cs-lecture6-authentication.pdf

Lecture 6: Authentication

6.1 Authentication

Human authentication: Your neighbor recognizes you, sees you frequently, and knows you are someone who should be going into your home. Your neighbor can also notice someone different, especially if that person is doing something suspicious, such as snooping around your doorway, peering up and down the walk, or picking up a heavy stone. Coupling these suspicious events with hearing the sound of breaking glass, your neighbor might even call the police.

Computers have replaced many face-to-face interactions with electronic ones. The basis of computer security is controlled access: someone is authorized to take some action on something. Determining who a person really is consists of two separate steps:

1. Identification is the act of asserting who a person is.
2. Authentication is the act of proving that asserted identity: that the person is who she says she is.

6.2 Identification versus Authentication

Identities are often well known, predictable, or guessable. Your identity is more than just your name: your bank account number, debit card number, email address, and other things are ways by which people and processes identify you.

Authentication, on the other hand, should be reliable. If identification asserts your identity, authentication confirms that you are who you purport to be. Identities are typically public or well known; authentication should be private.

Authentication mechanisms use any of three qualities to confirm a user's identity:

- Something the user knows. Passwords, PINs, passphrases, a secret handshake, and mother's maiden name are examples of what a user may know.
- Something the user is. These authenticators, called biometrics, are based on a physical characteristic of the user, such as a fingerprint, the pattern of a person's voice, or a face (picture).
These authentication methods are old (we recognize friends in person by their faces or on a telephone by their voices) but are just starting to be used in computer authentication.
- Something the user has. Identity badges, physical keys, a driver's license, or a uniform are common examples of things people have that make them recognizable.

Two or more forms can be combined; for example, a bank card and a PIN combine something the user has (the card) with something the user knows (the PIN).

6.2.1 Authentication Based on Phrases and Facts: Something You Know (Password Use)

User authentication and verification using a password: A user enters some piece of identification, such as a name or an assigned user ID; this identification can be available to the public or can be easy to guess, because it does not provide the real protection. The protection system then requests a password from the user. If the password matches the one on file for the user, the user is authenticated and allowed access. If the password match fails, the system requests the password again, in case the user mistyped.

Even though passwords are widely used, they suffer from some difficulties of use:

- Use. Supplying a password for each access to an object can be inconvenient and time consuming.
- Disclosure. If a user discloses a password to an unauthorized individual, the object becomes immediately accessible. If the user then changes the password to re-protect the object, the user must inform any other legitimate users of the new password because their old password will fail.
- Revocation. To revoke one user's access right to an object, someone must change the password, thereby causing the same problems as disclosure.
- Loss. Depending on how the passwords are implemented, it may be impossible to retrieve a lost or forgotten password.
The operators or system administrators can certainly intervene and provide a new password, but often they cannot determine what password a user had chosen previously. If the user loses (or forgets) the password, administrators must assign a new one.

6.2.1.1 Attacking and Protecting Passwords

How secure are passwords themselves?

- Passwords are somewhat limited as protection devices because of the relatively small number of bits of information they contain.
- Worse, people pick passwords that do not even take advantage of the number of bits available: choosing a well-known string, such as qwerty, password, or 123456, reduces an attacker's uncertainty or difficulty essentially to zero.

a. Dictionary Attacks

Users may choose passwords from dictionaries, for example passwords that are:

- contained in a short college dictionary
- contained in a complete English word list
- contained in common non-English-language dictionaries
- contained in a short college dictionary with capitalizations (PaSsWorD) or substitutions (digit 0 for letter O, and so forth)
- contained in a complete English dictionary with capitalizations or substitutions
- contained in common non-English dictionaries with capitalizations or substitutions

An attacker can search these dictionaries to infer a user's password.

Countermeasure:

- Several network sites post dictionaries of phrases, science fiction character names, places, mythological names, Chinese words, Yiddish words, and other specialized lists. These lists help site administrators identify users who have chosen weak passwords.
- The COPS, Crack, and SATAN utilities allow an administrator to scan a system for weak passwords.
- Internet sites now offer so-called password recovery software as freeware or shareware for under $20. (These are password-cracking programs.)

b. Inferring Passwords Likely for a User

Users may choose passwords derived from well-known personal information, such as a password that:

- is the same as the user ID
- is, or is derived from, the user's name
- is on a common word list (for example, password, secret, private) plus common names and patterns (for example, qwerty, aaaaaa)

c. Exhaustive Attack

In an exhaustive or brute force attack, the attacker tries all possible passwords, usually in some automated fashion. Of course, the number of possible passwords depends on the implementation of the particular computing system.

For example, if passwords are words consisting of the 26 characters A–Z and can be of any length from 1 to 8 characters, there are $26^1$ passwords of 1 character, $26^2$ passwords of 2 characters, and $26^8$ passwords of 8 characters. Therefore, the system as a whole has $26^1 + 26^2 + \dots + 26^8 = 26^9 - 1 \approx 5 \times 10^{12}$, or five million million, possible passwords.

6.2.1.2 Good Passwords

If we do use passwords, we can improve their security by a few simple practices:

- Use characters other than just a–z. If passwords are chosen from the letters a–z, there are only 26 possibilities for each character. Adding digits expands the number of possibilities to 36. Using both uppercase and lowercase letters plus digits expands the number of possible characters to 62. Although this change seems small, the effect is large when someone is testing a full space.
- Choose long passwords. The combinatorial explosion of password guessing difficulty begins around length 4 or 5. Choosing longer passwords makes it less likely that a password will be uncovered. Remember that a brute force penetration can stop as soon as the password is found. Some penetrators will try the easy cases (known words and short passwords) and move on to another target if those attacks fail.
- Avoid actual names or words.
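The following is an added example, not part of the lecture notes, that puts numbers on the points made in 6.2.1.1 and 6.2.1.2 from an administrator's side: it sizes the brute-force space from the character classes a password actually uses (26, 36 or 62 choices per position), sums the exhaustive count for all lengths 1 to n, and flags passwords that a dictionary attack with capitalization or digit substitutions, or a guess derived from the user ID or name, would find. The word list, substitution table and the sample accounts (jsmith, adams, jdoe and their passwords) are constructed for the demo; UcnB2s is the lecture's own example of a memorable password.

```python
"""Added example (not from the lecture): a small password-audit helper.

Constructed word list and accounts; a real audit would load the much larger
lists the lecture mentions (college dictionary, non-English lists, and so on).
"""

import math
import string

# Constructed stand-in for the "short college dictionary" plus common patterns.
WORDLIST = {"password", "secret", "private", "qwerty", "aaaaaa", "welcome", "letmein"}

# Digit/symbol-for-letter substitutions an attacker adds to a word list.
# Folding them back lets us test "Pa55w0rd" against the plain word "password".
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def normalize(password: str) -> str:
    """Undo capitalization and the common substitutions above."""
    return password.translate(SUBSTITUTIONS).lower()


def charset_size(password: str) -> int:
    """Size of the character pool the password draws from (26, 36, 62, ...)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def exhaustive_count(alphabet: int, max_len: int) -> int:
    """Candidates an exhaustive attack must cover for lengths 1..max_len (exact sum)."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def search_space_bits(password: str) -> float:
    """Bits of uncertainty if the attacker must brute-force this class and length."""
    return len(password) * math.log2(charset_size(password))


def weaknesses(user_id: str, full_name: str, password: str) -> list[str]:
    """Reasons the password would fall to attacks (a), (b) or (c) of 6.2.1.1."""
    found = []
    norm = normalize(password)
    if norm in WORDLIST:
        found.append("dictionary word (after undoing case/substitutions)")
    personal = {user_id.lower()} | {part.lower() for part in full_name.split()}
    if any(p and p in norm for p in personal):
        found.append("derived from user ID or name")
    if len(password) < 5:
        found.append("shorter than 5 characters: brute force is cheap")
    if charset_size(password) <= 26:
        found.append("single character class: only 26 choices per position")
    return found


if __name__ == "__main__":
    # Constructed sample accounts.
    for uid, name, pw in [("jsmith", "John Smith", "Pa55w0rd"),
                          ("adams", "Ann Adams", "adams1"),
                          ("jdoe", "Jane Doe", "UcnB2s")]:
        print(f"{uid}: {search_space_bits(pw):.1f} bits, "
              f"issues: {weaknesses(uid, name, pw) or 'none'}")
    print("A-Z only, lengths 1..8:", exhaustive_count(26, 8))
```

`exhaustive_count(26, 8)` returns the exact sum for the lecture's A–Z, length 1 to 8 case, which you can compare with the closed-form approximation given in the text; the audit functions are the kind of check the COPS/Crack-style scanners mentioned above perform against a password file.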
Theoretically, there are $26^6$, or about 300 million, 6-letter "words" (meaning any combination of letters), but there are only about 150,000 words in a good collegiate dictionary, ignoring length. By picking one of the 99.95 percent non-words, you force the attacker to use a longer brute-force search instead of the abbreviated dictionary search.
- Use a string you can remember. One easy-to-remember password is UcnB2s. That unlikely looking jumble is a simple transformation of "you can never be too secure." The first letters of words from a song, a few letters from different words of a private phrase, or something involving a memorable basketball score are examples of reasonable passwords.
- Use variants for multiple passwords. Start with a phrase as in the previous suggestion: Ih1b2s (I have one brother, two sisters). Then append some patterns involving the first few vowels and consonants of the entity for the password: Ih1b2sIvs for vIsa, Ih1b2sAfc for fAcebook, and so forth.
- Change the password regularly. You should change it from time to time. A penetrator may break a password system by obtaining an old list or working exhaustively on an encrypted list.
- Don't write it down. Note: you should not tape your PIN to your bank card or post your password on your computer screen.
- Don't tell anyone else. The easiest attack is social engineering, in which the attacker contacts the system's administrator or a user to elicit the password in some way. For example, the attacker may phone a user, claim to be "system administration," and ask the user to verify the user's password. Under no circumstances should you ever give out your private password; legitimate administrators can circumvent your password if need be, and others are merely trying to deceive you.

These principles lead to solid password selection.

6.2.2 Authentication Based on Biometrics: Something You Are

Biometrics are biological properties, based on some physical characteristic of the human body.
The list of biometric authentication technologies is still growing. Now devices can recognize the following biometrics:

- fingerprint
- hand geometry (shape and size of fingers)
- retina and iris (parts of the eye)
- voice
- handwriting, signature, hand motion
- typing characteristics
- blood vessels in the finger or hand
- face
- facial features, such as nose shape or eye spacing

Authentication with biometrics has advantages over passwords because a biometric cannot be lost, stolen, forgotten, or shared and is always available, always at hand, so to speak. These characteristics are difficult, if not impossible, to forge.

Biometric authentication means a subject matches a template closely enough. "Close" is a system parameter that can be tuned.

6.2.2.1 Problems with Use of Biometrics

Biometrics come with several problems:

- Biometrics are relatively new, and some people find their use intrusive. For example, people in some cultures are insulted by having to submit to fingerprinting, because they think that only criminals are fingerprinted.
- Biometric recognition devices are costly, although as the devices become more popular, their cost per device should go down. Still, outfitting every user's workstation with a reader can be expensive for a large company with many employees.
- Biometric readers and comparisons can become a single point of failure. Consider a retail application in which a biometric recognition is linked to a payment scheme. As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." (Fingerprint recognition is specific to a single finger; the pattern of one finger is not the same as another.) Manual laborers can actually rub off their fingerprints over time, and a sore or irritation may confound a fingerprint reader.
- All biometric readers use sampling and establish a threshold for acceptance of a close match.
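The following is an added example, not part of the lecture notes, showing how the acceptance threshold of a biometric matcher trades false accepts (an impostor accepted) against false rejects (the real user turned away). A matcher reduces each sample-versus-template comparison to a similarity score; the genuine and impostor scores below are constructed for the demo, not measured from any real device. Genuine readings score high but vary from one reading to the next, while impostor readings score low but occasionally come close.

```python
"""Added example (not from the lecture): false-accept / false-reject trade-off
of a biometric acceptance threshold, on constructed similarity scores 0..100."""

# Constructed scores: the same person's repeated readings against her template ...
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87]
# ... and other people's readings against that same template.
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 58, 66, 73, 52, 60]


def error_rates(threshold: int, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES) -> tuple[float, float]:
    """Return (false_accept_rate, false_reject_rate) when scores >= threshold are accepted.

    false accept = impostor reading accepted when it should be rejected
    false reject = genuine reading rejected when it should be accepted
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds) -> dict[int, tuple[float, float]]:
    """Tabulate the two error rates for each candidate threshold."""
    return {t: error_rates(t) for t in thresholds}


def equal_error_threshold(thresholds) -> int:
    """Threshold at which the two rates are closest: the usual tuning point
    when neither kind of error is considered worse than the other."""
    return min(thresholds, key=lambda t: abs(error_rates(t)[0] - error_rates(t)[1]))


if __name__ == "__main__":
    for t, (far, frr) in sweep(range(60, 96, 5)).items():
        print(f"threshold {t:>2}: false accept {far:.0%}  false reject {frr:.0%}")
    print("equal-error threshold:", equal_error_threshold(range(60, 96)))
```

Raising the threshold drives the false-accept rate to zero but makes the legitimate user's off days (a tilted face, a sore finger) fail; a payment system would tune it one way, a low-risk door badge another.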
The device has to sample the biometric, measure often hundreds of key points, and compare that set of measurements with a template. Features vary slightly from one reading to the next, for example, if your face is tilted, if you press one side of a finger more than another, or if your voice is affected by a sinus infection. Variation reduces accuracy. Although equipment accuracy is improving, false readings still occur. We label a false positive or false accept a reading that is accepted when it should be rejected (that is, the authenticator does not match) and a false negative or false reject one that rejects when it should accept. Often, reducing the false positive rate increases false negatives.

6.2.3 Authentication Based on Tokens: Something You Have

Something you have means that you have a physical object in your possession. One physical authenticator with which you are probably familiar is a key.

Other familiar examples of tokens are badges and identity cards. You may have an "affinity card": a card with a code that gets you a discount at a store.

Another kind of authentication token has data to communicate invisibly. Examples of this kind of token include credit cards with a magnetic stripe, credit cards with an embedded computer chip, or access cards with passive or active wireless technology. You introduce the token into an appropriate reader, and the reader senses values from the card. If your identity and values from your token match, this correspondence adds confidence that you are who you say you are.

6.2.3.1 Token Types

a. Active and Passive Tokens

Passive tokens do nothing, and active ones take some action. A photo or key is an example of a passive token in that the contents of the token never change.

An active token can have some variability or interaction with its surroundings. For example, some public transportation systems use cards with a magnetic stripe.
When you insert the card into a reader, the machine reads the current balance, subtracts the price of the trip, and rewrites a new balance for the next use. In this case, the token is just a repository to hold the current value.

b. Static and Dynamic Tokens

The value of a static token remains fixed. Keys, identity cards, passports, credit and other magnetic-stripe cards, and radio transmitter cards (called RFID devices) are examples of static tokens. Static tokens are most useful for onsite authentication: when a guard looks at your picture badge, the fact that you possess such a badge and that your face looks (at least vaguely) like the picture causes the guard to pass your authentication and allow you access.

A dynamic token is one whose value changes. A dynamic authentication token is essentially a device that generates an unpredictable value that we might call a pass number. Some devices change numbers at a particular interval, for example, once a minute; others change numbers when you press a button; and others compute a new number in response to an input, sometimes called a challenge. In all cases, it does not matter if someone else sees or hears you provide the pass number, because that one value will be valid for only one access (yours), and knowing that one value will not allow the outsider to guess or generate the next pass number. Dynamic token generators are useful for remote authentication, especially of a person to a computer.

An example of a dynamic token is the SecurID token from RSA Laboratories, shown in Figure 2-6. To use a SecurID token, you enter the current number displayed on the token when prompted by the authenticating application. Each token generates a distinct, virtually unpredictable series of numbers that change every minute, so the authentication system knows what number to expect from your token at any moment.
In this way, two people can have SecurID tokens, but each token authenticates only its assigned owner. Entering the number from another token does not pass your authentication. And because the token generates a new number every minute, entering the number from a previous authentication fails as well.

6.3 Multifactor Authentication

Combining authentication information is called multifactor authentication. Combining two forms of authentication is, not surprisingly, known as two-factor authentication.

Identity cards, such as a driver's license, often contain a picture and signature. The card itself is a token, but anyone seeing that card can compare your face to the picture and confirm that the card belongs to you. Or the person can ask you to write your name and can compare signatures. In that way, the authentication is both token based and biometric (because your appearance and the way you sign your name are innate properties of you).

6.4 Secure Authentication

Passwords, biometrics, and tokens can all participate in secure authentication. Of course, simply using any or all of them is no guarantee that an authentication approach will be secure. To achieve true security, we need to think carefully about the problem we are trying to solve and the tools we have; we also need to think about blocking possible attacks and attackers.

Suppose we want to control access to a computing system. In addition to a name and password, we can use other information available to authenticate users. Suppose Adams works in the accounting department during the shift between 8:00 a.m. and 5:00 p.m., Monday through Friday. Any legitimate access attempt by Adams should be made during those times, through a workstation in the accounting department offices. By limiting Adams to logging in under those conditions, the system protects against two problems:

1. Someone from outside might try to impersonate Adams.
   This attempt would be thwarted by either the time of access or the port through which the access was attempted.
2. Adams might attempt to access the system from home or on a weekend, planning to use resources not allowed or to do something that would be too risky with other people around.

Limiting users to certain workstations or certain times of access can cause complications (as when a user legitimately needs to work overtime, a person has to access the system while out of town on business, or a particular workstation fails). However, some companies use these authentication techniques because the added security they provide outweighs the inconvenience. As security analysts, we need to train our minds to recognize the qualities that distinguish normal, allowed activity.
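The following is an added example, not part of the lecture notes, that ties together the dynamic token of 6.2.3.1(b), the multifactor idea of 6.3 and the contextual limits of 6.4 in one server-side check: a password (something you know), a pass number from a token that changes every minute (something you have), and the Adams rule (accounting workstations, 8:00 a.m. to 5:00 p.m., Monday through Friday). The time-based code here is derived with HMAC-SHA256 from a per-token secret shared with the server; this is a simplified illustration and not RSA's SecurID algorithm. The user record, the salted PBKDF2 password store, the workstation names acct-ws-01/acct-ws-02, the token secrets and the dates are all assumptions constructed for the demo.

```python
"""Added example (not from the lecture): password + time-based token + context.

The token scheme is a simplified HMAC illustration, not the SecurID algorithm;
all secrets, users, workstations and timestamps are constructed for the demo.
"""

import hashlib
import hmac
from datetime import datetime, timedelta, timezone

SLOT_SECONDS = 60  # the displayed pass number changes once a minute


def token_code(token_secret: bytes, now: datetime) -> str:
    """Six-digit pass number for the current minute. The token and the server
    share token_secret, so both can compute the expected value."""
    slot = int(now.timestamp()) // SLOT_SECONDS
    digest = hmac.new(token_secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked password list cannot be used directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    def __init__(self):
        self.users = {}       # user_id -> record
        self.last_slot = {}   # user_id -> minute of the last accepted code (replay guard)

    def enroll(self, user_id, password, token_secret, workstations, days, hours):
        salt = hashlib.sha256(b"demo-salt:" + user_id.encode()).digest()[:16]  # constructed
        self.users[user_id] = {
            "pw": hash_password(password, salt), "salt": salt, "token": token_secret,
            "workstations": set(workstations), "days": set(days), "hours": hours,
        }

    def authenticate(self, user_id, password, code, workstation, now: datetime) -> tuple[bool, str]:
        rec = self.users.get(user_id)
        if rec is None:
            return False, "unknown user"
        # Something you know.
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
            return False, "bad password"
        # Something you have: the code must come from this user's token, this minute,
        # and a minute's code is good for one access only.
        slot = int(now.timestamp()) // SLOT_SECONDS
        if not hmac.compare_digest(code, token_code(rec["token"], now)):
            return False, "bad token code"
        if self.last_slot.get(user_id) == slot:
            return False, "token code already used"
        # Context: allowed days (0 = Monday), hours and workstations.
        start, end = rec["hours"]
        if now.weekday() not in rec["days"] or not (start <= now.hour < end):
            return False, "outside allowed hours"
        if workstation not in rec["workstations"]:
            return False, "workstation not allowed"
        self.last_slot[user_id] = slot
        return True, "ok"


def demo() -> dict:
    """Constructed scenario for Adams; returns the outcome of each attempt."""
    secret, other_secret = b"adams-token-secret-demo", b"someone-elses-token-demo"
    server = AuthServer()
    server.enroll("adams", "Ih1b2sAcc", secret, ["acct-ws-01", "acct-ws-02"],
                  days={0, 1, 2, 3, 4}, hours=(8, 17))
    mon_9am = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)    # a Monday
    sat_10am = datetime(2024, 3, 9, 10, 0, tzinfo=timezone.utc)  # the Saturday after
    t1, t2 = mon_9am + timedelta(minutes=1), mon_9am + timedelta(minutes=2)
    auth = server.authenticate
    return {
        "ok": auth("adams", "Ih1b2sAcc", token_code(secret, mon_9am), "acct-ws-01", mon_9am),
        "replay": auth("adams", "Ih1b2sAcc", token_code(secret, mon_9am), "acct-ws-01", mon_9am),
        "next_minute": auth("adams", "Ih1b2sAcc", token_code(secret, t1), "acct-ws-02", t1),
        "other_token": auth("adams", "Ih1b2sAcc", token_code(other_secret, t2), "acct-ws-01", t2),
        "weekend": auth("adams", "Ih1b2sAcc", token_code(secret, sat_10am), "acct-ws-01", sat_10am),
        "home": auth("adams", "Ih1b2sAcc", token_code(secret, t2), "home-laptop", t2),
        "wrong_pw": auth("adams", "guess", token_code(secret, t2), "acct-ws-01", t2),
    }


if __name__ == "__main__":
    for attempt, result in demo().items():
        print(f"{attempt:>12}: {result}")
```

The checks are ordered so that the cheapest and least revealing failure is reported first, and the replay guard records a minute only after every factor has passed; the same structure extends to the overtime and travel exceptions mentioned in the text by widening `days`, `hours` or `workstations` for a specific user rather than disabling the rule.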
