
Slide 1: Lecture 8: Authentication of People

- what you know (password schemes)
- what you have (keys, smart cards, etc.)
- what you are (voice recognition, fingerprints, retinal scans, etc.)

Slide 2: Careless Use of Passwords

- rarely changing the password (increases the probability of its being stolen, gives more time for an attack)
- writing down the password (where the bad guys can see it)
- emailing the password, putting it on the web, or using it in scripts (email is archived and otherwise easily accessible)
- using the same password in multiple places (cascading break-in)
- rotating through the same passwords when forced to change (defeats security)

Slide 3: Preventing Guessable Passwords

- the measures should not be so extreme that users start writing their passwords down
- reactive: run a guesser on the password file
  - may be too late
- proactive:
  - force users to change passwords frequently
    - users may alternate or pick derivatives of the old password
  - select random passwords for a user
    - hard to remember
    - variant: pronounceable random strings (1 vowel for 3 consonants); a 10-character pronounceable string is as good as an 8-character random one
  - let users select their own but prevent them from picking bad ones
    - good passwords: intentional misspelling, odd capitalization, first letters of a phrase, mixing in non-alphabetic characters

Slide 4: More on Password Strength

- what should the length of the password be? it depends on the circumstances:
  - 4 digits for an ATM card (10000 choices) but only 3 attempts, in a controlled environment (camera)
  - generic: should be as strong as a secret key, i.e. 64 random bits
    - if considering lower/upper case and punctuation marks (47 possibilities per keystroke, plus Alt/Ctrl and function keys): 6 bits per keystroke, so 11 random characters; humans will not remember them
    - pronounceable: case-sensitive string of letters, 4 bits of randomness per keystroke, so 16 random characters
    - user-chosen: 2 bits of randomness per keystroke, so 32 characters
- cryptographically, passwords are one of the weakest points in system security

Slide 5: On-line Password Guessing

- poor choices make easy guessing targets
  - first names, initials, SS#
  - initial passwords related to account/user information
- defenses:
  - lock the account after consecutive failed passwords (used for PINs of ATM cards: only 3 attempts); not universal, since it can be used for a DoS attack
  - slow down password processing
  - auditing: alert the user about unsuccessful login attempts; does not work for "stale" accounts
  - disallow short or guessable passwords
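The three on-line defenses above (lockout after consecutive failures, slowing down processing, auditing) as one login-attempt handler. This is an added example, not code from the lecture; MAX_FAILURES follows the slide's 3-attempt PIN rule, while LOCKOUT_SECONDS and FAILURE_DELAY are assumed policy values, and the account stores a plaintext password only to keep the demo short (slide 6 covers hashing).

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3          # the slide's ATM/PIN rule: 3 consecutive wrong guesses
LOCKOUT_SECONDS = 900.0   # assumed lockout window once MAX_FAILURES is reached
FAILURE_DELAY = 2.0       # assumed minimum gap after a failure ("slow down password processing")

@dataclass
class Account:
    password: str                    # plaintext only for this demo; real stores keep a salted hash
    failures: int = 0                # consecutive failures since the last success
    locked_until: float = 0.0        # absolute time (seconds) until which logins are refused
    not_before: float = 0.0          # earliest time at which the next attempt is processed
    audit: list = field(default_factory=list)  # events to show the user ("auditing" defense)

def attempt_login(acct: Account, guess: str, now: float) -> str:
    """Process one login attempt at time `now`; returns 'ok', 'bad', 'too_soon' or 'locked'."""
    if now < acct.locked_until:
        acct.audit.append((now, "attempt on locked account"))
        return "locked"
    if now < acct.not_before:
        # Rate limiting: guesses that arrive too quickly are not even evaluated.
        return "too_soon"
    if hmac.compare_digest(guess.encode(), acct.password.encode()):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    acct.not_before = now + FAILURE_DELAY
    acct.audit.append((now, "failed login"))
    if acct.failures >= MAX_FAILURES:
        # Lockout. The slide's caveat applies: anyone who can reach the login
        # prompt can trigger this against a victim's account (denial of service).
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
        acct.audit.append((now, "account locked"))
    return "bad"
```

The audit list is what the slide's "alert user" defense would surface at the next successful login; for a stale account nobody ever reads it, which is the slide's objection.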

Slide 6: Off-line Password Guessing

- stealing password files
  - countermeasure: store only hashes of the passwords
  - problem: nobody besides the user knows the password; what if she forgets it?
- attacks:
  - exhaustive search
  - dictionary
- defenses:
  - don't allow short/guessable passwords
  - don't make password files readable
  - salting: mix a random number into each hash
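Storing only hashes, and why salting is the extra step: with a plain hash, two accounts with the same password are visibly identical in the stolen file and one precomputed dictionary covers both; with a per-account random salt mixed in, every record is different and each must be attacked separately. Added example, not from the lecture; ITERATIONS and SALT_BYTES are assumed parameters.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor: makes each off-line guess cost more
SALT_BYTES = 16        # assumed salt length

def unsalted_hash(password: str) -> str:
    """The slide's baseline: store only a hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str) -> dict:
    """Salted, iterated hash: a fresh random salt per account is mixed into the hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def shared_password_visible(stored_values: list) -> bool:
    """True if two stored values are identical, i.e. password reuse shows in the file itself."""
    return len(set(stored_values)) < len(stored_values)

if __name__ == "__main__":
    # Constructed sample: two accounts that happen to use the same password.
    plain = [unsalted_hash("hunter2"), unsalted_hash("hunter2")]
    print("unsalted reuse visible:", shared_password_visible(plain))        # True
    a_rec, b_rec = make_record("hunter2"), make_record("hunter2")
    print("salted reuse visible:",
          shared_password_visible([a_rec["hash"], b_rec["hash"]]))          # False
    print("verify:", verify(a_rec, "hunter2"), verify(a_rec, "hunter3"))    # True False
```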

Slide 7: Eavesdropping Attacks

- watching the screen
- watching the keyboard
- login Trojan horses
- keyboard sniffers
- network sniffers
- defenses:
  - protect password entry
  - good network administration
  - cryptographic protection
  - one-time passwords: a list of passwords
    - the system challenges with a random number
    - the user replies with the corresponding password

Slide 8: Initial Password Distribution

- "bootstrap" problem: how to give the user a password
- initial off-line authentication
  - let the user choose a password
  - the initial password is selected by the system administrator
  - pre-expired passwords: must be changed at the first login

Slide 9: Authentication Tokens

- physical device a person must present for authentication
- key (physical)
- ATM and credit cards (magnetic stripe to store info; insecure)
- smart cards: on-card processor for cryptographic authentication
  - PIN-protected cards: memory protected by a PIN (locks up after a sequence of incorrect guesses)
  - challenge-response cards: perform challenge-response authentication through the card reader
    - problem: needs a card reader at every access point
    - new technology: tokens working through USB ports
  - cryptographic calculator: the current time is encrypted, displayed to the user, and entered at the terminal
    - advantage: access through standard terminals
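Both token styles from this slide and the one-time-password idea from slide 7 in one model: a challenge-response card answers a random challenge from the reader, and a cryptographic calculator turns the current time step into a short code that can be typed at any terminal; the verifier holds the same key and refuses to accept any value twice. Added example, not from the lecture; it uses an HMAC as the keyed one-way function where the slide says "encrypted", and WINDOW_SECONDS, DIGITS and the sample key are assumptions.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 30   # assumed length of one time step for the calculator
DIGITS = 6            # assumed length of the code shown to the user

def _code(key: bytes, message: bytes) -> str:
    """Keyed function shared by token and verifier: HMAC truncated to DIGITS decimal digits."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)

def card_response(key: bytes, challenge: bytes) -> str:
    """Challenge-response card: answer the reader's random challenge."""
    return _code(key, challenge)

def calculator_code(key: bytes, now: float) -> str:
    """Cryptographic calculator: code derived from the current time step."""
    step = int(now) // WINDOW_SECONDS
    return _code(key, step.to_bytes(8, "big"))

class Verifier:
    """Server side: holds the same per-user key, never accepts a value twice."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None        # outstanding challenge, single use
        self.used_steps = set()    # time steps already redeemed (replay protection)

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def check_response(self, response: str) -> bool:
        if self.pending is None:
            return False
        expected = _code(self.key, self.pending)
        self.pending = None        # a second answer to the same challenge is refused
        return hmac.compare_digest(response, expected)

    def check_time_code(self, code: str, now: float) -> bool:
        step = int(now) // WINDOW_SECONDS
        for s in (step - 1, step, step + 1):   # tolerate a little clock drift
            if s in self.used_steps:
                continue
            if hmac.compare_digest(code, _code(self.key, s.to_bytes(8, "big"))):
                self.used_steps.add(s)
                return True
        return False
```

The replay checks are what make these codes one-time: a sniffer who captures a response or a time code (slide 7) cannot reuse it, and the lockout of slide 9's PIN-protected cards is a separate layer in front of the key.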

Slide 10: Biometrics

- authentication by inherent physical characteristics
- usually invasive, expensive, and not useful for remote authentication
- examples:
  - retinal scanner: examines the back of the eye
  - fingerprint reader: seems to be hard to automate
  - face recognition: what if you get a black eye?
  - iris scanner: less invasive than a retinal scanner (can be done from a distance)
  - voiceprints: may be defeated with a recording; what if you get a sore throat?
  - keystroke timing
  - signatures: hard to automate; possible if signature production (the movements) is also recorded

