Lecture 02: Authentication - CMSC 413 Introduction to Cybersecurity
Virginia Commonwealth University
Dr. Changqing Luo
Summary
These lecture notes cover various authentication methods in cybersecurity, focusing on the different means and security implications of passwords, tokens, and biometrics. The notes also discuss theoretical and practical aspects of cybersecurity authentication practices.
Full Transcript
CMSC 413 Introduction to Cybersecurity
Lecture 02: Authentication
Instructor: Dr. Changqing Luo
Department of Computer Science

Authentication

RFC 2828 defines user authentication as:
  – The process of verifying an identity claimed by or for a system entity
User authentication is the fundamental security building block and first line of defense
  – Basis of access control and user accountability
Distinct from message authentication
Passwords can be used for authentication
  – Why IP addresses are not enough?

User Authentication

User authentication has two steps:
  – identification - presenting an identifier to the security system
  – verification - presenting or generating authentication information that corroborates the binding between the entity and the identifier

Means of User Authentication

Four means of authenticating user’s identity: the famous 4W
  – What you know: e.g., password, PIN, private key…
  – What you have: e.g., smartcard, token, key…
  – Who you are (static biometrics): e.g., fingerprint, retina
  – What you can do (dynamic biometrics): e.g., voice, sign, recognize a puzzle

Means of User Authentication

All can provide user authentication
Can use alone or combined
All have issues
  – Password lost or stolen
  – Token or key forgery
  – High equipment cost, and false positives for biometrics

Password Authentication

widely used user authentication method
  – user provides name/login and password
  – system compares password with that saved for specified login
password authenticates the ID of user logging and
  – that the user is authorized to access system
  – ID determines the user’s privileges
  – is used in discretionary access control

What is a Password?

A password is a string of characters used for user authentication to prove identity or resource assessment approval
  – Personal Identification Number (PIN)
  – Passphrase
What makes a strong password?
  – length, complexity, and unpredictability

Password Storage

Plain text passwords
Encrypted passwords
Hashed passwords

Password in Plaintext

Basic password system: file with username, password records
  john:automobile
  mary:balloon
  joe:wepntkas
Simple to implement, but risky
  – All users are compromised if the hacker gets the password file

Worst Passwords of 2013

Password Hashing

Store Encrypted passwords, don’t store in plaintext
  – Could decrypt (e.g. DES) to check, but where to store the key?
Even better: use one-way encryption - hashing
No way to decrypt
If file stolen, passwords not compromised
  – E.g., SHA-1 hashes stored in file, not plaintext password
  john:9Mfsk4EQh+XD2lBcCAvputrIuVbWKqbxPgKla7u67oo=
  mary:AEd62KRDHUXW6tp+XazwhTLSUlADWXrinUPbxQEfnsI=
  joe:J3mhF7Mv4pnfjcnoHZ1ZrUELjSBJFOo1r6D6fx8tfwU=

Password Hashing

Hashed Passwords - A widely used password security technique

Password Hashing Example

“What is your username & password?”
username is John & password is automobile
Does h(automobile) = 9Mfsk4EQ… ???
Hash: One-way encryption
No need to (can’t) decrypt
Just compare hashes
Plaintext password not in file (not in clear)

Password Vulnerabilities

offline dictionary attack
specific account attack
popular password attack
password guessing against single user
workstation hijacking
exploiting user mistakes
exploiting multiple password use
electronic monitoring

Password Attacks

Online brute-force attacks/dictionary attacks
Offline attacks on the list of hashed passwords
Password re-use across sites

Off-line Dictionary Attack

Offline: attacker steals file and tries combos
Online: try combos against live system
Attacker Obtains Password File:
  joe 9Mfsk4EQ...
  mary AEd62KRD...
  john J3mhF7Mv...
Attacker computes possible password hashes (using words from dictionary)
  H(password) = z5wcuJWE...
  H(123456) = tvj/d6R4…
  H(qwerty) = AEd62KRD...
mary has password qwerty!
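The hashed password file and the offline dictionary attack above, together with the salted third field the next slides introduce, as an added example that is not part of the original lecture. SHA-256, the `|` separator, the function names and the sample accounts are assumptions of this sketch; it counts how many hashes a password audit needs with and without salts.

```python
import base64
import hashlib
import hmac
import secrets

def h(text):
    # One-way hash, base64-encoded like the file entries (SHA-256 assumed here).
    return base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()

def make_record(password, salted):
    """Return (hash, salt); salt is '' for the unsalted scheme."""
    salt = secrets.token_hex(8) if salted else ""
    return h(f"{password}|{salt}" if salted else password), salt

def verify(password, record):
    digest, salt = record
    candidate = h(f"{password}|{salt}" if salt else password)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def audit(pwfile, wordlist):
    """Find accounts whose password is in wordlist; also count hashes computed."""
    found, hashes, table = {}, 0, None
    for user, (digest, salt) in pwfile.items():
        if not salt:
            if table is None:             # one pass over the wordlist serves every user
                table = {h(w): w for w in wordlist}
                hashes += len(wordlist)
            if digest in table:
                found[user] = table[digest]
        else:                             # salt forces a fresh pass per user
            for w in wordlist:
                hashes += 1
                if h(f"{w}|{salt}") == digest:
                    found[user] = w
                    break
    return found, hashes

# Constructed sample data; names and passwords reuse the slides' examples.
PASSWORDS = {"john": "automobile", "mary": "qwerty", "joe": "wepntkas"}
WORDLIST = ["password", "123456", "qwerty", "aardvark"]
UNSALTED = {u: make_record(p, salted=False) for u, p in PASSWORDS.items()}
SALTED = {u: make_record(p, salted=True) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print(audit(UNSALTED, WORDLIST))
    print(audit(SALTED, WORDLIST))
```

The weak password is found in both files; the salt only multiplies the work by the number of accounts, so a deliberately slow password hashing function (PBKDF2, bcrypt, scrypt, Argon2) is what raises the cost of each individual guess.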

Salting

Salting – include additional info in hash
Add third field to file storing random # (salt)
Example Entry: john with password automobile
  john:ScF5GDhWeHr2q5m7mSDuGPVasV2NHz4kuu5n5eyuMbo=:1515
Hash of password concatenated with salt: h(automobile|1515) = ScF5GDhW...

Salting: Good News

Dictionary attack against arbitrary user is harder
  – Before Salts: hash word & compare with password file
  – After Salts: hash combos of word & possible salts

Online Dictionary Attack Foiled

  h(automobile2975) = KNVXKOHBDEBKOURX
  h(automobile1487) = ZNBXLPOEWNVDEJOG
  h(automobile2764) = ZMCXOSJNFKOFJHKDF
  h(automobile4012) = DJKOINSLOKDKOLJUS
  h(automobile3912) = CNVIUDONSOUIEPQN
  …Etc…
  h(aardvark2975) = DKOUOXKOUDJWOIQ
  h(aardvark1487) = PODNJUIHDJSHYEJNU
  …Etc…
/etc/passwd:
  john LPINSFRABXJYWONF 2975
  mary DOIIDBQBZIDRWNKG 1487
  joe LDHNSUNELDUALKDY 2764
Too many combinations!!! Attack is Foiled!

Salting: Bad News

Ineffective against chosen-victim attack
  – Attacker wants to compromise particular account
  – Just hash dictionary words with victim’s salt
Attacker’s job is harder, not impossible

Online Dictionary Attack

Attacker actively tries combos on live system
Can monitor attacks
  – Watch for lots of failed attempts
  – Mark or block suspicious IPs

Password Guessing using Bots

What if bots are trying to guess your password?
  – Use of CAPTCHA
However,
  – Traditional CAPTCHA is failing. In 2013, some artificial intelligence company developed software to solve CAPTCHA with a 90% success rate
  – New generation of CAPTCHA uses image recognition

Password Attacks Countermeasure

Several techniques to help securely manage passwords
  ✓ Strong Passwords
  ✓ Honeypots
  ✓ Filtering
  ✓ Aging
  ✓ Pronounceable
  ✓ One-Time Passwords
  ✓ Limiting Logins
  ✓ Artificial Delays
  ✓ Last Login
  ✓ Image Authentication

Honeypot Password

Simple username/password (guest/guest) on honeypot to attract attackers
Bait attackers into trying simple combos
Alert admin when attempts are trapped
Could be an indication of attack
Log the activities from the IP and observe what they’re up to
Trap the attackers and let them waste time

Password Filtering

Let users choose password
  – Within certain restrictions to guarantee stronger password
  – Ex: if in the dictionary or easy to guess
May require mixed case, numbers, special characters
  – Can specify set of secure passwords through regular expressions
  – Also set a particular min length

Aging Password

Encourage/require users to change passwords every certain number of days
Could “age” passwords by only accepting them a certain number of times
But if changes are required too often, users will work around the rule, which is more insecure

Pronounceable Password

Users want to choose dictionary words because they’re easy to remember
Pronounceable Passwords
  – Non-dictionary words, but also easy to recall
  – Syllables & vowels connected together
  – e.g. ahrosios, chireckl, harciefy

Limited Login Attempts

Allow just 3-4 failed logins, then disable or lock account
  – Attacker only gets fixed number of guesses
  – Inconvenient to users if they’re forgetful
  – Legitimate user would have to ask sys admin to unlock or reset their password
  – Potential for DoS attacks if usernames compromised and attacker guesses randomly for all, locking up large percentage of users of system

Artificial Delay

Artificial delay when user tries login over network
Wait 2n seconds after nth failure from particular IP address
Problem?
  – One person’s attempts can delay another
  – https://www.yahoo.com/news/3-old-disabled-family-apos-015804751.html

Last Login

Notify user of last login date, time, location each time they log in
  – Educate them to pay attention
  – Tell user to report any inconsistencies
Discrepancies = indications of attacks
Catch attacks that may not have been noticed
  – Ex: Alice usually logs in monthly from CA
  – Last login was 2 weeks ago in Russia
  – Alice knows something’s wrong, reports it

Image Authentication

Combat phishing: images as second-factor
Ask users to pick image during account creation
  – Display at login after username is entered
  – Phisher can’t spoof the image
  – Educate user to not enter password if he doesn’t see the image he picked
Example login screen: “Hello Carol”, “Password:”

One-Time Password

Multiple uses of password gives attacker multiple opportunities to steal it
OTP: log in with different password each time
Devices generate passwords to be used each time user logs in
  – Device uses seed to generate stream of passwords
  – Server knows seed, current time, can verify password
OTP devices integrated into PDAs, cell-phones

Token Authentication – Memory Card

store but do not process data
  – magnetic stripe card, e.g. bank card
  – electronic memory card
used alone for physical access
with password/PIN for computer use
drawbacks of memory cards include:
  – need special reader
  – loss of token issues
  – user dissatisfaction

Token Authentication – Smartcard

credit-card like
has own processor, memory, I/O ports
  – wired or wireless access by reader
  – may have crypto co-processor
  – ROM, EEPROM, RAM memory
executes protocol to authenticate with reader/computer
also have USB dongles

Token Authentication – RFID Card

may become very popular in the near future
has two parts
  – One is for storing and processing information, modulating and demodulating a (RF) signal, and other specialized functions.
  – The second is an antenna for receiving and transmitting the signal.
authentication with an RFID reader wirelessly

Biometric Authentication

Authenticate users based on one of their physical characteristics
  – static characteristics, such as fingerprint, hand geometry, facial characteristics, and retinal and iris pattern
  – dynamic characteristics, such as voiceprint and signature
More advanced than password or token because it is unique and hard to replicate

Biometric Authentication: Cost vs. Accuracy

Operation of a Biometric System

An Example: Iris Authentication

Biometric Accuracy

never get identical templates
  – problems of false match / false non-match

Biometric Accuracy (continued)

can plot receiver operating characteristic (ROC) curve
pick threshold balancing error rates (application dependent)
  – Forensic application requires a low false non-match rate
  – Banking application requires a low false match rate

Practical Application

Using Iris-authentication of debit card users
CIN (customer identification number)

Remote User Authentication

convince parties of each other’s identity and to exchange session keys over the network
  – may be one-way or mutual
key security issues are
  – confidentiality – to protect session keys from eavesdropping
  – timeliness – to prevent replay attacks

Replay Attacks

where a valid signed message is copied and later resent
  – Such replays, at worst, could allow an opponent to successfully impersonate another party
  – At minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not.
countermeasures include
  – use of sequence numbers (generally impractical)
  – timestamps (needs synchronized clocks)
  – challenge/response (using unique nonce)

Remote User Authentication Protocols

generally use challenge-response
  – user sends identity
  – host responds with random number and choice of two functions h() and f()
  – user computes f(r, h(P)) and sends back
  – host compares value from user with own computed value, if match user authenticated
  – A fully-fledged version can be Kerberos Protocols

Remote Authentication Security Issues

Client attacks – guess passwords
Host attacks – password, token, or biometric template files
Eavesdropping – keylogging, sniffer ftp and telnet
Replay attacks – repeat a previously captured client response.
Trojan horse – rogue ATM or Application
Denial-of-service (DoS)

SSH Authentication

SSH uses public key cryptography to authenticate the remote computer and enables the remote computer to authenticate the user, if necessary.
  – Public-Key Authentication (RSA, DSA)

Thank you for your attention!
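
The challenge-response exchange from the Remote User Authentication Protocols slide, with the nonce countermeasure from the Replay Attacks slide, as an added example that is not part of the original lecture. The choice of SHA-256 for h(), HMAC-SHA256 for f(), the `Host` class and the sample account are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def h(password):
    # h(): one-way hash of the password P (SHA-256 assumed for this example)
    return hashlib.sha256(password.encode()).digest()

def f(r, hp):
    # f(): keyed function of the challenge r and h(P) (HMAC-SHA256 assumed)
    return hmac.new(hp, r, hashlib.sha256).digest()

class Host:
    def __init__(self, users):
        self.hp = {u: h(p) for u, p in users.items()}  # host keeps h(P), not P
        self.pending = {}                              # user -> outstanding nonce

    def challenge(self, user):
        r = secrets.token_bytes(16)                    # fresh, unpredictable nonce
        self.pending[user] = r
        return r

    def verify(self, user, response):
        r = self.pending.pop(user, None)               # a nonce is valid once only
        if r is None or user not in self.hp:
            return False
        return hmac.compare_digest(f(r, self.hp[user]), response)

def client_response(password, r):
    return f(r, h(password))

def demo():
    host = Host({"alice": "correct horse"})            # constructed account
    r1 = host.challenge("alice")
    captured = client_response("correct horse", r1)    # what an eavesdropper records
    genuine = host.verify("alice", captured)
    replay_without_challenge = host.verify("alice", captured)
    host.challenge("alice")                            # new nonce, differs from r1
    replay_after_new_challenge = host.verify("alice", captured)
    r3 = host.challenge("alice")
    wrong_password = host.verify("alice", client_response("guess", r3))
    return (genuine, replay_without_challenge,
            replay_after_new_challenge, wrong_password)

if __name__ == "__main__":
    print(demo())
```

Because the host computes f(r, h(P)) from its stored h(P), that stored value is enough to answer any challenge, which is why the host's password file appears under "Host attacks" on the security issues slide.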