cs-lecture6-authentication.pdf

Transcript

Lecture6- Authentication

6.1 Authentication
 Human Authentication: Your neighbor recognizes you, sees you frequently, and knows
you are someone who should be going into your home. Your neighbor can also notice
someone different, especially if that person is doing something suspicious, such as
snooping around your doorway, peering up and down the walk, or picking up a heavy
stone. Coupling these suspicious events with hearing the sound of breaking glass,
your neighbor might even call the police.

 Computers have replaced many face-to-face interactions with electronic ones. the basis
of computer security is controlled access: someone is authorized to take some action on
something. Determining who a person really is consists of two separate steps:
1. Identification is the act of asserting who a person is.
2. Authentication is the act of proving that asserted identity: that the person is who she says
she is.

6.2 Identification versus Authentication
 Identities are often well known, predictable, or guessable your identity is more than just
your name: Your bank account number, debit card number, email address, and other
things are ways by which people and processes identify you.

 Authentication, on the other hand, should be reliable. If identification asserts your
identity, authentication confirms that you are who you purport to be.
Identities are typically public or well known. Authentication should be private.

 Authentication mechanisms use any of three qualities to confirm a user’s identity:

Something the user knows. Passwords, PIN numbers, passphrases, a secret handshake, and
mother’s maiden name are examples of what a user may know.

Something the user is. These authenticators, called biometrics, are based on a physical
characteristic of the user, such as a fingerprint, the pattern of a person’s voice, or a face (picture).
These authentication methods are old (we recognize friends in person by their faces or on a
telephone by their voices) but are just starting to be used in computer authentications.

Something the user has. Identity badges, physical keys, a driver’s license, or a uniform are
common examples of things people have that make them recognizable.

Two or more forms can be combined; for example, a bank card and a PIN combine something
the user has (the card) with something the user knows (the PIN).

54
 Lecture6- Authentication

6.2.1 Authentication Based on Phrases and Facts: Something You Know (Password Use)

 User authentication and verification using password: A user enters some piece of
identification, such as a name or an assigned user ID; this identification can be available
to the public or can be easy to guess because it does not provide the real protection. The
protection system then requests a password from the user. If the password matches the
one on file for the user, the user is authenticated and allowed access. If the password
match fails, the system requests the password again, in case the user mistyped.

Even though passwords are widely used, they suffer from some difficulties of use:

Use. Supplying a password for each access to an object can be inconvenient and time
consuming.

Disclosure. If a user discloses a password to an unauthorized individual, the object becomes
immediately accessible. If the user then changes the password to re-protect the object, the user
must inform any other legitimate users of the new password because their old password will fail.

Revocation. To revoke one user’s access right to an object, someone must change the
password, thereby causing the same problems as disclosure.

Loss. Depending on how the passwords are implemented, it may be impossible to retrieve a lost
or forgotten password. The operators or system administrators can certainly intervene and
provide a new password, but often they cannot determine what password a user had chosen
previously. If the user loses (or forgets) the password, administrators must assign a new one.

6.2.1.1 Attacking and Protecting Passwords

How secure are passwords themselves?
 Passwords are somewhat limited as protection devices because of the relatively small
number of bits of information they contain.
 Worse, people pick passwords that do not even take advantage of the number of bits
available: Choosing a well-known string, such as qwerty, password, or 123456 reduces
an attacker’s uncertainty or difficulty essentially to zero.

a. Dictionary Attacks
User may use password from dictionaries as follow:

contained in a short college dictionary
contained in a complete English word list
contained in common non-English-language dictionaries
contained in a short college dictionary with capitalizations (PaSsWorD) or substitutions
(digit 0 for letter O, and so forth)
contained in a complete English dictionary with capitalizations or substitutions
contained in common non-English dictionaries with capitalization or substitutions

55
 Lecture6- Authentication

an attacker can search in this dictionaries to infer user password,
Countermeasure:
 Several network sites post dictionaries of phrases, science fiction character names,
places, mythological names, Chinese words, Yiddish words, and other specialized lists.
These lists help site administrators identify users who have chosen weak passwords,
. The COPS Crack , and SATAN utilities allow an administrator to scan a system for
weak passwords.
. Now Internet sites offer so-called password recovery software as freeware or shareware
for under $20. (These are password-cracking programs.)

b. Inferring Passwords Likely for a User
User may use password derived from well-known personal information likes:

the same as the user ID
is, or is derived from, the user’s name
on a common word list (for example, password, secret, private) plus common
names and patterns (for example, qwerty, aaaaaa)

c. Exhaustive Attack
 In an exhaustive or brute force attack, the attacker tries all possible passwords, usually
in some automated fashion. Of course, the number of possible passwords depends on the
implementation of the particular computing system.
 For example, if passwords are words consisting of the 26 characters A–Z and can be of
any length from 1 to 8 characters, there are 261 passwords of 1 character, 262 passwords
of 2 characters, and 268 passwords of 8 characters. Therefore, the system as a whole has
261 * 262 ….. 268= 269 - 1 = 5 * 1012 or five million possible passwords.

6.2.1.2 Good Passwords
If we do use passwords, we can improve their security by a few simple practices:

Use characters other than just a–z. If passwords are chosen from the letters a–z, there are only
26 possibilities for each character. Adding digits expands the number of possibilities to 36. Using
both uppercase and lowercase letters plus digits expands the number of possible characters to 62.
Although this change seems small, the effect is large when someone is testing a full space.

Choose long passwords. The combinatorial explosion of password guessing difficulty begins
around length 4 or 5. Choosing longer passwords makes it less likely that a password will be

56
 Lecture6- Authentication

uncovered. Remember that a brute force penetration can stop as soon as the password is found.
Some penetrators will try the easy cases—known words and short passwords—and move on to
another target if those attacks fail..
Avoid actual names or words. Theoretically, there are 266, or about 300 million 6-letter
―words‖ (meaning any combination of letters), but there are only about150,000 words in a good
collegiate dictionary, ignoring length. By picking one of the 99.95 percent non words, you force
the attacker to use a longer brute-force search instead of the abbreviated dictionary search.

Use a string you can remember. One easy-to-remember password is UcnB2s. That unlikely
looking jumble is a simple transformation of ―you can never be too secure.‖ The first letters of
words from a song, a few letters from different words of a private phrase, or something involving
a memorable basketball score are examples of reasonable passwords.

Use variants for multiple passwords. Start with a phrase as in the previous suggestion: Ih1b2s
(I have one brother, two sisters). Then append some patterns involving the first few vowels and
consonants of the entity for the password: Ih1b2sIvs for vIsa, Ih1b2sAfc for fAcebook, and so
forth.

Change the password regularly. you should change it from time to time. A penetrator may
break a password system by obtaining an old list or working exhaustively on an encrypted list.

Don’t write it down. Note: you should not tape your PIN to your bank card or post your
password on your computer screen.

Don’t tell anyone else. The easiest attack is social engineering, in which the attacker contacts
the system’s administrator or a user to elicit the password in some way. For example, the attacker
may phone a user, claim to be ―system administration,‖ and ask the user to verify the user’s
password. Under no circumstances should you ever give out your private password; legitimate
administrators can circumvent your password if need be, and others are merely trying to deceive
you.
These principles lead to solid password selection

6.2.2 Authentication Based on Biometrics: Something You Are
 Biometrics are biological properties, based on some physical characteristic of the human
body. The list of biometric authentication technologies is still growing. Now devices can
recognize the following biometrics:
fingerprint
hand geometry (shape and size of fingers)
retina and iris (parts of the eye)
voice
handwriting, signature, hand motion
typing characteristics
blood vessels in the finger or hand
face

57
 Lecture6- Authentication

facial features, such as nose shape or eye spacing

 Authentication with biometrics has advantages over passwords because a biometric
cannot be lost, stolen, forgotten, or shared and is always available, always at hand, so to
speak. These characteristics are difficult, if not impossible, to forge.

 Biometric authentication means a subject matches a template closely enough. ―Close‖ is a
system parameter that can be tuned.

6.2.2.1 Problems with Use of Biometrics
Biometrics comes with several problems:

Biometrics are relatively new, and some people find their use intrusive. For example, people in
some cultures are insulted by having to submit to fingerprinting, because they think that only
criminals are fingerprinted.

Biometric recognition devices are costly, although as the devices become more popular, their
cost per device should go down. Still, outfitting every user’s workstation with a reader can be
expensive for a large company with many employees.

Biometric readers and comparisons can become a single point of failure. Consider a retail
application in which a biometric recognition is linked to a payment scheme: As one user puts it,
―If my credit card fails to register, I can always pull out a second card, but if my fingerprint is
not recognized, I have only that one finger.‖ (Fingerprint recognition is specific to a single
finger; the pattern of one finger is not the same as another.) Manual laborers can actually rub off
their fingerprints over time, and a sore or irritation may confound a fingerprint reader.

All biometric readers use sampling and establish a threshold for acceptance of a close match.
The device has to sample the biometric, measure often hundreds of key points, and compare that
set of measurements with a template. Features vary slightly from one reading to the next, for
example, if your face is tilted, if you press one side of a finger more than another, or if your
voice is affected by a sinus infection. Variation reduces accuracy.

Although equipment accuracy is improving, false readings still occur. We label a false positive
or false accept a reading that is accepted when it should be rejected (that is, the authenticator
does not match) and a false negative or false reject one that rejects when it should accept.
Often, reducing a false positive rate increases false negatives,

6.2.3 Authentication Based on Tokens: Something You Have
 Something you have means that you have a physical object in your possession. One
physical authenticator with which you are probably familiar is a key.

58
 Lecture6- Authentication

 Other familiar examples of tokens are badges and identity cards. You may have an
―affinity card‖: a card with a code that gets you a discount at a store.

 Another kind of authentication token has data to communicate invisibly. Examples
of this kind of token include credit cards with a magnetic stripe, credit cards with an embedded
computer chip, or access cards with passive or active wireless technology. You introduce the
token into an appropriate reader, and the reader senses values from the card. If your identity and
values from your token match, this correspondence adds confidence that you are who you say
you are.

6.2.3.1 Token types

a. Active and Passive Tokens
 Passive tokens do nothing, and active ones take some action. A photo or key is an
example of a passive token in that the contents of the token never change.
 An active token can have some variability or interaction with its surroundings. For
example, some public transportation systems use cards with a magnetic strip. When you
insert the card into a reader, the machine reads the current balance, subtracts the price of
the trip and rewrites a new balance for the next use. In this case, the token is just a
repository to hold the current value.

b. Static and Dynamic Tokens
 The value of a static token remains fixed. Keys, identity cards, passports, credit and
other magnetic-stripe cards, and radio transmitter cards (called RFID devices) are
examples of static tokens. Static tokens are most useful for onsite authentication: When a
guard looks at your picture badge, the fact that you possess such a badge and that your face
looks (at least vaguely) like the picture causes the guard to pass your authentication and
allow you access.

 A dynamic token is one whose value changes. a dynamic authentication token is
essentially a device that generates an unpredictable value that we might call a pass
number. Some devices change numbers at a particular interval, for example, once a
minute; others change numbers when you press a button, and others compute a new
number in response to an input, sometimes called a challenge. In all cases, it does not
matter if someone else sees or hears you provide the pass number, because that one value
will be valid for only one access (yours), and knowing that one value will not allow the
outsider to guess or generate the next pass number. Dynamic token generators are useful
for remote authentication, especially of a person to a computer.

An example of a dynamic token is the SecurID token from RSA Laboratories, shown in Figure
2-6. To use a SecurID token, you enter the current number displayed on the token when
prompted by the authenticating application. Each token generates a distinct, virtually
unpredictable series of numbers that change every minute, so the authentication system knows
what number to expect from your token at any moment. In this way, two people can have

59
 Lecture6- Authentication

SecurID tokens, but each token authenticates only its assigned owner. Entering the number from
another token does not pass your authentication. And because the token generates a new number
every minute, entering the number from a previous authentication fails as well.

6.3 Multifactor Authentication

 Combining authentication information is called multifactor authentication. Two forms
of authentication (which is, not surprisingly, known as two-factor authentication)
 Identity cards, such as a driver’s license, often contain a picture and signature. The card
itself is a token, but anyone seeing that card can compare your face to the picture and
confirm that the card belongs to you. Or the person can ask you to write your name and
can compare signatures. In that way, the authentication is both token based and biometric
(because your appearance and the way you sign your name are innate properties of you).

6.4 Secure Authentication
 Passwords, biometrics, and tokens can all participate in secure authentication. Of course,
simply using any or all of them is no guarantee that an authentication approach will be
secure.
To achieve true security, we need to think carefully about the problem we are trying to solve and
the tools we have; we also need to think about blocking possible attacks and attackers.

 Suppose we want to control access to a computing system. In addition to a name and
password, we can use other information available to authenticate users. Suppose Adams
works in the accounting department during the shift between 8:00 a.m. and 5:00 p.m.,
Monday through Friday. Any legitimate access attempt by Adams should be made during
those times, through a workstation in the accounting department offices. By limiting
Adams to logging in under those conditions, the system protects against two problems:

1. Someone from outside might try to impersonate Adams. This attempt would be thwarted
by either the time of access or the port through which the access was attempted.
2. Adams might attempt to access the system from home or on a weekend, planning to use
resources not allowed or to do something that would be too risky with other people
around.

60
 Lecture6- Authentication

Limiting users to certain workstations or certain times of access can cause complications
(as when a user legitimately needs to work overtime, a person has to access the
system while out of town on business, or a particular workstation fails). However, some
companies use these authentication techniques because the added security they provide
outweighs inconvenience. As security analysts, we need to train our minds to recognize
qualities that distinguish normal, allowed activity.

61