
QMCS 490 - Class Today: Authentication Redux (March 2005, R. Smith - University of St Thomas - Minnesota)


Slide 1: QMCS 490 - Class Today
- Authentication Redux
- Some more biometrics slides
- Challenge-response authentication
- Token-based authentication

Slide 2: Elements/Actors
- Principal
- Characteristic
- Proprietor
- Authentication mechanism
- Access control mechanism
- Examples: 40 thieves, passwords, ATM, web server

Slide 3: Strategies
- Standards of due care
- Risk analysis
- Exceed industry practices

Slide 4: Average Attack Space
- If the attack "tries" X times, then there is a 50% chance of success.
- Usually tied to the size of a base secret

Slide 5: Biometrics: Recap
- Measure a physical trait: finger, hand, eye, face, …
(Figure from Authentication © 2002. Used by permission.)

Slide 6: Some Based on Behavior
- Measure something the person does, instead of measuring a physical trait
- Examples: voice, keystrokes, written signature
(Figure from Authentication © 2002. Used by permission.)

Slide 7: Biometric Matching
- Compares the user's signature to a previously established pattern built from that trait
- Pattern and signature contents vary according to the biometric and the implementation
(Figure from Authentication © 2002. Used by permission.)

Slide 8: Pattern Matching
- We compare how closely a signature matches one user's pattern versus another's pattern
(Figure from Authentication © 2002. Used by permission.)

Slide 9: Matching in Practice
- You should often match yourself and rarely match others
(Figure from Authentication © 2002. Used by permission.)

Slide 10: Matching Self vs. Others
- It's possible that an imposter will sneak through
(Figure from Authentication © 2002. Used by permission.)
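To make slides 7 through 10 concrete, here is an added example (not from the slides or from the Authentication book) of a minimal biometric matcher: a stored pattern is a feature vector per user, a signature is a fresh noisy measurement, and a distance threshold decides whether they match. The feature values, noise level and thresholds are constructed for illustration, and the error-rate loop shows the trade-off between rejecting yourself and letting an impostor through.

```python
import random

# Added example, not from the slides: threshold-based matching of a measured
# "signature" against enrolled "patterns". All numbers below are constructed.

def distance(signature, pattern):
    """Euclidean distance between a measured signature and a stored pattern."""
    return sum((s - p) ** 2 for s, p in zip(signature, pattern)) ** 0.5

def matches(signature, pattern, threshold):
    """Verification: accept when the signature is close enough to the claimed user's pattern."""
    return distance(signature, pattern) <= threshold

def closest_user(signature, patterns):
    """Identification: which user's pattern does this signature match most closely?"""
    return min(patterns, key=lambda user: distance(signature, patterns[user]))

def measure(pattern, noise, rng):
    """Simulate taking a new measurement of the trait: the true pattern plus sensor noise."""
    return [p + rng.gauss(0.0, noise) for p in pattern]

def error_rates(patterns, threshold, trials=2000, noise=0.5, seed=1):
    """Return (false non-match rate, false match rate) for a given threshold.

    False non-match: a genuine user fails to match their own pattern.
    False match: a genuine user's signature matches some other user's pattern.
    """
    rng = random.Random(seed)
    users = list(patterns)
    self_rejects = impostor_accepts = 0
    for _ in range(trials):
        genuine = rng.choice(users)
        signature = measure(patterns[genuine], noise, rng)
        if not matches(signature, patterns[genuine], threshold):
            self_rejects += 1
        other = rng.choice([u for u in users if u != genuine])
        if matches(signature, patterns[other], threshold):
            impostor_accepts += 1
    return self_rejects / trials, impostor_accepts / trials

# Constructed enrolment data: four features per user. "carol" is deliberately
# close to "alice" so that an impostor can sneak through at a loose threshold.
PATTERNS = {
    "alice": [1.0, 2.0, 3.0, 4.0],
    "bob":   [4.0, 3.0, 2.0, 1.0],
    "carol": [1.5, 2.5, 3.5, 4.5],
}
```

Running error_rates(PATTERNS, 1.5) and error_rates(PATTERNS, 1.0) with the same seed shows that tightening the threshold lowers the false match rate but raises the false non-match rate.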

Slide 11: Biometric Strength

Slide 12: More about Passwords …

Slide 13: Password Ping-Pong
Each defense is answered by a new attack, which is answered by the next defense:

Defense                   Attack
Passwords                 Steal the Password File
Password Hashing          Guessing
Guess Detection           Social Engineering
Help Desk Restrictions    Keystroke Sniffing
Memory Protection         Password Sharing
Password Tokens           Network Sniffing
One-Time Passwords        ??

Slide 14: Guessable Passwords

Slide 15: Strength in Practice

Slide 16: Sniffing Trumps Strength
(Figure from Authentication © 2002. Used by permission.)

Slide 17: Interactive Challenge
- Requires a calculator (hardware or software)
- Base secret is embedded in the calculator
- Authenticates the owner of the base secret
(Figure from Authentication © 2002. Used by permission.)

Slide 18: Embedded Challenge
- Login client handles the challenge automatically (DEC, Novell)
- The password is the base secret
(Figure from Authentication © 2002. Used by permission.)

Slide 19: Tokens for Authentication
- Something you have that's hard to copy
  – Attacker needs to steal it to log on
  – I can't tell if someone has sniffed my password, but I can tell immediately if someone has stolen my token
(Figure from Authentication © 2002. Used by permission.)

Slide 20: Hardware Tokens
- Resist copying and other attacks by storing the base secret in a tamper-resistant package.
(Figure from Authentication © 2002. Used by permission.)

Slide 21: One-Time Password Tokens
- Attacker can't reuse the sniffed password
(Figure from Authentication © 2002. Used by permission.)

Slide 22: Combination Product
- Fingerprint used locally to "unlock" the token
(Figure from Authentication © 2002. Used by permission.)

Slide 23: Average Attack Space for Tokens
- For "Off Line"
  – This is to clone someone's token
  – Figure out the size of the base secret
  – Use that as the number of trials
  – Applies to all tokens
- For "On Line"
  – This is to crack into the server without cracking the token
  – Figure out the size of the one-time password
  – Use that as the number of trials
  – Applies to all tokens/users/attacks
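The challenge-response token of slides 17, 18 and 21 and the attack-space arithmetic of slides 4 and 23, as an added example that is not part of the slides or the Authentication book. The "calculator" holds the base secret and answers each server challenge with a one-time response, so a sniffed response is useless once its challenge is consumed; HMAC-SHA256, the 16-byte challenge and the 6-digit response length are assumptions, since the slides name no particular algorithm.

```python
import hmac
import hashlib
import secrets

# Added example, not from the slides: a "calculator" token and the server that
# challenges it, plus the off-line vs on-line average attack space from the slides.
# HMAC-SHA256 and the 6-digit response are assumptions, not the slides' design.

DIGITS = 6  # length of the one-time response the calculator displays (assumed)

def calculator_response(base_secret: bytes, challenge: bytes) -> str:
    """Token side: derive a one-time response from the embedded base secret."""
    mac = hmac.new(base_secret, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"

class Server:
    """Server side: holds the same base secret and issues a fresh challenge per login."""
    def __init__(self, base_secret: bytes):
        self._secret = base_secret
        self._pending = None

    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # unpredictable and never reused
        return self._pending

    def verify(self, response: str) -> bool:
        """Check the response against the outstanding challenge, then discard it."""
        if self._pending is None:
            return False  # nothing outstanding: a replayed (sniffed) response fails here
        expected = calculator_response(self._secret, self._pending)
        self._pending = None  # consumed whether or not the login succeeds
        return hmac.compare_digest(expected, response)

def average_attack_space(possible_values: int) -> int:
    """Trials for a 50% chance of success: half the number of possible values."""
    return possible_values // 2

def offline_attack_space(secret_bits: int) -> int:
    """Cloning a token: the attacker has to guess the base secret itself."""
    return average_attack_space(2 ** secret_bits)

def online_attack_space(digits: int = DIGITS) -> int:
    """Attacking the server directly: the attacker has to guess one response."""
    return average_attack_space(10 ** digits)

if __name__ == "__main__":
    secret = secrets.token_bytes(16)  # constructed 128-bit base secret shared at enrolment
    server = Server(secret)
    response = calculator_response(secret, server.issue_challenge())
    print("login:", server.verify(response), "replay:", server.verify(response))
    print("off-line:", offline_attack_space(128), "on-line:", online_attack_space())
```

The two attack-space figures show why the on-line case matters even with a strong base secret: guessing a 6-digit response takes about 500,000 trials, while cloning a 128-bit secret takes about 2^127, so the server must rate-limit or lock out after failed attempts.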

Slide 24: Creative Commons License
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

