12

Math of Password Cracking

Case II: Trudy again wants to recover Alice’s password, but she is going to use her dictionary of common passwords (assuming that any given password will appear in the dictionary with a probability of about ¼, and Trudy has a dictionary of 2^20 common passwords).

The expected work is: ¼(2^19) + ¾(2^55) ≈ 2^54.6

Page 13

Math of Password Cracking

Case III: Trudy will be satisfied to find any one of the 1024 passwords in the hashed password file without using any dictionary (assuming that the password file contains 2^10 = 1024 hashed passwords, and all of them are distinct).

The expected work is: 2^55/2^10 = 2^45

Page 14

Math of Password Cracking

Case IV: Trudy wants to find any one of the 1024 passwords in the hashed password file, and she will make use of her dictionary.

The expected work is:

Not salted passwords: 2^19/2^10 = 2^9

Salted passwords: ¼(2^19) + ¾·¼(2^20 + 2^19) + (¾)^2·¼(2·2^20 + 2^19) + … + (¾)^1023·¼(1023·2^20 + 2^19) < 2^22
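The four cases above carried through numerically, as an added worked example (not from the slides). It uses the slides’ own parameters (2^56 passwords, a 2^20-entry dictionary that contains a given password with probability ¼, a file of 2^10 distinct hashes) and evaluates the salted series term by term to confirm it stays below 2^22.

```python
import math

# Added worked example of the "Math of Password Cracking" slides, using their parameters.
SPACE = 2 ** 56        # number of possible passwords (the slides' 2^56)
DICT = 2 ** 20         # size of Trudy's dictionary
P_IN_DICT = 1 / 4      # probability that a given password is in the dictionary
FILE_SIZE = 2 ** 10    # number of distinct hashed passwords in the file

def case_i() -> float:
    """Exhaustive search for Alice's password: half the space on average."""
    return SPACE / 2

def case_ii() -> float:
    """Try the dictionary first (half of it on average); else fall back to exhaustive search."""
    return P_IN_DICT * (DICT / 2) + (1 - P_IN_DICT) * (SPACE / 2)

def case_iii() -> float:
    """Any one of FILE_SIZE distinct passwords, no dictionary: each guess can hit any of them."""
    return case_i() / FILE_SIZE

def case_iv_unsalted() -> float:
    """Without salts one hash of each dictionary word is compared against every stored hash."""
    return (DICT / 2) / FILE_SIZE

def case_iv_salted() -> float:
    """With salts each user's dictionary hashes must be recomputed: the slide's series
    sum over k = 0..1023 of (3/4)^k * 1/4 * (k * 2^20 + 2^19)."""
    return sum((1 - P_IN_DICT) ** k * P_IN_DICT * (k * DICT + DICT / 2)
               for k in range(FILE_SIZE))

def log2_table() -> dict:
    """Expected work as an exponent of 2, for comparison with the figures on the slides."""
    cases = [("case I", case_i), ("case II", case_ii), ("case III", case_iii),
             ("case IV unsalted", case_iv_unsalted), ("case IV salted", case_iv_salted)]
    return {name: math.log2(f()) for name, f in cases}

if __name__ == "__main__":
    for name, exponent in log2_table().items():
        print(f"{name}: about 2^{exponent:.1f}")
```

The salted series evaluates to roughly 7·2^19, i.e. about 2^21.8, which is where the slide’s bound of 2^22 comes from.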

Page 15

Other Password Issues/Problems

- Remembering different passwords is difficult.
- “Social engineering” is when someone claiming to be a system administrator says they need your password.
- Password cracking tools, such as:
  - L0phtCrack (for Windows), now called LC5: used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks.
  - John the Ripper (for Unix): can be run against various encrypted password formats including DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes.

Page 16

2. Something You Are - Biometrics

Biometrics are the “something you are” method of authentication or, in Schneier’s immortal words, “you are your key”.

There are many different types of biometrics, such as fingerprints and handwritten signatures.

Page 17

Biometrics

A biometric should be:
- Universal: the ideal biometric should apply to virtually everyone.
- Distinguishing: the ideal biometric should distinguish with virtual certainty.
- Permanent: the physical characteristic being measured should never change.
- Collectable: the physical characteristic should be easy to collect without any potential to cause harm to the subject.
- Reliable, robust, and user-friendly.

Page 18

Biometrics Usage

1. Identification: identify the subject from a list of many possible subjects. E.g., a suspicious fingerprint from a crime scene is sent to the FBI fingerprint database for comparison with all records on file. In this case, the comparison is one to many.

2. Authentication: the comparison is one to one. E.g., if someone claiming to be Alice uses a thumbprint mouse biometric, the captured thumbprint image is only compared with the stored thumbprint of Alice.

Page 19

Phases of a Biometric System

1. The Enrollment Phase: subjects have their biometric information entered into a database.

2. The Recognition Phase: a subject’s biometric is captured again and compared with the information stored in the database.

Page 20

Biometric Examples

1. Fingerprints

2. Hand Geometry

3. Iris Scan

Page 21

Biometric Error Rates

For fielded fingerprint biometric systems, the equal error rate is typically about 5%.

Hand geometry has an equal error rate of about 10^-3.

Page 22

3. Something You Have

For example:
- a network MAC address
- an ATM card
- a password generator

The process of a password generator is shown below:

Page 23

Two-Factor Authentication

Two or three methods can work together for authentication.

For example, the password generator scheme requires both:
1. “something you have” (the password generator), and
2. “something you know” (the PIN).

Requiring two out of the three methods of authentication is known as two-factor authentication.