Computer Science CSC/ECE 574 Computer and Network Security
Topic 6. Authentication
Dr. Peng Ning

Slide 2: Authentication
• Authentication is the process of reliably verifying certain information.
• Examples
  – User authentication
    • Allow a user to prove his/her identity to another entity (e.g., a system, a device).
  – Message authentication
    • Verify that a message has not been altered without proper authorization.
• A related concept – identification

Slide 3: Identification
• Identification is a process through which one ascertains the identity of another person or entity.
• Authentication and identification are different.
  – Identification requires that the verifier check the information presented against all the entities it knows about.
  – Authentication requires that the information be checked for a single, previously identified entity.
  – Identification must, by definition, uniquely identify a given entity.
  – Authentication does not necessarily require uniqueness.

Slide 4: Authentication Mechanisms
• Password-based authentication
  – Use a secret quantity (the password) that the prover states to prove he/she knows it.
  – Threat: password guessing / dictionary attack
[Figure: Alice to Computer System: "I'm Alice, the password is fiddlesticks"]

Slide 5: Authentication Mechanisms (Cont'd)
• Address-based authentication
  – Assume the identity of the source can be inferred from the network address from which packets arrive.
  – Adopted early in UNIX and VMS
    • Berkeley r-tools (rsh, rlogin, etc.)
      – /etc/hosts.equiv file: list of computers
      – Per-user .rhosts file: list of <computer, account> pairs
  • Threat
    – Spoofing of the network address
    • Source addresses are not themselves authenticated

Slide 6: Authentication Mechanisms (Cont'd)
• Cryptographic authentication protocols
  – Basic idea:
    • A prover proves some information by performing a cryptographic operation on a quantity that the verifier supplies.
  – Usually reduced to the knowledge of a secret value
    • A symmetric key
    • The private key of a public/private key pair

Topic 6.1 User Authentication

Slide 8: Authentication and Identity
• What is identity?
  – Which characteristics uniquely identify a person?
  – Do we care if identity is unique?
• Authentication: verify a user's identity
  – a supplicant wishes to authenticate
  – a verifier performs the authentication
• What is the relationship of identity to role, or job function?

Slide 9: User Authentication Can Be Based On…
• What the user knows – passwords, personal information, a key, a credit card number, etc.
• Where the user is or can be reached – email address, IP address, …
• Physical characteristics of the user – fingerprints, voiceprint, signature dynamics, iris pattern, DNA, etc.
• What the user has in their possession – smart card, (physical) key, USB token, …
• Which of the above is best? Best in what way?

Slide 10: Crypto-Based Authentication
• Basic idea: the user performs a requested cryptographic operation on a value (a challenge) that the verifier supplies
• Usually based on knowledge of a key (secret key or private key)
• Examples: RSA, zero-knowledge proofs, …
• We'll look at such protocols in more detail next time

Slide 11: Address-Based User Authentication
• Associates identity with a network address or email address – used by many web services
• Several early OS functions and tools worked this way
• Benefits? Problems?

Slide 12: Password Authentication

Slide 13: Password-Based User Authentication
• The user demonstrates knowledge of a secret value to authenticate – the most common method of user authentication
• Threats to password-based authentication?
[Figure: challenge / response exchange between user and verifier]

Slide 14: Some Issues for Password Systems
• A password should be easy to remember but hard to guess – that's difficult to achieve!
• Some questions
  – what makes a good password?
  – where is the password stored, and in what form?
  – how is knowledge of the password verified?

Slide 15: Password Storage
• Storing unencrypted passwords in a file is high risk – compromising the file system compromises all the stored passwords
• Better idea: use the password to compute a one-way function (e.g., a hash, an encryption), and store the output of the one-way function
• When the user inputs the requested password…
  1. compute its one-way function
  2. compare with the stored value

Slide 16: Attacks on Passwords
• Suppose passwords could be up to 9 characters long
• This would produce 10^18 possible passwords; 320,000 years to try them all at 10 million a second!
• Unfortunately, not all passwords are equally likely to be used

Slide 17: Example of a Study
• In a sample of over 3000 passwords:
  – 500 were easily guessed versions of dictionary words or first name / last name
  – 86% of passwords were easily guessed

  Length in characters   |   1 |   2 |   3 |   4 |   5 |   6
  Number of passwords    |  15 |  72 | 464 | 477 | 706 | 605
  (lower case only)

Slide 18: Common Password Choices
• Pet names
• Common names
• Common words
• Dates
• Variations of the above (backwards, append a few digits, etc.)

Slide 19: Dictionary Attacks
• Attack 1 (online):
  – Create a dictionary of common words and names and their simple transformations
  – Use these to guess the password
[Figure: dictionary (Eagle, Wine, Rose, …) tried against the system; "Eagle" is accepted: Yes!]

Slide 20: Dictionary Attacks (Cont'd)
• Attack 2 (offline):
  – Usually F is public and so
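As an added example (not code from the slides), the two-step verification procedure from the Password Storage slide, combined with a check that refuses the easily guessed choices from the Common Password Choices and Dictionary Attacks slides (dictionary words and names, reversed or with a few digits appended). The word list, the record layout and the choice of salted PBKDF2 as the one-way function are assumptions, the last one stricter than the plain hash the slide mentions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the slide's dictionary of common words and names (assumption).
DICTIONARY = {"eagle", "wine", "rose", "alice", "bob", "password", "fiddlesticks"}


def is_easily_guessed(password: str) -> bool:
    """True for the choices the slides call easily guessed: a dictionary word
    or name, or a simple transformation of one (reversed, or with a few
    digits appended, e.g. "Rose", "esoR", "rose99")."""
    lowered = password.lower()
    base = lowered.rstrip("0123456789")
    if len(lowered) - len(base) > 4:   # more than "a few" digits: not a simple transform
        base = lowered
    return base in DICTIONARY or base[::-1] in DICTIONARY


# Record layout is hypothetical. The one-way function F chosen here is PBKDF2-HMAC-SHA256
# with a random per-user salt and many iterations: a deliberately slow F, so each offline
# guess against a stolen file costs as much work as one legitimate verification.
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Enrolment: compute the one-way function and keep only its output, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Slide 15, steps 1 and 2: recompute the one-way function on the supplied
    password and compare with the stored value (constant-time comparison)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def enroll(password: str):
    """Refuse an easily guessed password; otherwise return the record to store."""
    if is_easily_guessed(password):
        return None
    return make_record(password)
```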


NCSU CSC (ECE) 574 - Authentication
