

  1. ITS335: IT Security
     User Authentication
     Sirindhorn International Institute of Technology, Thammasat University
     Prepared by Steven Gordon on 25 October 2013
     its335y13s2l03, Steve/Courses/2013/s2/its335/lectures/auth.tex, r2958 1/40

  2. Contents
     User Authentication
     Password-Based Authentication
     Storing Passwords
     Selecting Passwords
     Token-Based Authentication
     Biometric Authentication
     Summary

  3. User Authentication
     "The process of verifying a claim that a system entity or system resource has a certain attribute value."
     — R. Shirey, "Internet Security Glossary, Version 2", IETF RFC4949

  4. Two Steps of Authentication
     1. Identification step: presenting an identifier to the security system
        ◮ E.g. user ID
        ◮ Generally unique but not secret
     2. Verification step: presenting or generating authentication information that acts as evidence to prove the binding between the attribute and that for which it is claimed
        ◮ E.g. password, PIN, biometric information
        ◮ Often secret or cannot be generated by others
     User authentication is the primary line of defence in computer security; other security controls rely on user authentication

  5. Means of Authentication
     Something the individual . . .
     Knows
        ◮ E.g. password, PIN, question answers
     Possesses
        ◮ Token, e.g. keycards, smart card, physical key
     Is
        ◮ Static biometrics, e.g. fingerprint, retina, face
     Does
        ◮ Dynamic biometrics, e.g. voice pattern, handwriting, typing rhythm

  6. Humans and Computers
     "Humans are also large, expensive to maintain, difficult to manage and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations."
     — Kaufman, Perlman, Speciner, "Network Security: Private Communication in a Public World", Prentice Hall 2002

  7. Contents (outline as on slide 2)

  8. Password-Based Authentication
     ◮ Many multiuser computer systems use a combination of ID and password for user authentication
     ◮ System initially stores username and password
     ◮ User submits username/password to system; compared against stored values; if match, user is authenticated
     ◮ Identity (ID):
        ◮ Determines whether user is authorised to gain access to system
        ◮ Determines privileges of user, e.g. normal or superuser
        ◮ Used in access control to grant permissions to resources for user
     ◮ Password:
        ◮ What is a good password?
        ◮ How to store the passwords?
        ◮ How to submit the passwords?
        ◮ How to respond (if no match)?

  9. Vulnerability of Passwords
     Offline Dictionary Attack: attacker obtains access to ID/password (hash) database; uses a dictionary to find passwords
        ◮ Countermeasures: control access to database; reissue passwords if compromised; strong hashes and salts
     Specific Account Attack: attacker submits password guesses on a specific account
        ◮ Countermeasure: lock account after too many failed attempts
     Popular Password Attack: try a popular password with many IDs
        ◮ Countermeasures: control password selection; block computers that make multiple attempts

  10. Vulnerability of Passwords
     Password Guessing Against Single User: gain knowledge about the user and use that to guess the password
        ◮ Countermeasures: control password selection; train users in password selection
     Computer Hijacking: attacker gains access to a computer that the user is currently logged in to
        ◮ Countermeasure: auto-logout
     Exploiting User Mistakes: users write down passwords, share them with friends, are tricked into revealing passwords, use pre-configured passwords
        ◮ Countermeasures: user training, passwords plus other authentication

  11. Vulnerability of Passwords
     Exploiting Multiple Password Use: passwords re-used across different systems/accounts make it easier for an attacker to access resources once one password is discovered
        ◮ Countermeasure: control selection of passwords on multiple accounts/devices
     Electronic Monitoring: attacker intercepts passwords sent across the network
        ◮ Countermeasure: encrypt communications that send passwords
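The two online-guessing countermeasures on slide 9 (lock an account after too many failed attempts; block a computer that makes many attempts) can be written down as a small login front end. The following is an added example and not code from the lecture; the user names, client addresses, passwords and the limits MAX_FAILS_PER_ACCOUNT and MAX_FAILS_PER_CLIENT are constructed, and PBKDF2 is used only as a stand-in for whatever the server stores.

```python
"""Online-guessing countermeasures from the 'Vulnerability of Passwords' slides:
lock an account after too many failures (specific account attack) and block a
client that fails against many accounts (popular password attack). Added
illustration, not code from the lecture; names, addresses and limits are constructed."""
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILS_PER_ACCOUNT = 5   # assumed policy values
MAX_FAILS_PER_CLIENT = 10


class AuthServer:
    def __init__(self):
        self._users = {}                       # user_id -> (salt, hash)
        self.account_fails = defaultdict(int)  # failures per user ID
        self.client_fails = defaultdict(int)   # failures per source address
        self.locked_accounts = set()
        self.blocked_clients = set()

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

    def register(self, user_id, password):
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._hash(password, salt))

    def login(self, client, user_id, password):
        if client in self.blocked_clients:
            return "blocked_client"
        if user_id in self.locked_accounts:
            return "locked_account"
        record = self._users.get(user_id)
        # Hash even for unknown IDs so timing does not reveal whether the account exists
        salt, stored = record if record else (bytes(16), b"")
        candidate = self._hash(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.account_fails[user_id] = 0
            return "ok"
        self.account_fails[user_id] += 1
        self.client_fails[client] += 1
        if self.account_fails[user_id] >= MAX_FAILS_PER_ACCOUNT:
            self.locked_accounts.add(user_id)
        if self.client_fails[client] >= MAX_FAILS_PER_CLIENT:
            self.blocked_clients.add(client)
        return "bad_credentials"


def run_demo():
    """Replay two constructed attacks; return the server and per-attempt outcomes."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")
    server.register("bob", "Password1")   # bob chose a popular password
    results = {}
    # Specific account attack: six guesses at alice from one client
    results["specific"] = [server.login("10.0.0.7", "alice", f"guess{i}") for i in range(6)]
    # The lockout now also refuses alice's real password: lockout is a denial-of-service risk
    results["victim"] = server.login("192.0.2.10", "alice", "correct horse battery staple")
    # Popular password attack: one client tries "Password1" against many IDs
    ids = ["dave", "erin", "frank", "bob", "grace", "heidi", "ivan",
           "judy", "mallory", "niaj", "olivia", "peggy"]
    results["spray"] = [server.login("10.0.0.9", uid, "Password1") for uid in ids]
    return server, results


if __name__ == "__main__":
    _, outcome = run_demo()
    for attack, result in outcome.items():
        print(attack, result)
```

Two things the replay makes visible that the slide does not. The account lockout stops the guesses at alice but also locks out alice herself, so an attacker who only wants to deny service needs just five wrong guesses; that is why many deployments prefer rate limiting or increasing delays over a hard lock. The per-client block catches the spray only after it has already succeeded against bob, and an attacker with many source addresses stays under the per-client limit entirely; the countermeasure that actually stops the popular password attack is the first one on slide 9, controlling password selection.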

  12. Contents (outline as on slide 2)

  13. Storing Passwords
     ◮ Upon initial usage, user ID and password are registered with system
     ◮ ID, password (or information based on it), and optionally other user information stored on system, e.g. in file or database
     ◮ To access system, user submits ID and password, compared against stored values
     ◮ How should passwords be stored?

  14. Storing Passwords in the Clear
     Stored: ID, P
     Insider attack: normal user reads the database and learns other users' passwords
        ◮ Countermeasure: access control on password database
     Insider attack: admin user reads the database and learns other users' passwords
        ◮ Countermeasure: none; admin users must be trusted!
     Outsider attack: attacker gains unauthorised access to database and learns all passwords
        ◮ Countermeasure: do not store passwords in the clear

  15. Encrypting the Passwords
     Stored: ID, E(K, P)
     ◮ Encrypted passwords are stored
     ◮ When user submits password, it is encrypted and compared to the stored value
     ◮ Drawback: secret key K must be stored (on file or in memory); if attacker can read the database, then likely they can also read K

  16. Hashing the Passwords
     Stored: ID, H(P)
     ◮ Hashes of passwords are stored
     ◮ When user submits password, it is hashed and compared to the stored value
     ◮ Practical properties of hash functions:
        ◮ Variable sized input; produce a fixed length, small output
        ◮ Collision resistant: infeasible to find two inputs with the same hash
        ◮ One-way function
     ◮ If attacker gains database, practically impossible to take a hash value and directly determine the original password

  17. Brute Force Attack on Hashed Passwords
     ◮ Aim: given one (or more) target hash value, find the original password
     ◮ Start with large set of possible passwords (e.g. from dictionary, all possible n-character combinations)
     ◮ Calculate hash of possible password, compare with target hash
        ◮ if match, original password is found
        ◮ else, try next possible password
     ◮ Attack duration depends on size of possible password set

  18. Pre-calculated Hashes and Rainbow Tables
     ◮ How to speed up brute force attack? Use hash values calculated by someone else
     ◮ Possible passwords and corresponding hashes stored in database
     ◮ Attacker performs lookup on database for target hash
     ◮ How big is such a database of pre-calculated hashes?
        ◮ In raw form, generally too big to be practical (100's, 1000's of TB)
        ◮ Using specialised data structures (e.g. rainbow tables), can obtain manageable size, e.g. 1 TB
        ◮ Trade-off: reduce search time, but increase storage space
     ◮ Countermeasures:
        ◮ Longer passwords
        ◮ Slower hash algorithms
        ◮ Salting the password before hashing
           ◮ A pre-calculated table is reusable only because the same password always produces the same hash; a per-user random salt removes that property, so the table must be rebuilt for every user
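Slides 16 to 18 describe storing H(P), the dictionary attack against it, and the salt and slow-hash countermeasures. The following added example (not code from the lecture) runs the attack both ways on a constructed three-user database with a constructed twelve-word dictionary: a shared pre-calculated table cracks every user of an unsalted SHA-256 database with no hashing at attack time, while per-user salts force the attacker to hash the dictionary again for each user, and a deliberately slow hash (PBKDF2 here, standing in for "slower hash algorithms"; the ITERATIONS count is an assumed value) multiplies the cost of each of those guesses.

```python
"""Offline dictionary attack against stored password hashes, and the salt +
slow-hash countermeasures from slides 16-18. Added illustration, not code
from the lecture; user names, passwords and the word list are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # PBKDF2 work factor; assumed value, real deployments use more

# Constructed word list standing in for an attacker's dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "sunshine",
            "iloveyou", "football", "monkey", "trustno1", "welcome", "admin"]


def store_unsalted(password):
    """ID, H(P): fast unsalted hash (slide 16)."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """ID, salt, H(salt, P) with a slow hash (slide 18 countermeasures)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Login check: recompute with the stored salt; constant-time compare."""
    return hmac.compare_digest(store_salted(password, salt)[1], digest)


def build_lookup_table(words):
    """Pre-calculated hashes (slide 18): computed once, reused for any victim database."""
    return {store_unsalted(w): w for w in words}


def crack_unsalted(db, table):
    """One table lookup per user, zero hash computations at attack time."""
    return {uid: table.get(h) for uid, h in db.items()}


def crack_salted(db, words):
    """Per-user salt defeats the shared table: hash the dictionary again for every user.
    Returns (recovered passwords, number of hash computations spent)."""
    found, work = {}, 0
    for uid, (salt, digest) in db.items():
        found[uid] = None
        for w in words:
            work += 1
            if store_salted(w, salt)[1] == digest:
                found[uid] = w
                break
    return found, work


def demo():
    passwords = {"alice": "letmein", "bob": "letmein",
                 "carol": "correct horse battery staple"}  # constructed

    unsalted_db = {uid: store_unsalted(p) for uid, p in passwords.items()}
    table = build_lookup_table(WORDLIST)          # len(WORDLIST) hashes, once
    cracked_unsalted = crack_unsalted(unsalted_db, table)

    salted_db = {uid: store_salted(p) for uid, p in passwords.items()}
    cracked_salted, work = crack_salted(salted_db, WORDLIST)

    return {
        # unsalted: equal passwords give equal hashes, so alice and bob are linked
        "same_hash_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "same_hash_salted": salted_db["alice"][1] == salted_db["bob"][1],
        "cracked_unsalted": cracked_unsalted,
        "cracked_salted": cracked_salted,
        "table_hashes": len(WORDLIST),
        "salted_hashes": work,
        "login_ok": verify_salted("letmein", *salted_db["alice"]),
        "login_bad": verify_salted("letmeout", *salted_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the salt does and does not buy. alice and bob still fall, because "letmein" is in the dictionary and the salt is stored next to the hash; a salt only stops the attacker from reusing one table (or one rainbow table) across all users and all breaches, and from seeing that two users share a password. The work that remains is per guess per user, which is exactly where the slow hash bites: at ITERATIONS rounds each of the eighteen salted guesses costs thousands of times more than one of the twelve SHA-256 table entries, and the same multiplier applies to every row of a leaked database. For new systems the password-hashing functions designed for this job (bcrypt, scrypt, Argon2) are the usual choice rather than plain PBKDF2.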
