AUTHENTICATION CS 483 – SD Section By Dr. Daniyal Alghazzawi (7)
Introduction
• There are two primary parts to access control:
  • Authentication
  • Authorization
• Authentication deals with the problem of determining whether a user (or other entity) should be allowed access to a particular system or resource.
Authentication Methods
• A human can be authenticated to a machine based on any combination of the following:
  • Something you know, e.g. a password
  • Something you are, e.g. a fingerprint
  • Something you have, e.g. an ATM card
1. Something You Know - Passwords
• A password is:
  • something that you know
  • something that the computer can verify that you know
  • something nobody else can guess, even with access to unlimited computing resources
• One important fact regarding passwords is that many things act as passwords.
  • E.g. the PIN for an ATM card
• One solution to the password problem would be to use randomly generated cryptographic keys in place of passwords. How?
Keys Versus Passwords
• If a password is 8 characters long (8 bytes) with 256 possible choices for each character, there are 256^8 possible passwords.
  • E.g. password
• A 64-bit (8-byte) cryptographic key gives 2^64 possible keys. (Trudy must try 2^63 keys before she expects to find the correct one.)
  • E.g. Kf&Yw!a[
• Although 2^64 = 256^8 (8 bytes), and this appears to be equivalent, users don't select passwords at random, because users must remember their passwords.
Choosing Passwords
• Some passwords are better than others. For example, the following passwords are weak:
  • Frank (your name)
  • 10251960 (your birthday)
• Users should have passwords that are difficult to guess:
  • jFiEk(43j-EmmL+y
  • BedL1ON
Attacking Systems via Passwords
• A common attack path for Trudy would be: outsider → normal user → administrator
• One weak password on a system (or one weak password on an entire network) could be enough for the first stage of the attack to succeed.
Password Verification
• Problem:
  • Storing "raw" passwords is not secure.
• Solution:
  • Storing hashed passwords is more secure.
Password Verification
• Problem:
  • Suppose Trudy has a "dictionary" containing N passwords: d_0, d_1, d_2, …, d_(N-1). She could pre-compute the hash of each password: y_0 = h(d_0), y_1 = h(d_1), y_2 = h(d_2), …, y_(N-1) = h(d_(N-1)).
  • Trudy recovers the password p if h(p) equals one of the pre-computed hashes y_x.
• Solution:
  • generate a random salt value s (note: s is not secret)
  • compute y = h(p, s)
  • store the pair (s, y) in the password file
  • To verify an entered password z, check that h(z, s) = y.
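The salted scheme above, as an added example that is not from the slides: SHA-256 stands in for the generic h, the dictionary words and Alice's password are constructed sample data, and the `enroll`/`verify`/`precompute_dictionary` names are my own. It shows that Trudy's precomputed table finds an unsalted hash but not the salted one, while verification still works.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Toy model of the slide's scheme: h is SHA-256 here (the slide's h is any
# cryptographic hash). A production system would use a deliberately slow
# password hash such as PBKDF2 or bcrypt on top of the salt.
def h(password: str, salt: bytes = b"") -> str:
    """h(p, s): hash of salt || password, hex-encoded; no salt means h(p)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def enroll(password: str, salt_len: int = 16) -> Tuple[bytes, str]:
    """Build the (s, y) pair stored in the password file; s is random, not secret."""
    salt = os.urandom(salt_len)
    return salt, h(password, salt)

def verify(candidate: str, salt: bytes, stored: str) -> bool:
    """Accept z iff h(z, s) == y, using a constant-time comparison."""
    return hmac.compare_digest(h(candidate, salt), stored)

def precompute_dictionary(words: List[str]) -> Dict[str, str]:
    """Trudy's table: y_i = h(d_i) for every dictionary word, computed once."""
    return {h(d): d for d in words}

def lookup(table: Dict[str, str], y: str) -> Optional[str]:
    """Return the dictionary word whose precomputed hash equals y, if any."""
    return table.get(y)

# Constructed sample dictionary (hypothetical, not from the slides).
DICTIONARY = ["password", "letmein", "10251960", "Frank", "BedL1ON"]
TABLE = precompute_dictionary(DICTIONARY)

def demo() -> Tuple[Optional[str], Optional[str], bool, bool]:
    """Alice's password is in Trudy's dictionary: the unsalted hash is found
    in the precomputed table, the salted one is not, and verification works."""
    alice_pw = "letmein"
    unsalted_hit = lookup(TABLE, h(alice_pw))   # found: "letmein"
    salt, y = enroll(alice_pw)
    salted_hit = lookup(TABLE, y)               # not found: None
    return (unsalted_hit, salted_hit,
            verify("letmein", salt, y), verify("letmeIn", salt, y))
```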
Math of Password Cracking
• Suppose that:
  • all passwords are eight characters in length
  • there are 256 choices for each character
• resulting in 256^8 = 2^56 possible passwords (the base is the number of possible choices in each cell, the exponent is the number of cells). Note that 256^8 is actually 2^64, as on the Keys Versus Passwords slide; the cases below use a space of 2^56 passwords, which corresponds to 128 (7-bit) choices per character.
Math of Password Cracking
• Case I: Trudy decides that she wants to find Alice's password. (Assuming that Alice's password consists of 8 bytes.) This is precisely equivalent to an exhaustive key search, and the expected work is 2^56 / 2 = 2^55.
Math of Password Cracking
• Case II: Trudy again wants to recover Alice's password, but she is going to use her dictionary of common passwords. (Assuming that any given password will appear in the dictionary with a probability of about 1/4, and Trudy has a dictionary of 2^20 common passwords.) The expected work is: 1/4 (2^19) + 3/4 (2^55) ≈ 2^54.6
Math of Password Cracking
• Case III: Trudy will be satisfied to find any one of the 1024 passwords in the hashed password file without using any dictionary. (Assuming that the password file contains 2^10 = 1024 hashed passwords, and all of them are distinct.) The expected work is: 2^55 / 2^10 = 2^45
Math of Password Cracking
• Case IV: Trudy wants to find any one of the 1024 passwords in the hashed password file, and she will make use of her dictionary. The expected work is:
  • Not salted passwords: 2^19 / 2^10 = 2^9
  • Salted passwords: 1/4 (2^19) + 3/4 · 1/4 (2^20 + 2^19) + (3/4)^2 · 1/4 (2 · 2^20 + 2^19) + … + (3/4)^1023 · 1/4 (1023 · 2^20 + 2^19) < 2^22
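The four cases worked through in code, as an added example that is not part of the slides: the parameters are the slides' own (a 2^56 password space, a 2^20-word dictionary, a 1/4 hit probability, 1024 users), and the function names are mine. The salted Case IV evaluates the slides' full 1024-term sum rather than the bound, so the reader can see how far below 2^22 it lands.

```python
import math

# Parameters as stated on the slides. The case arithmetic uses a 2^56 space
# (the slides write it as 256^8, which is really 2^64; 2^56 matches 7 bits
# per character and every expected-work figure given for the cases).
SPACE = 2 ** 56   # possible passwords
N = 2 ** 20       # dictionary size
Q = 0.25          # probability a password is in the dictionary
M = 2 ** 10       # hashed passwords in the file (all distinct)

def log2(x: float) -> float:
    """Work expressed as a power of two, as on the slides."""
    return math.log2(x)

def case_i_exhaustive() -> float:
    """Case I: one target, no dictionary; expected work is half the space."""
    return SPACE / 2

def case_ii_dictionary_one_target() -> float:
    """Case II: with probability Q the password is in the dictionary (expect
    N/2 hashes); otherwise Trudy falls back to exhaustive search (SPACE/2)."""
    return Q * (N / 2) + (1 - Q) * (SPACE / 2)

def case_iii_any_of_m_no_dictionary() -> float:
    """Case III: unsalted file of M distinct hashes; every computed hash is
    compared against all M entries at once, so the work is divided by M."""
    return (SPACE / 2) / M

def case_iv_any_of_m_unsalted() -> float:
    """Case IV, unsalted: one hashed dictionary serves all M users."""
    return (N / 2) / M

def case_iv_any_of_m_salted() -> float:
    """Case IV, salted: each user's salt forces the dictionary to be re-hashed,
    so Trudy tries users in turn. User k is reached with probability (1-Q)^k
    and, on a hit, costs k full dictionaries plus the expected N/2 hashes.
    This is the slides' sum carried out over all M users."""
    return sum(((1 - Q) ** k) * Q * (k * N + N / 2) for k in range(M))
```

The salted sum converges to about 3.5 · 2^20 ≈ 2^21.8, which is why the slides bound it by 2^22.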
Other Password Issues/Problems
• Remembering different passwords is difficult.
• "Social engineering" is when someone claims to be a system administrator and asks for your password.
• Password cracking tools, such as:
  • L0phtCrack (for Windows), now called LC5: used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks.
  • John the Ripper (for Unix): runs against various encrypted password formats including DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes.
2. Something You Are - Biometrics
• Biometrics are the "something you are" method of authentication or, in Schneier's immortal words, "you are your key".
• There are many different types of biometrics, such as fingerprints and handwritten signatures.
Biometrics
• A biometric should be:
  • Universal: the ideal biometric should apply to virtually everyone.
  • Distinguishing: the ideal biometric should distinguish with virtual certainty.
  • Permanent: the physical characteristic being measured should never change.
  • Collectable: the physical characteristic should be easy to collect without any potential to cause harm to the subject.
  • Reliable, robust, and user-friendly.
Biometrics Usage
• Identification:
  • Identify the subject from a list of many possible subjects.
  • E.g., a suspicious fingerprint from a crime scene is sent to the FBI fingerprint database for comparison with all records on file. In this case, the comparison is one to many.
• Authentication:
  • The comparison is one to one.
  • E.g., if someone claiming to be Alice uses a thumbprint mouse biometric, the captured thumbprint image is only compared with the stored thumbprint of Alice.
Phases of a Biometric System
• The Enrollment Phase: subjects have their biometric information entered into a database.
• The Recognition Phase: biometric information is captured from the subject and compared with the enrolled data (one to many for identification, one to one for authentication).
Biometric Examples
• Fingerprints
• Hand Geometry
• Iris Scan
Biometric Error Rates
• For fielded fingerprint biometric systems, the equal error rate is typically about 5%.
• Hand geometry has an equal error rate of about 10^-3.
3. Something You Have
• For example:
  • a network MAC address
  • an ATM card
  • a password generator
• The process of a password generator is shown below:
Two-Factor Authentication
• Two or three methods can work together for authentication.
• For example, the password generator scheme requires both:
  1. "something you have" (the password generator), and
  2. "something you know" (the PIN).
• Requiring two out of the three methods of authentication is known as two-factor authentication.