Presentation on theme: "CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION."— Presentation transcript:
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION
Introduction There are two primary parts to access control: Authentication Authorization Authentication deals with the problem of determining whether a user (or other entity) should be allowed access to a particular system or resource.
Authentication Methods The human can be authenticated to a machine based on any combination of the following: 1. Something you know e.g. Password 2. Something you are e.g. Fingerprint 3. Something you have e.g. ATM card
1. Something You Know - Passwords Password is: something that you know something that computer can verify that you know something nobody else can guess-even access to unlimited computing resources. One important fact regarding passwords is that many things act as password. E.g. the PIN number for an ATM card One solution to the password problem would be use randomly generated cryptographic keys in place of passwords. How?
Keys Versus Passwords If a password is 8 characters long (8 bytes) with 256 possible choices for each character 256 8 possible passwords. E.g. password If a key with 64-bit (8 bytes) cryptographic key 2 64 possible keys. (Trudy must try 2 63 keys before she expects to find the correct one) E.g. Kf&Yw!a[ Although 2 64 = 256 8 (8 bytes), and this appears to be equivalent, users don’t select passwords at random because users must remember their passwords.
Choosing Passwords Some passwords better than others. For example the following passwords are weak: Frank (your name) 10251960 (your birthday) Users should have passwords that are difficult to guess: jFiEk(43j-EmmL+y BedL1ON
Attacking Systems via Passwords A common attack path for Trudy would be: outsider normal user administrator One weak password on a system –or one week password on an entire network- could be enough for the first stage of the attack to succeed.
Password Verification Problem: Storing “raw” passwords is not secure Solution: Storing hashed passwords is more secure.
Password Verification Problem: 1. Suppose Trudy has a “dictionary” containing N passwords: d 0, d 1, d 2, …, d N-1 she could pre-compute the hash of each password: y 0 =h(d 0 ), y 1 =h(d 1 ), y 2 =h(d 2 ), …, y N-1 =h(d N-1 ) 2. Trudy can guess the password p if she found h(p) is similar to one of the pre-compute hash y x Soulution: 1. generate a random salt value s (Note: the s is not secret) 2. compute y = h(p,s) 3. store the pair (s,y) in the password file. 4. To verify an entered password z, compute h(z,s) = y
Math of Password Cracking Supposed that: All passwords are eight characters in length there are 256 choices for each character resulting in 256 8 = 2 56 possible passwords Number of possible choices in each cell (byte/bit/…) Number of cells (byte/bit/…) 2 56 2 56
Math of Password Cracking Case I: Trudy decides that she wants to find Alice’s password. (Assuming that Alice’s password contains of 8 bytes) This is precisely equivalent to an exhaustive key search and the expected work is 2 56 /2=2 55
Math of Password Cracking Case II: Trudy again wants to recover Alice’s password, but she is going to use her dictionary of common passwords. (Assuming that any given password will appear in the dictionary with a probability of about ¼, and Trudy has a dictionary of 2 20 common passowords) The expected work is: ¼(2 19 )+¾(2 55 )≈2 54.6
Math of Password Cracking Case III: Trudy will be satisfied to find any one of the 1024 passwords in the hashed password file without using any dictionary (Assuming that the password file contains 2 10 = 1024 hashed passwords, and all of them are distinct) The expected work is: 2 55 /2 10 = 2 45
Math of Password Cracking Case IV: Trudy wants to find anyone of the 1024 passwords in the hashed password file, and she will make use of her dictionary. The expected work is: Not salted password: 2 19 / 2 10 = 2 9 Salted password: ¼(2 19 )+ ¾.¼(2 20 +2 19 )+(¾) 2 ¼(2.2 20 +2 19 )+ … +(¾) 1023 ¼(1023.2 20 + 2 19 ) < 2 22
Other Password Issues/Problems Remembering different passwords is difficult “Social engineering” is when someone claiming to be a system administrator and needs your password Password cracking tools, such as: L0phtCrack (for Windows) - now called LC5: used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute- force, and hybrid attacks. John the Ripper (for Unix) run against various encrypted password formats including DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hash
2. Something You Have - Biometrics Biometrics are the “something you are” method of authentication or, in Schneider's immortal words, “you are your key” There are many different types of biometrics as fingerprints and handwritten signatures.
Biometrics A biometric should be Universal: The ideal biometric should apply to virtually everyone. Distinguishing: The ideal biometric should distinguish with virtual certainty. Permanent: The physical characteristic being measured should never change. Collectable: The physical characteristic should be easy to collect without any potential to cause harm to the subject. Reliable, robust, and user-friendly
Biometrics Usage 1. Identification: Identify the subject from a list of many possible subjects. E.g., a suspicious fingerprint from a crime scene is sent to the FBI fingerprint database for comparison with all records on file. In this case, the comparison is one to many. 2. Authentication: The comparison is one to one E.g., if someone claiming to be Alice uses a thumbprint mouse biometric, the captured thumbprint image is only compared with the stored thumbprint of Alice.
Phases of Biometric System 1. The Enrollment Phase: subjects have their biometric information entered into a database. 2. The Recognition Phase: subjects have their biometric information entered into a database.
Biometric Error Rates For fielded fingerprint biometric systems, the equal error rate is typically about 5% hand geometry has an equal error rate of about 10 −3
3. Something You Have For example, a network MAC address an ATM card a password generator The process of a password generator is shown below:
Two-Factor Authentication Two or three methods can work together for authentication For example: the password generator scheme requires both: 1. “something you have” (the password generator), and 2. “something you know” (the PIN). Requiring two out of the three methods of authentication is known as two-factor authentication.