
4.5. User Authentication. Outline: Introduction; Use of passwords; Attacks on passwords; Password selection criteria; One-time passwords (challenge-response systems); The authentication process; Authentication other than passwords (Biometrics); Conclusions

Upload: monte

Post on 19-Mar-2016


DESCRIPTION

4.5. User Authentication - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: 4.5. User Authentication Outline Introduction Use of passwords Attacks on passwords

4.5. User Authentication

Outline
- Introduction
- Use of passwords
- Attacks on passwords
- Password selection criteria
- One-time passwords (challenge-response systems)
- The authentication process
- Authentication other than passwords (Biometrics)
- Conclusions

Page 2:

a. Introduction (1)

Identification and Authentication (I&A) in Daily Life
Using library services:
- Librarian asks for the student's name: identification, to learn who you are
- Librarian asks for a proof of identity: authentication, to prove that you are who you say you are (e.g., show a picture ID)
- Once you are identified and authenticated, you can use library services (borrow books, use computers, etc.)
The external entity (user) must provide information that enables the system to confirm its identity.

Page 3:

2/21/05 3

Introduction (3)

Basic Definitions
- Principal: a unique entity (a person named Robert Kowalski)
- Identity: specifies a principal ("Robert Kowalski")
- Identification: obtaining an identity from the principal (getting the username "rkowals3", 8 characters)
- Authentication: ensuring that the principal matches the purported identity (a person named Robert Kowalski matches the "Robert Kowalski" identity)

Note: The same principal may have many different identities.
E.g., a working student might have 2 identities for 2 roles:
- Computer consultant
- Student
Still, each of these identities specifies the same principal.

Page 4:

Introduction (4)

Identification Problems
In using library services:
- Librarian asks for the student's name
- What if there are two students named Joan Smith?
- Librarian must find a unique identification: can ask for a home phone number, address, etc.

Computer resolves "shared" names as follows:
- In a closed system (e.g., a campus system): each user has a unique pre-registered username
- In an open system (e.g., a Web service with user registration): each user tries to create a unique username; many attempts are allowed until a unique username is found

Page 5:

Introduction (5)

Authentication Problems
In using library services:
- Librarian asks for a proof of identity
- Student ID card proves identity
- What if the ID expired? Librarian must still authenticate the student: can ask for a driver's license and a Registrar's receipt

Computer must authenticate the principal:
- Correct and current password
- If invalid after n attempts, the computer denies access to its resources
- If expired, the computer tells the principal to get a new password

Page 6:

Introduction (6)

I&A is very important: it is the basis on which the system defines the user's access rights.

I&A can be based on:
1. What the entity knows: passwords (e.g., simple password, challenge-response authentication)
2. What the entity is: biometrics (e.g., fingerprints, retinal characteristics)
3. What the entity has: access tokens (e.g., badges, smart cards)
4. Where the entity is: location (e.g., in front of a terminal)
Any combination of the above: hybrid approaches

Page 7:

b. Protection of passwords (1)
- Hide enough information: shadow password file in Unix (the password hashes are kept in /etc/shadow, readable only by root, instead of in the world-readable /etc/passwd)
- Prevent access to the authentication function: the authentication function is the component that verifies a user's identity

Goal of the authentication system (function): to ensure that entities are correctly identified.
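The following Python example is added here and is not part of the slides. It ties together the password checks of page 5 (correct and current password, lockout after n attempts, expiry) with the storage point of this page: only a salted PBKDF2 record in the style of a shadow file is kept, never the password. The policy values (100,000 iterations, 3 attempts, 90-day expiry), the usernames and the passwords are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Policy values assumed for this example; the slides give none.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 3              # "if invalid after n attempts, deny access"
MAX_AGE_SECONDS = 90 * 86400  # password expiry: 90 days


def hash_password(password, salt=None):
    """Return a shadow-style record 'pbkdf2_sha256$iterations$salt$digest'.

    Only this record is stored; the password itself never is, so a leaked
    record still forces an attacker to guess (see the attacks on page 8).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def check_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hashed once at import so that unknown usernames cost the same time as known ones.
_DUMMY_RECORD = hash_password("not-a-real-password")


class ShadowStore:
    """Stand-in for /etc/shadow: the hashes live here, reachable only through
    the authentication function; a public user directory would hold names only."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}

    def add_user(self, username, password):
        self._entries[username] = {"record": hash_password(password),
                                   "changed": self._now(),
                                   "failures": 0, "locked": False}

    def authenticate(self, username, password):
        """Return 'ok', 'bad-password', 'locked', 'expired' or 'no-such-user'."""
        entry = self._entries.get(username)
        if entry is None:
            check_password(_DUMMY_RECORD, password)   # equalise timing
            return "no-such-user"
        if entry["locked"]:
            return "locked"
        if not check_password(entry["record"], password):
            entry["failures"] += 1
            if entry["failures"] >= MAX_ATTEMPTS:
                entry["locked"] = True                # deny access after n attempts
                return "locked"
            return "bad-password"
        entry["failures"] = 0
        if self._now() - entry["changed"] > MAX_AGE_SECONDS:
            return "expired"                          # correct but not current
        return "ok"


def demo():
    """Walk through the cases on page 5 with a controllable clock."""
    clock = [1_000_000.0]
    store = ShadowStore(now=lambda: clock[0])
    store.add_user("rkowals3", "correct horse battery staple")   # constructed users
    store.add_user("jsmith", "Registrar-receipt-42")
    outcomes = [
        store.authenticate("rkowals3", "correct horse battery staple"),  # ok
        store.authenticate("rkowals3", "guess one"),                     # bad-password
        store.authenticate("rkowals3", "guess two"),                     # bad-password
        store.authenticate("rkowals3", "guess three"),                   # locked (3rd failure)
        store.authenticate("rkowals3", "correct horse battery staple"),  # locked, even if right
    ]
    clock[0] += 100 * 86400                                              # 100 days later
    outcomes.append(store.authenticate("jsmith", "Registrar-receipt-42"))  # expired
    outcomes.append(store.authenticate("nobody", "anything"))              # no-such-user
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The dummy hash for unknown usernames matters in practice: without it, a "no such user" answer returns faster than a "bad password" one, and the timing difference tells an attacker which usernames exist before any password is guessed.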

Page 8:

c. Attacks on passwords
Kinds of password attacks:
- Try all possible passwords (exhaustive, brute-force attack)
- Try many probable passwords (dictionary attack)
- Try passwords likely for the specific user (names, dates, etc.)
- Search the system's list of passwords (the password file)
- Find passwords by exploiting indiscreet users (social engineering)
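An added Python example (not from the slides) of the first three attack kinds run against a constructed "system list of passwords": a dictionary attack with simple mangling rules, an exhaustive search over a tiny keyspace, and a cost estimate showing why exhaustive search stops being feasible. The leaked list is unsalted SHA-256, so one candidate hash can be matched against every user at once; the users, passwords, word list and the 1e10 guesses/second rate are all assumptions made for the demonstration.

```python
import hashlib
import itertools
import string


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "system list of passwords" as an attacker might obtain it:
# unsalted SHA-256 digests, one per user (not from the slides).
LEAKED = {
    "alice": sha256_hex("password1"),
    "bob":   sha256_hex("Summer2016!"),
    "carol": sha256_hex("Dragon"),
    "dave":  sha256_hex("qzx"),            # short: falls to exhaustive search
    "erin":  sha256_hex("x7#Qm9!bLp2$"),   # long and random: survives both
}

# Constructed word list: the "probable" and "likely" passwords of the slide.
WORDLIST = ["password", "summer", "dragon", "letmein", "kowalski"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield probable variants of a word: case changes, leet, common suffixes."""
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        yield base
        for suffix in ("1", "123", "!", "2016", "2016!"):
            yield base + suffix


def dictionary_attack(hashes, wordlist):
    """Hash every candidate once and look it up against all users at once.

    Without a per-user salt the cost is paid per candidate, not per user,
    which is exactly why the shadow records on the previous page carry a salt."""
    table = {sha256_hex(cand): cand for word in wordlist for cand in mangle(word)}
    return {user: table[digest] for user, digest in hashes.items() if digest in table}


def brute_force_attack(target, alphabet, max_len):
    """Exhaustive search of all strings up to max_len over the alphabet."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if sha256_hex(candidate) == target:
                return candidate
    return None


def seconds_to_exhaust(alphabet_size, length, guesses_per_second=1e10):
    """Time to try every password of the given length at a guess rate
    (1e10/s is an assumed figure for a GPU rig against an unsalted fast hash)."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    print(dictionary_attack(LEAKED, WORDLIST))
    print(brute_force_attack(LEAKED["dave"], string.ascii_lowercase, 3))
    print("8 lowercase letters: %.0f s" % seconds_to_exhaust(26, 8))
    print("12 printable chars: %.0f years" % (seconds_to_exhaust(95, 12) / 3.15e7))
```

Three of the five constructed passwords fall to a five-word list with a handful of rules; the three-letter one falls to exhaustive search in well under a second; only the long random one survives, which is the point of the selection criteria on the next page.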

Page 9:

d. Password selection criteria (1)
Password selection criteria:
- Use characters other than just A-Z
- Choose long passwords
- Avoid actual names or words
- Choose an unlikely password
- Change your password regularly
- Don't write it down
- Don't tell anyone else
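An added Python example (not from the slides) that turns the first five criteria into a checker: character classes beyond letters, length, a dictionary/name lookup that undoes the usual digit-for-letter substitutions, a guessing-work estimate for "unlikely", and an age check for "change regularly". The thresholds (12 characters, 60 bits, 90 days) and the small word and name lists are assumptions; a real checker would use a large dictionary.

```python
import math
import string

# Policy thresholds assumed for this example (the slide gives none).
MIN_LENGTH = 12
MIN_BITS = 60
MAX_AGE_DAYS = 90

# Constructed word and name lists; a real checker would use a large dictionary.
COMMON_WORDS = {"password", "dragon", "summer", "welcome", "letmein", "secret"}
KNOWN_NAMES = {"robert", "kowalski", "joan", "smith", "jones"}

# Undo the usual digit-for-letter substitutions before the dictionary lookup.
LEET_UNDO = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "@": "a"})


def core_word(password):
    """Strip leading/trailing digits and punctuation, undo leet, lower-case."""
    return password.strip(string.digits + string.punctuation).translate(LEET_UNDO).lower()


def charset_size(password):
    """Size of the smallest standard alphabet an attacker must search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(c.isspace() for c in password):
        size += 1
    return size


def guess_bits(password):
    """Upper bound on guessing work: log2(alphabet ** length). A password built
    from a dictionary word is far weaker than this number suggests, which is
    why the dictionary check below is separate."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_policy(password, last_changed_days_ago=0):
    """Apply the slide's selection criteria; return the list of violations."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: %d < %d" % (len(password), MIN_LENGTH))
    if password.isalpha():
        problems.append("uses only letters")
    core = core_word(password)
    if core in COMMON_WORDS or core in KNOWN_NAMES:
        problems.append("based on the word or name '%s'" % core)
    bits = guess_bits(password)
    if bits < MIN_BITS:
        problems.append("too easy to guess: %.0f bits < %d" % (bits, MIN_BITS))
    if last_changed_days_ago > MAX_AGE_DAYS:
        problems.append("not changed for %d days (limit %d)"
                        % (last_changed_days_ago, MAX_AGE_DAYS))
    return problems


if __name__ == "__main__":
    for pw in ("Dr4g0n!", "Kowalski2016", "correct horse battery staple", "x7#Qm9!bLp2$"):
        print(repr(pw), check_policy(pw) or "accepted")
```

Note that "Kowalski2016" passes the length and alphabet tests and scores over 70 bits by the alphabet estimate, yet is rejected: the dictionary and name check catches what the entropy estimate cannot, which is the substance of "avoid actual names or words".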

Page 10:

e. One-time passwords (1)
One-time passwords = challenge-response systems
- The password changes every time it is used, so it can be used exactly once
- It is immediately invalidated after its use
- An ultimate form of password aging

- Not a static word/phrase but a mathematical function
- Also usable for host-to-host authentication
Scenario (see next slide):
- System provides a challenge (the function argument)
- User returns a response (the computed function value)
- System evaluates the response
- If the response is valid, the user is authenticated

Page 11:

One-time passwords (2)

Challenge-Response Authentication
Principal and system share a secret function f (f can be a known function with an unknown parameter, such as a cryptographic key)

user -> system: request to authenticate
system -> user: random message m (the challenge, e.g., "abcdefg")
user -> system: r = f(m) (the response, e.g., "bdf")

Example: Identification, friend or foe (IFF) is a challenge-response technique used to identify friendly and enemy aircraft.

Page 12:

One-time passwords (3)
Examples of challenge functions:
- Simple functions: f(x) = x+1; f(x) = 3x**2 - 9x + 2; f(x) = "x-th prime number"; f(x) = (day of the month) * (hour of current time)
- Pseudo-random number generator: f(x) = r(x), the random number for seed x; requires that the same pseudo-random generator be available to host and user
- Character string functions: f(<character_string>) = (transformed character string), e.g., f(a1a2a3a4a5a6) = a3a1a1a4 [e.g., f(signon) = gssn]
- Cryptographic functions: f(E(x)) = E( D(E(x)) + 1 ) (decrypt, add 1, encrypt)

Page 13:

One-time passwords (6)

Pass Algorithms: a category of challenge-response in which the function f itself is secret

Example:
- Challenge: random string of characters, e.g., "abcdefg", "ageksido"
- Response: some function of that string, e.g., select the characters in even positions: "bdf", "gkio", respectively

Page 14:

g. Authentication other than passwords
Using special biometric devices (hardware devices):
- Fingerprint detectors / handprint detectors
- Voice recognizers / retina pattern scanners

Using extra information for authentication:
- User location / user work hours
- User access patterns / user work habits
An attacker who pretends to be the legitimate user "Jones" must act as Jones, or will be detected.
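An added Python example (not from the slides) of the "extra information" idea as detection logic: a per-user baseline of work hours and source networks is learned from successful logins, and later logins are flagged when they fall outside it, so an attacker holding Jones's password but not behaving like Jones stands out. The log format, the log lines, the /24 network grouping and the one-hour slack are all constructed assumptions.

```python
import re
from datetime import datetime

LOG_LINE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z user=(?P<user>\w+) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>\w+)")

# Constructed baseline: a week of Jones's normal logins (not from the slides).
BASELINE_LOG = """\
2016-03-07T08:55:10Z user=jones src=10.20.1.15 result=success
2016-03-08T09:02:41Z user=jones src=10.20.1.15 result=success
2016-03-09T08:47:03Z user=jones src=10.20.1.22 result=success
2016-03-10T17:31:55Z user=jones src=10.20.1.15 result=success
2016-03-11T13:10:12Z user=jones src=10.20.2.7 result=success
2016-03-11T23:59:59Z user=jones src=203.0.113.5 result=failure
"""

# Constructed events to score: one normal, one attacker "not acting as Jones",
# one user with no history at all.
NEW_LOG = """\
2016-03-14T09:30:00Z user=jones src=10.20.1.40 result=success
2016-03-15T03:14:07Z user=jones src=203.0.113.9 result=success
2016-03-15T10:00:00Z user=mallory src=10.20.1.15 result=success
"""


def parse(text):
    """Yield dicts for well-formed lines; skip anything the pattern does not match."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S")
            d["net"] = ".".join(d["src"].split(".")[:3])   # /24 prefix
            yield d


def build_baseline(text):
    """Per user: hours and /24 networks seen on successful logins only."""
    profile = {}
    for e in parse(text):
        if e["result"] != "success":
            continue          # failures are not evidence of the user's habits
        p = profile.setdefault(e["user"], {"hours": set(), "nets": set()})
        p["hours"].add(e["ts"].hour)
        p["nets"].add(e["net"])
    return profile


def score(profile, text, slack_hours=1):
    """Return (user, timestamp, reasons) for each event outside the user's habits."""
    alerts = []
    for e in parse(text):
        p = profile.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            lo, hi = min(p["hours"]) - slack_hours, max(p["hours"]) + slack_hours
            if not lo <= e["ts"].hour <= hi:
                reasons.append("outside work hours %02d-%02d" % (lo, hi))
            if e["net"] not in p["nets"]:
                reasons.append("new network %s.0/24" % e["net"])
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for alert in score(build_baseline(BASELINE_LOG), NEW_LOG):
        print(alert)
```

Failed logins are deliberately excluded from the baseline: otherwise an attacker's own earlier attempts from 203.0.113.5 would teach the profile that this network is "normal" for Jones.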

Page 15:

h. Conclusions
- Authentication is not cryptography: you have to consider the system components
- Passwords are here to stay: they provide a basis for most forms of authentication
- Protocols are important: they can make masquerading harder
- Authentication methods can be combined (examples: 2FA, 3FA)
