
Authentication: Beyond Passwords – Prof. Tom Austin, San José State University (PowerPoint presentation)



1. CS 166: Information Security – Authentication: Beyond Passwords. Prof. Tom Austin, San José State University

  2. Biometrics

3. Something You Are
• Biometric – “You are your key” (Schneier)
• Examples
  – Fingerprint
  – Handwritten signature
  – Facial recognition
  – Speech recognition
  – Gait (walking) recognition
  – “Digital doggie” (odor recognition)
[Figure: the three authentication factors – something you Are / Have / Know]

4. Why Biometrics?
• More secure replacement for passwords
• Cheap and reliable biometrics are needed – an active area of research
• Biometrics are used in security today
  – Thumbprint mouse
  – Palm print for secure entry
  – Fingerprint to unlock car door
• But biometrics are not too popular

5. Ideal Biometric
• Universal – applies to (almost) everyone
  – In reality, no biometric applies to everyone
• Distinguishing – distinguishes with certainty
  – In reality, cannot hope for 100% certainty
• Permanent – the physical characteristic being measured never changes
  – In reality, OK if it remains valid for a long time
• Collectable – easy to collect the required data
  – Depends on whether subjects are cooperative
• Also safe, user-friendly, etc.

6. Biometric Modes
• Identification – Who goes there?
  – Compare one-to-many
  – Example: the FBI fingerprint database
• Authentication – Are you who you say you are?
  – Compare one-to-one
  – Example: thumbprint mouse
• The identification problem is more difficult
  – More “random” matches, since more comparisons are made
• We are interested in authentication

7. Enrollment vs Recognition
• Enrollment phase
  – Subject’s biometric info is put into the database
  – Must carefully measure the required info
  – OK if slow and repeated measurement is needed
  – Must be very precise
  – May be the weak point of many biometrics
• Recognition phase
  – Biometric detection, when used in practice
  – Must be quick and simple
  – But must be reasonably accurate

8. Cooperative Subjects?
• Authentication – cooperative subjects
• Identification – uncooperative subjects
• For example, facial recognition
  – Used in Las Vegas casinos to detect known cheaters (terrorists in airports, etc.)
  – Often do not have ideal enrollment conditions
  – Subject will try to confuse the recognition phase
• A cooperative subject makes it much easier
  – We are focused on authentication
  – So, subjects are generally cooperative

9. Biometric Errors
• Fraud rate versus insult rate
  – Fraud – Trudy mis-authenticated as Alice
  – Insult – Alice not authenticated as Alice
• For any biometric, you can decrease fraud or insult, but the other one will increase
• For example
  – 99% voiceprint match required ⇒ low fraud, high insult
  – 30% voiceprint match required ⇒ high fraud, low insult
• Equal error rate: the rate at which fraud == insult
  – A way to compare different biometrics

10. Fingerprint History
• 1823 – Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns
• 1856 – Sir William Herschel used fingerprints (in India) on contracts
• 1880 – Dr. Henry Faulds’ article in Nature about fingerprints for ID
• 1883 – Mark Twain’s Life on the Mississippi (murderer ID’ed by fingerprint)

11. Fingerprint History
• 1888 – Sir Francis Galton developed a classification system
  – His system of “minutiae” is still used today
  – Also verified that fingerprints do not change
• Some countries require a fixed number of “points” (minutiae) to match in criminal cases
  – In Britain, at least 15 points
  – In the US, no fixed number of points

12. Fingerprint Comparison
• Examples of loops, whorls, and arches
• Minutiae extracted from these features
[Figure: Loop (double), Whorl, Arch]

13. Fingerprint: Enrollment
1. Capture image of fingerprint
2. Enhance image
3. Identify points

14. Fingerprint: Recognition
• Extracted points are compared with the information stored in a database
• Is it a statistical match?
• Aside: Do identical twins’ fingerprints differ?

15. Hand Geometry
• A popular biometric
• Measures the shape of the hand
  – Width of hand, fingers
  – Length of fingers, etc.
• Human hands are not unique
• Hand geometry is sufficient for many situations
• OK for authentication
• Not useful for the ID problem

16. Hand Geometry: Pros and Cons
• Advantages
  – Quick – 1 minute for enrollment, 5 seconds for recognition
  – Hands are symmetric
• Disadvantages
  – Cannot use on the very young or very old
  – Relatively high equal error rate

17. Iris Patterns
• Iris pattern development is “chaotic”
• Little or no genetic influence
• Different even for identical twins
• Pattern is stable throughout life

18. Iris Recognition: History
• 1936 – suggested by Frank Burch
• 1980s – James Bond films
• 1986 – first patent appeared
• 1994 – John Daugman patented the best current approach
  – Patent owned by Iridian Technologies

19. Iris Scan
• Scanner locates the iris
• Take a b/w photo
• Use polar coordinates…
• 2-D wavelet transform
• Get a 256-byte iris code

20. Measuring Iris Similarity
• Based on Hamming distance
• Define d(x,y) to be
  – # of non-matching bits / # of bits compared
  – d(0010,0101) = 3/4 and d(101111,101001) = 1/3
• Compute d(x,y) on the 2048-bit iris code
  – Perfect match is d(x,y) = 0
  – For the same iris, the expected distance is 0.08
  – At random, expect a distance of 0.50
  – Accept the iris scan as a match if distance < 0.32

21. Iris Scan Error Rate
[Figure: histogram of the distance between 2 different eyes vs. the distance between the same eye measured twice]
  distance    fraud rate
  0.29        1 in 1.3 × 10^10
  0.30        1 in 1.5 × 10^9
  0.31        1 in 1.8 × 10^8
  0.32        1 in 2.6 × 10^7
  0.33        1 in 4.0 × 10^6
  0.34        1 in 6.9 × 10^5
  0.35        1 in 1.3 × 10^5   (== equal error rate distance)

  22. Could an attacker use a photo to trick the system?

  23. Famous picture of a girl in Afghanistan from National Geographic. Is this the same person?

24. Attacks on Iris Scan
• Scanning the woman’s iris and the iris in the picture found a match.
  – http://news.bbc.co.uk/2/hi/south_asia/1870382.stm
• Moral of the story: a picture works.
• To prevent this attack, the scanner could use light to be sure it is a “live” iris.
  – But that raises the cost of the device.

25. Equal Error Rate Comparison
• Equal error rate (EER): fraud == insult rate
• Fingerprint biometric has an EER of about 5%
• Hand geometry has an EER of about 10^-3
• In theory, iris scan has an EER of about 10^-6
  – But in practice, this may be hard to achieve
  – Enrollment phase must be extremely accurate
• Most biometrics are much worse than fingerprint!
• Biometrics are useful for authentication…
  – …but identification biometrics are almost useless today

26. Biometrics: The Bottom Line
• Biometrics are hard to forge
• But an attacker could
  – Steal Alice’s thumb
  – Photocopy Bob’s fingerprint, eye, etc.
  – Subvert the software, database, “trusted path”, …
• And how do you revoke a “broken” biometric?
• Biometrics are not foolproof
• Biometric use is limited today
• That should change in the (near?) future

27. Something You Have
• Something in your possession
• Examples include the following…
  – Car key
  – Laptop computer (or MAC address)
  – Password generator (next)
  – ATM card, smartcard, etc.

28. Password Generator
[Figure: Alice (with password generator holding K) and Bob (holding K). Messages: 1. “I’m Alice” (Alice → Bob); 2. R (Bob → Alice); 3. PIN, R (Alice → password generator); 4. h(K,R) (password generator → Alice); 5. h(K,R) (Alice → Bob)]
• Alice receives a random “challenge” R from Bob
• Alice enters the PIN and R into the password generator
• The password generator hashes the symmetric key K with R
• Alice sends the “response” h(K,R) back to Bob
• Bob verifies the response
• Note: Alice has the password generator and knows the PIN
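The exchange on this slide as an added example (my code, not from the slides): h(K,R) is realised with HMAC-SHA256, Bob issues a fresh random R per login and accepts each R only once, and the PIN gate on the device is an assumed simplification of a real token that would protect K in hardware.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides. Assumptions: h(K,R) = HMAC-SHA256(K, R); the
# device releases a response only after the correct PIN; Bob keeps one open
# challenge per user and discards it after a single verification attempt.


class PasswordGenerator:
    """Alice's token: holds the shared key K, usable only after the PIN is entered."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: bytes):
        """Steps 3-4: PIN and R go in, h(K,R) comes out (None if the PIN is wrong)."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Bob: knows K for every enrolled user and issues a fresh random R per login."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._pending = {}

    def challenge(self, user: str) -> bytes:
        """Step 2: answer "I'm Alice" with an unpredictable 128-bit challenge R."""
        r = secrets.token_bytes(16)
        self._pending[user] = r
        return r

    def verify(self, user: str, response) -> bool:
        """Step 5: recompute h(K,R) and compare in constant time; R is single-use."""
        r = self._pending.pop(user, None)
        if r is None or user not in self._keys or response is None:
            return False
        expected = hmac.new(self._keys[user], r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(bob: Verifier, device: PasswordGenerator, pin: str, user: str = "Alice") -> bool:
    """Run steps 1-5 once and report whether Bob accepted the login."""
    r = bob.challenge(user)
    return bob.verify(user, device.respond(pin, r))
```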

29. 2-factor Authentication
• Requires any 2 out of 3 of
  – Something you know
  – Something you have
  – Something you are
• Examples
  – ATM: card and PIN
  – Credit card: card and signature
  – Password generator: device and PIN
  – Smartcard with password/PIN

30. Single Sign-on
• A hassle to enter password(s) repeatedly
  – Alice wants to authenticate only once
  – “Credentials” stay with Alice wherever she goes
  – Subsequent authentications are transparent to Alice
• Kerberos – an example single sign-on protocol
• Single sign-on for the Internet?
  – Microsoft Passport
  – Liberty Alliance
  – Facebook

31. Web Cookies
• A cookie is provided by a website and stored on the user’s machine
• The cookie indexes a database at the website
• Cookies maintain state across sessions
  – The Web uses a stateless protocol: HTTP
  – Cookies also maintain state within a session
• Sort of like single sign-on for a website
  – But a very, very weak form of authentication
• Cookies also create privacy concerns

32. Lab 10: Hamming distance
Find the Hamming distance of X and Y where:
(a) X = FE01 (hex notation), Y = 7E13 (hex notation)
(b) X = 0101 (binary notation), Y = 1101 (binary notation)
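As an added example (my code, not from the slides), the distance d(x,y) of slide 20 and the hex-notation inputs of this lab handled by one set of functions, plus a constructed stand-in for 2048-bit iris codes that shows why the same eye lands near 0.08 and unrelated eyes near 0.50; the codes and their noise pattern are constructed, not real wavelet output.

```python
import random

# Added example, not from the slides. Hamming distance on bit strings, the hex
# form used in the lab, and the normalised distance d(x,y) that decides an iris match.


def hamming_bits(x: str, y: str) -> int:
    """Number of positions at which two equal-length bit strings differ."""
    if len(x) != len(y):
        raise ValueError("codes must have the same length")
    return sum(a != b for a, b in zip(x, y))


def hex_to_bits(h: str) -> str:
    """Expand hex notation to a bit string, 4 bits per hex digit."""
    return "".join(format(int(c, 16), "04b") for c in h)


def hamming_hex(x: str, y: str) -> int:
    """Hamming distance of two codes written in hex notation."""
    return hamming_bits(hex_to_bits(x), hex_to_bits(y))


def iris_distance(x: str, y: str) -> float:
    """Slide 20's d(x,y): non-matching bits / bits compared."""
    return hamming_bits(x, y) / len(x)


def iris_match(x: str, y: str, threshold: float = 0.32) -> bool:
    """Accept as the same iris when the distance is below the slide's threshold."""
    return iris_distance(x, y) < threshold


def random_iris_code(rng: random.Random, nbits: int = 2048) -> str:
    """Constructed stand-in for a 2048-bit iris code: uniformly random bits."""
    return "".join(rng.choice("01") for _ in range(nbits))


def rescan(code: str, every: int = 12) -> str:
    """Simulate re-measuring the same eye: flip every `every`-th bit (about 8% noise)."""
    return "".join(("1" if b == "0" else "0") if i % every == 0 else b
                   for i, b in enumerate(code))


def demo(seed: int = 166):
    """Distances for the same eye scanned twice and for two different eyes."""
    rng = random.Random(seed)
    eye_a, eye_b = random_iris_code(rng), random_iris_code(rng)
    return iris_distance(eye_a, rescan(eye_a)), iris_distance(eye_a, eye_b)
```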
