Information Security - User Authentication PDF

Summary

This document explores information security focusing on user authentication. It covers different authentication methods, their processes, and discusses security vulnerabilities, such as password cracking, and potential countermeasures.

Full Transcript

Information Security: User Authentication

Outlines
◼ User Authentication techniques

User Authentication
“The process of verifying an identity claimed by or for a system entity.”

Authentication Process
◼ Fundamental building block and primary line of defense
◼ Basis for access control and user accountability
◼ Identification step
  ⚫ Presenting an identifier to the security system
◼ Verification step
  ⚫ Presenting or generating authentication information that corroborates the binding between the entity and the identifier

Authentication Process
◼ An authentication process consists of two steps:
  ❖ Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as the access control service.)
  ❖ Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.

Password Authentication
◼ Widely used line of defense against intruders
  ❖ User provides name/login and password
  ❖ System compares the password with the one stored for that login
◼ The user ID:
  ❖ Determines that the user is authorized to access the system
  ❖ Determines the user’s privileges
  ❖ Is used in discretionary access control
◼ Password Authentication Benefits:
  ❖ Used for a long time
  ❖ Integrated into many operating systems
  ❖ Users are familiar with them
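As an added example (not from the slides), the two steps of the password slide above, with the stored password kept as a salted, iterated hash in the spirit of the UNIX hashed-password scheme the deck refers to later. The record layout, logins and passwords are constructed for this example, and PBKDF2-SHA256 stands in for the historical crypt(3) function.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed record layout for this example (not the real crypt(3) format):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 hash>
ITERATIONS = 100_000

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted, slow hash instead of the password itself."""
    salt = os.urandom(16) if salt is None else salt   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify(record: str, candidate: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))

# Constructed password file: login -> record. Two users chose the same password,
# yet their records differ because each got its own salt, so one cracked record
# (or one precomputed table) does not expose the other.
PASSWORD_FILE: Dict[str, str] = {
    "alice": make_record("Tr0ub4dor&3"),
    "bob": make_record("Tr0ub4dor&3"),
}
_DUMMY = make_record("unused")   # hashed on unknown logins, see authenticate()

def authenticate(login: str, password: str, users: Dict[str, str] = PASSWORD_FILE) -> bool:
    """Identification (look up the login) then verification (check the hash).
    An unknown login still costs one hash so response time does not reveal
    which logins exist."""
    record = users.get(login)
    if record is None:
        verify(_DUMMY, password)
        return False
    return verify(record, password)

def salts_differ(users: Dict[str, str] = PASSWORD_FILE) -> bool:
    """True when users with the same password still have distinct stored records."""
    return users["alice"] != users["bob"]
```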
Password Vulnerabilities Countermeasures
◼ Stop unauthorized access to the password file
◼ Intrusion detection measures
◼ Account lockout mechanisms
◼ Policies against using common passwords, requiring hard-to-guess passwords instead
◼ Training and enforcement of policies
◼ Automatic workstation logout
◼ Encrypted network links

Use of Hashed Passwords
Example: UNIX system

Password Cracking: Modern Approaches
◼ Complex password policy
  ❖ Forcing users to pick stronger passwords
◼ However, password-cracking techniques have also improved:
  ❖ The processing capacity available for password cracking has increased dramatically
  ❖ The use of sophisticated algorithms to generate potential passwords
  ❖ Studying examples and structures of actual passwords in use

Password Selection Strategies

Something the User Has: Token Authentication
◼ Most of these techniques combine something the user has with something the user knows.
◼ Objects that the user possesses for the purpose of authentication are called tokens.
◼ Tokens are divided into memory tokens and smart tokens.

Token Authentication
◼ An object the user possesses in order to authenticate, e.g.
  ❖ Magnetic stripe card
  ❖ Memory card
  ❖ Smart card / smart token

Types of Cards Used as Tokens
Card Type         Defining Feature                             Example
Embossed          Raised characters only, on front             Old credit card
Magnetic stripe   Magnetic bar on back, characters on front    Bank card
Memory            Electronic memory inside                     Prepaid phone card
Smart             Electronic memory and processor inside       Biometric ID card
Contact           Electrical contacts exposed on surface
Contactless       Radio antenna embedded inside

Memory Card / Token
◼ Stores but does not process data
◼ Magnetic stripe card, e.g. bank card
◼ Electronic memory card
◼ Used alone for physical access
◼ Used with a password/PIN for computer use
◼ Drawbacks of memory cards include:
  ❖ Need for a special reader
  ❖ Loss-of-token issues
  ❖ User dissatisfaction (the user has to carry it around)
  ❖ Token cost

Smart Tokens
◼ A smart token expands the functionality of a memory token by incorporating one or more integrated circuits into the token itself.
◼ A smart token also requires the user to provide something he knows (e.g. a password) in order to "unlock" the smart token for use.
◼ Smart token benefits:
  ❖ Great flexibility
  ❖ Solve many authentication problems
  ❖ Greater security than memory cards
  ❖ Solve the problem of electronic monitoring

Smart Tokens/Cards
◼ Physical characteristics:
  o Include an embedded microprocessor
  o A smart token that looks like a bank card
  o Can look like calculators, keys, or small portable objects
◼ Interface:
  o Manual interfaces include a keypad and display for interaction
  o Electronic interfaces communicate with a compatible reader/writer
◼ Authentication protocol:
  o Classified into three categories:
    ⚫ Static
    ⚫ Dynamic password generator
    ⚫ Challenge-response

Smart Cards
◼ Most important category of smart token
  o Has the appearance of a credit card
  o Has an electronic interface
  o May use any of the smart token protocols
◼ Contain an entire microprocessor:
  o Processor
  o Memory
  o I/O ports
◼ Typically include three types of memory:
  o Read-only memory (ROM): stores data that does not change during the card’s life
  o Electrically erasable programmable ROM (EEPROM): holds application data and programs
  o Random access memory (RAM): holds temporary data generated when applications are executed

Biometric Authentication
◼ Attempts to authenticate an individual based on unique physical characteristics
◼ Based on pattern recognition
◼ Is technically complex and expensive compared to passwords and tokens
◼ Physical characteristics used include:
  o Facial characteristics
  o Fingerprints
  o Hand geometry
  o Retinal pattern
  o Iris
  o Signature
  o Voice

Authentication Procedures
Two-party, Two-party, Third-party

CSC-S 421 Dr. Mohamed Elhoseny Fall 2020-2021
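The challenge-response protocol category listed under Smart Tokens/Cards above, as an added example that is not from the slides: the verifier issues a fresh random challenge, the token answers with a keyed hash over it under a secret that never leaves the token, and a response captured on the wire is useless against any later challenge (the point behind "solve the problem of electronic monitoring"). Token ids and secrets are constructed, and HMAC-SHA256 as the token's function is an assumption; the deck does not specify one.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class Verifier:
    """Server side: knows each token's shared secret and issues one-shot challenges."""

    def __init__(self, token_secrets: Dict[str, bytes]):
        self._secrets = dict(token_secrets)        # token id -> shared secret
        self._pending: Dict[str, bytes] = {}       # token id -> outstanding challenge

    def issue_challenge(self, token_id: str) -> bytes:
        challenge = os.urandom(16)                 # fresh nonce for every attempt
        self._pending[token_id] = challenge
        return challenge

    def verify(self, token_id: str, response: bytes) -> bool:
        # The challenge is consumed whether or not the response is right, so a
        # replayed or guessed response never gets a second try against the same nonce.
        challenge: Optional[bytes] = self._pending.pop(token_id, None)
        secret = self._secrets.get(token_id)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(secret: bytes, challenge: bytes) -> bytes:
    """Token side: computes the response; only this value leaves the token."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def replay_is_rejected(secret: bytes = b"constructed-token-secret") -> bool:
    """Walk through one honest exchange, then a replay of its captured response."""
    verifier = Verifier({"tok-1": secret})
    challenge = verifier.issue_challenge("tok-1")
    captured = token_respond(secret, challenge)    # what a monitor on the link sees
    honest_ok = verifier.verify("tok-1", captured)
    verifier.issue_challenge("tok-1")              # next session, new nonce
    replay_ok = verifier.verify("tok-1", captured)
    return honest_ok and not replay_ok
```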
