NCSU CSC (ECE) 574 - Identification and Authentication
CSC 474/574 Information Systems Security, Dr. Peng Ning, Computer Science

Slide 1: Topic 3: Identification and Authentication

Slide 2: Authentication
• Any process through which one proves or verifies certain information.
• User authentication
– Allows a user to prove his/her identity to another entity (e.g., a system, a device).

Slide 3: Identification
• Identification is a process through which one ascertains the identity of another person or entity.
• Authentication and identification are different.
– Identification requires that the verifier check the information presented against all the entities it knows about,
– Authentication requires that the information be checked for a single, previously identified, entity.
– Identification must, by definition, uniquely identify a given entity,
– Authentication does not necessarily require uniqueness.

Slide 4: User Authentication
• What the user knows
– passwords, personal information
• What the user possesses
– a physical key, a ticket, a passport, a token, a smartcard
• What the user is (biometrics)
– fingerprints, voiceprint, signature dynamics

Slide 5: Passwords
• Most commonly used method.
[Diagram: Alice tells the computer system "I'm Alice, the password is fiddlesticks"]

Slide 6: Storing User Passwords
• Directly store the passwords?
– Not a good idea!
– High risk
• Anyone who captures the password database could impersonate all the users.
• The password database would be very attractive to hackers.

Slide 7: One-Way Hash Function
• One-way hash function F
– F(x) is easy to compute
– From F(x), x is difficult to compute
– Example: F(x) = g^x mod p, where p is a large prime number and g is a primitive root of p.
[Diagram: x → F(x) is easy; F(x) → x is difficult]
Slide 8: Storing Passwords
• For each user, the system stores (user name, F(password)) in a password file, where F is a one-way hash function
• When a user enters the password, the system computes F(password); a match provides proof of identity

Slide 9: What is F?
• crypt algorithm (Unix)
– Designed by Bob Morris and Ken Thompson
– Uses the Data Encryption Standard (DES) encryption algorithm
– The user password and salt are used as the encryption key to encrypt a 64-bit block of zeros
– This process is repeated 25 times
[Diagram: DES encrypts the 64-bit block 00…0 under the key x = Password + Salt, repeated 25 times, producing F(x)]

Slide 10: Choice of Passwords
• Suppose passwords can be from 1 to 9 characters in length
• Possible choices for passwords = 26^1 + 26^2 + ... + 26^9 ≈ 5 × 10^12
• At the rate of 1 password per millisecond, it will take on the order of 150 years to test all passwords

Slide 11: Choice of Passwords (Cont'd)
• However, we don't need to try all possible passwords, only the probable passwords
• In a Bell Labs study (Morris & Thompson 1979), 3,289 passwords were examined
– 15 single ASCII characters, 72 two ASCII characters, 464 three ASCII characters, 477 four alphanumeric characters, 706 five letters (all lower or all upper case), 605 six letters all lower case, 492 weak passwords (dictionary words spelled backwards, first names, surnames, etc.)
– Summary: 2,831 passwords (86% of the sample) were weak, i.e., they were either too easily predictable or too short

Slide 12: Dictionary Attacks
• Attack 1:
– Create a dictionary of common words and names and their simple transformations
– Use these to guess the password
[Diagram: dictionary (Eagle, Wine, Rose, …); the guess "Eagle" is accepted: Yes!]
Slide 13: Dictionary Attacks (Cont'd)
• Attack 2:
– Usually F is public and so is the password file
• In Unix, F is crypt, and the password file is /etc/passwd.
– Compute F(word) for each word in the dictionary
– A match gives the password
[Diagram: F applied to each dictionary word (Eagle, Wine, Rose, …) and compared against the password file entries (TdWx, %XkPT, KYEN, …); F(Eagle) = XkPT]

Slide 14: Dictionary Attacks (Cont'd)
• Attack 3:
– To speed up the search, pre-compute F(dictionary)
– A simple look up gives the password
[Diagram: pre-computed dictionary (XkPT, %$DVC, #AED!, …) looked up directly against the password file entries]

Slide 15: Password Salt
• To make the dictionary attack a bit more difficult
• Salt is a 12-bit number between 0 and 4095
• Derived from the system clock and the process identifier

Slide 16: Password Salt (Cont'd)
• Storing the passwords
[Diagram: Password + Salt → F → F(Password + Salt); the password file stores (Username, Salt, F(Password + Salt))]

Slide 17: Password Salt (Cont'd)
• Verifying the passwords
[Diagram: fetch Salt according to username; compute F(Password + Salt) from the entered password; compare with the stored F(Password + Salt)]

Slide 18: Does Password Salt Help?
• Attack 1?
– Without Salt
– With Salt
[Diagram: dictionary (Eagle, Wine, Rose, …); a word is tried, answer Yes/No]

Slide 19: Does Password Salt Help?
• Attack 2?
– Without Salt
– With Salt
[Diagram: dictionary (Eagle, Wine, Rose, …) → F → compared against the password file (TdWx, %XkPT, KYEN, …)]

Slide 20: Does Password Salt Help?
• Attack 3?
– Without Salt
– With Salt
[Diagram: pre-computed dictionary (%$DVC, XkPT, #AED!, …) looked up against the password file (TdWx, %XkPT, KYEN, …)]
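The storage and verification flow of slides 16 and 17, together with the "Does salt help against Attack 3?" question of slide 20, as an added example that is not code from the lecture. It assumes SHA-256 as the one-way function F in place of the DES-based crypt the slides describe, and a 16-byte random salt in place of the 12-bit clock/PID salt; the dictionary and the user records are constructed for the example.

```python
"""Salted password storage and verification.

Added example (not code from the slides). F stands in for the slides' one-way
function: SHA-256 is assumed here in place of the DES-based crypt, and the salt
is 16 random bytes rather than the 12-bit clock/PID value the lecture describes.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

PasswordFile = Dict[str, Tuple[bytes, bytes]]   # username -> (salt, F(password + salt))


def F(x: bytes) -> bytes:
    """One-way function: F(x) is easy to compute, recovering x from F(x) is not."""
    return hashlib.sha256(x).digest()


def store(password_file: PasswordFile, username: str, password: str,
          salt: Optional[bytes] = None) -> bytes:
    """Record (username, salt, F(password + salt)); the plaintext is never written."""
    if salt is None:
        salt = os.urandom(16)
    password_file[username] = (salt, F(password.encode() + salt))
    return salt


def verify(password_file: PasswordFile, username: str, password: str) -> bool:
    """Fetch the salt by username, recompute F(password + salt), compare in constant time."""
    entry = password_file.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, F(password.encode() + salt))


def precomputed_dictionary(words: Iterable[str]) -> Dict[bytes, str]:
    """Slide 14's pre-computed F(dictionary): F(word) computed once, keyed by its value."""
    return {F(w.encode()): w for w in words}


def table_hits(table: Dict[bytes, str], password_file: PasswordFile) -> Dict[str, str]:
    """Which stored hashes appear in the table? Returns username -> matching word."""
    return {u: table[h] for u, (_salt, h) in password_file.items() if h in table}


def table_entries_with_salt(num_words: int, salt_bits: int) -> int:
    """Entries a pre-computed table needs once every word must be hashed with every possible salt."""
    return num_words * (2 ** salt_bits)


DICTIONARY = ["Eagle", "Wine", "Rose"]   # constructed; mirrors the slide diagram


def demo() -> dict:
    unsalted: PasswordFile = {}
    store(unsalted, "alice", "Eagle", salt=b"")   # empty salt == the unsalted scheme of slide 8
    salted: PasswordFile = {}
    store(salted, "alice", "Eagle")               # random salt, as on slide 16
    table = precomputed_dictionary(DICTIONARY)
    return {
        "login_ok": verify(salted, "alice", "Eagle"),
        "login_wrong_case": verify(salted, "alice", "eagle"),
        "login_unknown_user": verify(salted, "bob", "Eagle"),
        "table_hits_unsalted": table_hits(table, unsalted),   # {'alice': 'Eagle'}
        "table_hits_salted": table_hits(table, salted),       # {}
        "table_entries_12bit_salt": table_entries_with_salt(len(DICTIONARY), 12),  # 3 * 4096
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted record is found by a single lookup in a table built once; the salted record is not, because the table holds F(word) rather than F(word + salt). A 12-bit salt multiplies the table by 4096 entries per word, which is the "a bit more difficult" of slide 15; it does nothing against Attack 1 (online guessing) or Attack 2 run per user.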
Slide 21: Password Management Policy and Procedure
• Educate users to make better choices
– Does not work if the user population is large or novice
• Define rules for good password selection and ask users to follow them
– Rules serve as a guideline for attackers
• Ask or force users to change their passwords periodically
• Force users to use machine-generated passwords
– Random passwords are difficult to memorize; also the password generator may become known to the attacker through analysis
• Actively attempt to break users' passwords; force users to change those that are broken
– Attacker may have a better dictionary
• Screen password choices; if a choice is weak, force users to make a different choice

Slide 22: One-time Passwords
• Use the password exactly once!

Slide 23: Lamport's Scheme (S/Key)
• Take advantage of a one-way function
• One-way hash function F
– F(x) is easy to compute
– From F(x), x is difficult to compute
[Diagram: x → F(x); the preview ends here]
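Slide 23 names Lamport's scheme (S/Key) and the preview ends before the slides describe it, so the following is an added example of the standard hash-chain construction, not the lecture's own code or notation. It assumes SHA-256 as the one-way function F, a constructed seed, and a chain of length 5; the `Client` and `Server` classes are illustrative names.

```python
"""Lamport one-time passwords (the hash-chain construction behind S/Key).

Added example; SHA-256 is assumed as the one-way function F, and the seed and
chain length are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Optional


def F(x: bytes) -> bytes:
    """One-way function: easy forward, hard to invert."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, n: int) -> bytes:
    """F^n(x): apply F n times (F^0(x) is x itself)."""
    for _ in range(n):
        x = F(x)
    return x


class Client:
    """Holds the secret and a count of passwords not yet used."""

    def __init__(self, secret: bytes, n: int):
        self.secret = secret
        self.remaining = n

    def next_password(self) -> Optional[bytes]:
        """Emit F^(remaining-1)(secret), walking the chain backwards; None once exhausted."""
        if self.remaining == 0:
            return None
        self.remaining -= 1
        return iterate(self.secret, self.remaining)


class Server:
    """Stores only the last accepted value, initially F^n(secret); never the secret."""

    def __init__(self, initial: bytes):
        self.current = initial

    def login(self, otp: bytes) -> bool:
        """Accept otp iff F(otp) equals the stored value, then store otp as the new value."""
        if hmac.compare_digest(F(otp), self.current):
            self.current = otp
            return True
        return False


def demo() -> dict:
    secret = b"constructed-seed-fiddlesticks"   # constructed; known only to the client
    n = 5
    client = Client(secret, n)
    server = Server(iterate(secret, n))   # enrolment: the server receives F^5(secret)
    p1 = client.next_password()           # F^4(secret)
    first = server.login(p1)              # True: F(F^4) == F^5
    replay = server.login(p1)             # False: a captured password cannot be reused
    later = [server.login(client.next_password()) for _ in range(n - 1)]   # F^3 ... F^0
    exhausted = client.next_password() is None   # chain used up: re-enrol with a fresh seed
    return {"first": first, "replay": replay, "later_all_ok": all(later), "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

Each accepted password moves the server's stored value one step down the chain, so an eavesdropper who records a password cannot replay it and, because F is one-way, cannot compute the next one from it. The final password is F^0, the seed itself, so a deployment re-enrols before the chain runs out.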