Cyber Security Lecture Notes 02

This document discusses identification, authentication, and password security. It defines identification as announcing one's identity and authentication as proving one's claimed identity. The most common authentication method is the username and password scheme where the user provides a username and password. To improve security, passwords should be strong and unique, regularly changed, and cryptographically protected while stored. Common attacks on passwords include guessing, dictionary attacks, brute force attacks, and pre-computing hashed passwords.

Uploaded by

Sampath Darshana
Copyright: © All Rights Reserved
Department of Computer Science

ISYS40451 Cyber Security

Lecture 2
Identification and Authentication

Dr Xiaoqi Ma
Outline
1 Identification and identity

2 Authentication

3 Username and password scheme

4 Managing passwords

5 Protecting passwords

6 Attacks on passwords

7 Summary
Identification
• Definition of Identification: “The process of showing, proving or recognizing who or what somebody / something is” – Oxford Advanced Learner’s Dictionary
• Identification concerns the manner in which a user provides his unique identity to the IT system
• It means “You announce who you are”
Identity
• Identities are often well known, predictable or guessable
• The identity must be unique so that the system can distinguish among different users
• Depending on operational requirements, one “identity” may describe one individual, more than one individual, or one (or more) individuals only part of the time
Authentication
• Definition of Authentication: “to prove that something is genuine, real or true” – Oxford Advanced Learner’s Dictionary
• Authentication is the process of associating an individual with his unique identity, that is, the manner in which the individual establishes the validity of his claimed identity
• It means “You prove that you are who you claim to be”
Basic Authentication Methods
• Something you know
• Something you have
• Somebody you are
Something You Know
• Passwords
• PIN numbers
• Answers to security questions
Something You Have
• Keys
• Security tokens
• Smart cards
Something (Somebody) You Are
• Biometrics
  • Physiological
  • Behavioural
Username and Password Scheme
• Username and password scheme is the most common authentication mechanism
• Identification: you provide your username, which is the ID you registered with the system
• Authentication: you provide your password, which is a mutually agreed-upon code “word” assumed to be known only to you and the system (?)
Managing Passwords
• Passwords are secrets shared between the user and the system authenticating the user (?)
• Passwords should always be kept secret
  • NEVER write it down or tell anybody else
• Passwords should be distributed very carefully
Distributing Passwords
• Collect in person
• Send passwords by mail
• Call back an authorised phone number
• Call back someone else, e.g. the caller’s manager or security officer
• Send passwords that are valid only for a single login
• Send mail by courier with personal delivery
• Request confirmation on a different channel to activate the user account

Choosing Passwords
• Use characters other than just A-Z
• Choose long passwords
• Avoid obvious passwords
• Change passwords regularly
• Never write them down
• Don’t tell anyone else
Improving Passwords
• Password checkers
• Password generation
• Password aging
• Limit login attempts
Protecting Passwords (1)
• Cryptographic protection
  • Apply a one-way function, which is relatively easy to compute but significantly harder to undo or reverse. That is, given x it is easy to compute f(x), but given f(x) it is hard to compute x
  • The system stores one-way function values of passwords instead of plaintext passwords
(Slide figure: the example password abcd1234 being passed through the one-way function before storage)
Protecting Passwords (2)
• Access control enforced by the operating system
  • Restrict access to password files
• Combination of cryptographic protection and access control
• Password salting
Attacks on Passwords
• Password guessing
• Dictionary attack
• Brute force attack
• Pre-computation dictionary attack
Password Guessing
• Passwords can be guessed by humans with knowledge of the user’s personal information:
  • The words “password”, “passcode”, and their derivatives
  • A row of letters from the qwerty keyboard – qwerty itself, asdf, or qwertyuiop
  • The name of the user or their significant other, e.g. a relative or pet
  • Their birthplace or date of birth, or a relative’s
  • Car license plate number
  • Telephone or mobile number
  • A simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of the letters
Dictionary Attack
• Defeating an authentication mechanism by trying to determine its password by searching likely possibilities
• A dictionary attack successively tries all the words in a list containing possible passwords
• The list (dictionary) is a pre-arranged list of values
• Dictionary attacks succeed because many people have a tendency to choose passwords which are short, single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit
Brute Force Attack
• Search the password space exhaustively
• For example, if passwords are strings consisting of the 26 characters A-Z and can be of any length from 1 to 8 characters, the number of possible passwords will be

$$26^1 + 26^2 + \cdots + 26^8 \approx 5 \times 10^{12}$$

• If an attacker can try one password per millisecond, it would take on the order of 150 years to test all passwords
• If the attacker speeds up to one password per microsecond, it would take about two months
• On average, the attacker only needs to try half of the whole password space
Pre-Computation Dictionary Attack (1)
• Many systems store hash values (a special kind of one-way function) of passwords, instead of passwords themselves
• Pre-computation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the word and its computed hash in a way that enables lookup on the list of computed hashes
• When a new hashed password is obtained, password recovery is instantaneous
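The two storage schemes from “Protecting Passwords” side by side, as an added example that is not part of the lecture slides: an unsalted single-round hash, which a pre-computed table of hashed dictionary words recovers with one lookup, and a salted, iterated one-way function (PBKDF2-HMAC-SHA256), whose stored value cannot be found in any table built before the salt was chosen. The five-word dictionary is constructed for the demonstration, and the record format `salt$iterations$hash` is an assumed convention, not one the slides specify.

```python
import hashlib
import hmac
import os

# Constructed toy word list standing in for an attacker's dictionary; the
# entry "abcd1234" is the example password shown on the slides.
DICTIONARY = ["password", "qwerty", "letmein", "abcd1234", "welcome1"]
ITERATIONS = 100_000  # work factor for the salted, iterated one-way function

def weak_store(password: str) -> str:
    """Unsalted, single-round one-way function: f(x) with no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def precompute_table(words) -> dict:
    """Pre-computation: hash every candidate once and index hash -> word,
    so any stored value that matches is recovered by a single lookup."""
    return {weak_store(w): w for w in words}

def lookup(table: dict, stored_value: str):
    """Instant recovery if stored_value is an unsalted hash of a listed word."""
    return table.get(stored_value)

def strong_store(password: str, salt: bytes = b"") -> str:
    """Salted, iterated one-way function (PBKDF2-HMAC-SHA256).
    Assumed record format: salt_hex$iterations$hash_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute f(salt, candidate) and compare in constant time."""
    salt_hex, iters, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def hash_part(record: str) -> str:
    """The hash field of a strong_store record (what a table would be keyed on)."""
    return record.split("$")[2]

if __name__ == "__main__":
    table = precompute_table(DICTIONARY)
    print("unsalted:", lookup(table, weak_store("abcd1234")))         # abcd1234
    rec = strong_store("abcd1234")
    print("salted in table:", lookup(table, hash_part(rec)))          # None
    print("two records equal:", rec == strong_store("abcd1234"))      # False
    print("verify:", verify("abcd1234", rec), verify("abcd1235", rec))  # True False
```

Two users who choose the same password get different stored records, so a table of hashes has to be rebuilt per salt, which is what makes pre-computation unprofitable.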
Pre-Computation Dictionary Attack (2)
Spoofing Attack: An Example
• Username/password scheme provides unilateral authentication
• How does the user know who has received this password? So far, no way!
• Spoofing attack: the attacker runs a program presenting a fake login screen on some terminal or workstation
Summary
1 Identification and identity
2 Authentication
3 Username and password scheme
4 Managing passwords
5 Protecting passwords
6 Attacks on passwords