User Authentication i

The document discusses the three key aspects of information security: authentication, access control, and auditing. It emphasizes the importance of user authentication methods, the threats to passwords, and mechanisms to strengthen password security. Additionally, it covers spoofing attacks, keylogging threats, and strategies for using passwords securely over insecure channels.

Uploaded by Sameer Javed

Presented by Engr. Farooq Iqba

Three A's of Information Security

• Security is about differentiating among authorized accesses and unauthorized accesses
– Confidentiality, Integrity, Availability all require this
• Authentication
– Figures out who is accessing
• Access control
– Ensures only authorized accesses are allowed
• Auditing
– Records what is happening, to identify attacks later and recover
Authentication & Access Control (according to Wikipedia)

• Authentication is the act of establishing or confirming something (or someone) as authentic,
– that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.
• Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.
User Authentication

• Using a method to validate users who attempt to access a computer system or resources, to ensure they are authorized
• Types of user authentication
– Something you know
• E.g., user account names and passwords
– Something you have
• Smart cards or other security tokens
– Something you are
• Biometrics
Variants of Passwords

• Password
• Passcode
• Personal identification number (PIN)

Scenarios Requiring User Authentication

• Scenarios
– Logging into a local computer
– Logging into a computer remotely
– Logging into a network
– Accessing web sites
• Vulnerabilities can exist at client side, server side, or communications channel.

[Figure: Client sends Password to Server]
Threats to Passwords

• Eavesdropping (insecure channel between client and server)
• Login spoofing (human errors), shoulder surfing
• Social engineering (human errors)
– e.g., pretexting: creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action; usually done over the telephone
• Online guessing (weak passwords)
Guessing Attacks: Two Factors for Password Strength

• The average number of guesses the attacker must make to find the correct password
– determined by how unpredictable the password is, including how long the password is, what set of symbols it is drawn from, and how it is created.
• The ease with which an attacker can check the validity of a guessed password
– determined by how the password is stored, how the checking is done, and any limitation on trying passwords
Example of Weak Passwords (from Wikipedia)

• Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc.
• Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc.
• Words with numbers appended: password1, deer2000, john1234, etc.
• Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc.
• Doubled words: crabcrab, stopstop, treetree, passpass, etc., can be easily tested automatically.
Example of Weak Passwords (from Wikipedia), continued

• Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc.
• Numeric sequences based on well-known numbers such as 911, 314159, or 27182, etc.
• Identifiers: jsmith123, 1/1/1970, 555–1234, "your username", etc.
• Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative's or pet's names/nicknames/birthdays, etc.
– can easily be tested automatically after a simple investigation of the person's details.
Mechanisms to Avoid Weak Passwords

• Allow long passphrases
• Randomly generate passwords where appropriate
– Though probably inappropriate for most scenarios
• Check the quality of user-selected passwords
– use a number of rules of thumb
– run dictionary attack tools
• Give users suggestions/guidelines in choosing passwords
– e.g., think of a sentence and select letters from it, “It’s 12 noon and I am hungry” => “I’S12&IAH”
– Use letters, numbers, and special characters
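As an added example (not from the slides), a quality check that applies the rules of thumb above together with the weak-password categories from the two preceding slides: vendor defaults, dictionary words (a tiny constructed word list stands in for a real dictionary file), words with digits appended, simple l33t obfuscation, doubled words, and keyboard-row sequences.

```python
import re

# Constructed sample lists; a real deployment would load vendor defaults and a full dictionary file.
DEFAULTS = {"password", "default", "admin", "guest"}
DICTIONARY = {"chameleon", "redsox", "sandbags", "deer", "john", "goldfish", "crab", "stop", "tree"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans("@0134$", "aoleas")   # undo simple obfuscation: p@ssw0rd -> password

def normalize(pw: str) -> str:
    """Lower-case, drop digits/punctuation appended at the end, undo l33t substitutions."""
    core = re.sub(r"[\d!?.]+$", "", pw.lower())
    return core.translate(LEET)

def weaknesses(pw: str) -> list[str]:
    """Return the weak-password categories the candidate falls into (empty list = passes)."""
    found = []
    lower, core = pw.lower(), normalize(pw)
    if lower in DEFAULTS or core in DEFAULTS:
        found.append("default password")
    if lower in DICTIONARY or core in DICTIONARY:
        found.append("dictionary word (possibly with digits appended or simple obfuscation)")
    half = len(lower) // 2
    if len(lower) >= 4 and lower[:half] == lower[half:]:        # crabcrab, stopstop
        found.append("doubled word")
    if len(lower) >= 4 and any(lower in row or lower in row[::-1] for row in KEYBOARD_ROWS):
        found.append("keyboard sequence")                          # qwerty, 12345, asdfgh
    if len(pw) < 12:
        found.append("shorter than 12 characters (prefer a long passphrase)")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        found.append("fewer than three character classes")
    return found
```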
Mechanisms to Defend Against Dictionary and Guessing Attacks

• Protect stored passwords (use both cryptography & access control)
• Disable accounts with multiple failed attempts
• Require extra authentication mechanism (e.g., phone, other email account, etc.)
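The first two defenses combined, as an added example that is not part of the slides: passwords are stored only as a salted, slow PBKDF2 hash (so stolen records are expensive to guess against), verification uses a constant-time comparison, and the account is disabled for a period after repeated failures. The iteration count and lockout parameters are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor: makes each offline guess costly
MAX_FAILURES = 5              # disable the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60     # how long the account stays disabled (constructed value)

def make_record(password: str) -> dict:
    """Store a per-user random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

def verify(record: dict, attempt: str, now: Optional[float] = None) -> bool:
    """Check an attempt against the stored record, enforcing the failed-attempt lockout."""
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return False                              # account disabled: reject without checking
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, record["hash"]):   # constant-time comparison
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
    return False
```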
Spoofing & Defenses on the Web

• Phishing attacks
– attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in electronic communication.
• Website forgery
– Set up fake websites that look like e-commerce sites and trick users into visiting the sites and entering sensitive info
• Defense methods
– Browser filtering of known phishing sites
– Cryptographic authentication of servers (will talk about in future)
– User-configured authentication of servers
• Ensures that the site is the one the human user has in mind
• E.g., site key, pre-selected picture/phrases
Keylogging

• Threats from insecure client side
• Keystroke logging (keylogging) is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
• Software-based
– key-stroke events, grab web forms, analyze HTTP packets
• Hardware-based
– Connector, wireless sniffers, acoustic based
• Defenses:
– Anti-spyware, network monitors, on-screen soft keyboard, automatic form filler, etc.
• In general difficult to deal with once on the system
Using Passwords Over Insecure Channels

• One-time passwords
– Each password is used only once
– Defend against passive adversaries who eavesdrop and later attempt to impersonate
• Challenge response
– Send a response related to both the password and a challenge
• Zero knowledge proof of knowledge
– Prove knowledge of a secret value, without leaking any info about the secret
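The challenge-response exchange described above, as an added example that is not part of the slides: both sides derive a key from the shared password, the server sends a fresh random challenge, and the client answers with an HMAC over it, so the password never crosses the channel and an eavesdropped response is useless against the next challenge. The key-derivation parameters are assumptions.

```python
import hashlib
import hmac
import os

SALT = b"constructed-salt"    # constructed; a deployment would use a per-user stored salt

def derive_key(password: str) -> bytes:
    """Both parties derive the same key from the password; only the key is used on the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

class Server:
    def __init__(self, password: str):
        self.key = derive_key(password)
        self.outstanding = set()          # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = os.urandom(16)                # fresh random nonce per login attempt
        self.outstanding.add(c)
        return c

    def verify(self, c: bytes, response: bytes) -> bool:
        if c not in self.outstanding:     # unknown or already-used challenge: treat as replay
            return False
        self.outstanding.discard(c)       # each challenge is answerable exactly once
        expected = hmac.new(self.key, c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_respond(password: str, c: bytes) -> bytes:
    """The response depends on both the password (via the derived key) and the challenge."""
    return hmac.new(derive_key(password), c, hashlib.sha256).digest()

def login(server: Server, password: str) -> tuple:
    """One full exchange: server -> challenge, client -> response, server -> verdict."""
    c = server.challenge()
    r = client_respond(password, c)
    return c, r, server.verify(c, r)
```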
