Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 474 Information Systems Security

Published byElisabeth Dawson Modified over 9 years ago

Similar presentations

Presentation on theme: "CSC 474 Information Systems Security"— Presentation transcript:

1 CSC 474 Information Systems Security
Topic 3.2: User Authentication CSC 474 Dr. Peng Ning

2 User Authentication What the user knows What the user possesses
passwords, personal information What the user possesses a physical key, a ticket, a passport, a token, a smart card What the user is (biometrics) fingerprints, voiceprint, signature dynamics User authentication is based on one of the following three things. Either …, or …, or …. Examples of what the user knows include passwords, personal information, and so on. Examples of … CSC 474 Dr. Peng Ning

3 Passwords Most commonly used method. Computer Alice System
I’m Alice, the password is fiddlesticks Alice Can we store passwords in the file system? CSC 474 Dr. Peng Ning

4 Storing User Passwords
Directly Store the Passwords? Not a good idea! High risk Anyone who captures the password database could impersonate all the users. The password database would be very attractive to hackers. CSC 474 Dr. Peng Ning

5 One-Way Hash Function One-way hash function F F
F(x) is easy to compute From F(x), x is difficult to compute Example: F(x) = gx mod p, where p is a large prime number and g is a primitive root of p. F x F(x) The system uses one-way function to help store the passwords. For example, a one-way function could be to compute g to the power x for a given x. easy difficult CSC 474 Dr. Peng Ning

6 (user name, F(password))
Storing Passwords For each user, system stores (user name, F(password)) in a password file, where F is a one-way hash function When a user enters the password, system computes F(password); a match provides proof of identity CSC 474 Dr. Peng Ning

7 crypt Algorithm (Unix)
What is F? crypt Algorithm (Unix) Designed by Bob Morris and Ken Thompson Use Data Encryption Standard (DES) encryption algorithm User password and salt is used as the encryption key to encrypt a 64-bit block of zeros This process is repeated 25 times 25 times 00…0 DES F(x) 64 bits x = Password+Salt CSC 474 Dr. Peng Ning

8 Choice of Passwords Suppose passwords can be from 1 to 9 characters in length Possible choices for passwords = = 5 *1012 At the rate of 1 password per millisecond, it will take on the order of 150 years to test all passwords CSC 474 Dr. Peng Ning

9 Choice of Passwords (Cont’d)
However, we don’t need to try all possible passwords, only the probable passwords In a Bell Labs study (Morris & Thompson 1979), 3,289 passwords were examined 15 single ASCII characters, 72 two ASCII characters, 464 three ASCII characters, 477 four alphanumeric character, 706 five letters(all lower or all upper case), 605 six letters all lower case, 492 weak passwords (dictionary words spelled backwards, first names, surnames, etc.) Summary: 2,831 passwords (86% of the sample) were weak, i.e., they were either too easily predictable or too short Only the passwords that are possible to be chosen. CSC 474 Dr. Peng Ning

10 Dictionary Attacks Attack 1:
Create a dictionary of common words and names and their simple transformations Use these to guess the password Eagle Wine Rose Eagle What can we do about it? Slow down the system’s response. Yes! Dictionary CSC 474 Dr. Peng Ning

11 Dictionary Attacks (Cont’d)
Usually F is public and so is the password file In Unix, F is crypt, and the password file is /etc/passwd. Compute F(word) for each word in the dictionary A match gives the password Eagle Wine Rose TdWx% XkPT KYEN F(Eagle)=XkPT Password file Dictionary CSC 474 Dr. Peng Ning

12 Dictionary Attacks (Cont’d)
To speed up search, pre-compute F(dictionary) A simple look up gives the password Eagle Wine Rose XkPT %$DVC #AED! TdWx% XkPT KYEN F Look up Pre-computed Dictionary Password file Dictionary CSC 474 Dr. Peng Ning

13 Password Salt To make the dictionary attack a bit more difficult
Salt is a 12-bit number between 0 and 4095 Derived from the system clock and the process identifier CSC 474 Dr. Peng Ning

14 Password Salt (Cont’d)
Storing the passwords Password + Salt F F(Password + Salt) Password file Username, Salt, F(Password + Salt) CSC 474 Dr. Peng Ning

15 Password Salt (Cont’d)
Verifying the passwords Fetch Salt according to username Password + Salt F F(Password + Salt) Compare Password file Username, Salt, F(Password + Salt) CSC 474 Dr. Peng Ning

16 Does Password Salt Help?
Attack 1? Without Salt With Salt Eagle Wine Rose A word Yes/No Dictionary CSC 474 Dr. Peng Ning

17 Does Password Salt Help?
Attack 2? Without Salt With Salt Eagle Wine Rose TdWx% XkPT KYEN F Password file Dictionary CSC 474 Dr. Peng Ning

18 Does Password Salt Help?
Attack 3? Without Salt With Salt Y Eagle Wine Rose %$DVC XkPT #AED! TdWx% XkPT KYEN F Look up Pre-computed Dictionary Password file Dictionary CSC 474 Dr. Peng Ning

19 Password Management Policy and Procedure
Educate users to make better choices Does not work if the user population is large or novice Define rules for good password selection and ask users to follow them Rules serve as guideline for attackers Ask or force users to change their passwords periodically Force users to use machine generated passwords Random passwords are difficult to memorize; also password generator may become known to the attacker through analysis Actively attempt to break users’ passwords; force users to change those that are broken Attacker may have better dictionary Screen password choices; if a choice is weak, force users to make a different choice There are some ways to make passwords safer. Some of them are listed here. CSC 474 Dr. Peng Ning

20 One-time Passwords Use the password exactly once! CSC 474
Passwords are visible in the clear in distributed and networked systems Passwords are susceptible to replay attacks if encrypted naively CSC 474 Dr. Peng Ning

21 Lamport’s Scheme (S/Key)
Take advantage of One-Way function One-way hash function F F(x) is easy to compute From F(x), x is difficult to compute F x F(x) easy difficult CSC 474 Dr. Peng Ning

22 S/Key (Cont’d) Pre-computation F The System 1. Randomly generate x
2. Compute the following F x F1(x) F2(x) Fn(x) 3. Save (username, Fn(x)), and give x to the user. CSC 474 Dr. Peng Ning

23 S/Key (Cont’d) Authentication F
The first time, the user supplies F(n-1)(x). The system checks if F(F(n-1)(x))=Fn(x). If yes, the user is authenticated and the system replaces Fn(x) with F(n-1)(x). The second time, the user supplies F(n-2)(x). The third time, … F F(i-1)(x) Fi(x) CSC 474 Dr. Peng Ning

24 Time Synchronized There is a hand-held authenticator
It contains an internal clock, a secret key, and a display Display outputs a function of the current time and the key It changes about once per minute User supplies the user id and the display value Host uses the secret key, the function, and its clock to calculate the expected output The login is valid if the values match In practice, the clock skew is a problem CSC 474 Dr. Peng Ning

25 Time Synchronized (Cont’d)
Secret Key Time Encryption One Time Password CSC 474 Dr. Peng Ning

26 Challenge Response A non-repeating challenge from the host instead of a clock is used Note that the device requires a keypad. NETWORK HOST WORK STATION User ID Challenge Response CSC 474 Dr. Peng Ning

27 Challenge Response (Cont’d)
Secret Key Challenge Encryption Response CSC 474 Dr. Peng Ning

28 Challenge Response (Cont’d)
Problems with challenge/response schemes Key database is extremely sensitive This can be avoided if public key algorithms are used; however, the outputs would be too long for users to input conveniently CSC 474 Dr. Peng Ning

29 Biometrics Fingerprint Retina scan Voice pattern Signature
Typing style CSC 474 Dr. Peng Ning

30 Biometrics (Cont’d) Technique Description Min. Cost False Reading
Retina Eyes scanned 1 to 2 inches from screening device $2,400 1/10,000,000+ Iris Camera image of eye takes from 14 inches $3,500 1/131,000 Hand Hand scanned on plate by three video cameras at different angles $2,150 1/500 Fingerprint Finger scanned on glass plate $1,995 Signature Written with special pen on digitizer tablet $1,000 1/50 Voice Predefined phrase spoken into telephone or microphone $1,500 CSC 474 Dr. Peng Ning

31 Effectiveness of Biometrics
Two types of errors for authentication False acceptance (FA) Let imposters in FAR: the probability that an imposter is authenticated. False rejection (FR) Keep authorized users out FRR: the probability that an authorized user is rejected. Another type of error for identification False match (FM) One user is mistaken for another (legitimate user) FMR: the probability that a user is incorrectly matched to a different user’s profile. No technique is perfect! CSC 474 Dr. Peng Ning

32 Multimodal Biometrics
Use multiple Biometrics together. AND: Accept only when all are passed Why do we need this? OR: Accept as long as at least one is passed Others Retina scan Fingerprint Voice recognition User Decision Yes/No CSC 474 Dr. Peng Ning

33 Summary Password authentication One-time passwords Biometrics
Storing passwords Dictionary attacks Password Salt One-time passwords S/Key Time synchronized Challenge response Biometrics CSC 474 Dr. Peng Ning

Download ppt "CSC 474 Information Systems Security"

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Computer Science 1 CSC 405 Introduction to Computer Security Topic 4. Security in Conventional Operating Systems -- Part II.

Computer Science 1 CSC 405 Introduction to Computer Security Topic 4. Security in Conventional Operating Systems -- Part II.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
Security-Authentication

Security-Authentication
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.

Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Similar presentations

Ads by Google