Chapter 02 1st Authentication 2022

Uploaded by

badeaalshamy22

Information Security

Chapter 2

Toolbox: Authentication, Access Control, and Cryptography
Charles P. Pfleeger

Authentication
• In this chapter we present:
 The first of the tools that security professionals use frequently:
− authentication.
 The other tools will be presented in the next lectures; these tools are:
 access control, and
 cryptography.
Authentication
• The property of accurate identification is called
authentication;
 The first critical tool for security professionals is:
 authentication and its techniques & technologies.
 Previously, authentication relied on face-to-face interactions;
 Computers have replaced many face-to-face
interactions with electronic ones.
 With no vigilant neighbor to recognize that something
is awry,
 people need other mechanisms to separate
authorized from unauthorized parties.
• The basis of computer security is controlled access:
 someone is authorized to take some action on
something,
 In security, the subject can be;
 people, computer processes (executing programs),
network connections, devices, and similar active
entities.
Authentication
• Computers depend on data to recognize others;
• In computer systems, determining who a person
really is consists of two separate steps:
 Identification:
− is the act of asserting who a person is.
− Identification is the means of verifying the identity of
a user, process, or device, typically as a prerequisite
for granting access to resources in a system.
 Identities, like names, are often well known, public,
and not protected.
 Authentication:
− is the act of proving that asserted identity: that the
person is who she says she is.
− authentication is a technical measure that prevents
unauthorized individuals or processes from entering a
system.
 Authenticators, like a password, card, or fingerprint, are:
 private and necessarily protected.
Authentication;
Identification Versus Authentication
• Identification:
 asserting who a person is,
 is the means of verifying the identity of a user,
process, or device, typically as a prerequisite
for granting access to resources in a system.
 Identities are often well known, predictable,
guessable or easily determined, such as;
− your name, Your bank account number,
− debit card number, email address, and
− other things are ways by which people and processes
identify you.
 Identification by itself provides no real protection;
 identities are not protected.
Authentication;
Identification Versus Authentication
• Authentication should be;
 the act of proving that asserted identity,
 a technical measure that prevents
unauthorized individuals or processes from
entering a system,
 Reliable and private,
 Protected, and
 Authentication mechanisms use any of four
qualities to confirm a user’s identity:
− Something the user knows;
 Passwords, PIN numbers, passphrases, a secret
handshake, and mother’s maiden name.
− Something the user has;
 Identity badges (tokens), physical keys, a driver’s
license, or a uniform are common examples of things
people have that make them recognizable.
Authentication;
Identification Versus Authentication
− Something the user is;
 These authenticators, called biometrics, are based on
a physical characteristic of the user, such as;
− a fingerprint, retina and iris of the eye, blood vessels
in the finger or hand, a face (picture) or facial
features.
− These authentication methods are just starting to be
used in computer authentications.
− Something the user does;
 include recognition by voice pattern, handwriting
characteristics, typing rhythm, and signatures.
• Two or more forms can be combined;
− for ex; a bank card and a PIN combine;
 Something the user has (the card) with something
the user knows (the PIN).
User Authentication Mechanisms
[Figure: diagram of user authentication mechanisms; labels recovered from the slide]
 Password Authentication
 Biometric Authentication
 Certificate Authentication
 Kerberos
 Single Sign On
 Security Token
 Key Distribution Center (KDC)
 Handshake Pitfalls
 Script-Based Approach
 Agent-based Approach
 Mutual Authentication
 Challenge/Response Tokens
 Time-based Tokens
 One-Way Authentication
Authentication Based on Phrases and Facts:
Something You Know;
• Passwords were the first form of computer
authentication and remain popular;
 although other forms are becoming;
 easier to use,
 less expensive, and
 more common.
• Password protection seems to offer a
relatively secure system for confirming identity
related information;
 But human practice sometimes degrades its
quality.
• The use of passwords is fairly straightforward;
 A user enters some piece of identification,
 a name Or a user ID.
 The protection system then requests a password
from the user.
Password Use
• Even though passwords are widely used, they
suffer from some difficulties of use:
 Use; Supplying a password for each access to an object
can be inconvenient and time consuming.
 Disclosure; If a user discloses a password to an
unauthorized individual, the object becomes immediately
accessible,
 If the user then changes the password to re-protect
the object, the user must inform any other legitimate
users of the new password because their old password
will fail.
 Revocation; To revoke one user’s access right to an object,
 someone must change the password, thereby
causing the same problems as disclosure.
 Loss; Depending on how the passwords are implemented,
 it may be impossible to retrieve a lost or forgotten
password in some systems.
Attacking and Protecting Passwords
• Some of the password attack approaches;
 Dictionary Attacks,
 Inferring Passwords Likely for a User,
 Guessing Probable Passwords,
 Defeating Concealment,
 Exhaustive Attack or brute force attack.
Attacking and Protecting Passwords
• Passwords are somewhat limited as
protection devices;
 because of the relatively small number of bits of
information they contain,
 Worse, people pick passwords that do not even
take advantage of the number of bits available:
choosing a well-known string.
• To determine a password, an attacker might try, in
order, passwords that are:
 no password,
 the same as the user ID,
 the user’s name or derived from the user’s name,
 on a common word list plus common names
and patterns,
Attacking and Protecting Passwords
 contained in;
 a short college dictionary, or a complete English
word list,
 common non-English-language dictionaries,
 a short college dictionary with capitalizations or
substitutions,
 a complete English dictionary with
capitalizations or substitutions, and
 common non-English dictionaries with
capitalization or substitutions.
 obtained by brute force attacks, trying all
possible combinations of alphabetic
characters, or
 obtained by brute force attacks, trying all
possible combinations from the full
character set.
Dictionary Attacks
• Several network sites post dictionaries of;
 phrases, places, mythological names, Chinese
words, Yiddish words, and other specialized lists;
• These lists help site administrators to identify
users who have chosen weak passwords,
 but the same dictionaries can also be used by attackers
of sites that do not have such attentive administrators.
 The COPS, Crack, and SATAN utilities allow an
administrator to scan a system for weak
passwords,
 But these same utilities, or other homemade ones,
allow attackers to do the same.
• People think they can be clever by picking a
simple password and replacing certain characters,
 But users aren’t the only people who could think up
these substitutions.
Inferring Passwords Likely for a User
• People typically choose personal passwords;
• Morris and Thompson showed the
characteristics of the 3,289 passwords gathered;
 The following figure illustrates a distribution of
password types;

FIGURE 2-1: Distribution of Password Types
Inferring Passwords Likely for a User
• In December 2009;
 the computer security firm Imperva analyzed 34
million Facebook passwords that had previously
been disclosed accidentally, reporting that;
 about 30% of users chose passwords of fewer than seven
characters,
 nearly 50% of people used names, slang words,
dictionary words or trivial passwords (consecutive digits,
adjacent keyboard keys, and so on),
 most popular passwords included 12345, 123456,
1234567, password, and iloveyou, in the top ten.
• Either people are unable to choose good
passwords;
 perhaps because of the pressure of the situation, or
 they fear they will forget solid passwords.
Guessing Probable Passwords
• Penetrators searching for passwords realize
these very human characteristics and use
them to their advantage;
 Penetrators try techniques that are likely to
lead to rapid success,
 If people prefer short passwords to long ones,
 the penetrator will plan to try all passwords but to try
them in order by length,
 There are only 26^1 + 26^2 + 26^3 = 18,278 (not
case sensitive) passwords of length 3 or less.
• People often use anything simple that
comes to mind as a password;
 so human attackers might succeed by trying a
few popular passwords.
Defeating Concealment
• Easier than guessing a password is just to read one
from a table;
 The OS authenticates a user by asking for a name and
password, which it checks against a stored table.
• But that table then becomes a treasure trove for
evildoers, See Table 2-2;
• OSs stymie that approach by storing passwords not
in their public form but in a concealed form;
 When a user creates a password, the OS accepts and
immediately conceals it,
− storing the unreadable version. See Table 2-3;
 The critical point is that the concealment process be one-way:
− converting a password to its concealed form is simple,
− but going the other way, deriving the password from its
concealed form, is effectively impossible,
 which is why, on some websites, the system cannot tell you
what your forgotten password was.
Defeating Concealment
• For active authentication;
 most systems lock out a user who fails a small number
of successive login attempts,
 but if the attacker obtains an encrypted password table and
learns the concealment algorithm,
 a computer program can easily test hundreds of
thousands of guesses in a matter of minutes.
• Because people often use one of a few predictable
passwords, the interceptor can;
 create what is called a rainbow table, Table 2-4;
 a list of the concealed forms of the common passwords.
 intercept the table and learn that users A and B
have the same password.
 He can guess that A and B both chose common
passwords, and
 start trying the usual ones and others also.
Defeating Concealment
• To counter both these threats;
 some systems use an extra piece called the
salt,
 A salt is an extra data field different for each user;
‒ perhaps the date the account was created, or
‒ a part of the user’s name.
 The salt value is joined to the password, and the
combination is then transformed by concealment,
 In this way, Pat+aaaaaa has a different concealment
value from Roz+aaaaaa, as shown in Table 2-5.
 An attacker cannot build a rainbow table,
 because the common passwords now all have a
unique component, too.
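The concealment, rainbow-table and salt ideas of Tables 2-3 to 2-5, worked through as an added Python example that is not part of the slides: `conceal`, `rainbow_lookup`, `build_salted_table` and the other function names are chosen here, SHA-256 stands in for the system's concealment function, and the user list and common-password list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short "common passwords" list standing in for
# the posted dictionaries the slides mention.
COMMON_PASSWORDS = ["123456", "password", "iloveyou", "aaaaaa", "qwerty"]


def conceal(password: str, salt: str = "") -> str:
    """One-way concealment of salt+password.

    SHA-256 is an assumption of this example, standing in for whatever
    one-way function the system uses; real systems use a slow, dedicated
    password hash for the same purpose.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_unsalted_table(users: dict) -> dict:
    """Table 2-3 style: user -> concealed password, no salt."""
    return {user: conceal(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    """Table 2-5 style: user -> (salt, concealed salt+password).

    A random per-user salt is used here; the slides' account-creation date
    or part of the user name would work the same way.
    """
    table = {}
    for user, pw in users.items():
        salt = os.urandom(8).hex()
        table[user] = (salt, conceal(pw, salt))
    return table


def rainbow_lookup(common: list) -> dict:
    """Table 2-4 style: concealed form -> common password, computed once."""
    return {conceal(pw): pw for pw in common}


def weak_unsalted(table: dict, lookup: dict) -> dict:
    """Users whose unsalted digest appears in the precomputed lookup: what an
    administrator running a Crack-style audit of the table learns."""
    return {user: lookup[d] for user, d in table.items() if d in lookup}


def weak_salted(table: dict, lookup: dict) -> dict:
    """The same lookup against a salted table finds nothing: each stored
    digest covers salt+password, so one table cannot serve every user."""
    return {user: lookup[d] for user, (_, d) in table.items() if d in lookup}


def users_sharing_password(table: dict) -> list:
    """Without salt, identical digests expose that two users share a password."""
    groups = {}
    for user, d in table.items():
        groups.setdefault(d, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def verify(table: dict, user: str, password: str) -> bool:
    """Login check against the salted table: re-conceal with the stored salt."""
    salt, stored = table[user]
    return hmac.compare_digest(stored, conceal(password, salt))


if __name__ == "__main__":
    users = {"Pat": "aaaaaa", "Roz": "aaaaaa", "Lee": "Zq7!rm#K"}  # constructed
    unsalted, salted = build_unsalted_table(users), build_salted_table(users)
    lookup = rainbow_lookup(COMMON_PASSWORDS)
    print("unsalted table, weak passwords found:", weak_unsalted(unsalted, lookup))
    print("unsalted table, users sharing a password:", users_sharing_password(unsalted))
    print("salted table, weak passwords found:", weak_salted(salted, lookup))
    print("Pat logs in with aaaaaa:", verify(salted, "Pat", "aaaaaa"))
```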
Exhaustive Attack
• In an exhaustive or brute force attack;
 the attacker tries all possible passwords,
 usually in some automated fashion.
 the number of possible passwords depends on the
implementation of the particular computing system, for
example;
 the set of characters allowed in a password, and
 the password length.
• Another form of copying occurs with passwords;
 If you have to enter or speak your password,
 someone else can look over your shoulder or overhear you,
 now that authenticator is easily copied or forged.
• All these techniques to defeat passwords,
combined with usability issues;
 indicate that we need to look for other methods of
authentication.
Password Policy
• Password Policy to remain in compliance with
our information assurance policies;
• passwords on all computing systems must
conform to the following standard:
 A password is set to expire every 60 days.
 You are required, therefore, to change your password at
least once every 60 days. (The 60-day period begins each
time you change a password.)
 A password must be at least 12 characters in length.
 A password must contain the following:
 Lowercase characters ( a, b, c, and so on)
 Uppercase characters (A, B, C, and so on)
 Numerical characters (1, 2, 3, and so on)
 Special characters (!, @, #, and so on)
‒ If the password has only one nonalphabetic
character, that character must not be the first or last
character in the password string.
Password Policy
• passwords on all computing systems must
conform to the following standard (continued);
 A new password cannot be a password that you
previously used during the past 24 password changes.
 A new password must differ from the old password by at
least three characters.
 A new password cannot contain within it a person’s
name or any word or abbreviation found in a dictionary.
 A password can be changed only once during a 24-hour
period.
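The standard above, implemented as an added Python checker that is not part of the slides or of any institution's tooling: `check_policy` and the helper names are chosen here, the word and name lists are constructed, and "differ by at least three characters" is read as the number of differing positions plus any length difference, since the policy does not define it.

```python
import string
from datetime import datetime, timedelta

# Constructed stand-ins for the word and name lists a real checker would load.
DICTIONARY = {"password", "secret", "welcome", "spring", "letmein", "admin"}
NAMES = {"adams", "pat", "roz"}
SPECIALS = set(string.punctuation)


def has_required_classes(pw: str) -> bool:
    """Lowercase, uppercase, numerical and special characters must all appear."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))


def nonalpha_placement_ok(pw: str) -> bool:
    """A lone non-alphabetic character may not be the first or last character."""
    positions = [i for i, c in enumerate(pw) if not c.isalpha()]
    return len(positions) != 1 or positions[0] not in (0, len(pw) - 1)


def char_difference(new: str, old: str) -> int:
    """Differing positions plus any length difference (assumed reading of
    'differ by at least three characters', which the policy leaves undefined)."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def contains_word(pw: str, words: set, min_len: int = 3) -> bool:
    """Case-insensitive substring match against a word or name list."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)


def check_policy(new: str, old: str = None, history=(),
                 last_change: datetime = None, now: datetime = None) -> list:
    """Return the rules the proposed password violates; [] means compliant."""
    now = now or datetime.now()
    problems = []
    if len(new) < 12:
        problems.append("fewer than 12 characters")
    if not has_required_classes(new):
        problems.append("missing lower/upper/digit/special class")
    if not nonalpha_placement_ok(new):
        problems.append("lone non-alphabetic character at start or end")
    if new in list(history)[-24:]:
        problems.append("reused within the last 24 passwords")
    if old is not None and char_difference(new, old) < 3:
        problems.append("differs from old password by fewer than 3 characters")
    if contains_word(new, DICTIONARY) or contains_word(new, NAMES):
        problems.append("contains a dictionary word or person's name")
    if last_change is not None and now - last_change < timedelta(hours=24):
        problems.append("changed less than 24 hours ago")
    return problems


def expiry_date(last_change: datetime) -> datetime:
    """Each change starts a new 60-day validity period."""
    return last_change + timedelta(days=60)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3xyz", "Welcome2024!xyz", "Abcdefghijkl1"]:
        print(candidate, "->", check_policy(candidate) or "compliant")
```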
Good Passwords
Choosing an Effective Password
• Chosen carefully, passwords can be strong
authenticators;
• If we do use passwords, we can improve their
security by a few simple practices (criteria);
• The following are recommendations to choosing
password that should make it much more difficult
for a hacker to successfully break in to your user ID:
 Use characters other than just a–z;
 Use both upper- and lowercase letters plus digits and symbols.
 Choose long passwords (at least 15 characters or more);
 Most operating systems set a maximum of 8 characters,
 We require a 12-character password because longer
passwords are much harder to crack than shorter ones.
 Avoid actual names or words;
 Avoid names, especially names of family members, pets, or
fictional characters from movies, books, or plays.
Choosing an Effective Password
 It must not contain blanks;
 It must begin with a letter;
 Use variants for multiple passwords;
 Change the password regularly;
 Choose a password that is not a word or abbreviation in
any dictionary, including foreign language dictionaries.
 Avoid simple strategies such as prepending or appending a
digit to a word or name.
 These are some of the easiest passwords to crack.
 Avoid obvious keyboard patterns (such as QWERTY) or
numbering schemes (such as 123).
 Avoid passwords that are common to your work such as
 star identifiers, computer names, and the like.
 Avoid names, especially names of family members, pets,
or fictional characters from movies, books, or plays.
 Avoid using personal information, such as:
 your Social Security number, license plate number,
telephone number, and so on) that may be easy to locate.
Choosing an Effective Password
 Don’t write it down;
 Don’t tell anyone else;
 Finally, choose a password that you can easily remember;
 The use of a passphrase may be helpful. (Select a phrase
known only by you and use the first or last letter of each
word in the phrase as your password.) Be aware that some
passphrases may generate a sequence of characters that will
match a word or abbreviation in the dictionary.
 You may have to try several different passphrases to find
one that the password “cracker” will accept.
Other Things Known;
• Other Things Known;
 GrIDSure authentication system
(http://www.gridsure.com) has been integrated into
Microsoft’s Unified Access Gateway (UAG) platform;
 This system allows a user to authenticate herself with
a one-time passcode based on a pattern of squares
chosen from a grid.
− When the user wishes access, she is presented with a
grid containing randomly assigned numbers;
− she then enters as her passcode the numbers that
correspond to her chosen pattern.
 ImageShield product from Confident Technologies
asks a user to enroll by choosing three categories
from a list;
 Then at authentication time, the user is shown a grid
of pictures, some from the user’s categories and
others not,
 Each picture has a 1-character letter or number.
Security Questions;
• Security Questions;
 Instead of passwords, some companies use questions
to which (presumably) only the right person would
know the answer;
 Such questions include;
 mother’s maiden name, street name from childhood,
model of first automobile, and name of favorite teacher.
• Assignments:
 Information Security Policy and Types,
 Information Security Policy Frameworks,
 Examples: FISMA, ISO 27001/2:2013, COBIT.
 Information Security Procedures and Standards.
 Risk Management,
 Business Continuity,
 “Information Security for Banking and Finance” (ISO/TR
13569) or highest,
 For more: Biometric Authentication.
Authentication Based on Biometrics: Something You Are
• Biometrics are biological properties, based on some
physical characteristic of the human body;
• The list of biometric authentication technologies is still
growing;
 Now devices can recognize the following biometric characteristics:
 fingerprint, voice, face,
 hand geometry (shape and size of fingers),
 retina and iris (parts of the eye),
 handwriting, signature, hand motion,
 typing characteristics,
 blood vessels in the finger or hand,
 facial features, such as nose shape or eye spacing.
• Biometrics have advantages over passwords;
 a biometric cannot be lost, stolen, forgotten, or shared and
is always available, always at hand, so to speak.
 These characteristics are difficult,
 if not impossible, to forge.
Examples of Biometric Authenticators
• Many physical characteristics are possibilities as
authenticators;
 we present examples of two of them:
 one for the size and shape of the hand, and
 one for the patterns of veins in the hand.

FIGURE 2-2: Hand Geometry Reader (Graeme Dawes/Shutterstock)
FIGURE 2-3: Hand Vein Reader (Permission for image provided courtesy of Fujitsu Frontech)
Problems with Use of Biometrics
• Biometrics come with several problems:
 Biometrics are relatively new, and some
people find their use intrusive,
 Biometric recognition devices are costly,
 although as the devices become more popular,
their cost per device should go down.
 Biometric readers and comparisons can
become a single point of failure,
 All biometric readers use sampling and
establish a threshold for acceptance of a close
match,
 The speed at which a recognition must be
done limits accuracy,
Problems with Use of Biometrics
 Although equipment accuracy is improving, false
readings still occur; see Sidebar 2.6;
 a false positive or false accept is a reading that is
accepted when it should be rejected (that is, the
authenticator does not match), and
 a false negative or false reject is one that rejects when
it should accept.
 Often, reducing a false positive rate increases false
negatives, and vice versa.
 The consequences for a false negative are usually less than for
a false positive, so;
 an acceptable system may have a false positive rate
of 0.001 percent but a false negative rate of 1%.
 False positive: incorrectly confirming an identity.
 False negative: incorrectly denying an identity.
 Although we like to think of biometrics as unique
parts of an individual;
 forgeries are possible, see Sidebar 2.7;
Problems with Use of Biometrics
• Remember that:
 Biometric matches are not exact;
 the issue is whether the rate of false positives and
false negatives is acceptable,
 Authentication with biometrics uses a pattern or
template,
 much like a baseline, that represents
measurement of the characteristic.
 Biometrics are reliable for authentication but
are much less reliable for identification,
 Biometrics depend on a physical characteristic
that can vary from one day to the next or as
people age,
• See Sidebars 2.8 - 2.12;
Authentication Based on Tokens: Something You Have
• Something you have means that you have
a physical object in your possession;
 One physical authenticator with which you are
probably familiar is a key,
 Authenticators of this type are known as tokens,
 Other familiar examples of tokens are:
 badges, and
 identity cards.
 Another kind of authentication token has data
to communicate invisibly,
− Examples of this kind of token include;
 credit cards with a magnetic stripe,
 credit cards with an embedded computer chip, Or
 access cards with passive or active wireless
technology.
Authentication Based on Tokens;
Active and Passive Tokens
• Passive tokens do nothing;
 A photo or key is an example of a passive token;
the contents of the token never change.
• An active token can have some variability or
interaction with its surroundings;
 Active tokens take some action, such as
 communicating with a sensor.
 For ex: some public transportation systems use cards
with a magnetic stripe;
 When you insert the card into a reader,
 the machine reads the current balance, subtracts the price
of the trip, and rewrites a new balance for the next use.
 Another form of active token initiates a two-way
communication with its reader,
 often by wireless or radio signaling.
Authentication Based on Tokens;
Static and Dynamic Tokens
• The value of a static token remains fixed;
 For example;
 Keys, identity cards, passports, credit and other magnetic-
stripe cards, and radio transmitter cards (called RFID devices),
 Static tokens are most useful for onsite
authentication,
 We are also interested in remote authentication,
that is, in your being able to prove your identity to
a person or computer somewhere else;
 With the example of the picture badge,
 it may not be easy to transmit the image of the badge and
the appearance of your face for a remote computer to
compare.
 Remote authentication is susceptible to the problem of
the token having been forged;
 Tokens are vulnerable to an attack called skimming,
 Skimming is the use of a device to copy authentication
data surreptitiously and relay it to an attacker.
Authentication Based on Tokens;
Static and Dynamic Tokens
• To overcome copying of physical tokens or
passwords, we can use dynamic tokens;
• A dynamic token is one whose value changes;
 A dynamic authentication token is essentially a
device that generates an unpredictable value
that we might call a pass number, for
examples;
 Some devices change numbers at a particular interval,
 others change numbers when you press a button, and
 others compute a new number in response to an
input,
− sometimes called a challenge.
• In all cases, it does not matter if someone
else sees or hears you provide the pass
number.
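The time-based and challenge/response tokens described above, as an added Python example that is not from the slides and is not RSA's SecurID algorithm: it uses the HMAC-based construction of RFC 4226/6238 (HOTP/TOTP), with `pass_number`, `verify_time_based` and the other names chosen here, and the RFC 4226 test secret 12345678901234567890 as the constructed shared secret.

```python
import hashlib
import hmac
import secrets
import struct

# Shared secret installed in the token and at the verifier during enrollment.
# This is the RFC 4226 test secret, used here as constructed sample data.
TOKEN_SECRET = b"12345678901234567890"


def pass_number(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style pass number: HMAC-SHA1 over an 8-byte counter, dynamically
    truncated to `digits` decimal digits (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# --- token that changes its number at a fixed interval (TOTP-style) ---

def time_based_code(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Token side: the counter is the number of `step`-second intervals elapsed."""
    return pass_number(secret, unix_time // step)


def verify_time_based(secret: bytes, code: str, unix_time: int,
                      step: int = 30, drift: int = 1) -> bool:
    """Verifier side: accept the current interval and `drift` neighbours to
    tolerate clock skew. A code seen earlier fails once its interval has
    passed, which is why an onlooker gains nothing from observing it."""
    counter = unix_time // step
    return any(hmac.compare_digest(code, pass_number(secret, counter + d))
               for d in range(-drift, drift + 1))


# --- token that computes a new number in response to a challenge ---

def issue_challenge(rng=secrets.randbits) -> int:
    """Verifier side: a fresh, unpredictable 64-bit challenge per login."""
    return rng(64)


def respond(secret: bytes, challenge: int) -> str:
    """Token side: the pass number is bound to this challenge only."""
    return pass_number(secret, challenge)


def verify_response(secret: bytes, challenge: int, response: str) -> bool:
    """Verifier side: recompute the expected answer and compare in constant time."""
    return hmac.compare_digest(response, pass_number(secret, challenge))


if __name__ == "__main__":
    now = 1_000_000_000
    code = time_based_code(TOKEN_SECRET, now)
    print("fresh code accepted:", verify_time_based(TOKEN_SECRET, code, now))
    print("same code 5 minutes later:", verify_time_based(TOKEN_SECRET, code, now + 300))
    ch = issue_challenge()
    print("challenge/response accepted:",
          verify_response(TOKEN_SECRET, ch, respond(TOKEN_SECRET, ch)))
```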
Static and Dynamic Tokens
• Dynamic tokens have computing power on the
token to change their internal state;
 Dynamic token generators are useful for remote
authentication, especially of a person to a computer.
 An example of a dynamic token is the SecurID token
from RSA Laboratories.

FIGURE 2-6: SecurID Token
(Photo courtesy of RSA, the security division of EMC, and
copyright © RSA Corporation, all rights reserved.)
Federated Identity Management
• If these different forms of authentication seem
confusing and overwhelming;
 remembering identities and distinct passwords for
many systems is challenging.
• A federated identity management scheme is a union
of separate identification and authentication systems;
 Instead of maintaining separate user profiles;
 a federated scheme maintains one profile with one
authentication method,
 Separate systems share access to the authenticated
identity database,
 Authentication is performed in one place, and separate
processes and systems determine that an already
authenticated user is to be activated.
• Federated identity management unifies the
identification and authentication process for a group
of systems;
Federated Identity Management
• Closely related is a single sign-on process;
 Think of an umbrella procedure to which you log in once per
session (for example, once a day),
 The umbrella procedure maintains your identities and
authentication codes for all the different processes you access.
 For example, to access email,
 the single sign-on process passes your email ID and password details to
the email handler, and
 you resume control after the authentication step has succeeded.
Multifactor Authentication
• Single-factor authentication offers
advantages and disadvantages, for ex;
 a token works only as long as you do not give
it away (or lose it or have it stolen), and
 password use fails if someone can see you
enter your password by peering over your
shoulder.
• We can compensate for the limitation of
one form of authentication by combining
it with another form;
 Combining authentication information is
called multifactor authentication.
Multifactor Authentication

• Two forms of authentication (two-factor


authentication) are presumed to be better
than one;
• Two forms are stronger, but as the number of
forms increases, so also;
 does the user’s inconvenience,
 Each authentication factor requires:
 the system and its administrators, and
 the users to manage more security information,
• We assume that more factors imply higher
confidence;
 although few studies support that assumption, and;
 two kinds of authentication imply two pieces of
software and perhaps two kinds of readers,
 as well as the time to perform two authentications.
Secure Authentication
• Passwords, biometrics, and tokens can all
participate in secure authentication;
 Of course, simply using any or all of them is
no guarantee that an authentication
approach will be secure.
• To achieve true security, we need to think
carefully about the;
 problem we are trying to solve and the tools
we have,
 blocking possible attacks and attackers.
Secure Authentication
• Suppose we want to control access to a computing
system;
• In addition to a name and password;
 we can use other information available to authenticate users,
 Suppose Adams works in the accounting department from
8:00 a.m. - 5:00 p.m., Sat. through Thurs.;
 By limiting Adams to logging in under those conditions, the
system protects against two problems:
 Someone from outside might try to impersonate
Adams, This attempt would be thwarted by:
−either the time of access, or
−the port through which the access was attempted.
 Adams might attempt to access the system from home
or on a weekend,
 planning to:
−use resources not allowed for Adams, such as accessing the
system from home or on a weekend, or
−do something that would be too risky with other
people around.
