Authentication February 2002

SECURE COMPUTING

An Overview of Authentication Techniques

Richard E. Smith, Ph.D., CISSP
Author of Authentication: From Passwords to Public Keys

February 2002, Rick Smith, slide 1

Just bits on a wire…

[Cover art from Authentication: From Passwords to Public Keys by Richard E. Smith © 2002, Addison Wesley. Illustration by Peter Steiner, The Cartoon Bank. Used by permission.]

Rick Smith's site at http://www.visi.com/crypto/

The Password Tradition

[Figure from Authentication © 2002. Used by permission]

• 1963: a substitute for student lockers at MIT
• Works by proving ownership of a personal secret
• Attack: steal the password file from the hard drive
• Defense: “hash” each password irreversibly
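As an added illustration of the attack and defense on this slide (not code from the slides or the book): a password file stored as irreversible hashes, and the off-line dictionary guessing an attacker runs against a stolen copy of that file. It adds a per-user salt and an iteration count, which the slide does not mention, because those are what keep a stolen hash from being cracked by precomputation; the user names, passwords, dictionary and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: salted, iterated password hashing for a stored
# credential file, then an off-line dictionary attack against a stolen
# copy. Added illustration, not code from the slides or the book.

ITERATIONS = 20_000  # assumed work factor; raise it for real deployments


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$digest_hex'. The verifier never needs the clear password."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def offline_guess(stolen: dict, dictionary: list) -> dict:
    """What an attacker does with a stolen file: try every dictionary word
    against every user's salted hash, with no rate limit to stop them."""
    cracked = {}
    for user, stored in stolen.items():
        for guess in dictionary:
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked


# Constructed sample "password file" and attacker dictionary.
USERS = {"alice": "correct horse battery staple", "bob": "password", "carol": "letmein"}
STOLEN_FILE = {user: hash_password(pw) for user, pw in USERS.items()}
DICTIONARY = ["123456", "password", "qwerty", "letmein", "welcome"]


def demo():
    """Return the cracked accounts and the fraction of the file that fell."""
    cracked = offline_guess(STOLEN_FILE, DICTIONARY)
    return cracked, len(cracked) / len(STOLEN_FILE)


if __name__ == "__main__":
    print(demo())
```

Hashing stops the thief from reading passwords out of the file, but the next slides show the residual problem: the thief can still guess off-line, and the fraction of accounts that fall (two of three here) depends only on how guessable the passwords are and how expensive each trial is.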

Attack: Sniffing

[Figure from Authentication © 2002. Used by permission]

Defense: Challenge Response

[Figure from Authentication © 2002. Used by permission]

• Secret password + cryptography to protect the password from sniffing
• MS Windows, Novell, Apple, etc.
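An added, simplified illustration of the challenge-response idea (not code from the slides, and not the Windows, Novell or Apple protocol): the server sends a random nonce, the client answers with an HMAC keyed by a hash of the password, and the password itself never crosses the wire. The user name and password are constructed; the key derivation is a plain hash, chosen for clarity.

```python
import hashlib
import hmac
import os

# Added example of a nonce-based challenge-response login.
# Both sides hold the same password-derived key; only the nonce and
# the HMAC over it are visible to a sniffer.


def derive_key(password: str) -> bytes:
    # Shared secret known to both sides (a plain hash, for illustration).
    return hashlib.sha256(password.encode()).digest()


class Server:
    def __init__(self, users: dict):
        self.keys = {user: derive_key(pw) for user, pw in users.items()}
        self.pending = {}  # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)  # fresh, unpredictable, never reused
        self.pending[user] = nonce
        return nonce

    def check(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # each challenge is single use
        if nonce is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, nonce: bytes) -> bytes:
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def run_exchange(server: Server, user: str, password: str, sniffer: list) -> bool:
    """One login; everything that crosses the wire is appended to `sniffer`."""
    nonce = server.challenge(user)
    response = client_respond(password, nonce)
    sniffer.append((nonce, response))
    return server.check(user, response)


def replay_attack(server: Server, user: str, sniffer: list) -> bool:
    """Attacker requests a fresh challenge and replays the first captured response."""
    server.challenge(user)
    _, old_response = sniffer[0]
    return server.check(user, old_response)


if __name__ == "__main__":
    srv, captured = Server({"alice": "hunter2"}), []
    print("login:", run_exchange(srv, "alice", "hunter2", captured))
    print("replay:", replay_attack(srv, "alice", captured))
```

The replay fails because the server binds each response to a nonce it chose and discards. What the sniffer does get is a (nonce, response) pair, which is enough to run off-line guessing against the password; that is the next move in the ping-pong on the following slide.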

Password Ping-Pong

Each defense invites the next attack:

  Defense: Passwords
  Attack:  Steal the Password File  ->  Defense: Password Hashing
  Attack:  Sniffing                 ->  Defense: Challenge Response
  Attack:  On-Line Guessing         ->  Defense: Guess Detection
  Attack:  Off-Line Guessing        ->  Defense: Password Rules
  Attack:  Mouse Pad Searches       ->  Defense: Password Tokens
  Attack:  Network Sniffing         ->  Defense: One-Time Passwords
  Attack:  ??

Off-Line Attacks Work

  Incident                         Year   % Guessed
  Internet Worm                    1988   ~50%
  Klein’s Study                    1990   24.2%
  Spafford’s Study                 1992   20%
  CERT Incident IN-1998-03         1998   25.6%
  Cambridge study by Yan, et al.   2000   35%

Strong Password Rules

• Block off-line attacks with strong password rules
• Such rules are usually generalized as follows: the password must be impossible to memorize.
• The result of strong password rules: look under some mouse pads and find ---

[Figure from Authentication © 2002. Used by permission]

Strength in Practice

  Example                       Type of Attack            Average Attack Space
  Random 8-character password   Interactive or Off-Line   2^45
  Dictionary Attack             Interactive or Off-Line   2^15 to 2^23
  Mouse Pad Search              Interactive               2^1 to 2^4
  Practical Off-Line Attacks    Off-Line                  2^40 to 2^63

Tokens: Something You Have

[Figure from Authentication © 2002. Used by permission]

• Each carries a large, hard to guess secret
• Portable, usually tamper resistant
• Some implemented in software

One-Time Password Tokens

[Figure from Authentication © 2002. Used by permission]

Attacker can’t reuse a sniffed password
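An added example of a counter-based one-time-password token (not code from the slides or the book): the token holds a large secret and a counter, each button press yields a code that is valid once, and the verifier burns every counter value it has accepted, so a sniffed code is worthless by the time the attacker replays it. The code computation follows the HOTP algorithm of RFC 4226, which postdates these slides but is the standard form of what the slide describes; the secret is the RFC’s published test secret and the look-ahead window is an assumed value.

```python
import hashlib
import hmac
import struct

# Added example: a counter-based one-time-password token and its verifier,
# using the HOTP construction (RFC 4226). The secret below is the RFC's
# test vector secret; the look-ahead window is an assumption.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The thing the user carries: secret plus a press counter."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side: accepts each counter value at most once, looks ahead a
    bounded window for presses that never reached the server, never back."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.next_counter, self.window = secret, 0, window

    def accept(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this and all earlier counters are burned
                return True
        return False


SECRET = b"12345678901234567890"  # RFC 4226 test secret (never reuse a published key)


def demo():
    """Returns (first login ok, replay of sniffed code ok, login after a lost press ok)."""
    token, verifier = Token(SECRET), Verifier(SECRET)
    sniffed = token.press()
    first = verifier.accept(sniffed)
    replay = verifier.accept(sniffed)
    token.press()  # a press whose code never reached the server
    later = verifier.accept(token.press())
    return first, replay, later


if __name__ == "__main__":
    print(demo())
```

Interactively the attacker still faces a guess of one six-digit code per attempt, and off-line the sniffed codes reveal nothing short of breaking the secret, which is why the next slide separates the two attack types for tokens.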

Tokens Resist Attacks

  Example                    Type of Attack   Average Attack Space
  Password                   Off-Line         2^15 to 2^23
  One-Time Password Token    Interactive      2^19 to 2^23
  One-Time Password Token    Off-Line         2^54 to 2^63
  Token with Public Key      Off-Line         2^63 to 2^116

Biometrics: Things You Are

[Figure from Authentication © 2002. Used by permission]

• Measures the user’s physical trait (signature) against a previously established pattern
• Users rarely lose or damage their biometrics
• But matches are only approximate!

Biometrics in Practice

  Example                      Type of Attack   Average Attack Space
  Random 8-Char Password       Interactive      2^45
  Dictionary Attack            Off-Line         2^15 to 2^23
  Biometric with 1% FAR        Team             2^6
  Biometric with 0.01% FAR     Team             2^12
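The three “Average Attack Space” tables (Strength in Practice, Tokens Resist Attacks, and Biometrics in Practice) all report one metric. As an added worked example, not from the slides, the calculator below models that metric as trials divided by twice the probability that the attack succeeds, so that a random password is charged half its key space, a dictionary attack is charged its dictionary size scaled by the fraction it cracks, and a biometric attack is charged the reciprocal of its false-accept rate. That formula is this example’s assumption about how the slides’ numbers were derived; the 52-letter alphabet, 50,000-word dictionary and 25% success rate are constructed inputs chosen because they reproduce the slides’ figures.

```python
import math

# Added calculator for the "average attack space" metric used in the
# slides' tables. Assumption: average attack space = trials / (2 * P(success)),
# reported as a power of two. Inputs below are constructed for illustration.


def attack_space_bits(trials: float, success_probability: float) -> float:
    """log2 of the expected work: the attacker needs `trials` guesses per
    attempt and succeeds with the given probability per attempt."""
    if trials <= 0 or not 0 < success_probability <= 1:
        raise ValueError("trials must be positive and probability in (0, 1]")
    return math.log2(trials / (2 * success_probability))


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Brute force over every string: success is certain once the space is exhausted."""
    return attack_space_bits(alphabet_size ** length, 1.0)


def dictionary_attack_bits(dictionary_size: int, fraction_guessed: float) -> float:
    """A dictionary of D words cracks a fraction L of passwords: D / (2 L)."""
    return attack_space_bits(dictionary_size, fraction_guessed)


def one_time_password_bits(digits: int) -> float:
    """Interactive attack on a token: guess an n-digit code, one try per attempt."""
    return attack_space_bits(10 ** digits, 1.0)


def token_secret_bits(key_bits: int) -> float:
    """Off-line attack on a token: recover its k-bit secret (k - 1 bits on average)."""
    return attack_space_bits(2 ** key_bits, 1.0)


def biometric_bits(false_accept_rate: float) -> float:
    """Team attack: one trial per impostor, each accepted with probability FAR."""
    return attack_space_bits(1, false_accept_rate)


def table() -> list:
    """Rows in the slides' format, rounded to whole bits."""
    rows = [
        ("Random 8-character password (52 letters)", random_password_bits(52, 8)),
        ("Dictionary attack, 50,000 words, 25% cracked", dictionary_attack_bits(50_000, 0.25)),
        ("One-time password token, 6 digits", one_time_password_bits(6)),
        ("Token secret, 64-bit key", token_secret_bits(64)),
        ("Biometric with 1% FAR", biometric_bits(0.01)),
        ("Biometric with 0.01% FAR", biometric_bits(0.0001)),
    ]
    return [(name, round(bits)) for name, bits in rows]


if __name__ == "__main__":
    for name, bits in table():
        print(f"{name:48s} 2^{bits}")
```

The same function explains why the tables mix attack types: the biometric rows are tiny not because the sensor is weak but because an impostor needs no secret at all, only patience and a false-accept rate, while the token rows are large because the only off-line route is through the secret itself.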


Sniffing & Biometric Encryption

[Figure from Authentication © 2002. Used by permission]

• Q: What if someone sniffs a biometric reading?
• A: They can replay it and masquerade!
• Defense: use cryptography to protect the data
• Problem: we have to manage another secret!

SECURE COMPUTING

Thank You!

Questions? Concerns? Comments?

My e-mail: [email protected]
http://www.visi.com/crypto

Security Books

• Authentication. Richard E. Smith. Addison-Wesley: 2001. http://www.visi.com/crypto/
• Computer Security Basics. Deborah Russell & G. T. Gangemi Sr. O’Reilly & Associates: 1991
• Web Security & Commerce. Simson Garfinkel with Gene Spafford. O’Reilly & Associates: 1997
• Internet Cryptography. Richard E. Smith. Addison-Wesley: 1997
• Computer Crime: A Crimefighter’s Handbook. Icove, Seger & VonStorch. O’Reilly & Associates: 1995
• Web Security: A Step-by-Step Reference Guide. Lincoln D. Stein. Addison-Wesley: 1998

Security Resources

• Information Security Magazine (www.infosecuritymag.com)
• Packet Storm (www.packetstorm.com)
• 2600 (www.2600.com)
• ATTRITION (www.attrition.org)
• Hackers Club (www.hackersclub.com)

Security E-Mail Lists

– CERT-advisory, [email protected]: The Computer Emergency Response Team (CERT) issues advisories for security holes
– CERT-tools, [email protected]: CERT’s tools mailing list keeps subscribers up-to-date on security tool news.
– ntbugtraq, ntbugtraq@listserv.ntbugtraq.com: Moderated list of NT bugs
– firewall-wizards@nfr.net: The Firewall Wizards Mailing List moderated by Marcus J. Ranum.
– cryptography@wasabisystems.com: Cryptography mailing list
– microsoft_security@announce.microsoft.com: to keep track of Microsoft security bug announcements