Password Authentication and Biometrics Ch02 PDF
Uploaded by SensibleHydrogen
Summary
This document covers various aspects of password authentication and biometrics, including security threats, basic authentication procedures, and human factors affecting password management. It also explores different types of encryption and hashing algorithms such as MD5 and SHA. The presentation highlights password synchronization and intruder detection.
Full Transcript
Housekeeping Notice
Please mute your handphone during classes.

TPB 6323 Password Authentication and Biometrics
Chapter 2: Password and Token Based Authentication

Objectives
- Usage of passwords in the purpose of authentication
- Exploring the potential threats of the usage of passwords
- Two factors authentication, i.e., passwords + token

User Authentication and Passwords
Many applications depend on reliable user authentication.
Categories of authentication technology:
- What you know
- What you have
- Who you are

These types of authentication may be further characterized as follows:

Characteristic                  Secrets   Tokens      Biometrics
Reliable identification?        Good      Very Good   Excellent
Requires client-side hardware   No        Sometimes   Yes
Requires client-side software   No        Sometimes   Yes
Typical deployment cost/user    Low       Medium      High
Works with legacy systems       Yes       No          No

Security Threats
- Due to cost and compatibility with legacy systems, the most popular form of user authentication is a password.
- Passwords are simply secret words, or at best secret phrases.

Basic Password Authentication
Setup:
- User chooses password
- Hash of password stored in password file
Authentication:
- User logs into system, supplies password
- System computes hash, compares to file
[Figure: the password kiwifruit passes through a hash function, and the resulting hash is stored against the user in the password file.]

Passwords can be compromised in many ways
[Figure: login prompt. User Name? John   Password? SecretPwd]
1) Users may write them down or share them, so that they are no longer really secret
2) Passwords can be guessed, either by a person or a program designed to quickly try many possibilities
3) Passwords may be hacked when transmitted over a network
4) Passwords may be tapped when stored on a workstation, server or backup media

Human Factors
Users in a large organization frequently have many passwords, each protecting their access to a different computer system.
Users have some basic limitations, which limit what can be done in the context of secure password management.
In particular, it is hard for most people to remember:
- Complicated passwords
- Many different passwords
- Passwords that change frequently
- Passwords for systems that are used infrequently
Heavy web users have an average of 21 passwords; 81% of users select a common password and 30% write their passwords down or store them in a file.
How do you remember your own password if it is too complicated?

When people have trouble remembering their passwords, they do one or more of the following:
- Write down their passwords – and reduce security to the protection afforded by a piece of paper
- Forget their passwords – and require frequent assistance from a computer help desk organization to reset them
- Use very simple, easily compromised passwords
- Reuse old passwords as often as possible

Top 20 most common passwords used by region:
Source: https://www.safetydetectives.com/blog/the-most-hacked-passwords-in-the-world/
All-time common passwords: 123456; 123456789; qwerty; password; 111111; 12345678; abc123; 1234567; password1; 12345

Composition Rules
One of the primary weaknesses of passwords is that they may be guessed.
While a human may give up after trying to guess ten or a hundred possible passwords, software such as Crack and L0phtCrack will happily try millions of combinations.
To combat password guessing attacks, users should pick hard-to-guess passwords.

One way to do this is to ensure that the set of all possible passwords is too large to search thoroughly, and then to eliminate probable guesses.
Users must be required to choose their passwords from the widest possible set of characters.
A reasonable set of password rules is designed to ensure that the search space for all possible values is reasonably large, and that passwords are not too easy to guess.

To ensure that the search space is sufficiently large:
- Passwords must be at least ten characters long
- Passwords must contain at least three combinations of Uppercase, Lowercase, Numeric numbers, and Special symbols (as discussed in Chapter 01)
The number of possible password combinations is calculated by taking the number of legal characters in a password, and raising that number to the number of characters in the password.

The possibilities for some likely combinations are (columns give the password length):

Legal Characters                  5         6         7         8         9         10
0–9                               1.00e05   1.00e06   1.00e07   1.00e08   1.00e09   1.00e10
a–z                               1.19e07   3.09e09   8.03e09   2.09e11   5.43e12   1.41e14
a–z, 0–9                          6.05e07   2.18e09   7.84e10   2.82e12   1.02e14   3.66e15
a–z, A–Z, 0–9                     9.16e08   5.68e10   3.52e12   2.18e14   1.35e16   8.39e17
a–z, A–Z, 0–9, 32 punct           7.34e09   6.90e11   6.48e13   6.10e15   5.73e17   5.39e19

(5.39e19 is 53900000000000000000 guesses!)

To eliminate easily guessed passwords:
- Passwords must not be based on the user’s name or login ID
- Passwords must not be based on a dictionary word, in any language
- Passwords must not contain more than two paired letters

Changing and Reusing Passwords
To limit the usefulness of passwords that have been compromised, the best practice is to change them regularly.
A common rule on many systems is to force users to change their passwords when they log in after the password has been in use for an extended period (e.g. 60 or 90 days).
Users should not reuse old passwords. Many systems support this by recording some representation of old passwords, and ensuring that users cannot change their password back to a previously used value.

Secrecy
Passwords are intended to uniquely identify a user. As such, they must be secrets – known only to the user they identify.
Users frequently behave in ways that lead to password disclosure. In particular, users may:
- Choose passwords that are easily guessed – so are not really secret
- Share their passwords with coworkers, friends or family
- Write down their passwords, and place the written password near their computer, or in an ostensibly private place like a wallet

Password Synchronization
The password policy in each organization must explicitly forbid these behaviors, and specify negative consequences to users who violate the policy.
To help users comply with an effective password policy, user friendly password management tools and processes should be provided.
Key among such aids to users is password synchronization, which helps users to remember a few rather than write down many passwords.

Password synchronization is an authentication process that coordinates user passwords across various computers and computing devices so a user only has to remember one password instead of multiple passwords for different machines or devices.
Password synchronization typically increases security by insisting on the use of strong passwords that cannot be easily guessed.
Easier to implement if compared to single sign on (SSO).

There are a number of password synchronization products, e.g.:
- Microsoft Azure AD, https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
- Hitachi ID systems, https://www.hitachi-id.com/
- Mobile applications, usually referred to as Password Managers

Password synchronization is among a number of identity management processes that have been developed to deal with password chaos.
Password chaos is a too-common situation in which users have multiple identities and passwords across a variety of networks, web sites, applications, computers or computing devices.
According to a ZDNet article, password chaos is one of the main threats to the development of e-commerce.

Requirements:
- Very insecure systems, such as those that use little or no cryptography to protect passwords, should not participate in a password synchronization system
- Synchronized passwords should be changed regularly
- Users should be required to select strong (hard to guess) passwords when synchronization is introduced
The bottom line is that a single, hard-to-guess, regularly changing password is

Intruder Detection
Many systems can detect an attempt by a user to log in with an incorrect password.
If too many invalid attempts are made in a short period of time, it is possible that someone is trying to guess the user’s password.
To make password guessing attacks more difficult, many systems include an “intruder lockout” feature.
E.g., if N invalid attempts to log in to the same account are made during T_1 minutes, then the account is disabled for T_2 minutes.

While the “intruder lockout” mechanism is effective against concerted attacks against a single account, it does nothing to prevent an intruder from simultaneously trying to guess the passwords of many users.
Also, intruder lockout can be used to carry out a denial of service -- by systematically locking out many accounts, including administrator ones.

Because of these limitations, the best practice is to limit enforcement of intruder lockout to:
- Apply only to users, exempting at least one administrator login. This limits the scope of denial of service attacks
- Apply a high threshold for intruder detection -- e.g., 10 failed attempts in 5 minutes. This prevents spurious lockouts due to users who have trouble remembering or typing their own passwords
- Automatically and quickly clear lockouts -- for example, after 10 or 15 minutes. This reduces the impact on legitimate users while continuing to significantly reduce the number of passwords that an intruder can guess in a short

Encryption
Passwords may be stored on user workstations or servers.
They must be transmitted, in some form, from the user's workstation to a server when the user first logs in, and possibly again later.
- CIA: confidentiality component – ensures that only authorized users can view data
- Precaution – use encryption
- Ciphers data to make it unreadable if intercepted
- Includes algorithm and key

Symmetric and Asymmetric Encryption
Symmetric encryption
- Uses same key to encrypt and decrypt data
Asymmetric encryption
- Uses two keys: public and private
- Data encrypted with the public key can only be decrypted with the paired private key

Hashing Algorithm: MD5
- Message Digest 5
- 128 bits
- Commonly used to verify disk files, downloads, etc.
- Not very secure; hash collisions can be found fairly easily
Collisions
- Two different files with the same hash

Hashing Algorithm: SHA
Secure Hash Algorithm (SHA)
- SHA-0 (not used)
- SHA-1
  - 160 bits long, very common
  - No collisions found yet, but they are now within reach of well-funded attackers
  - Should require 2^80 calculations to find a collision, but an attack has been found that requires only 2^52

Hashing Algorithm: SHA-2 and SHA-3
SHA-2
- Stronger than SHA-1
- Four versions: SHA-224, SHA-256, SHA-384 and SHA-512
SHA-3
- Approved in Oct. 2012
- Even stronger

HMAC
- Hash-based Message Authentication Code
- Hash the message
- Then encrypt the hash with a shared secret key
- Provides integrity and authenticity
- Example: HMAC-MD5

Two Factors Authentication
- ATM card (something you have) + PIN (something you know)
- eBanking login credentials (something you know) + one time password generated from token (something you have)
- Require more than one mechanism to authenticate a user
- Could drastically reduce the incidence of online identity theft, phishing expeditions and other frauds

The Needs for Two Factors Authentication
- The workforce is becoming more and more mobile
- People are working from home, from coffee shop hotspots, client offices, and even competitor’s offices
- More and more of our everyday tools are moving into online assets
- Two factors authentication is ideal for protecting VPN and web-based portals

One-Time Password
How does a static password break down?
- Easy to guess: john, smith, amy, password, …
- Easy to crack: JoHn, pass@word, @dmin123, …
- Hard to remember: @~D!/]a!

- To make it more difficult to gain unauthorized access to restricted resources
- Eliminate constant alteration of password, one-time password
- May involve the use of special tokens

Three types:
- Use a mathematical algorithm to generate a new password based on the previous one
- Based on time-synchronization between the authentication server and the client providing the password
- Using a mathematical algorithm, but the new password is based on a challenge (e.g. a random number chosen by the authentication server or transaction details) and a counter

OTP based on Mathematical Algorithm
- Use a one-way function
- Starting with an initial seed s, generate passwords f(s), f(f(s)), f(f(f(s))), …
- A new seed value can be chosen after the set of s is exhausted

OTP based on Time-Synchronization
- Usually related to physical tokens given to each user
- Inside the token is an accurate clock that has been synchronized with the clock on the authentication server
- Generation of new passwords is based on the current time, rather than the previous password or secret key

OTP based on Challenge
- Requires the user to provide a time-synchronized challenge to be properly authenticated
- This can be done by inputting the value into the token itself
- To avoid duplicates, an additional counter is usually involved
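
Worked example for the "OTP based on Mathematical Algorithm" slide, added here and not part of the original slides: the chain f(s), f(f(s)), … is consumed in reverse order, as in Lamport's scheme, so the server stores only the last accepted value. SHA-256 as f, the reverse-order use, and all names and the seed are assumptions of this example.

```python
import hashlib
import hmac

def f(value: bytes) -> bytes:
    """The one-way function f. SHA-256 is this example's choice, not the slides'."""
    return hashlib.sha256(value).digest()

def build_chain(seed: bytes, n: int) -> list:
    """Return [f(s), f(f(s)), ..., f^n(s)] for seed s."""
    chain, current = [], seed
    for _ in range(n):
        current = f(current)
        chain.append(current)
    return chain

class ChainVerifier:
    """Server side: keeps only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes, remaining: int):
        self.last = anchor          # f^n(s), enrolled once
        self.remaining = remaining  # passwords left before a new seed is needed

    def verify(self, otp: bytes) -> bool:
        if self.remaining == 0:
            return False            # chain exhausted: enrol a new seed
        if not hmac.compare_digest(f(otp), self.last):
            return False            # not the pre-image of the last value
        self.last = otp             # each password is accepted exactly once
        self.remaining -= 1
        return True

def demo() -> list:
    seed = b"constructed-demo-seed"             # constructed sample value
    c = build_chain(seed, 4)                    # c[0]=f(s) ... c[3]=f^4(s)
    server = ChainVerifier(anchor=c[3], remaining=3)
    return [
        server.verify(c[2]),   # next password in reverse order: accepted
        server.verify(c[2]),   # replay of a captured password: rejected
        server.verify(c[0]),   # out-of-order value: rejected
        server.verify(c[1]),   # accepted
        server.verify(c[0]),   # accepted, chain now used up
        server.verify(seed),   # exhausted: rejected until a new seed is chosen
    ]
```

A captured password is useless for the next login because producing the next one means inverting f.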
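
Worked example for the Intruder Detection slides, added here and not part of the original slides: the rule "N invalid attempts in T_1 minutes disables the account for T_2 minutes" with the recommended settings (10 failures in 5 minutes, automatic clear after 15 minutes, one exempt administrator login). The class name, account names and event times are constructed for this example.

```python
from collections import defaultdict, deque

class IntruderLockout:
    """Lock an account after n failures within t1 seconds, for t2 seconds."""

    def __init__(self, n=10, t1=5 * 60, t2=15 * 60, exempt=("admin",)):
        self.n, self.t1, self.t2 = n, t1, t2
        self.exempt = set(exempt)            # never locked: limits lockout-based DoS
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> time the lock clears

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is not None and now >= until:
            # Automatic clear after t2; the failure history starts fresh.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return until is not None

    def record_failure(self, account, now):
        """Register a failed login; return True if it triggers a lockout."""
        if account in self.exempt or self.is_locked(account, now):
            return False
        recent = self.failures[account]
        recent.append(now)
        while now - recent[0] >= self.t1:    # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.n:
            self.locked_until[account] = now + self.t2
            return True
        return False

def demo():
    policy = IntruderLockout()
    # Constructed events: (account, seconds since start) of failed logins.
    burst = [policy.record_failure("alice", t) for t in range(0, 100, 10)]
    admin = [policy.record_failure("admin", t) for t in range(0, 200, 10)]
    spread = [policy.record_failure(f"user{i}", i) for i in range(50)]
    return {
        "alice_locked_on_10th": burst == [False] * 9 + [True],
        "alice_locked_at_100s": policy.is_locked("alice", 100),
        "alice_clear_at_990s": not policy.is_locked("alice", 990),
        "admin_ever_locked": any(admin),
        "locks_from_50_accounts": sum(spread),
    }
```

The last result is the limitation the slides point out: 50 failures spread over 50 accounts trip no per-account lockout, so monitoring also has to count failures across accounts.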