Authentication Elisa Bertino CERIAS and CS ECE Departments Purdue University Elisa Bertino Pag 1 Purdue University Authentication Topics Chapter 11 of Textbook Basics Passwords Challenge Response Biometrics Location Multiple Methods Elisa Bertino Pag 2 Purdue University Basics There exists two reasons for authenticating users The user identity is a parameter in access control decisions The user identity is recorded when logging securityrelevant events in the audit trail It is not always necessary or desirable to base access control on user identities while there is a much stronger case for using identities in the audit logs Elisa Bertino Pag 3 Purdue University Basics When a user connects to a computer system is has to enter User name this step is called identification Password this step is called authentication Authentication the process of verifying a claimed identity Elisa Bertino Pag 4 Purdue University Verifying Identity One or more of the following What entity knows eg password What entity has eg badge smart card What entity is eg fingerprints retinal characteristics Where entity is eg In front of a particular terminal Elisa Bertino Pag 5 Purdue University Authentication Process It consists of several steps Obtaining the authentication information from an entity Analyzing the data Determining if the authentication information is associated with that entity Elisa Bertino Pag 6 Purdue University Authentication System A C F L S A information that proves identity C information stored on computer and used to validate authentication information F complementation function f A C L functions that prove identity S functions enabling entity to create alter information in A or C Elisa Bertino Pag 7 Purdue University Example Password system with passwords stored on line in clear text A set of strings making up passwords C A F singleton set of identity function I L single equality test function eq S function to set change password Elisa Bertino Pag 8 Purdue University Passwords Sequence of characters Examples 10 digits a string of letters etc Generated randomly by user by computer with user input Sequence of words Examples pass phrases Note A pass phrase is a sequence of characters that it is too long to be a password and it is thus turned into a shorter virtual password by the password system Algorithms Examples challenge response one time passwords Elisa Bertino Pag 9 Purdue University Storage Store as cleartext If password file compromised all passwords are revealed Encipher file Need to have encryption decryption keys in memory Reduces to previous problem Store one way hash of password If file read attacker must still guess passwords or invert the hash Elisa Bertino Pag 10 Purdue University Example UNIX system standard hash function Hashes password into 11 char string using one of 4096 hash functions As authentication system A strings of 8 chars or less C 2 char hash id 11 char hash The 2 char identify the hash function used F 4096 versions of modified DES L login su S passwd nispasswd passwd Elisa Bertino Pag 11 Purdue University Passwords based Authentication A password is information associated with an entity that confirms its identity How can passwords be protected A solution one way hashing A user s password is encrypted and then stored The stored password is never decrypted It should be difficult for an attacker to revert the stored password to the plaintext password A user A may try to guess the password of another user B and thus impersonate B next slide Elisa Bertino Pag 12 Purdue University Analysis of an Impersonation Attack Goal find a A such that For some f F f a c C c is associated with the given entity Two ways to determine whether a meets these requirements Direct approach as above it is possible if C is known to the attacker Indirect approach as l a succeeds iff f a c C for some c associated with an entity compute l a Elisa Bertino Pag 13 Purdue University Preventing Attacks Hide one of a f or c Prevents obvious attack from above Example UNIX Linux shadow password files Hides c s Unix shadow password files can only be accessed by the super user access control is thus used Block access to all l L or result of l a Prevents attacker from knowing if guess succeeded Example preventing any logins to an account from a network Prevents knowing results of l or accessing l Elisa Bertino Pag 14 Purdue University Dictionary Attacks Trial and error from a list of potential passwords Type 1 attacker knows A f c Also referred to as Off line the attacker knows f and c s and repeatedly tries different guesses g A until the list is done or passwords guessed Type 2 attacker knows A l Also referred to as On line the attacker has access to functions in L and tries guesses g until some l g succeeds Examples trying to log in by guessing a password Elisa Bertino Pag 15 Purdue University Countering Password Guessing The goal of the defender is to maximize the time needed to guess the password Anderson s formula P probability of guessing a password in a specified period of time G number of guesses tested in 1 time unit T number of time units N number of possible passwords A Then P TG N refer to the textbook for examples Elisa Bertino Pag 16 Purdue University Example of Use of Anderson s Formula Consider the case of a 4 digit PIN Suppose that the number of possible passwords PINs is N 104 assuming that the digits 0 9 are allowed in each of the 4 positions of the PIN Assume that an attacker can make G 10 000 per second in an offline attack How long would it take to guess a PIN with absolute certainty P TG N or T PN G 1 0 10 000 10 000 1 Elisa Bertino Pag 17 Purdue University Approaches Password Selection Random selection Any password from A equally likely to be selected Such passwords are difficult to remember for users especially when they have multiple randomly selected passwords Pronounceable passwords User selection of passwords Elisa Bertino Pag 18 Purdue University Pronounceable Passwords Generate phonemes randomly Phoneme is unit of sound eg cv vc cvc vcv where c is a consonant v is a vowel Examples helgoret juttelon are pronounceable przbqxdfl zxrptglfn are not pronounceable Problem the number of pronounceable passwords of length n is considerably lower than the number of random passwords of length n Elisa Bertino Pag 19 Purdue University User Selection Problem people pick easy to guess passwords Based on account names user names computer names place names Dictionary words also
View Full Document
Unlocking...