1 / 23

AUTHENTICATION

AUTHENTICATION . CS 483 – SD Section By Dr. Daniyal Alghazzawi (7). Introduction. There are two primary parts to access control: Authentication Authorization

feleti
Download Presentation

AUTHENTICATION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AUTHENTICATION CS 483 – SD Section By Dr. Daniyal Alghazzawi (7)

  2. Introduction • There are two primary parts to access control: • Authentication • Authorization • Authentication deals with the problem of determining whether a user (or other entity) should be allowed access to a particular system or resource.

  3. Authentication Methods • The human can be authenticated to a machine based on any combination of the following: • Something you knowe.g. Password • Something you aree.g. Fingerprint • Something you havee.g. ATM card

  4. 1. Something You Know - Passwords • Password is: • something that you know • something that computer can verify that you know • something nobody else can guess-even access to unlimited computing resources. • One important fact regarding passwords is that many things act as password. • E.g. the PIN number for an ATM card • One solution to the password problem would be use randomly generated cryptographic keys in place of passwords. How?

  5. Keys Versus Passwords • If a password is 8 characters long (8 bytes) with 256 possible choices for each character  2568 possible passwords. • E.g. password • If a key with 64-bit (8 bytes) cryptographic key  264 possible keys. (Trudy must try 263 keys before she expects to find the correct one) • E.g. Kf&Yw!a[ • Although 264 = 2568 (8 bytes), and this appears to be equivalent, users don’t select passwords at random because users must remember their passwords.

  6. Choosing Passwords • Some passwords better than others. For example the following passwords are weak: • Frank (your name) • 10251960 (your birthday) • Users should have passwords that are difficult to guess: • jFiEk(43j-EmmL+y • BedL1ON

  7. Attacking Systems via Passwords • A common attack path for Trudy would be: outsider normal user administrator • One weak password on a system –or one week password on an entire network- could be enough for the first stage of the attack to succeed.

  8. Password Verification • Problem: • Storing “raw” passwords is not secure • Solution: • Storing hashed passwords is more secure.

  9. Password Verification • Problem: • Suppose Trudy has a “dictionary” containing N passwords:d0, d1, d2, …, dN-1 she could pre-compute the hash of each password: y0=h(d0), y1=h(d1), y2=h(d2), …, yN-1=h(dN-1) • Trudy can guess the password p if she found h(p) is similar to one of the pre-compute hash yx • Soulution: • generate a random salt value s (Note: the s is not secret) • compute y = h(p,s) • store the pair (s,y) in the password file. • To verify an entered password z, compute h(z,s) = y

  10. Math of Password Cracking • Supposed that: • All passwords are eight characters in length • there are 256 choices for each character • resulting in • 2568 = 256 possible passwords 256 56 2 Number of possible choices in each cell (byte/bit/…) Number of cells (byte/bit/…)

  11. Math of Password Cracking • Case I:Trudy decides that she wants to find Alice’s password.(Assuming that Alice’s password contains of 8 bytes) This is precisely equivalent to an exhaustive key search and the expected work is 256/2=255

  12. Math of Password Cracking Case II:Trudy again wants to recover Alice’s password, but she is going to use her dictionary of common passwords. (Assuming that any given password will appear in the dictionary with a probability of about ¼, and Trudy has a dictionary of 220 common passowords) The expected work is: ¼(219)+¾(255)≈254.6

  13. Math of Password Cracking Case III:Trudy will be satisfied to find any one of the 1024 passwords in the hashed password file without using any dictionary(Assuming that the password file contains 210 = 1024 hashed passwords, and all of them are distinct)The expected work is: 255/210 = 245

  14. Math of Password Cracking • Case IV:Trudy wants to find anyone of the 1024 passwords in the hashed password file, and she will make use of her dictionary. The expected work is: • Not salted password: 219 / 210 = 29 • Salted password: ¼(219)+ ¾.¼(220+219)+(¾)2 ¼(2.220+219)+ … +(¾)1023 ¼(1023.220+ 219) < 222

  15. Other Password Issues/Problems • Remembering different passwords is difficult • “Social engineering” is when someone claiming to be a system administrator and needs your password • Password cracking tools, such as: • L0phtCrack (for Windows) - now called LC5:used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. • John the Ripper (for Unix)runagainst various encrypted password formats including DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hash

  16. 2. Something You Have - Biometrics • Biometrics are the “something you are” method of authentication or, in Schneider's immortal words, “you are your key” • There are many different types of biometrics as fingerprints and handwritten signatures.

  17. Biometrics • A biometric should be • Universal:The ideal biometric should apply to virtually everyone. • Distinguishing:The ideal biometric should distinguish with virtual certainty. • Permanent: The physical characteristic being measured should never change. • Collectable: The physical characteristic should be easy to collect without any potential to cause harm to the subject. • Reliable, robust, and user-friendly

  18. Biometrics Usage • Identification: • Identify the subject from a list of many possible subjects. • E.g., a suspicious fingerprint from a crime scene is sent to the FBI fingerprint database for comparison with all records on file. In this case, the comparison is one to many. • Authentication: • The comparison is one to one • E.g., if someone claiming to be Alice uses a thumbprint mouse biometric, the captured thumbprint image is only compared with the stored thumbprint of Alice.

  19. Phases of Biometric System The Enrollment Phase: subjects have their biometric information entered into a database. The Recognition Phase: subjects have their biometric information entered into a database.

  20. Biometric Examples Fingerprints Hand Geometry Iris Scan

  21. Biometric Error Rates • For fielded fingerprint biometric systems, the equal error rate is typically about 5% • hand geometry has an equal error rate of about 10−3

  22. 3. Something You Have • For example, • a network MAC address • an ATM card • a password generator • The process of a password generator is shown below:

  23. Two-Factor Authentication • Two or three methods can work together for authentication • For example: the password generator scheme requires both:1. “something you have” (the password generator), and 2. “something you know” (the PIN). • Requiring two out of the three methods of authentication is known as two-factor authentication.

More Related