Presentation is loading. Please wait.

Presentation is loading. Please wait.

Challenge/Response Authentication

Published byErika Waters Modified over 6 years ago

Similar presentations

Presentation on theme: "Challenge/Response Authentication"— Presentation transcript:

1 Challenge/Response Authentication
Authentication by what questions you can answer correctly Again, by what you know The system asks the user to provide some information If it’s provided correctly, the user is authenticated

2 Differences From Passwords
Challenge/response systems ask for different information every time Or at least the questions come from a large set Best security achieved by requiring what amounts to encryption of the challenge But that requires special hardware Essentially, a smart card

3 Challenge/Response Problems
Either the question is too hard to answer without special hardware Or the question is too easy for intruders to spoof the answer Still, commonly used in real-world situations E.g., authenticating you by asking your childhood pet’s name “Security questions” used as an alternative to passwords

4 Identification Devices
Authentication by what you have A smart card or other hardware device that is readable by the computer Authenticate by providing the device to the computer

5 Simple Use of Authentication Tokens
If you have the token, you are identified Generally requires connecting the authentication device to computer Unless done via wireless Weak, because it’s subject to theft and spoofing How can we do better?

6 Authentication With Smart Cards
Authentication verified! challenge E(challenge) challenge E(challenge) How can the server be sure of the remote user’s identity?

7 Some Details on Smart Cards
Cryptography performed only on smart card So compromised client machine can’t steal keys Often user must enter password to activate card Should it be entered to the card or the computer?

8 Problems With Identification Devices
If lost or stolen, you can’t authenticate yourself And maybe someone else can Often combined with passwords to avoid this problem Unless cleverly done, susceptible to sniffing attacks Requires special hardware

9 Attacks on Smart Cards Often based on fake terminals
E.g., fake or altered ATM machine Ideally, card shouldn’t respond to fake or tampered terminal Alas, they often do European Chip & Pin standard broken in 2011, for example

10 Another Form of Attack Smart cards sometimes used to protect or hide stuff from the card’s owner E.g., smart cards that allow access to rapid transit systems Owner has total access Some attacks based on hacking card hardware Recent research makes this more feasible Or observing card behavior

11 Authentication Through Biometrics
Authentication based on who you are Things like fingerprints, voice patterns, retinal patterns, etc. To authenticate to the system, allow system to measure the appropriate physical characteristics Biometric converted to binary and compared to stored values With some level of match required

12 Problems With Biometric Authentication
Requires very special hardware Except systems that use typing patterns May not be as foolproof as you think Many physical characteristics vary too much for practical use Generally not helpful for authenticating programs or roles What happens when it’s cracked? You only have two retinas, after all

13 When Do Biometrics (Maybe) Work Well?
When you use them for authentication Carefully obtain clean readings from legitimate users Compare those to attempts to authenticate When biometric readers are themselves secure In conjunction with other authentication

14 When Do Biometrics (Definitely) Work Poorly?
Finding “needles in haystacks” Face recognition of terrorists in airports When working off low-quality readings When the biometric reader is easy to bypass or spoof Anything across a network is suspect When the biometric is “noisy” Too many false negatives

15 Characterizing Biometric Accuracy
How many false positives? Match made when it shouldn’t have been Versus how many false negatives? Match not made when it should have been The Crossover Error Rate (CER) False Positive Rate False Negative Rate Generally, the lower the CER is, the better the system Errors Sensitivity But sometimes one rate more important than the other

16 Some Typical Crossover Error Rates
Technology Rate Retinal Scan 1:10,000,000+ Iris Scan 1:131,000 Fingerprints 1:500 Facial Recognition 1:500 Hand Geometry 1:500 Signature Dynamics 1:50 Voice Dynamics 1:50 Data as of 2002 Things can improve a lot in this area over time Also depends on how you use them And on what’s important to your use

17 Biometrics and Usability
Always a tradeoff in false positives vs. false negatives For consumer devices, false negatives are very, very bad People discard devices that won’t let the legitimate user in Can you make the false positive rate non-trivial with almost no false negs?

18 Didn’t Carnegie Mellon Just Perfect Facial Recognition?
Not really Quick and dirty version got 1 in 3 right With more photos and time, did better But think about how accurate your use of biometrics needs to be In many cases, you need 5 nines or so

19 Another Cautionary Tale
British cameras captured faces of many rioters in London in 2011 Tried to use facial recognition software to automatically identify them Very poor results, in terms of accuracy Because camera images were of poor quality Current technology requires good image quality

20 Authentication by Where You Are
Sometimes useful in ubiquitous computing The issue is whether the message in question is coming from the machine that’s nearby Less important who owns that machine Requires sufficient proof of physical location And ability to tie a device at that location to its messages Sometimes used in conjunction with other authentication methods E.g., the door opens only if an authorized user is right outside it

Download ppt "Challenge/Response Authentication"

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Section 2.3.5 – Biometrics 1. Biometrics Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.

Section – Biometrics 1. Biometrics Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.
By: Monika Achury and Shuchita Singh

By: Monika Achury and Shuchita Singh
BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.

BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Biometrics and Authentication Shivani Kirubanandan.

Biometrics and Authentication Shivani Kirubanandan.
Marjie Rodrigues 411154.

Marjie Rodrigues
Security-Authentication

Security-Authentication
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.

Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Biometrics. Outline What is Biometrics? Why Biometrics? Physiological Behavioral Applications Concerns / Issues 2.

Biometrics. Outline What is Biometrics? Why Biometrics? Physiological Behavioral Applications Concerns / Issues 2.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.

Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.

Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
The Future of Biometrics. Operation and performance In a typical IT biometric system, a person registers with the system when one or more of his physical.

The Future of Biometrics. Operation and performance In a typical IT biometric system, a person registers with the system when one or more of his physical.
Security Issues and Strategies Chapter 8 – Computers: Understanding Technology (Third edition)

Security Issues and Strategies Chapter 8 – Computers: Understanding Technology (Third edition)

Similar presentations

Ads by Google