
INFORMATION SECURITY

Module-II
Arun Anoop M,
Asst. Professor (CSE),
MES College Of Engg.,
Kuttipuram.

02/10/15    ARUN ANOOP M, AP, CSE dept., MESCE Kuttipuram

Portions in Authentication (Module II)

o Authentication
o Authentication methods
o Passwords
o Biometrics and examples
o Two-factor authentication
o Single sign-on
o Web cookies
o CAPTCHA

DEMO Section

http://www4.comp.polyu.edu.hk/~csdzhang/Biocomuting/group09/BA/sysBA.swf
http://www4.comp.polyu.edu.hk/~csdzhang/Biocomuting/group09/BA/whatBA.html
http://www4.comp.polyu.edu.hk/~csdzhang/Biocomuting/group09/BA/appBA.html
http://www4.comp.polyu.edu.hk/~csdzhang/Biocomuting/gp_12/Mm.swf
http://www.godsp.com/apps_presentations/flashcon

Access Control

Two parts

Authentication:
o Determine whether access is allowed
o Authenticate human to machine
o Or authenticate machine to machine

Authorization:
o Are you allowed to do that?

Authentication
choose your own method (and strength)

Authentication vs Authorization

Authentication
Are you who you say you are?
o Restrictions on who (or what) can access the system

Authorization
Are you allowed to do that?
o Restrictions on actions of authenticated users

Authorization is a form of access control

Authentication Methods

How to authenticate a human to a machine?

Can be based on
o Something you know
  For example, a password
o Something you have
  For example, a smartcard
o Something you are
  For example, your fingerprint

Authentication Types

[Figure: Strong Authentication; factors KNOW, HAVE, ARE]

*******

Something You Know (example: PASSWORD)

Lots of things act as passwords!
o PIN
o Social security number
o Mother's maiden name
o Date of birth
o Name of your pet, etc.

Trouble with Passwords

Passwords are one of the biggest practical problems facing security engineers today.

Humans are incapable of securely storing high-quality cryptographic keys.

Keys vs Passwords

Crypto keys
o 64-bit cryptographic keys
o Then 2^64 keys
o Choose key at random
o Then attacker must try about 2^63 keys

Passwords
o 8 characters long, with 256 possible choices for each character
o 2^64 possible passwords
o Users do not select passwords at random
o Attacker has 2^63 passwords to try

Good and Bad Passwords

Bad passwords
o frank
o Fido
o password
o 4444
o Pikachu
o 102560
o AustinStamp

Good passwords?
o jfIej,43j-EmmL+y
o 09864376537263
o P0kem0N
o FSa7Yago
o 0nceuP0nAt1m8
o PokeGCTall150

Password File?

Bad idea to store passwords in a file
But need a way to verify passwords

Cryptographic solution: hash the password
o Store y = h(password)
o Can verify entered password by hashing
o If Trudy obtains the password file, she does not obtain passwords

But Trudy can try a forward search
o Guess x and check whether y = h(x)

Salt

Hash password with salt

Choose random salt s and compute
  y = h(password, s)
and store (s, y) in the password file

The salt s is not secret

Easy to verify salted password
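The two slides above (Password File and Salt) can be run side by side. The following is an added example written for these notes, not code from the lecture or from any project it cites: SHA-256 stands in for the generic hash h, and the user names, passwords and Trudy's guess list are constructed for the demonstration. It shows the forward search against y = h(x), why a single precomputed table of h(x) values cracks every unsalted record at once and exposes users who share a password, and how storing (s, y) with a random, non-secret salt defeats that table while keeping verification just as easy.

```python
"""Password file: y = h(password) versus (s, y) with y = h(password, s).

Added example, not from the lecture slides. h is SHA-256 here, standing in
for the slides' generic hash h; all names, passwords and guesses are
constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Trudy's guess list, constructed from the "bad passwords" on the slides.
GUESSES: List[str] = ["frank", "Fido", "password", "4444", "Pikachu", "102560"]


def h(data: bytes) -> bytes:
    """The hash function h of the slides (SHA-256 chosen for the example)."""
    return hashlib.sha256(data).digest()


# ---- Unsalted scheme: the file stores y = h(password) ----------------------

def store_unsalted(password: str) -> bytes:
    return h(password.encode("utf-8"))


def verify_unsalted(password: str, y: bytes) -> bool:
    """Hash the entered password and compare it with the stored y."""
    return hmac.compare_digest(h(password.encode("utf-8")), y)


def forward_search(y: bytes, guesses: List[str]) -> Optional[str]:
    """Trudy's forward search: guess x and check whether y == h(x)."""
    for x in guesses:
        if h(x.encode("utf-8")) == y:
            return x
    return None


def precomputed_table(guesses: List[str]) -> Dict[bytes, str]:
    """h(x) -> x for every guess. Built once, it covers every unsalted record
    whose password is in the list without hashing anything again."""
    return {h(x.encode("utf-8")): x for x in guesses}


def crack_unsalted_file(records: Dict[str, bytes],
                        table: Dict[bytes, str]) -> Dict[str, str]:
    """Look each stored hash up in the table: one table serves all users."""
    return {user: table[y] for user, y in records.items() if y in table}


# ---- Salted scheme: the file stores (s, y) with y = h(password, s) ---------

def store_salted(password: str,
                 salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Choose a random salt s (not secret) and store (s, y)."""
    s = os.urandom(16) if salt is None else salt
    return s, h(s + password.encode("utf-8"))


def verify_salted(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Verification stays easy: recompute h(password, s) with the stored s."""
    s, y = record
    return hmac.compare_digest(h(s + password.encode("utf-8")), y)


def crack_salted_file(records: Dict[str, Tuple[bytes, bytes]],
                      table: Dict[bytes, str]) -> Dict[str, str]:
    """The same table is useless here: h(s || x) never equals h(x), so Trudy
    must redo the forward search separately for every salt."""
    return {user: table[y] for user, (s, y) in records.items() if y in table}


if __name__ == "__main__":
    users = {"alice": "Pikachu", "bob": "password",
             "carol": "password", "dave": "FSa7Yago"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    table = precomputed_table(GUESSES)
    print("unsalted file via table:", crack_unsalted_file(unsalted, table))
    print("bob/carol share a hash  :", unsalted["bob"] == unsalted["carol"])
    print("salted file via table   :", crack_salted_file(salted, table))
    print("bob/carol share a hash  :", salted["bob"][1] == salted["carol"][1])
```

The salt does not stop Trudy from guessing one particular user's weak password; it removes the shortcut of one precomputed table for the whole file and hides which users share a password. A real deployment would also use a deliberately slow password hash, which is outside what these slides cover.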

Other Password Issues

Too many passwords to remember
o Password reuse

Failure to change default passwords

Bugs (program errors), keystroke logging, spyware, etc.

Passwords

Password cracking is too easy
o One weak password may break security
o Users choose bad passwords
o Social engineering attacks, etc.

Password Cracking Tools

Popular password cracking tools
o Password Crackers
o Password Portal
o L0phtCrack and LC4 (Windows)
o John the Ripper (Unix)

Good articles on password cracking
o Passwords - Cornerstone of Computer Security
o Passwords revealed by sweet deal

Biometrics

Two categories of biometrics: [figure]

Something You Are

Biometric
o "You are your key" (Schneier)

Examples
o Fingerprint
o Handwritten signature
o Facial recognition
o Speech recognition
o Gait (walking) recognition

[Figure: Know / Have / Are]

Why Biometrics?

More secure replacement for passwords

Biometrics are used in security today
o Thumbprint mouse
o Palm print for secure entry
o Fingerprint to unlock car door, etc.

Biometric Modes

Identification
Who goes there?
o Compare one to many
o Example: the FBI fingerprint database
o Facial recognition is used for identification

Authentication
Are you who you say you are?
o Compare one to one
o Example: thumbprint mouse

Identification problem is more difficult
o More random matches since more comparisons

Identification: identify the subject from a list of many possible subjects (1 to many). Example: FBI fingerprint database.

Authentication: Alice uses thumbprint mouse biometrics (captured thumbprint image == stored thumbprint image).

Enrollment vs Recognition

Enrollment phase
o Subject's biometric info is put into the database
o A sample of the biometric trait is captured, processed by a computer, and stored for later comparison

Recognition phase
o The biometric system authenticates a person's claimed identity against their previously enrolled pattern

Biometric Errors

Fraud rate versus insult rate
o Fraud: Trudy mis-authenticated as Alice (rate at which mis-authentication occurs)
o Insult: Alice not authenticated as Alice (Alice tries to authenticate herself but the system fails to authenticate her)

For example
o 99% voiceprint match required: low fraud, high insult
o 30% voiceprint match required: high fraud, low insult

Equal error rate: rate where fraud == insult

BIOMETRIC EXAMPLES
1) Facial recognition
2) Fingerprint verification
3) Hand geometry
4) Retina scanning
5) Iris scanning
6) Voice verification
7) Signature verification

BIOMETRIC EXAMPLES (covered below)
FINGERPRINTS
HAND GEOMETRY
IRIS SCAN
BIOMETRIC ERROR RATES
BIOMETRIC CONCLUSION

Fingerprint [1]

Were used in ancient China as a form of signature.
Use of fingerprints as a scientific form of identification.
Fingerprints are routinely used for identification, particularly in criminal cases.

Stages [figure]

Fingerprint Comparison

Examples of loops, whorls, and arches
Minutiae (points) extracted from these features

[Figure: Loop (double), Whorl, Arch]

Fingerprint: Enrollment

Capture image of fingerprint
Enhance image
Identify points

Fingerprint: Recognition

Extracted points are compared with information stored in a database

Do identical twins' fingerprints differ?

Hand Geometry [2]

A popular biometric
Measures shape of hand
o Width of hand, fingers
o Length of fingers, etc.

Human hands not unique
Hand geometry sufficient for many situations
Not suitable for identification
Easy & quick to measure

Hand Geometry
Advantages
o Quick: 1 minute for enrollment, 5 seconds for recognition
o Hands are symmetric

Disadvantages
o Cannot use on very young or very old
o Relatively high equal error rate

Iris Scan [3]

Best for authentication.
Pattern is stable throughout lifetime.

[Figure: captured image pattern compared with stored image pattern]

Mapping patterns [figure]

Iris Patterns

Iris (colored part of eye) is chaotic
Little or no genetic influence
Different even for identical twins

Automated iris scanner

First locate the iris.
Take black & white photo of eye.
Use polar coordinates.
Resulting image processed using 2D wavelet transform.
Result: 256-byte (2048-bit) iris code.

[Figures: iris code generation, 256 bytes; sources [1], [2], [3], [4], [5]]

Measuring Iris Similarity

Iris codes compared based on Hamming distance.

X is Alice's scanned iris in the recognition phase.
Y is Alice's iris scan stored in the scanner's database from the enrollment phase.

X & Y compared by computing the distance d(X,Y) between X & Y as defined by

  d(X,Y) = number of non-matching bits / number of bits compared

Perfect match: d(X,Y) = 0

Match case: Alice's data from the enrollment phase is compared to her scan data from the recognition phase.

Non-match data provides information on the fraud rate.
Match data provides information on the insult rate.

Under laboratory conditions
o For the same iris: expected distance -> 0.08
o For different irises: expected distance -> 0.50

Match if the distance is less than 0.32; otherwise non-match.

Match data provide information on the insult rate.
Non-match data provide information on the fraud rate.
Histogram based on a million comparisons. [figure]
Overlapping region between match & non-match: misidentification occurs.
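The Biometric Errors slide (fraud rate, insult rate, equal error rate) and the iris slides above (Hamming distance d(X,Y), expected distances 0.08 and 0.50, match threshold 0.32) describe one mechanism from two sides, so a single added example covers both. It is written for these notes and is not code from the lecture: the iris codes are constructed random 256-byte (2048-bit) strings standing in for real iris codes, and a fresh scan of the same iris is simulated by flipping a few percent of the bits. It computes d(X,Y), makes the match decision at 0.32, measures fraud and insult rates from constructed match and non-match samples, and sweeps the threshold to find where the two rates meet.

```python
"""Iris-code matching by Hamming distance; fraud, insult and equal error rates.

Added example, not from the lecture slides. Codes are constructed random
256-byte (2048-bit) strings; a repeat scan is simulated by bit flips. The
0.08 / 0.50 expected distances and the 0.32 threshold are the slides' figures.
"""
import random
from typing import List, Sequence, Tuple

CODE_BYTES = 256        # 256-byte (2048-bit) iris code, as on the slides
MATCH_THRESHOLD = 0.32  # match if d(X, Y) < 0.32, otherwise non-match


def hamming_distance(x: bytes, y: bytes) -> float:
    """d(X,Y) = number of non-matching bits / number of bits compared."""
    if len(x) != len(y):
        raise ValueError("iris codes must be the same length")
    nonmatch = sum(bin(a ^ b).count("1") for a, b in zip(x, y))
    return nonmatch / (8 * len(x))


def is_match(x: bytes, y: bytes, threshold: float = MATCH_THRESHOLD) -> bool:
    """Recognition decision: accept when the codes are close enough."""
    return hamming_distance(x, y) < threshold


def error_rates(match_d: Sequence[float], nonmatch_d: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Fraud rate = non-match pairs accepted; insult rate = match pairs rejected."""
    fraud = sum(1 for d in nonmatch_d if d < threshold) / len(nonmatch_d)
    insult = sum(1 for d in match_d if d >= threshold) / len(match_d)
    return fraud, insult


def equal_error_rate(match_d: Sequence[float], nonmatch_d: Sequence[float],
                     steps: int = 100) -> Tuple[float, float]:
    """Sweep the threshold over [0, 1]; return (threshold, rate) where the
    fraud and insult rates are closest to equal."""
    best_t, best_rate, best_gap = 0.0, 1.0, 2.0
    for i in range(steps + 1):
        t = i / steps
        fraud, insult = error_rates(match_d, nonmatch_d, t)
        gap = abs(fraud - insult)
        if gap < best_gap:
            best_t, best_rate, best_gap = t, (fraud + insult) / 2, gap
    return best_t, best_rate


def random_code(rng: random.Random) -> bytes:
    """A constructed stand-in for an enrolled iris code."""
    return bytes(rng.getrandbits(8) for _ in range(CODE_BYTES))


def rescan(code: bytes, flip_fraction: float, rng: random.Random) -> bytes:
    """Simulate a new scan of the same iris by flipping a fraction of its bits."""
    out = bytearray(code)
    n_bits = 8 * len(code)
    for pos in rng.sample(range(n_bits), round(flip_fraction * n_bits)):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def simulate(n_pairs: int = 200, seed: int = 7) -> Tuple[List[float], List[float]]:
    """Constructed match / non-match distance samples, a small version of the
    histogram on the slides: same-iris scans differ by 2-14% of their bits
    (mean near the slides' 0.08), unrelated codes sit near 0.50."""
    rng = random.Random(seed)
    enrolled = random_code(rng)
    match_d = [hamming_distance(enrolled, rescan(enrolled, rng.uniform(0.02, 0.14), rng))
               for _ in range(n_pairs)]
    nonmatch_d = [hamming_distance(enrolled, random_code(rng)) for _ in range(n_pairs)]
    return match_d, nonmatch_d


if __name__ == "__main__":
    m, nm = simulate()
    print("mean same-iris distance     :", round(sum(m) / len(m), 3))
    print("mean different-iris distance:", round(sum(nm) / len(nm), 3))
    for t in (0.05, MATCH_THRESHOLD, 0.60):
        fraud, insult = error_rates(m, nm, t)
        print(f"threshold {t:.2f}: fraud={fraud:.3f} insult={insult:.3f}")
    print("equal error rate (threshold, rate):", equal_error_rate(m, nm))
```

With the constructed samples the two distributions do not overlap, so the 0.32 threshold gives zero fraud and zero insult; tightening the threshold to 0.05 drives the insult rate up while fraud stays at zero, and loosening it to 0.60 accepts every impostor. Real iris data overlap in the tails, which is the misidentification region the histogram slide points out.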

Attack on Iris Scan

Good photo of eye can be scanned
o Attacker could use photo of eye

Afghan woman was authenticated by iris scan of old photo
o Story is here

To prevent attack, scanner could use light to be sure it is a live iris

Equal Error Rate Comparison

Equal error rate (EER): fraud == insult rate

Fingerprint biometric has EER of about 5%
Hand geometry has EER of about 10^-3
Iris scan has EER of about 10^-6

Biometrics is useful for authentication
o Not for identification

arunanoopm@gmail.com

+919497394076
