Identification and Authentication


Identification and Authentication

Identification and Authentication

When you log on to a computer you enter your username and password. The first step is called identification: you announce who you are. The second step is called authentication: you prove that you are who you claim to be.
- Identification: recognizing your identity (e.g. by checking your username).
- Authentication: verifying that you are really who you claim to be (e.g. by checking your password).
Here we are only concerned with 'entity authentication': the process of verifying the identity claimed by some system entity.
Why do we need identification and authentication?
- Access control decisions.
- Auditing (i.e. accountability).

Username and Password

How does it work?
- Prevent or delay further login attempts after a certain failed-login threshold has been reached.
- Lock the screen or close the session automatically if the machine is idle for too long.
- Repeated authentication.
Most computer systems use identification and authentication through usernames and passwords as their first line of defence.
- Widely accepted, not too difficult to implement.
- Can be expensive to manage passwords securely.
- Obtaining a valid password is a common attack.
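As an added example (not from the slides), here is how the two controls above, a hard failed-login limit and a growing delay between attempts (the "limit login attempts" helper mentioned later in the presentation), plus the idle-session lock, can be enforced per username. The policy values and the injectable clock are assumptions chosen for illustration.

```python
import time

# Policy values are assumptions chosen for illustration, not from the slides.
MAX_FAILURES = 3      # hard limit: lock the account after 3 consecutive failures
BASE_DELAY = 1.0      # seconds before the next attempt; doubles after each further failure
IDLE_TIMEOUT = 600    # seconds of inactivity after which the session is locked


class LoginGuard:
    """Per-username state for the failed-login threshold and attempt delay."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so behaviour can be tested without sleeping
        self.failures = {}          # username -> consecutive failed attempts
        self.next_allowed = {}      # username -> earliest time a new attempt is accepted

    def attempt(self, username, password_ok):
        """Return 'ok', 'retry', 'too_soon' or 'locked' for one login attempt.
        password_ok is the result of the (separate) password comparison."""
        now = self.clock()
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "locked"         # hard limit reached: refuse even a correct password
        if now < self.next_allowed.get(username, 0.0):
            return "too_soon"       # still inside the delay imposed by the last failure
        if password_ok:
            self.failures.pop(username, None)       # success resets both controls
            self.next_allowed.pop(username, None)
            return "ok"
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        self.next_allowed[username] = now + BASE_DELAY * 2 ** (n - 1)
        return "locked" if n >= MAX_FAILURES else "retry"


def session_idle_locked(last_activity, now):
    """True when the session has been idle for IDLE_TIMEOUT seconds or more."""
    return now - last_activity >= IDLE_TIMEOUT
```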

Username and Password

An attacker may:
- Intercept the password at the time a new user account is created.
- Try to guess the password.
- Obtain the password via phishing, spoofing, keyloggers, etc.
- Compromise the password file, or try social engineering.

Bootstrapping Password Protection

Passwords are meant to be secrets shared between the user and the system authenticating her/him. So, how do we bootstrap the system so that the password is delivered 'only' to the legitimate user?
- The user could be asked to come to an office and collect their password personally.
- The password could be conveyed by email, mail or phone, or entered by the user on a web page.
The same dilemma arises with password resetting. Recommendations:
- Do not give the password to the caller but call back an authorized phone number.
- Request confirmation on a different channel to activate the user account.
- Send mail by courier with personal delivery.

Guessing Passwords

Choosing passwords is a critical security issue: you have to keep the probability of guessing to a minimum. An attacker may follow two basic guessing strategies:
- Exhaustive search (brute force).
- Intelligent search: words associated with the user, common passwords, or a dictionary attack.
Defences:
- Change default passwords.
- Password length.
- Password format: mix upper and lower case and include numerical and other symbols. (The password space is |A|^n, where n is the password length and |A| is the size of the character set.)
- Avoid obvious passwords.

Guessing Passwords

Password security helpers:
- Password checkers: use tools that check passwords against some dictionary of weak passwords.
- Password generators: software tools to produce secure (random, often pronounceable) passwords.
- Password aging: force users to change passwords at regular intervals.
- Limit login attempts: either a hard limit (three attempts), or a delay after each failed attempt.
Users are unlikely to memorise long and complicated passwords. Similar considerations apply when passwords are changed very frequently. People are best at memorising passwords they use regularly. So, there is a trade-off that must be managed.
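A small password checker, added here as an example that is not from the slides, tying together the two slides above: it estimates the |A|^n search space from the character classes a password actually uses, and it normalises the obvious "intelligent search" variants (case, trailing digits, digit-for-letter substitutions) before looking the password up in a dictionary of weak words. The weak-word list and the thresholds are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a real dictionary of weak passwords (assumption).
WEAK_WORDS = {"password", "letmein", "qwerty", "admin", "welcome", "monkey"}

# Character classes from the slide's "mix upper and lower case, numbers and symbols".
CLASSES = [
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
]

# Digit/symbol-for-letter substitutions an intelligent search tries anyway (assumption).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def alphabet_size(password):
    """|A|: total size of the character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space_bits(password):
    """log2(|A|^n) = n * log2(|A|): the exhaustive-search cost for this format."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def normalise(password):
    """Strip the variations a dictionary attack enumerates before the lookup."""
    return password.lower().rstrip(string.digits).translate(LEET)


def check_password(password, min_length=8, min_bits=40):
    """Return the reasons a password is weak; an empty list means it is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if normalise(password) in WEAK_WORDS:
        problems.append("dictionary word")
    if search_space_bits(password) < min_bits:
        problems.append("search space too small")
    return problems
```

Note that "P@ssw0rd1" passes the length and character-mix rules yet is still rejected, because the checker sees the dictionary word behind the substitutions.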

Phishing, Spoofing, and Social Engineering

Identification and authentication through username and password provide 'unilateral authentication'.
Spoofing attack: the attacker runs a program that presents a fake login screen on a machine and leaves the machine. It can be countered by:
- Displaying the number of failed logins since the last session.
- A trusted path (e.g. the MS Windows secure attention sequence CTRL+ALT+DEL).
- Mutual authentication.
Phishing attack: ask users for their password under some false pretence.
Social engineering attacks are more successful when the attackers better understand the psyche of the target.

Password Caching

Beyond spoofing attacks, an attacker may have another way to 'find' a password:
- The password is temporarily stored (buffer, cache, web page).
- Beyond the control of the user.
- Sometimes for too long.
Example: an early banking system and the web cache when using the back button. The user closes the application but does not end the browser session.

Protecting the Password File

To verify a user's identity, the system compares the password entered by the user against a value stored in the password file. The password can be intercepted:
- By a keylogger.
- In transit.
The password file might be compromised or modified. To protect the password file, we could use:
- Cryptographic protection.
- Access control enforced by the OS.
- A combination of both.

Protecting the Password File

For cryptographic protection we don't need an encryption algorithm. A one-way function will do the job (given x it is easy to compute f(x), but given f(x) it is hard to compute x). One-way functions have been used to protect stored passwords.
- Off-line dictionary attack.
- Unix crypt(3): 25 repeated DES encryptions of an all-zero block, with the password as the key (a performance trade-off).

Protecting the Password File

Access control can be set so that only privileged users have write access to the password file. What about read access? Examples:
1. In UNIX, /etc/passwd is world-readable. The /etc/passwd file is a text file with one record per line, each describing a user account:
   khaled10:x:1001:1000:Khaled Abdullah,Riyadh,khaled10@imamu.edu.sa:/home/khaled10:/bin/sh
2. Shadow file: /etc/shadow is a system file in which the encrypted user passwords are stored.
3. Password salting is a way of making password hashing more secure by adding a random string of characters to passwords before their hash is calculated, which makes them harder to reverse.
4. In Windows NT, the password file is accessible, but it is written using a proprietary binary format (security by obscurity).
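The one-way function with a per-user salt from the two slides above, and a parser for the /etc/passwd record shown, as an added example that is not from the slides. PBKDF2-HMAC-SHA256 stands in for crypt(3)'s repeated DES; the iteration count and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Iteration count plays the role of crypt(3)'s 25 DES rounds: it slows down every
# guess in an off-line dictionary attack. The value 100000 is an assumption.
ITERATIONS = 100_000

# Field order of an /etc/passwd record (7 colon-separated fields).
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password store different digests, so one precomputed dictionary
    cannot be reused against the whole file."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute f(salt, password) and compare in constant time; the stored
    value never needs to be reversed."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def parse_passwd_line(line):
    """Split one /etc/passwd record into a dict; an 'x' password field means the
    hash is kept in the root-only /etc/shadow file instead."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError("malformed passwd record")
    record = dict(zip(PASSWD_FIELDS, parts))
    record["shadowed"] = record["password"] == "x"
    return record


if __name__ == "__main__":
    salt, digest = hash_password("Winter2024!")          # constructed sample password
    print(verify_password("Winter2024!", salt, digest))  # True
    print(hash_password("Winter2024!")[1] == digest)     # False: different salt
```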

Single Sign On

The user is authenticated only once within a single working session. You enter your password once; the system may store this password and, whenever you have to authenticate yourself again, the system will take the password and do the job for you. SSO raises new security concerns: how do you protect the stored password? The system needs your password in clear.

Alternative Approaches

As a user, you can be authenticated on the basis of:
- Something you know.
- Something you hold.
- Who you are.
- What you do.
- Where you are.

Something You Know

The user has to know some 'secret' to be authenticated, such as a password, PIN, etc. There is no way of telling the difference between the legitimate user and an intruder who has obtained the user's password.

Something You Hold

The user has to present a 'physical token' to be authenticated, such as a key, card, smartcard, ID tag, mobile phone, etc. Tokens can be stolen or lost, so anybody who is in possession of the token has the same rights as the legitimate owner. To increase security, physical tokens are often used in combination with something you know, or they contain information identifying the legitimate user, such as a photo.

Who You Are

Biometrics (i.e. your physical characteristics) such as face, fingerprints, iris patterns, hand geometry, voice, etc. Biometrics can be used for either:
- Identification: a 1:n comparison that tries to identify the user from a database of n persons.
- Authentication: a 1:1 comparison that checks whether there is a match for a given user.
Consider fingerprints as an example.
- Enrolment: collect samples, extract minutiae (or biometric features), create reference templates and store them.
- FER (failure-to-enrol rate): gives the frequency with which the system fails to enrol a user.
- Matching algorithm: measures the similarity between the reference template and the current template.
- False positive: a security problem. False negative: an availability problem.

Who You Are

$\mathrm{FMR} = \frac{\text{number of successful false matches}}{\text{number of attempted false matches}}$ (False Match Rate)

$\mathrm{FNMR} = \frac{\text{number of rejected genuine matches}}{\text{number of attempted genuine matches}}$ (False Non-Match Rate)

The probabilities of these two failures decide the quality of the biometric system. The best state-of-the-art fingerprint recognition schemes have an EER (equal error rate) of about 1-2%.
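The FMR and FNMR formulas above evaluated at a matching threshold, and the threshold sweep that locates the EER where the two rates meet, as an added example that is not from the slides. The genuine and impostor similarity scores are constructed (an assumption), standing in for the output of a real matching algorithm.

```python
# Constructed similarity scores in [0, 1] from a hypothetical matcher (assumption):
# GENUINE = a user compared with their own reference template,
# IMPOSTOR = a different person compared with that template.
GENUINE = [0.91, 0.87, 0.82, 0.78, 0.74, 0.69, 0.65, 0.58, 0.52, 0.44]
IMPOSTOR = [0.12, 0.18, 0.23, 0.29, 0.35, 0.41, 0.48, 0.55, 0.61, 0.70]


def false_match_rate(impostor_scores, threshold):
    """FMR: impostor attempts accepted (score >= threshold) / impostor attempts.
    This is the security failure: a stranger gets in."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_non_match_rate(genuine_scores, threshold):
    """FNMR: genuine attempts rejected (score < threshold) / genuine attempts.
    This is the availability failure: the legitimate user is locked out."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def equal_error_rate(genuine_scores, impostor_scores):
    """Try every observed score as the threshold and return (threshold, eer) at
    the point where |FMR - FNMR| is smallest; raising the threshold lowers FMR
    and raises FNMR, so this is the operating point where they cross."""
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        fmr = false_match_rate(impostor_scores, t)
        fnmr = false_non_match_rate(genuine_scores, t)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, t, (fmr + fnmr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.5, 0.58, 0.7):
        print(t, false_match_rate(IMPOSTOR, t), false_non_match_rate(GENUINE, t))
    print("EER threshold, rate:", equal_error_rate(GENUINE, IMPOSTOR))
```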

What You Do

Behavioural and usage patterns such as hand-written signatures, writing speed, writing pressure, keyboard typing, etc. The system has to be set up so that false positives and false negatives are reduced to a level acceptable for the intended application.

Where You Are

Location: a specific lab, a specific machine, a specific country, a GPS location, etc.

Reading

"Computer Security", 3rd edition, by Dieter Gollmann. Wiley, March 2011. Chapter 4.