Computer Science CSC/ECE 574 Computer and Network Security
Topic 6. Authentication
CSC/ECE 574 Dr. Peng Ning

Authentication
• Authentication is the process of reliably verifying certain information.
• Examples
  – User authentication
    • Allow a user to prove his/her identity to another entity (e.g., a system, a device).
  – Message authentication
    • Verify that a message has not been altered without proper authorization.
• A related concept – identification

Identification
• Identification is a process through which one ascertains the identity of another person or entity.
• Authentication and identification are different.
  – Identification requires that the verifier check the information presented against all the entities it knows about,
  – Authentication requires that the information be checked for a single, previously identified, entity.
  – Identification must, by definition, uniquely identify a given entity,
  – Authentication does not necessarily require uniqueness.

Authentication Mechanisms
• Password-based authentication
  – Use a secret quantity (the password) that the prover states to prove he/she knows it.
  – Threat: password guessing / dictionary attack
[Figure: Alice to the computer system: “I’m Alice, the password is fiddlesticks”]

Authentication Mechanisms (Cont’d)
• Address-based authentication
  – Assume the identity of the source can be inferred from the network address from which packets arrive.
  – Adopted early in UNIX and VMS
    • Berkeley r-tools (rsh, rlogin, etc.)
      – /etc/hosts.equiv file: list of computers
      – Per-user .rhosts file: list of <computer, account> pairs
• Threat
  – Spoofing of the network address
  – No authentication of source addresses

Authentication Mechanisms (Cont’d)
• Cryptographic authentication protocols
  – Basic idea:
    • A prover proves some information by performing a cryptographic operation on a quantity that the verifier supplies.
  – Usually reduced to knowledge of a secret value
    • A symmetric key
    • The private key of a public/private key pair

Topic 6.1 User Authentication

Authentication and Identity
• What is identity?
  – Which characteristics uniquely identify a person?
  – Do we care if identity is unique?
• Authentication: verify a user’s identity
  – A supplicant wishes to authenticate
  – A verifier performs the authentication
• What is the relationship of identity to role, or job function?

User Authentication Can Be Based On…
• What the user knows
  – passwords, personal information, a key, a credit card number, etc.
• Where the user is or can be reached
  – email address, IP address, …
• Physical characteristics of the user
  – fingerprints, voiceprint, signature dynamics, iris pattern, DNA, etc.
• What the user has in their possession
  – smart card, (physical) key, USB token, …
• Which of the above is best? Best in what way?

Crypto-Based Authentication
• Basic idea: the user performs a requested cryptographic operation on a value (a challenge) that the verifier supplies
• Usually based on knowledge of a key (secret key or private key)
• Examples: RSA, zero-knowledge proofs, …
• We’ll look at such protocols in more detail next time

Address-Based User Authentication
• Associates identity with a network address or email address
  – used by many web services
• Several early OS functions and tools worked this way
• Benefits? Problems?

Password Authentication

Password-Based User Authentication
• The user demonstrates knowledge of a secret value to authenticate
  – the most common method of user authentication
• Threats to password-based authentication?
[Figure: challenge / response exchange between the user and the verifier]

Some Issues for Password Systems
• A password should be easy to remember but hard to guess
  – that’s difficult to achieve!
• Some questions
  – What makes a good password?
  – Where is the password stored, and in what form?
  – How is knowledge of the password verified?

Password Storage
• Storing unencrypted passwords in a file is high risk
  – compromising the file system compromises all the stored passwords
• Better idea: use the password to compute a one-way function (e.g., a hash, an encryption), and store the output of the one-way function
• When the user inputs the requested password…
  1. compute its one-way function
  2. compare with the stored value

Attacks on Passwords
• Suppose passwords could be up to 9 characters long
• This would produce 10^18 possible passwords; 320,000 years to try them all at 10 million a second!
• Unfortunately, not all passwords are equally likely to be used

Example of a Study
• In a sample of over 3000 passwords:
  – 500 were easily guessed versions of dictionary words or first name / last name
  – 86% of passwords were easily guessed

  Length in characters                  1    2    3    4    5    6
  Number of passwords (lower case only) 15   72   464  477  706  605

Common Password Choices
• Pet names
• Common names
• Common words
• Dates
• Variations of the above (backwards, append a few digits, etc.)

Dictionary Attacks
• Attack 1 (online):
  – Create a dictionary of common words and names and their simple transformations
  – Use these to guess the password
[Figure: dictionary (Eagle, Wine, Rose, …) tried against the system; “Eagle” – Yes!]

Dictionary Attacks (Cont’d)
• Attack 2 (offline):
  – Usually F is public and so
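The Password Storage scheme above, as an added example that is not part of the course slides: the record holds only the output of a one-way function F, and verification recomputes F on the entered password and compares. It goes slightly beyond the slide by storing a random per-user salt next to F's output (an assumption not on the slides) and by using a constant-time comparison.

```python
import hashlib
import hmac
import os

# Added illustration of the "Password Storage" slide; not code from the course.
# Assumption beyond the slide: a random per-user salt is stored alongside the
# one-way-function output, so two users with the same password get different records.


def one_way(password: str, salt: bytes) -> bytes:
    """The slide's one-way function F, instantiated here as SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(password_file: dict, user: str, password: str) -> None:
    """Store only (salt, F(password)); the cleartext password is never written."""
    salt = os.urandom(16)
    password_file[user] = (salt, one_way(password, salt))


def verify_password(password_file: dict, user: str, attempt: str) -> bool:
    """Slide step 1: compute F(attempt).  Step 2: compare with the stored value."""
    record = password_file.get(user)
    if record is None:
        return False  # unknown user: fail closed
    salt, stored = record
    # Constant-time comparison so the compare itself leaks nothing about the stored value.
    return hmac.compare_digest(one_way(attempt, salt), stored)


def record_contains_cleartext(password_file: dict, user: str, password: str) -> bool:
    """True if the stored record still contains the password bytes (it should not)."""
    salt, stored = password_file[user]
    return password.encode("utf-8") in (salt + stored)


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the password file
    store_password(users, "alice", "fiddlesticks")  # password taken from the slide's figure
    print(verify_password(users, "alice", "fiddlesticks"))  # True
    print(verify_password(users, "alice", "Fiddlesticks"))  # False: compared output differs
```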