User Authentication
RFC 4949
RFC 4949 defines user authentication as:
“The process of verifying an identity claimed
by or for a system entity.”
Authentication Process
• Fundamental building block and primary line of defense
• Basis for access control and user accountability
• Identification step: presenting an identifier to the system
• Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier
Authentication Process
• For example, user Alice Toklas could have the user
identifier ABTOKLAS.
o This information needs to be stored on any server or
computer system that Alice wishes to use and could be
known to system administrators and other users.
o A typical item of authentication information associated
with this user ID is a password, which is kept secret (known
only to Alice and to the system).
o If no one is able to obtain or guess Alice’s password, then
the combination of Alice’s user ID and password enables
administrators to set up Alice’s access permissions and
audit her activity.
o Because Alice’s ID is not secret, system users can send her
e-mail, but because her password is secret, no one can
pretend to be Alice.
Authentication Process
• In essence,
o identification is the means by which a user provides a claimed identity to the system (this is how you tell the system who you are: the user name);
o user authentication is the means of establishing the validity of the claim (this is how you prove it: the password).
• Note that user authentication is distinct from message
authentication.
o Message authentication is a procedure that allows
communicating parties to verify that the contents of a
received message have not been altered and that the
source is authentic.
o This chapter is concerned solely with user authentication.
Electronic User Authentication Principles
• NIST defines electronic user authentication as the process
of establishing confidence in user identities that are
presented electronically to an information system.
• Systems can use the authenticated identity to determine if
the authenticated individual is authorized to perform
particular functions, such as database transactions or
access to system resources.
• NIST defines a general model for user authentication that involves a number of entities and procedures. This model is discussed with reference to the following figure:
[Figure: NIST e-authentication model. Registration, credential issuance, and maintenance: the Registration Authority (RA) performs identity proofing / user registration of the Subscriber/Claimant and returns a registration confirmation; the Credential Service Provider (CSP) issues the token/credential. E-authentication using token and credential: the Claimant carries out an authentication protocol exchange with the Verifier, the Verifier performs token/credential validation with the CSP and passes an authenticated assertion to the Relying Party (RP), and the Subscriber then holds an authenticated session with the RP.]
Means of User Authentication
• There are four general means of authenticating a user's identity, which can be used alone or in combination:
o Something the individual knows: password, PIN, answers to prearranged questions
o Something the individual possesses (a token): smartcard, electronic keycard, physical key
o Something the individual is (static biometrics): fingerprint, retina, face
o Something the individual does (dynamic biometrics): voice pattern, handwriting, typing rhythm
• Problems: each method has its own problems.
o Passwords and tokens:
• An adversary may be able to guess or steal a password.
• An adversary may be able to forge or steal a token.
• A user may forget a password or lose a token.
• There is a significant administrative overhead for managing password and token information on systems and for securing such information on systems.
o Biometric authenticators have a variety of problems, including
• dealing with false positives and false negatives (security failure), user acceptance, cost, and convenience.
• False positive (false alarm): an authorized user is identified as an intruder.
• False negative: an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false negatives, that is, intruders not identified as intruders.
Risk Assessment for User Authentication
• There are three separate concepts: assurance level, potential impact, and areas of risk.
• Assurance level describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity. More specifically, it is defined as:
o The degree of confidence in the vetting (checking) process used to establish the identity of the individual to whom the credential was issued
o The degree of confidence that the individual who
• Four levels of assurance:
o Level 1: Little or no confidence in the asserted identity's validity
o Level 2: Some confidence in the asserted identity's validity
o Level 3: High confidence in the asserted identity's validity
[Figure: categories of password vulnerability: exploiting multiple password use, specific account attack, popular password attack, exploiting user mistakes]
Password Vulnerabilities
1) Offline dictionary attack:
o Typically, strong access controls are used to protect the system's password file.
o However, if the attacker obtains the system password file, he or she can compare the password hashes against hashes of commonly used passwords.
o If a match is found, the attacker can gain access with that ID/password combination.
o Countermeasures include controls to prevent unauthorized access to the password file, intrusion detection measures to identify a compromise, and rapid reissuance of passwords should the password file be compromised.
2) Specific account attack:
o The attacker targets a specific account and submits password guesses until the correct password is discovered.
o The standard countermeasure is an account lockout mechanism, which locks out access after a number of failed login attempts.
Password Vulnerabilities
3) Popular password attack:
o The attacker uses a popular password and tries it against a wide range of user IDs.
o A user's tendency is to choose a password that is easily remembered; unfortunately, this also makes the password easy to guess.
o Countermeasures include
• policies to inhibit the selection by users of common passwords
• scanning the IP addresses of authentication requests and client cookies for submission patterns.
4) Password guessing against a single user:
o The attacker attempts to gain knowledge about the account holder and the system password policies and uses that knowledge to guess the password.
o Countermeasures include training in and enforcement of password policies that make passwords difficult to guess (minimum length of the password, character set, prohibition against using well-known user identifiers, and the period of use).
Password Vulnerabilities
5) Workstation hijacking:
o The attacker waits until a logged-in workstation is unattended.
o The countermeasure is automatically logging the workstation out after a period of inactivity.
[Figure (b) Verifying a password: the user ID selects the matching salt and hash code from the password file; the salt and the submitted password are fed to the slow hash function; the resulting hashed password is compared with the stored hash code.]
Now regarded as inadequate
• Still often required for compatibility with existing account management software or multivendor environments
Improved Implementations
• Much stronger hash/salt schemes available for Unix
• Recommended hash function is based on MD5
o Salt of up to 48 bits
o Password length is unlimited
o Produces 128-bit hash
o Uses an inner loop with 1000 iterations to achieve slowdown
• OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt
o Most secure version of Unix hash/salt scheme
o Uses 128-bit salt to create 192-bit hash value
Password Cracking
• Dictionary attacks
o Develop a large dictionary of possible passwords and try each against the password file
o Each password must be hashed using each salt value and then compared to stored hash values
• Rainbow table attacks
o Pre-compute tables of hash values for all salts
o A mammoth table of hash values
o Can be countered by using a sufficiently large salt value and a sufficiently large hash length
[Figure: percent of passwords guessed (0% to 40%) versus number of guesses (10^4 to 10^13)]
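The following is an added example, not code from the lecture slides or from any Unix implementation. It puts the password-file figure and the offline dictionary / rainbow table discussion into working code: records hold (user ID, salt, iteration count, hash code), PBKDF2-HMAC-SHA256 stands in for the slides' generic "slow hash function", and a plain unsalted SHA-256 plays the role of the weak scheme that a precomputed table defeats. The iteration count, the salt length, and the tiny common-password list are constructed values chosen for illustration.

```python
"""Salted, slow password hashing beside an unsalted hash-table lookup (added example)."""
import hashlib
import hmac
import os
from typing import Dict, NamedTuple, Optional

# Constructed cost parameter: tune so that one hash costs roughly 100 ms on the real host.
ITERATIONS = 100_000


class PasswordRecord(NamedTuple):
    """One line of the password file, as in the slide figure."""
    user_id: str
    salt: bytes
    iterations: int
    hash_code: bytes


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Iterated HMAC-SHA256 over the salted password: cheap to verify once, costly to guess at scale."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(user_id: str, password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Create a record with a fresh random 128-bit salt unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    return PasswordRecord(user_id, salt, ITERATIONS, slow_hash(password, salt, ITERATIONS))


def verify_password(store: Dict[str, PasswordRecord], user_id: str, password: str) -> bool:
    """Select the user's salt, recompute the slow hash, and compare in constant time."""
    rec = store.get(user_id)
    if rec is None:
        return False
    candidate = slow_hash(password, rec.salt, rec.iterations)
    return hmac.compare_digest(candidate, rec.hash_code)


def unsalted_hash(password: str) -> bytes:
    """The weak scheme: one plain SHA-256, identical for every user with the same password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed mini "dictionary of commonly used passwords".
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def precomputed_table() -> Dict[bytes, str]:
    """Hash -> password table an attacker builds once; only useful against unsalted hashes."""
    return {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: bytes) -> Optional[str]:
    """Offline dictionary attack against a stolen hash: a plain table lookup, no hashing per guess."""
    return precomputed_table().get(stored_hash)


def build_demo_store() -> Dict[str, PasswordRecord]:
    """Two constructed accounts that happen to share the same weak password."""
    return {uid: make_record(uid, "letmein") for uid in ("ABTOKLAS", "JDOE")}


if __name__ == "__main__":
    store = build_demo_store()
    print("correct password accepted:", verify_password(store, "ABTOKLAS", "letmein"))
    print("wrong password rejected:", not verify_password(store, "ABTOKLAS", "letmeout"))
    print("same password, different stored hashes:",
          store["ABTOKLAS"].hash_code != store["JDOE"].hash_code)
    print("precomputed table hit on unsalted hash:", lookup_unsalted(unsalted_hash("letmein")))
    print("precomputed table hit on salted hash:", lookup_unsalted(store["ABTOKLAS"].hash_code))
```

Two points from the slides are visible in the output. The per-user salt makes the two "letmein" records differ, so a single precomputed table (the rainbow table idea) no longer maps stored hashes back to passwords, and the attacker must hash each guess with each salt. The iteration count is what turns "each guess must be hashed" into a real cost; the salt itself is stored in the clear and need not be secret.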
[Figure: password selection strategies. Password file access control: make the file available only to privileged users; vulnerabilities. Proactive checking: rule enforcement (specific rules that passwords must adhere to), password cracker (compile a large dictionary of passwords not to use), Bloom filter (used to build a table based on the dictionary using hashes; check the desired password against this table).]
Proactive Password Checking
• Proactive password checking: the user selects his or her own password, which the system then checks to see if it is allowable and, if not, rejects it. It must strike a balance between user acceptability and strength. Likely the best solution.
• Three techniques are available:
1. Rule enforcement: specific rules that passwords must adhere to.
o All passwords must be at least eight characters long.
o The passwords must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks.
o The process of rule enforcement can be automated by using a proactive password checker, such as the open-source pam_passwdqc (openwall.com/passwdqc/), which enforces a variety of rules on passwords and is configurable by the system administrator.
2. Password cracker: compile a large dictionary of passwords not to use.
o Compile a large dictionary of possible "bad" passwords. When a user selects a password, the system checks to make sure that it is not on the disapproved list. There are two problems with this approach:
• Space: The dictionary must be very large to be effective.
• Time: The time required to search a large dictionary may itself be large. In addition, to check for likely permutations of dictionary words, either those words must be included in the dictionary, making it truly huge, or each search must also involve considerable processing.
3. Bloom filter: build a table from the dictionary using hashes, then check the desired password against this table.
o An effective and efficient proactive password checker that is based on rejecting words on a list has been implemented on a number of systems, including Linux.
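Here is an added example, not the slides' code or any Linux checker, showing the Bloom filter technique from item 3 and the space/time problem it addresses from item 2. It builds an N-bit table from a constructed list of disallowed words with k hash functions, each derived from SHA-256 with a distinct prefix (an assumption of this example), checks a candidate and a few cheap permutations against the table, and evaluates the standard false-positive estimate P ≈ (1 - e^(-k/R))^k, where R = N/D is the number of table bits per dictionary word. The bits-per-word and k values are chosen for illustration.

```python
"""Bloom-filter proactive password checker with its false-positive estimate (added example)."""
import hashlib
import math
from typing import Iterable, List


class BloomPasswordFilter:
    """N-bit table plus k hash functions; membership test can say 'yes' falsely, never 'no' falsely."""

    def __init__(self, bits: int, num_hashes: int) -> None:
        self.bits = bits
        self.k = num_hashes
        self.table = bytearray((bits + 7) // 8)  # all N bits start at zero

    def _positions(self, word: str) -> List[int]:
        # H_i(word) = SHA-256("i:" + word) mod N, for i = 1..k (assumed construction)
        return [
            int.from_bytes(hashlib.sha256(f"{i}:{word}".encode("utf-8")).digest(), "big") % self.bits
            for i in range(1, self.k + 1)
        ]

    def add(self, word: str) -> None:
        """Set the k bits for one dictionary word; the word itself is not stored."""
        for pos in self._positions(word):
            self.table[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, word: str) -> bool:
        """Report the word as (probably) in the dictionary if all k of its bits are set."""
        return all((self.table[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(word))


def expected_false_positive_rate(num_hashes: int, bits_per_word: float) -> float:
    """P ≈ (1 - e^(-k/R))^k: the chance an acceptable password is wrongly rejected."""
    return (1.0 - math.exp(-num_hashes / bits_per_word)) ** num_hashes


def build_checker(bad_words: Iterable[str], bits_per_word: int = 64, num_hashes: int = 6) -> BloomPasswordFilter:
    """Size the table to R bits per word so the false-positive rate is predictable."""
    words = list(bad_words)
    checker = BloomPasswordFilter(bits=bits_per_word * len(words), num_hashes=num_hashes)
    for w in words:
        checker.add(w)
    return checker


# Constructed disallowed-password list standing in for a large cracking dictionary.
BAD_PASSWORDS = ["password", "123456", "qwerty", "letmein", "abtoklas", "welcome1"]


def password_is_allowed(candidate: str, checker: BloomPasswordFilter) -> bool:
    """Reject the word itself plus cheap permutations (case-folded, reversed) without enlarging the dictionary."""
    variants = {candidate, candidate.lower(), candidate[::-1].lower()}
    return not any(v in checker for v in variants)


if __name__ == "__main__":
    checker = build_checker(BAD_PASSWORDS)
    for cand in ["Password", "niemtel", "Tr0ub4dor&3-xyz"]:
        print(f"{cand!r} allowed: {password_is_allowed(cand, checker)}")
    for k, r in [(2, 10), (4, 10), (6, 10), (6, 20)]:
        print(f"k={k}, R={r} bits/word: P[false positive] = {expected_false_positive_rate(k, r):.4f}")
```

The table costs R bits per dictionary word instead of the word's full text, and a check costs k hashes regardless of dictionary size, which is exactly the space and time trade-off the slides describe. The price is the false-positive rate: a legitimate password is occasionally refused, which is a usability cost rather than a security one, and the curve in the figure shows how more bits per word and a moderate number of hash functions drive it down.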
[Figure: probability of a false positive, Pr[false positive], on a log scale from 0.001 to 1, plotted against a horizontal axis from 0 to 20 for Bloom filters using 2, 4, and 6 hash functions]
Electronic Functions and Data for eID Cards
• Can serve the same purposes as other national ID cards, and similar cards such as a driver's license, for access to government and commercial services
• Has human-readable data printed on its surface:
o Personal data
o Document number
o Card access number (CAN)
o Machine readable zone (MRZ)
[Figure: eID authentication flow between the user's browser, the host/application server, and the eID service. Recoverable steps: 1. User requests service (e.g., via Web browser); 2. Service request; 3. Redirect to eID message; 9. Authentication result forwarded; 10. Service granted. Steps 4 to 8 are not recoverable from the page.]
[Figure: components of a biometric system (biometric sensor, feature extractor, biometric database, user interface) in (a) enrollment, where the name (PIN) is supplied, and in two further modes of operation whose labels are not recoverable from the page]
[Figure: biometric decision threshold (t) placed between the imposter profile and the profile of the genuine user, with the regions where a false nonmatch and a false match are possible; and the operating characteristic curve of false nonmatch rate (0.1% to 100%) against false match rate (0.0001% to 100%), with the equal error rate line. An increased threshold gives increased security and decreased convenience; a decreased threshold gives decreased security and increased convenience.]
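The trade-off in the figure can be worked through numerically. The following is an added example, not from the slides or any biometric product: the genuine and imposter matcher scores are constructed similarity values in [0, 1], "match" means score >= t, and the code computes the false match rate and false nonmatch rate at a given threshold, sweeps thresholds to trace the operating characteristic, and locates the threshold closest to the equal error rate.

```python
"""False match / false nonmatch rates versus the decision threshold t (added example)."""
from typing import List, Sequence, Tuple

# Constructed matcher scores: the genuine user's profile sits high, the imposter profile low,
# and the two overlap in the middle, which is where the threshold choice matters.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.85, 0.81, 0.77, 0.72, 0.66, 0.61, 0.55, 0.48]
IMPOSTER_SCORES: List[float] = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.51, 0.57, 0.63, 0.70]


def error_rates(t: float,
                genuine: Sequence[float] = GENUINE_SCORES,
                imposter: Sequence[float] = IMPOSTER_SCORES) -> Tuple[float, float]:
    """Return (false_match_rate, false_nonmatch_rate) for threshold t, with match meaning score >= t."""
    fmr = sum(s >= t for s in imposter) / len(imposter)   # imposters wrongly accepted
    fnmr = sum(s < t for s in genuine) / len(genuine)     # genuine users wrongly rejected
    return fmr, fnmr


def roc_points(thresholds: Sequence[float],
               genuine: Sequence[float] = GENUINE_SCORES,
               imposter: Sequence[float] = IMPOSTER_SCORES) -> List[Tuple[float, float, float]]:
    """Trace the operating characteristic: one (t, FMR, FNMR) point per threshold."""
    return [(t, *error_rates(t, genuine, imposter)) for t in thresholds]


def equal_error_threshold(genuine: Sequence[float] = GENUINE_SCORES,
                          imposter: Sequence[float] = IMPOSTER_SCORES) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate t; return (t, FMR, FNMR) where the two rates are closest."""
    candidates = sorted(set(genuine) | set(imposter))

    def gap(t: float) -> float:
        fmr, fnmr = error_rates(t, genuine, imposter)
        return abs(fmr - fnmr)

    best = min(candidates, key=gap)
    return (best, *error_rates(best, genuine, imposter))


if __name__ == "__main__":
    for t, fmr, fnmr in roc_points([0.3, 0.5, 0.6, 0.7, 0.9]):
        print(f"t={t:.2f}  false match rate={fmr:.0%}  false nonmatch rate={fnmr:.0%}")
    t_eer, fmr, fnmr = equal_error_threshold()
    print(f"equal error rate near t={t_eer:.2f}: FMR={fmr:.0%}, FNMR={fnmr:.0%}")
```

Raising t drives the false match rate toward zero (more security) while the false nonmatch rate climbs (less convenience), and lowering it does the reverse; the equal error rate is simply the point on that curve where the two are the same. A deployment normally picks t from the policy, for example a maximum tolerable false match rate, and accepts the resulting false nonmatch rate, rather than choosing the equal error point by default.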
Figure 3.13 General Iris Scan Site Architecture for UAE System
[Figure: labels recoverable from the page: LAN switch, Iris Merge, Remote Iris database, Network switch]
Case Study: ATM Security Problems
Summary
• Electronic user authentication principles
o A model for electronic user authentication
o Means of authentication
o Risk assessment for user authentication
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
o Password selection strategies
• Token-based authentication
o Memory cards
o Smart cards
o Electronic identity cards
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
o Biometric accuracy
• Remote user authentication
o Password protocol
o Token protocol
o Static biometric protocol
o Dynamic biometric protocol
• Security issues for user authentication