Authentication
Definitions • Identification - a claim about identity • Who or what I am (global or local) • Authentication - confirming that claims are true • I am who I say I am • I have a valid credential • Authorization - granting permission based on a valid claim • Now that I have been validated, I am allowed to access certain resources or take certain actions • Access control system - a system that authenticates users and gives them access to resources based on their authorizations • Includes or relies upon an authentication mechanism • May include the ability to grant coarse- or fine-grained authorizations, and to revoke or delegate authorizations Slides modified from Lorrie Cranor, CMU
Building blocks of authentication • Factors • Something you know (or recognize) • Something you have • Something you are • Mechanisms • Text-based passwords • Graphical passwords • Hardware tokens • Public key crypto protocols • Biometrics
Two factor systems • Two factors are better than one • Especially two factors from different categories Question: What are some examples of two-factor authentication?
Evaluation • Accessibility • Memorability • Depth of processing, retrieval, meaningfulness • Security • Predictability, abundance, disclosure, crackability, confidentiality • Cost • Environmental considerations • Range of users, frequency of use, type of access, etc.
Typical password advice • Pick a hard to guess password • Don’t use it anywhere else • Change it often • Don’t write it down • Do you? Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1
Problems with Passwords • Selection • Difficult to think of a good password • Passwords people think of first are easy to guess • Memorability • Easy to forget passwords that aren’t frequently used • Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters • Reuse • Too many passwords to remember • A previously used password is memorable • Sharing • Often unintentional through reuse • Systems aren’t designed to support the way people work together and share information
How Long does it take to Crack a Password? • Brute force attack • Assuming 100,000 encryption operations per second • FIPS Password Usage • 3.3.1 Passwords shall have maximum lifetime of 1 year

| Password Length | 26 Characters (single case letters) | 36 Characters (lower case letters and digits) | 52 Characters (mixed case letters) | 68 Characters (mixed case letters with digits, symbols and punctuation) | 94 Characters (all displayable ASCII characters, including mixed case letters) |
|---|---|---|---|---|---|
| 3 | 0.18 seconds | 0.47 seconds | 1.41 seconds | 3.14 seconds | 8.3 seconds |
| 4 | 4.57 seconds | 16.8 seconds | 1.22 minutes | 3.56 minutes | 13.0 minutes |
| 5 | 1.98 minutes | 10.1 minutes | 1.06 hours | 4.04 hours | 20.4 hours |
| 6 | 51.5 minutes | 6.05 hours | 13.7 days | 2.26 months | 2.63 months |
| 7 | 22.3 hours | 9.07 days | 3.91 months | 2.13 years | 20.6 years |
| 8 | 24.2 days | 10.7 months | 17.0 years | 1.45 centuries | 1.93 millennia |
| 9 | 1.72 years | 32.2 years | 8.82 centuries | 9.86 millennia | 182 millennia |
| 10 | 44.8 years | 1.16 millennia | 45.8 millennia | 670 millennia | 17,079 millennia |
| 11 | 11.6 centuries | 41.7 millennia | 2,384 millennia | 45,582 millennia | 1,605,461 millennia |
| 12 | 30.3 millennia | 1,503 millennia | 123,946 millennia | 3,099,562 millennia | 150,913,342 millennia |

Source: http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
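The table above is just alphabet_size ** length divided by the guessing rate, then rounded into a readable unit. The Python below is an added example (not from the slides or from the geodsoft page) that recomputes the table from the slide's 100,000 guesses-per-second assumption and applies the same arithmetic to the slide's sample passwords (b3aYZ, aa66x!, p$2$ta1). Assumptions: a 365-day year for the unit conversions, and an attacker alphabet equal to the union of the character classes actually present in the password (26 lower, 26 upper, 10 digits, 32 other printable ASCII), which is the charitable-to-the-attacker reading a checker should use.

```python
import string

# Added example, not from the slides. Alphabet sizes are the table's columns;
# 100,000 guesses per second is the slide's stated assumption.
GUESSES_PER_SECOND = 100_000

TABLE_COLUMNS = {
    "single case letters": 26,
    "lower case letters and digits": 36,
    "mixed case letters": 52,
    "mixed case letters with digits, symbols and punctuation": 68,
    "all displayable ASCII characters": 94,
}

# Seconds per unit, ascending. A 365-day year is an assumption that matches
# the table's rounding for the entries checked below.
UNITS = [
    ("seconds", 1),
    ("minutes", 60),
    ("hours", 3_600),
    ("days", 86_400),
    ("months", 86_400 * 365 / 12),
    ("years", 86_400 * 365),
    ("centuries", 86_400 * 365 * 100),
    ("millennia", 86_400 * 365 * 1_000),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    name, size = UNITS[0]
    for unit_name, unit_size in UNITS:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    value = seconds / size
    text = f"{value:,.0f}" if value >= 1000 else f"{value:.3g}"
    return f"{text} {name}"


def alphabet_size(password: str) -> int:
    """Smallest class-union alphabet that covers every character used.

    Each class present adds its size: 26 lower, 26 upper, 10 digits, and 32
    for anything else (the remaining printable ASCII). 26+26+10+32 = 94.
    """
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_other = any(c not in string.ascii_letters + string.digits for c in password)
    return 26 * has_lower + 26 * has_upper + 10 * has_digit + 32 * has_other


def crack_time(password: str, rate: int = GUESSES_PER_SECOND) -> str:
    """Worst-case exhaustive-search time for one password, as text."""
    return humanize(seconds_to_exhaust(alphabet_size(password), len(password), rate))


def slide_table(lengths=range(3, 13)) -> dict:
    """Recompute the slide's table as {length: {column: time string}}."""
    return {n: {col: humanize(seconds_to_exhaust(size, n))
                for col, size in TABLE_COLUMNS.items()} for n in lengths}


if __name__ == "__main__":
    for n, row in slide_table().items():
        print(n, " | ".join(row.values()))
    for pw in ("b3aYZ", "aa66x!", "p$2$ta1"):   # the slide's sample passwords
        print(pw, alphabet_size(pw), crack_time(pw))
```

Two things worth noticing when running it: the table's columns are only a coarse proxy, since b3aYZ lands on a 62-character alphabet that has no column of its own, and the whole calculation assumes the attacker must enumerate blindly, which is exactly what a dictionary of likely choices lets an attacker avoid.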
The Password Quiz • What is your score? • Do you agree with each piece of advice? • What is the most common problem in the class? • Any bad habits not addressed?
Check your password https://www.google.com/accounts/EditPasswd http://www.securitystats.com/tools/password.php Question: Why don’t all sites do this?
Text-based passwords • Random (system or user assigned) • Mnemonic • Challenge questions (semantic) • Anyone ever had a system assigned random password? Your experience?
Mnemonic Passwords • Phrase: Four score and seven years ago, our Fathers • First letter of each word (with punctuation): Fsasya,oF • Substitute numbers for words or similar-looking letters: 4sasya,oF, 4sa7ya,oF • Substitute symbols for words or similar-looking letters: 4s&7ya,oF Source: Cynthia Kuo, SOUPS 2006
The Promise? • Phrases help users incorporate different character classes in passwords • Easier to think of character-for-word substitutions • Virtually infinite number of phrases • Dictionaries do not contain mnemonics Source: Cynthia Kuo, SOUPS 2006
Memorability of Password Study • Goal • examine effects of advice on password selection in real world • Method: experiment • independent variables? • Advice given • Dependent variables? • Attacks, length, requests, memorability survey
Study, cont. • Conditions • Comparison • Control • Random password • Passphrase (mnemonic) • Students randomly assigned • Attacks performed one month later • Survey four months later
Results • All conditions produced longer passwords than the comparison group • Random & passphrase conditions had significantly fewer successful attacks • Requests for the password were the same • Random group kept a written copy of the password for much longer than the others • Non-compliance rate of 10% What are the implications? What are the strengths of the study? Weaknesses?
Mnemonic password evaluation • Mnemonic passwords are not a panacea, but are an interesting option • No comprehensive dictionary today • May become more vulnerable in future • Users choose music lyrics, movies, literature, and television • Attackers incentivized to build dictionaries • Publicly available phrases should be avoided! C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA. Source: Cynthia Kuo, SOUPS 2006
Password keeper software • Run on PC or handheld • Only remember one password • How many use one of these? • Advantages? • Disadvantages?
“Forgotten password” mechanism • Email password or magic URL to address on file • Challenge questions • Why not make this the normal way to access infrequently used sites?
Challenge Questions • Question and answer pairs • Issues: • Privacy: asking for personal info • Security: how difficult are they to guess and observe? • Usability: answerable? how memorable? How repeatable? What challenge questions have you seen? Purpose?
Challenge questions • How likely to be guessed? • How concerned should we be about • Shoulder surfing? • Time to enter answers? • A knowledgeable other person? • Privacy?
Graphical Passwords • We are much better at remembering pictures than text • User enters password by clicking on the screen • Choosing correct set of images • Choosing regions in a particular image • Potentially more difficult to attack (no dictionaries) • Anyone ever used one?
Schemes • Choose a series of images • Random[1] • Passfaces[2] • Visual passwords (for mobile devices)[3] • Provide your own images • R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of 9th USENIX Security Symposium, 2000. • http://www.realuser.com/ • W. Jansen, et al, "Picture Password: A Visual Login Technique for Mobile Devices," National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.
Schemes • Click on regions of image • Blonder’s original idea: click on predefined regions [1] • Passlogix – click on items in order [2] • Passpoints – click on any point in order [3] • G. E. Blonder, "Graphical passwords," in Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent, Ed. United States, 1996. • http://www.passlogix.com/ • S. Wiedenbeck, et al. "Authentication using graphical passwords: Basic results," in Human-Computer Interaction International (HCII 2005). Las Vegas, NV, 2005.
Schemes • Freeform • Draw-a-Secret (DAS) I. Jermyn, et al. "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999. • Signature drawing
Theoretical Comparisons • Advantages: • As memorable as text, or more so • As large a password space as text passwords • An attack needs to generate mouse output • Less vulnerable to dictionary attacks • More difficult to share • Disadvantages: • Time consuming • More storage and communication requirements • Shoulder surfing is an issue • Potential interference if it becomes widespread • See a nice discussion in: Suo and Zhu. “Graphical Passwords: A Survey,” in the Proceedings of the 21st Annual Computer Security Applications Conference, December 2005.
How do they really compare? • Many studies of various schemes… • Faces vs. Story • Method: experiment • independent – participant race and sex, faces or story • Dependent – types of items chosen, likelihood of attack • Real passwords – used to access grades, etc. • Also gathered survey responses • Results: • we are highly predictable, particularly for faces • Attacker could have succeeded with 1 or 2 guesses for 10% of males! • Implications?
Other examples • Passpoints predictable too! • Can predict or discover hot spots to launch attacks. Julie Thorpe and P.C. van Oorschot. Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords, in Proceedings of 16th USENIX Security Symposium, 2007.
Other uses of images • CAPTCHA – differentiate between humans and computers • Use computer generated image to guarantee interaction coming from a human • An AI-hard problem Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford. “CAPTCHA: Using Hard AI Problems for Security,” In Advances in Cryptology, Eurocrypt 2003.
More food for thought • How concerned should we be about the weakest link/worse case user? • Do we need 100% compliance for good passwords? How do we achieve? • What do you think of “bugmenot” • Is it possible to have authorization without identification?
Project Groups • 3 groups of 4, 1 group of 3 • Form your group by the END of class next week • Preliminary user study of privacy or security application, mechanism, or concerns • Deliverables: • Idea • Initial plan 5 points • Plan 20 points • Report 20 points • Presentation 5 points
Project Ideas • Start with a question or problem… • Why don’t more people encrypt their emails? • How well does product X work for task Y? • What personal information do people expect to be protected? • Flip through chapters in the book & papers • Follow up on existing study • Examine your own product/research/idea • Examine something you currently find frustrating, interesting, etc.
A Look Ahead • Next week: User studies • pay attention to the method of study in your readings • ALSO: observation assignment • Two weeks – rest of authentication • ALSO: project ideas due
Next week’s assignment • Observe people using technology • Public place, observe long enough for multiple users • Take notes on what you see • Think about privacy and security, but observe and note everything • Write up a few paragraphs describing your observations • Don’t forget IRB certification