02/10/2017
Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE
Understand the importance of authentication
Learn how authentication can be implemented
Understand threats to authentication
24/09/2017 2
1
� 02/10/2017
Introduction
Electronic User Authentication Principles
Password-Based Authentication
Token-Based Authentication
Biometric Authentication
Remote User Authentication
Security Issues for User Authentication
24/09/2017 3
2
� 02/10/2017
Availability:
when the correct credentials are presented, the
resources should be made available to the processor
(on behalf of the user).
No false negatives:
if a process presents incorrect credentials but is given
access
These should not happen.
No false positives:
if a process presents the correct credentials but is denied
access
These should not happen either
3
� 02/10/2017
Check the correct answer from the choices.
We now have personal devices that are not shared across
multiple users. What threats motivate the use of authentication
in such devices?
Malware infection that may exfiltrate sensitive data
Loss of theft of the device
4
� 02/10/2017
Something the individual knows Something the individual process
Password Smart card
PIN, Physical key
Answer Token
Something the individual is (Static biometrics)
fingerprint
retina,
Face
iris
Something the individual does (Dynam ic biom etric)
Voice,
Handwriting
24/09/2017 9
Typing rhythm
GOTPass: users employ “images and a one-time
numerical code” in order to secure password.
o using patterns and images instead of letters and numbers
o the generated digits random code
24/09/2017 10
5
� 02/10/2017
Authentication: Verifies user access to the operating system
Physical authentication:
o Allow s physical entrance to company property
o Magnetic cards and biometric measures
Digital authentication: verifies user identity by digital means
Digital certificates: identifies and verifies holder of certificate
Digital token (security token):
o Small electronic device
o Displays a number unique to the token holder;
o Uses a different passw ord each time
Digital card: Also known as a security card or smart card
o Similar to a credit card; uses an electronic circuit instead of a magnetic strip
o Stores user identification information
Kerberos:
o Developed by MIT
o Uses tickets for authentication purposes
11
Lightweight Directory Access Protocol (LDAP):
o Developed by the University of Michigan
o A centralized directory database stores:
• Users (user name and user ID)
• Passw ords
• Internal telephone directory
• Security keys
o Efficient for reading but not suited for frequently changing information
NT LAN Manager (NTLM):
o Developed and used by Microsoft
o Employs a challenge/response authentication protocol
Public Key Infrastructures (PKI):
o User keeps a private key
o Authentication firm holds a public key
o Encrypt and decrypt data using both keys
12
6
� 02/10/2017
RADIUS: used by network devices to provide a
centralized authentication mechanism
Secure Socket Layer (SSL): authentication
information is transmitted over the network in
an encrypted form
Secure Remote Password (SRP):
o Password is not stored locally
o Invulnerable to brute force or dictionary attacks
13
7
� 02/10/2017
Check the correct answer from the choices.
An attacker correctly guesses Alice’s password and
logins in as her. Is this a case of...
False negative
True positive
False positive
True negative
● Assurance level: the degree of confidence
● Level 1: Little or no confidence in the asserted identity’s validity.
● Level 2: Some confidence in the asserted identity’s validity.
● Level 3: High confidence in the asserted identity’s validity
● Level 4: Very high confidence in the asserted identity’s validity.
● Potential impact: potential impact on organizations r individuals should there be a
breach of security
● Low : adverse effect on organizational operation
● Moderate: serious adverse effect
● High: severe or catastrophic adverse effect
● areas of risk.: mapping betw een the potential impact and the appropriate level of
assurance
8
� 02/10/2017
● areas of risk.
Password-Based Authentication
The Vulnerability of Passwords
The Use of Hashed Passwords
Password Cracking of User-Chosen Passwords
Password File Access Control
Password Selection Strategies
Token-Based Authentication
Biometric Authentication
18
9
� 02/10/2017
The password systems defense against intruders
Systems require: user provide name or ID + password
o all multiuser systems,
o network-based servers,
o Web-based e-commerce sites,
o and other similar services
The password serves to authenticate the ID of the
individual logging on to the system.
24/09/2017 19
1. Offline dictionary attack:
A hacker gain access to the system password file.
Compares the password hashes against hashes of commonly used
passwords.
2. Specific account attack:
Attacker targets a specific account &submits password guesses until
the correct password is discovered.
3. Popular password attack / Against single user:
The attacker chooses a popular password and tries it.
Attacker attempts to gain knowledge about the account holder and
system password policies and uses that knowledge to guess the
password.
24/09/2017 20
10
� 02/10/2017
4. Workstation hijacking:
The attacker waits until a logged-in workstation is unattended.
5. Exploiting user mistakes:
User is more likely to write it down passwords, because it is
difficult to remember.
6. Exploiting multiple password use.
Similar password for a many applications
7. Electronic monitoring:
If a password is communicated across a network to log on to a
remote system, it is vulnerable to eavesdropping.
24/09/2017 21
Check which passwords made the top 10 most
common passwords for 2014:
123456 696969
password 123123
letmein batman
abc123 qwerty
111111 123456789
11
� 02/10/2017
How do we check the password supplied with a user id?
Method 1 - store a list of passwords, one for
each user in the system file.
● The file is readable only by the root/admin account
● What if the permissions are set incorrectly?
● Why should admin know the passwords?
● If security is breached, the passwords are exposed to an
attacker.
How do we check the password supplied with a user id?
Method 2 - do not store passwords, but store
something that is derived from them
●Use a one-way hash function and store the result
●The password file is readable only for root/admin
12
� 02/10/2017
Hash Functions
A hash function maps a variable-length message into a fixed-length
hash value,
or message digest
h = H(M)
The principal object:
o data integrity
24/09/2017 26
13
� 02/10/2017
Variable input size
Fixed output size
Efficiency: H (M) is easily calculated with arbitrary M
For any given value h, it is difficult to find M such that H(M) = h
o One-way function
For any M1, it is very difficult to find M2#M1 such that H(M2) =
H(M1)
o collision resistant: weak
Very difficult to find any pair (M1, M2) such that H (M1) = H(M2)
o collision resistant: Strong
A Strong hash function: satisfied all 6 reqs (weak: 5 reqs)
24/09/2017 27
●We assume a one-way
property for hash functions
●If we know common
passwords, we can determine
their hash
●For dictionary and offline
attacks, we have the hash
values and plenty of time to
test for matches
14
� 02/10/2017
two categories of attacks on hash functions:
o Brute-force attack:
• depend only on bit length of the hash value (not specific algorithm )
• Attack to: One-way function; collision resistant - weak
wishes to find a value y such that H(y)=h, try 2m-1 values
• Attack to: collision resistant - strong
wishes to find 2 messages: x,y, that yield H(y)=H(x), try 2m/2 values
o Cryptanalysis:
• based on weaknesses in a particular cryptographic algorithm.
• require a cryptanalytic effort greater than or equal to the BF effort
24/09/2017 29
● Guessing the password for a given
user allows impersonation
● Impersonating a real login program
● Keylogging to steal a password
15
� 02/10/2017
Publicly available software can do 108 MD5 hashes/sec on
a GPU
Six random upper case/lower case/digits then 626 possible
passwords, about 10 minutes
Eight random characters increases it to about six days
Passwords are not really random
To reduce the work required for a brute force attack:
● Try the popular passwords first
● Create a rainbow table
What if two users pick the same password?
● Add a random salt before hashing
● Store the salt with the hashed value
● Check by using the salt with the typed password
24/09/2017 31
16
� 02/10/2017
● As password length and complexity increases,
usability suffers
● Phishing and social engineering – users do not
authenticate who is asking for a password.
● Once a password is stolen, it can be used many times
● This is why there are policies that say passwords be
changed frequently
● Humans have a hard time remembering lots of
passwords. Usable passwords are easy to guess.
Sys Administrators:
●Never store passwords in the clear
●Store only hashed values generated with a
random salt and limit access to them
●Avoid general purpose fast hash functions
Users:
●Use password managers
17
� 02/10/2017
● The hashed passw ords are kept in a separate file from the user
IDs, referred to as a shadow passw ord file .
● Special attention is paid to making the shadow passw ord file protected
from unauthorized access.
● Vulnerabilities:
● Exploit a softw are vulnerability in the OS to bypass the access control
system long enough to extract the passw ord file.
● An accident of protection might render the passw ord file readable
● Use the same passw ord on other machines in other protection
domains
● Access to this backup enables the attacker to read the passw ord file.
● Collecting user IDs and passw ords is through sniffing netw ork traffic.
● Four basic techniques are in use:
• User education
• Computer-generated passwords
• Reactive password checking
• Complex password policy
18
� 02/10/2017
You must have them
May require additional hardware (e.g., readers)
How does it implement authentication
(challenge/response)
Cost and misplaced trust (RSA SecureID master key
breach)
Types:
o Memory card
o Token
24/09/2017 37
Memory cards can store only a simple security
code
(not process data).
The bank card: a magnetic stripe on the back.
Using memory card:
o Alone
o + PIN
Among the potential drawbacks
o Requires special reader: increases the cost
hardware and software.
o Token loss: determine the PIN to gain unauthorized
access
o User dissatisfaction: use for computer access
24/09/2017 38
19
� 02/10/2017
Has own processor, memory, I/O ports
o Wired or wireless access by reader
o May have crypto co-processor
o ROM, EEPROM, RAM memory
Executes protocol to authenticate with
reader/computer
o Static:
o Dynamic password generator:
o Challenge-response:
Also have USB dongles
24/09/2017 39
Each time the card is inserted
o a reset is initiated (clock value)
o the card responds (the parameters and
protocols).
o The terminal may be able to change
the protocol used and other
parameters via a protocol type
selection (PTS) command.
o The cards PTS response confirms the
protocols and parameters to be used.
o The terminal and card can now
execute the protocol to perform the
desired application.
24/09/2017 40
20
� 02/10/2017
A smart card as a national identity card for citizens
A national electronic identity (eID)
o national ID cards
o driver’s license
an eID card has been verified by the national government as
valid and authentic.
Functions:
o ePass: stores a digital representation of the cardholder’s identity.
(electronic passport)
o eID: stores an identity record that authorized service can access
o eSign: stores a private key and a certificate verifying the key
24/09/2017 41
24/09/2017 42
21
� 02/10/2017
28/09/2017 43
28/09/2017 44
22
� 02/10/2017
based on pattern recognition.
more complex and expensive.
24/09/2017 45
24/09/2017 46
23
� 02/10/2017
24/09/2017 47
28/09/2017 48
24
� 02/10/2017
Multi-factor authentication
● Uses more than one method
● Type password but also send a code via SMS
■ It goes to your phone (something you have)
■ Gmail implements this
● ATM card and a PIN
● Other things like your location
● Attacker must defeat both to compromise
authentication
A multi-factor authentication method will likely
reduce false negative. Choose one:
True
False
25
� 02/10/2017
Authentication over a network:
● Do we always have a trusted path to the
OS we need to authenticate to?
■ Remote services
● Network authentication introduces new
problems
● Need crypto to secure network
communication
● Other attacks (man-in-the-middle)
More security threats with remote user authentication
o an eavesdropper being able to capture a password
o an adversary replaying an authentication sequence that has
been observed
Systems generally rely on some form of challenge-
response protocol.
Protocols:
o Password Protocol
o Token protocol
o Biometric protocol
24/09/2017 52
26
� 02/10/2017
24/09/2017 53
o Passcode W’
(synchronized with host)
o Password P’
(shared user and token, not host)
28/09/2017 54
27
� 02/10/2017
24/09/2017 55
24/09/2017 56
28
� 02/10/2017
24/09/2017 57
24/09/2017 58
29
� 02/10/2017
Lesson Summary
● Introduction
● Electronic User Authentication Principles
● Password-Based Authentication
● Token-Based Authentication
● Biometric Authentication
● Remote User Authentication
● Security Issues for User Authentication
24/09/2017 60
30
