5/25/2019 Network Security
Topic 3: User Authentication
Reading for this Lecture
• Password
• Password strength
• Salt_(cryptography)
• Password cracking
• Trusted path
• One time password
Important Takeaway Message
• Thinking about security means considering and weighing different trade-offs
• Understanding and properly using some basic terminology is important
Three A's of Information Security
Authentication vs. Access Control vs. Audit
Authentication, Authorization, and Audit
• Authentication
  • The process of determining whether somebody is who he/she claims to be
• Access control
  • The process of determining whether an action is allowed with respect to some well-defined rules or policies
• Audit
  • Record everything, to identify attackers after the fact
Authentication and Access Control (From Wikipedia)
• Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one
• Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system
Why Audit?
• At decision-making time we may not have enough information to judge whether an access request is valid
• It is difficult to weigh all possible conditions of a valid access request
• Especially relevant when the legitimacy of an access request depends on contextual information
Our concentration today is user authentication
Scenarios Requiring User Authentication
• Logging into a local computer
• Logging into a remote computer
• Logging into a network
• Accessing websites
[Figure: dialogue] (A) I am John. (B) Yeah, right. (C) I am John, here is my token. (D) OKAY.
Authentication Token
• Based on something the user knows
  • Example: Passphrase, password
• Based on something the user possesses
  • Example: Smart card or token
• Based on something the user is
  • Example: Biometric
Proposals of Authentication Token
• Cryptography-based
• Others
  • Passwords
  • Biometrics
  • Graphical passwords
  • 2-factor authentication
  • Out-of-band authentication
Cryptography-based Designs
• One-time passwords
  • Each password is used only once
  • Defend against an adversary who can eavesdrop and later impersonate
• Challenge-response
  • Send a response related to the password and a challenge
• Zero-knowledge proof of knowledge
  • Prove knowledge of a value without revealing it (Out of scope)
One-Time Passwords (OTP)
• Two parties share a list of one-time passwords
• Time-synchronized OTP
  • Example: MAC_K(t) where t is the current time
• Using a hash chain (proposed by Lamport)
  • H(s), H(H(s)), …, H^1000(s)
  • Use these hash values in reverse order
Leslie B. Lamport, the winner of the 2013 Turing Award
• Developer of the document preparation system LaTeX
• 2013 Turing Award for imposing clear, well-defined coherence on the seemingly chaotic behavior of distributed computing systems
Lamport's One-Time Password
• Setting: A wants to authenticate itself to B
• Initialization:
  • A selects an arbitrary value S, a hash function H(), and an integer value t
  • A computes w_0 = H^t(S) and sends w_0 and H() to B
  • B stores w_0
• Protocol: To authenticate to B at time i, where 1 <= i <= t
  • A sends to B: A, i, w_i = H^(t-i)(S)
  • B checks: i = i_A, H(w_i) = w_(i-1)
  • If both hold, i_A = i_A + 1
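The hash-chain protocol above, written out as an added example (not code from the slides): A precomputes the chain from a secret S and B keeps only the last accepted value. The slide leaves H() unspecified; SHA-256 is an assumption here, as is the seed value, which is constructed for the demo. The check H(w_i) = w_(i-1) only works if B replaces its stored value with w_i after each success, so the verifier does that alongside incrementing i_A.

```python
import hashlib


def H(x: bytes) -> bytes:
    """The one-way hash H() of the slide; SHA-256 is an assumption."""
    return hashlib.sha256(x).digest()


def H_pow(x: bytes, n: int) -> bytes:
    """H^n(x): apply H n times (H^0(x) = x)."""
    for _ in range(n):
        x = H(x)
    return x


class Prover:
    """Party A: holds the secret S and the chain length t, sends w_i = H^(t-i)(S)."""

    def __init__(self, seed: bytes, t: int):
        self.seed, self.t, self.i = seed, t, 1

    def initial_value(self) -> bytes:
        return H_pow(self.seed, self.t)  # w_0 = H^t(S), sent to B at initialization

    def next_message(self):
        if self.i > self.t:
            raise RuntimeError("hash chain exhausted; re-initialize with a fresh S")
        w_i = H_pow(self.seed, self.t - self.i)  # walk the chain in reverse order
        msg = ("A", self.i, w_i)
        self.i += 1
        return msg


class Verifier:
    """Party B: stores only the last accepted value and the expected counter i_A."""

    def __init__(self, w0: bytes, t: int):
        self.last_w, self.i_A, self.t = w0, 1, t

    def verify(self, msg) -> bool:
        _ident, i, w_i = msg
        if i != self.i_A or i > self.t:      # check i = i_A (rejects replays)
            return False
        if H(w_i) != self.last_w:           # check H(w_i) = w_(i-1)
            return False
        self.last_w, self.i_A = w_i, self.i_A + 1
        return True


def run_demo(t: int = 10, rounds: int = 3):
    """Run `rounds` logins, then replay the first captured message.

    Returns (per-round results, whether the replay was accepted)."""
    seed = b"constructed-demo-seed"  # constructed; use os.urandom() in practice
    a = Prover(seed, t)
    b = Verifier(a.initial_value(), t)
    captured, results = [], []
    for _ in range(rounds):
        m = a.next_message()
        captured.append(m)          # an eavesdropper sees every w_i on the wire
        results.append(b.verify(m))
    replay_accepted = b.verify(captured[0])  # old w_1 with counter 1: i != i_A
    return results, replay_accepted


if __name__ == "__main__":
    print(run_demo())  # ([True, True, True], False)
```

An eavesdropper who learns w_i cannot produce w_(i+1) without inverting H, and re-sending w_i fails the counter check, which is exactly the "eavesdrop and later impersonate" adversary the earlier slide names.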
Challenge-Response Protocols
• Goal: one entity authenticates to another entity by proving knowledge of a secret in response to a 'challenge'
• How to design this using the crypto tools we have learned?
• Approach: Use time-variant parameters to prevent replay and interleaving attacks, and to provide uniqueness and timeliness
  • Example: nonce (a number used only once), timestamps
Challenge-Response Protocols
• Unilateral authentication (timestamp-based)
  • A to B: MAC_K(t_A, B)
• Unilateral authentication (nonce-based)
  • B to A: r_B
  • A to B: MAC_K(r_B, B)
• Mutual authentication (nonce-based)
  • B to A: r_B
  • A to B: r_A, MAC_K(r_A, r_B, B)
  • B to A: MAC_K(r_B, r_A)
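The nonce-based mutual authentication exchange above, as an added example that is not part of the slides. MAC_K is instantiated as HMAC-SHA256 (an assumption; the slides leave the MAC abstract), fields are length-prefixed before hashing so that MAC_K(r_A, r_B, B) cannot be confused with a differently split input, and B remembers which challenges r_B it has issued so that a captured second message is rejected when replayed. The shared key and party names are constructed for the demo.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC_K(f1, f2, ...) as HMAC-SHA256 over length-prefixed fields (assumption)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big"))
        m.update(f)
    return m.digest()


class Party:
    def __init__(self, name: str, key: bytes):
        self.name = name.encode()
        self.key = key
        self.outstanding = set()  # challenges issued but not yet answered


def b_challenge(b: Party) -> bytes:
    """Message 1, B to A: a fresh nonce r_B."""
    r_B = os.urandom(16)
    b.outstanding.add(r_B)
    return r_B


def a_respond(a: Party, r_B: bytes, b_name: bytes):
    """Message 2, A to B: r_A, MAC_K(r_A, r_B, B). Including B's name stops reflection."""
    r_A = os.urandom(16)
    return r_A, mac(a.key, r_A, r_B, b_name)


def b_verify_and_respond(b: Party, r_B: bytes, r_A: bytes, tag: bytes):
    """B checks message 2; on success returns message 3, MAC_K(r_B, r_A), else None."""
    if r_B not in b.outstanding:   # unknown or already-used challenge: replay
        return None
    b.outstanding.discard(r_B)     # each challenge is answerable exactly once
    if not hmac.compare_digest(tag, mac(b.key, r_A, r_B, b.name)):
        return None
    return mac(b.key, r_B, r_A)


def a_verify(a: Party, r_B: bytes, r_A: bytes, tag2: bytes) -> bool:
    """A checks message 3: B must have bound A's fresh nonce r_A."""
    return hmac.compare_digest(tag2, mac(a.key, r_B, r_A))


def run_mutual_auth(key: bytes = b"constructed-shared-key-K"):
    """Returns (honest run succeeded, replay rejected, wrong-key forgery rejected)."""
    a, b = Party("A", key), Party("B", key)
    r_B = b_challenge(b)
    r_A, tag = a_respond(a, r_B, b.name)
    tag2 = b_verify_and_respond(b, r_B, r_A, tag)
    success = tag2 is not None and a_verify(a, r_B, r_A, tag2)

    # Replay: the captured message 2 is presented to B again.
    replay_rejected = b_verify_and_respond(b, r_B, r_A, tag) is None

    # Forgery: a fresh challenge answered by someone who does not hold K.
    r_B2 = b_challenge(b)
    r_A2, bad_tag = a_respond(Party("A", b"constructed-wrong-key"), r_B2, b.name)
    forgery_rejected = b_verify_and_respond(b, r_B2, r_A2, bad_tag) is None

    return success, replay_rejected, forgery_rejected


if __name__ == "__main__":
    print(run_mutual_auth())  # (True, True, True)
```

The unilateral nonce-based variant is the same code with message 3 dropped; the timestamp-based variant replaces the outstanding-challenge set with a clock-skew window plus a cache of recently seen timestamps.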
Public-key Cryptography
Cleverly use digital signatures to authenticate to a party. (This will be covered later)
Passwords
• Oldest and most common form of authentication token, due to its ease of deployment
• The 1961 Compatible Time-Sharing System at MIT was most likely the first deployment of passwords
• Passwords were deployed in traditional computer systems like MULTICS and Unix in the 1970s
Variations of Passwords
• Passphrase
  • A sequence of words or other text used for a similar purpose as a password
• Passcode
  • Personal Identification Number (PIN)
Attractive Properties of Passwords
• Easily deployable
  • No need for additional hardware
• Customizable
  • Choose your own password
• Convenient to replace
• Ease of use
Problems with Passwords
• For security, it is desirable for passwords to be unpredictable
• However, it is difficult to remember highly random things
• A recent survey showed that an individual has on average 106 online accounts
• It is desirable for individuals not to use the same password for all accounts
Problems with Passwords
There is an inherent tension between security and usability of passwords
Usability Metrics
• Sentiment
  • Creation difficulty, recall difficulty
• Time
  • Password creation and recall
• Memorability
  • Recall attempts, password write-down
Human Memory
• Human memory is semantic
• Human memory is associative
• Human memory is lossy
Human memory is Semantic
• Memorize: nbccbsabc
• Memorize: tkqizrlwp
• 3 chunks vs. 9 chunks!
• Usability Goal: Minimize the number of chunks
Source: The magical number seven, plus or minus two [Miller, 56]
Human memory is Associative
Cues
• Cue: the context when a memory is stored
  • Surrounding environment
  • Sounds
  • Visual surroundings
  • Web site
  • …
• As time passes we forget some of this context…
Human memory is Lossy
• Rehearse or Forget!
• How much work?
• Quantify usability
• Rehearsal assumption
[Figure: passwords p_amazon and p_google]
Usability Question
• Important Question: Are humans inherently bad at remembering random information?
• Answer: Not really, with proper training
• Paper: Towards reliable storage of 56-bit secrets in human memory (USENIX 2014)
[Figure: learning a 56.4-bit secret after 36 logins]
Source: Towards reliable storage of 56-bit secrets in human memory, USENIX Security 2014.
Example of Weak Passwords (Wikipedia)
• Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc.
• Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc.
• Words with numbers appended: password1, deer2000, john1234, etc.
• Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc.
• Doubled words: crabcrab, stopstop, treetree, passpass, etc.; these can be easily tested automatically.
Example of Weak Passwords (Wikipedia)
• Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc.
• Numeric sequences based on well-known numbers such as 911, 314159, or 27182, etc.
• IDs: jsmith123, 1/1/1970, 555–1234, etc.
• Personal info: license plate number, SSN, telephone number, student ID, address, birthday, relative's or pet's names, etc.
• These can easily be tested automatically after a simple investigation of the person's details.
Password Composition Policy
Password Generated: P@ssw0rd1
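The two weak-password slides and the composition-policy slide make one point between them: a password can satisfy a length/upper/lower/digit/symbol rule and still fall into a class that is trivially testable. The checker below is an added example, not code from the slides or from Wikipedia; it encodes the weak-password classes the slides list (defaults, dictionary words, appended digits, leet-style obfuscation, doubled words, keyboard rows, well-known numbers) against a constructed toy word list and a constructed policy, and shows that P@ssw0rd1 passes the policy yet is flagged. A real deployment would replace the toy list with a large cracking dictionary.

```python
import re

# Constructed toy data; a real checker uses a large dictionary of known weak passwords.
DEFAULTS = {"password", "default", "admin", "guest"}
DICTIONARY = {"password", "chameleon", "redsox", "sandbags", "bunnyhop", "deer",
              "john", "crab", "stop", "tree", "pass", "goldfish"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
WELL_KNOWN_NUMBERS = {"911", "314159", "27182"}
# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})


def meets_composition_policy(pw: str) -> bool:
    """A constructed policy: >= 8 chars with upper, lower, digit and symbol."""
    return bool(len(pw) >= 8 and re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
                and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))


def weak_password_reasons(pw: str) -> list:
    """Return the weak-password classes from the slides that `pw` falls into."""
    reasons = []
    low = pw.lower()
    if low in DEFAULTS:
        reasons.append("default password")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    m = re.fullmatch(r"([a-z]+)\d+", low)
    if m and m.group(1) in DICTIONARY:
        reasons.append("dictionary word with digits appended")
    base = re.sub(r"\d+$", "", low)          # strip appended digits first
    deleet = base.translate(LEET)
    if deleet != base and deleet in DICTIONARY:
        reasons.append("simple obfuscation of a dictionary word")
    half = len(low) // 2
    if len(low) % 2 == 0 and low[:half] == low[half:] and low[:half] in DICTIONARY:
        reasons.append("doubled word")
    if len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("keyboard sequence")
    if low.isdigit() and low in WELL_KNOWN_NUMBERS:
        reasons.append("well-known number")
    return reasons


def audit(pw: str) -> dict:
    """Combine the policy check with the pattern check, as a registration hook would."""
    reasons = weak_password_reasons(pw)
    return {"policy_ok": meets_composition_policy(pw),
            "weak": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "deer2000", "crabcrab", "qwerty", "xq7!Lm2#vT"]:
        print(candidate, audit(candidate))
```

The interesting row is P@ssw0rd1: `policy_ok` is True and `weak` is also True, which is why composition rules alone are a poor proxy for unpredictability and why checking candidates against known-weak patterns matters more than symbol counting.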