Week 10-User Authentication

This document discusses various methods of user authentication for computer security. It covers password authentication which is widely used but has vulnerabilities like dictionary attacks. It also discusses using hashed passwords with salts to secure passwords as well as better practices like longer, random passwords. The document also examines token-based authentication using devices like smart cards and memory cards, as well as biometric authentication using unique physical traits.

Uploaded by

Tahir Bashir

COMPUTER SECURITY

USER AUTHENTICATION
CONTENT
• USER AUTHENTICATION
• MEANS OF USER AUTHENTICATION
• PASSWORD AUTHENTICATION
• PASSWORD VULNERABILITIES
• USE OF HASHED PASSWORDS – IN UNIX
• PASSWORD CRACKING TECHNIQUES
• USING BETTER PASSWORDS
• TOKEN AUTHENTICATION
• BIOMETRIC AUTHENTICATION

1. USER AUTHENTICATION

• “The process of verifying an identity claimed by or for a system entity.”
• Fundamental security building block
• Basis of most types of access control & for user accountability.
• User authentication is distinct from message authentication.
• User authentication process consists of two steps:
1. Identification: Presenting an identifier to the security system.
2. Verification: Binding the entity (person) to the identifier.
2. MEANS OF USER AUTHENTICATION
• Four general means of authenticating a user's identity are based on something the:

• Individual knows: Includes a password, a personal identification number (PIN), or answers to a prearranged set of questions.
• Individual possesses: Includes electronic keycards, smart cards, and physical keys. Also known as a token.
• Individual is (static biometrics): Includes recognition by fingerprint, retina, and face.
• Individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
• These can be used alone or combined.
• All can provide user authentication, and all have issues.
3. PASSWORD AUTHENTICATION

• Widely used user authentication method
– User provides name/login and password
– System compares the password with that saved for the specified login
• Authenticates the ID of the user logging on and
– That the user is authorized to access the system
– Determines the user’s privileges
4. PASSWORD VULNERABILITIES

[Figure: password attack strategies – offline dictionary attack, specific account attack, popular password attack, password guessing against a single user, workstation hijacking, exploiting user mistakes, exploiting multiple password use, electronic monitoring]
Following are the attack strategies:

1. Offline dictionary attack:
• A hacker gains access to the system password file.
• Compares the password hashes against hashes of commonly used passwords.

2. Specific account attack:
• Attacker targets a specific account & submits password guesses until the correct password is discovered.

3. Popular password attack / Password guessing against a single user:
• The attacker chooses a popular password and tries it.
• Attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password.

4. Workstation hijacking:
• The attacker waits until a logged-in workstation is unattended.

5. Exploiting user mistakes:
• Users are more likely to write passwords down because they are difficult to remember.

6. Exploiting multiple password use:
• Similar passwords used for many applications.

7. Electronic monitoring:
• If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping.
Countermeasures

• stop unauthorized access to the password file
• intrusion detection measures
• account lockout mechanisms
• policies against using common passwords, requiring hard-to-guess passwords instead
• training & enforcement of policies
• automatic workstation logout
• encrypted network links

5. USE OF HASHED PASSWORDS – IN UNIX
• A widely used password security technique.
• Use of hashed passwords and a salt value.
• Found on all UNIX and other operating systems.

1. Loading a new password:
• The user selects or is assigned a password.
• Password combined with a fixed-length salt value.
• Salt is a pseudorandom or random number.
• PW & salt serve as inputs to a hashing algorithm to produce a fixed-length hash code.
• Hashed password then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID.

2. Verifying a password:
• When a user attempts to log on to a system, the user provides an ID and a password.
• OS uses the ID to retrieve the plaintext salt and the encrypted (hashed) password.
• The salt and user-supplied password are used as input to the encryption (hashing) routine.
• If the result matches the stored value, the password is accepted.
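The load/verify procedure above, as an added example that is not part of the slides; it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the slides' unspecified hashing algorithm, and the function names and in-memory password file are my own.

```python
# Added example (not from the slides): salted password hashing as described
# above, using PBKDF2-HMAC-SHA256 from the standard library in place of the
# slides' unspecified "hashing algorithm". Function and field names are mine.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # slows each guess in an offline dictionary attack
SALT_LEN = 16         # 128-bit random salt per user

# Constructed in-memory "password file": user ID -> (salt, hash)
password_file = {}


def _hash(password: str, salt: bytes) -> bytes:
    """Password and salt are the inputs; the output is a fixed-length hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def load_password(user_id: str, password: str) -> None:
    """Step 1 on the slide: pick a random salt, hash, store hash + plaintext salt."""
    salt = os.urandom(SALT_LEN)
    password_file[user_id] = (salt, _hash(password, salt))


def verify_password(user_id: str, password: str) -> bool:
    """Step 2: retrieve the salt for this ID, recompute, compare."""
    entry = password_file.get(user_id)
    if entry is None:
        # Do the same work for unknown IDs so they take as long as wrong passwords.
        _hash(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = entry
    # Constant-time comparison; a plain == could leak the match length via timing.
    return hmac.compare_digest(_hash(password, salt), stored)


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password get different stored hashes thanks to the salt."""
    load_password("alice", password)
    load_password("bob", password)
    return password_file["alice"][1] != password_file["bob"][1]


if __name__ == "__main__":
    load_password("carol", "correct horse battery staple")
    print(verify_password("carol", "correct horse battery staple"))  # True
    print(verify_password("carol", "wrong"))                          # False
    print(same_password_different_hashes("hunter2"))                  # True
```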
UNIX Implementation

Original scheme:
• 8-character password forms a 56-bit key
• 12-bit salt used to modify DES encryption into a one-way hash function
• 0 value repeatedly encrypted 25 times
• output translated to an 11-character sequence
• now regarded as woefully insecure
• e.g. supercomputer, 50 million tests, 80 min
• sometimes still used for compatibility

Improved Implementations:
• have other, stronger, hash/salt variants
• many systems now use MD5
– with 48-bit salt
– password length is unlimited
– hashed with a 1000-iteration inner loop
– produces a 128-bit hash
• OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt
– uses a 128-bit salt to create a 192-bit hash value
6. PASSWORD CRACKING TECHNIQUES

Dictionary attacks
• Develop a large dictionary of possible passwords and try each against the password file
• Each password must be hashed using each salt value and then compared to stored hash values

Rainbow table attacks
• Pre-compute tables of hash values for all salts
• A mammoth table of hash values
• Can be countered by using a sufficiently large salt value and a sufficiently large hash length
7. USING BETTER PASSWORDS
• Clearly there are problems with passwords
• Goal is to eliminate guessable passwords
• At the same time, keep them easy for the user to remember
• Four basic techniques:
1. User education
2. Computer-generated passwords
3. Reactive password checking
4. Proactive password checking

1. User education:
• Users can be told the importance of using hard-to-guess passwords.
• Provide users with guidelines for selecting strong passwords.
• Can be problematic with a large user population, because many users will simply ignore the guidelines.

2. Computer-generated passwords:
• Poor acceptance by users.
• Random in nature, so users will not remember them.

3. Reactive password checking:
• System periodically runs its own password cracker to find guessable passwords.
• The system cancels any passwords that are guessed and notifies the user.
• Can be costly in resources to implement.

4. Proactive password checking:
• User selects own password, which the system then checks to see if it is allowable and, if not, rejects it.
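A proactive password checker of the kind described in technique 4, as an added example that is not part of the slides: the rules, the minimum length and the tiny stand-in dictionary are all constructed here.

```python
# Added example (not from the slides): a proactive password checker, i.e. the
# system inspects a user-chosen password at selection time and rejects it if
# it is not allowable. Rules, threshold and the tiny dictionary are constructed.
import re
import string

MIN_LENGTH = 12
# Constructed stand-in for the large dictionary a real checker would load.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "admin", "hunter"}


def _normalise(password: str) -> str:
    """Fold case and strip trailing digits/punctuation so 'Password123!' hits 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(user_id: str, password: str) -> list:
    """Return the list of rule violations; an empty list means the password is allowable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _normalise(password) in COMMON_PASSWORDS:
        problems.append("based on a common dictionary password")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 of: lower, upper, digit, punctuation")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three times in a row")
    return problems


def is_allowable(user_id: str, password: str) -> bool:
    """The accept/reject decision the system makes at password selection time."""
    return not check_password(user_id, password)


if __name__ == "__main__":
    for uid, pw in [("tahir", "Password123!"), ("tahir", "tahir-Secret-9"),
                    ("tahir", "Mauve!Lantern-42-Orbit")]:
        print(pw, "->", check_password(uid, pw) or "accepted")
```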
8. TOKEN AUTHENTICATION
• Objects that a user possesses for the purpose of user authentication are called tokens.
• Tokens come in different forms:

1. Embossed: Raised characters only, on front, e.g. old credit card.
2. Magnetic stripe: Magnetic bar on back, characters on front, e.g. bank card.
3. Memory: Has electronic memory inside, e.g. prepaid phone card.
4. Smartcard: Has electronic memory and processor inside, e.g. biometric ID card.

8.1 MEMORY CARD / MAGNETIC STRIPE
• Store but do not process data
• Magnetic stripe card, e.g. bank card
• Electronic memory card
• Used alone for physical access
• With password/PIN for computer use
• Drawbacks of memory cards include:
– Need special reader
– Loss of token issues
– User dissatisfaction

8.2 SMARTCARD / EMBOSSED
• Credit-card like
• Has own processor, memory, I/O ports
– Wired or wireless access by reader
– May have crypto co-processor
– ROM, EEPROM, RAM memory
• Executes protocol to authenticate with reader/computer
• Also have USB dongles
9. BIOMETRIC AUTHENTICATION
• Authenticate user based on one of their physical characteristics
• Biometric authentication system authenticates an individual based on unique:
– Physical characteristics like fingerprints, hand geometry, facial characteristics, and retinal and iris patterns.
– Dynamic characteristics like voiceprint and signature.

1. Facial characteristics:
Characteristics based on location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape.

2. Fingerprints:
The pattern of ridges and furrows on the surface of the fingertip.

3. Hand geometry:
Identify features of the hand, e.g. shape, lengths & widths of fingers.

4. Retinal pattern:
The pattern formed by veins beneath the retinal surface is unique.
Uses a digital image of the retinal pattern obtained by projecting a low-intensity beam of visual or infrared light into the eye.

5. Signature: Each individual has a unique style of handwriting, especially in signature.
9.1 OPERATION OF A BIOMETRIC SYSTEM

Operation of a biometric system:
• Each user must first be enrolled in the system.
• For a biometric system, the user presents a name and a password or PIN.
• System senses some biometric characteristic of this user (e.g. fingerprint of right index finger).
• The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers.
• This set of numbers is referred to as the user’s template.
• User authentication on a biometric system involves either verification or identification.
• Verification is similar to a user logging on to a system by using a memory card or smart card coupled with a password or PIN.
• In the identification process, the individual uses the biometric sensor but presents no additional information.
• The system then compares the presented template with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected.
Remote User Authentication

• authentication over a network is more complex
• problems of eavesdropping, replay
• generally use challenge-response
• user sends identity
• host responds with a random number r
• user computes f(r, h(P)) and sends it back
• host compares the value from the user with its own computed value; if they match, the user is authenticated
• protects against a number of attacks
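The challenge-response exchange above with both sides' messages, as an added example that is not part of the slides: f(r, h(P)) is instantiated here as HMAC-SHA256 keyed with h(P) over the challenge r, and the class names, the pending-challenge table and the sample password are my own assumptions.

```python
# Added example (not from the slides): the challenge-response exchange above,
# with f(r, h(P)) instantiated as HMAC-SHA256 keyed with h(P) over the random
# challenge r. Class names, the pending-challenge table and passwords are constructed.
import hashlib
import hmac
import os


def h(password: str) -> bytes:
    """h(P): the host stores only this, never P itself."""
    return hashlib.sha256(password.encode()).digest()


def f(r: bytes, hp: bytes) -> bytes:
    """f(r, h(P)): a response that depends on the fresh challenge r."""
    return hmac.new(hp, r, hashlib.sha256).digest()


class Host:
    def __init__(self, users: dict):
        self._users = users      # identity -> h(P), constructed
        self._pending = {}       # identity -> outstanding challenge r

    def challenge(self, identity: str) -> bytes:
        r = os.urandom(16)       # host responds with a random number
        self._pending[identity] = r
        return r

    def verify(self, identity: str, response: bytes) -> bool:
        r = self._pending.pop(identity, None)   # each challenge is single-use
        hp = self._users.get(identity)
        if r is None or hp is None:
            return False                        # no challenge issued / unknown user
        return hmac.compare_digest(f(r, hp), response)


class User:
    def __init__(self, identity: str, password: str):
        self.identity, self._hp = identity, h(password)

    def respond(self, r: bytes) -> bytes:
        return f(r, self._hp)


def run_login(host: Host, user: User) -> bool:
    r = host.challenge(user.identity)                    # identity sent, r returned
    return host.verify(user.identity, user.respond(r))   # response sent, compared


def replay_is_rejected(host: Host, user: User) -> bool:
    """An eavesdropper who captured a (r, response) pair cannot reuse it."""
    r = host.challenge(user.identity)
    captured = user.respond(r)
    first = host.verify(user.identity, captured)         # genuine login succeeds
    host.challenge(user.identity)                        # attacker's session gets a fresh r
    return first and not host.verify(user.identity, captured)
```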
Authentication Security Issues

• client attacks
• host attacks
• eavesdropping
• replay
• trojan horse
• denial-of-service
Practical Application

Summary

• introduced user authentication
• using passwords
• using tokens
• using biometrics
• remote user authentication issues
• example application and case study

Slides are from Computer Security: Principles and Practice, Chapter 3 – User Authentication, by William Stallings and Lawrie Brown