cs 483 – sd section by dr. daniyal alghazzawi (7) authentication

CS 483 – SD SECTION

BY DR. DANIYAL ALGHAZZAWI

(7)

AUTHENTICATION

Introduction

There are two primary parts to access control: Authentication Authorization

Authentication deals with the problem of determining whether a user (or other entity) should be allowed access to a particular system or resource.

Authentication Methods

The human can be authenticated to a machine based on any combination of the following:1. Something you know

e.g. Password2. Something you are

e.g. Fingerprint3. Something you have

e.g. ATM card

1. Something You Know - Passwords

Password is: something that you know something that computer can verify that you know something nobody else can guess-even access to

unlimited computing resources.One important fact regarding passwords is

that many things act as password. E.g. the PIN number for an ATM card

One solution to the password problem would be use randomly generated cryptographic keys in place of passwords. How?

Keys Versus Passwords

If a password is 8 characters long (8 bytes) with 256 possible choices for each character 2568 possible passwords. E.g. password

If a key with 64-bit (8 bytes) cryptographic key 264 possible keys. (Trudy must try 263 keys before she expects to find the correct one) E.g. Kf&Yw!a[

Although 264 = 2568 (8 bytes), and this appears to be equivalent, users don’t select passwords at random because users must remember their passwords.

Choosing Passwords

Some passwords better than others. For example the following passwords are weak: Frank (your name) 10251960 (your birthday)

Users should have passwords that are difficult to guess: jFiEk(43j-EmmL+y BedL1ON

Attacking Systems via Passwords

A common attack path for Trudy would be:

outsider normal user administrator

One weak password on a system –or one week password on an entire network- could be enough for the first stage of the attack to succeed.

Password Verification

Problem: Storing “raw” passwords is not secure

Solution: Storing hashed passwords is more secure.

Password Verification

Problem:1. Suppose Trudy has a “dictionary” containing N

passwords:d0, d1, d2, …, dN-1

she could pre-compute the hash of each password:y0=h(d0), y1=h(d1), y2=h(d2), …, yN-1=h(dN-1)

2. Trudy can guess the password p if she found h(p) is similar to one of the pre-compute hash yx

Soulution:1. generate a random salt value s (Note: the s is not secret)2. compute y = h(p,s)3. store the pair (s,y) in the password file.4. To verify an entered password z, compute h(z,s) = y

Math of Password Cracking

Supposed that: All passwords are

eight characters in length

there are 256 choices for each character

resulting in 2568 = 256 possible

passwords

Number of possible choices in each cell (byte/bit/…)

Number of cells (byte/bit/…)

256

256

Math of Password Cracking

Case I:Trudy decides that she wants to find Alice’s password.(Assuming that Alice’s password contains of 8 bytes)

This is precisely equivalent to an exhaustive key search and the expected work is

256/2=255

Math of Password Cracking

Case II:Trudy again wants to recover Alice’s password, but she is going to use her dictionary of common passwords. (Assuming that any given password will appear in the dictionary with a probability of about ¼, and Trudy has a dictionary of 220 common passowords)

The expected work is:¼(219)+¾(255)≈254.6

Math of Password Cracking

Case III:Trudy will be satisfied to find any one of the 1024 passwords in the hashed password file without using any dictionary(Assuming that the password file contains 210 = 1024 hashed passwords, and all of them are distinct)

The expected work is:255/210 = 245

Math of Password Cracking

Case IV:Trudy wants to find anyone of the 1024 passwords in the hashed password file, and she will make use of her dictionary.

The expected work is: Not salted password:

219 / 210 = 29

Salted password: ¼(219)+ ¾.¼(220+219)+(¾)2 ¼(2.220+219)+ … +

(¾)1023 ¼(1023.220+ 219) < 222

Other Password Issues/Problems

Remembering different passwords is difficult“Social engineering” is when someone

claiming to be a system administrator and needs your password

Password cracking tools, such as: L0phtCrack (for Windows) - now called LC5:

used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks.

John the Ripper (for Unix)run against various encrypted password formats including DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hash

2. Something You Have - Biometrics

Biometrics are the “something you are” method of authentication or, in Schneider's immortal words, “you are your key”

There are many different types of biometrics as fingerprints and handwritten signatures.

Biometrics

A biometric should be Universal: The ideal biometric should apply to

virtually everyone. Distinguishing: The ideal biometric should

distinguish with virtual certainty. Permanent: The physical characteristic being

measured should never change. Collectable: The physical characteristic should be

easy to collect without any potential to cause harm to the subject.

Reliable, robust, and user-friendly

Biometrics Usage

1. Identification: Identify the subject from a list of many possible

subjects. E.g., a suspicious fingerprint from a crime scene is sent

to the FBI fingerprint database for comparison with all records on file. In this case, the comparison is one to many.

2. Authentication: The comparison is one to one E.g., if someone claiming to be Alice uses a

thumbprint mouse biometric, the captured thumbprint image is only compared with the stored thumbprint of Alice.

Phases of Biometric System

1. The Enrollment Phase:subjects have their biometric information entered into a database.

2. The Recognition Phase:subjects have their biometric information entered into a database.

Biometric Examples

1. Fingerprints

2. Hand Geometry

3. Iris Scan

Biometric Error Rates

For fielded fingerprint biometric systems, the equal error rate is typically about 5%

hand geometry has an equal error rate of about 10−3

3. Something You Have

For example, a network MAC address an ATM card a password generator

The process of a password generator is shown below:

Two-Factor Authentication

Two or three methods can work together for authentication

For example:the password generator scheme requires both:1. “something you have” (the password generator), and 2. “something you know” (the PIN).

Requiring two out of the three methods of authentication is known as two-factor authentication.