Lecture 6User Authentication (cont)
Password File Access Controlcan block offline guessing attacks by denying access toencrypted passwords     makeavailable o...
Password Selection                                     Techniques                                  user education users ca...
Proactive Password Checking• rule enforcement  – specific rules that passwords must adhere to• password cracker  – compile...
Types of Cards Used as Tokens
Memory Cards•   can store but do not process data•   the most common is the magnetic stripe card•   can include an interna...
Smartcard• physical characteristics:   – include an embedded microprocessor   – a smart token that looks like a bank card ...
Smart Card Dimensions      The smart card chip is embedded into the      plastic card and is not visible. The dimensions  ...
Communication Initialization   between a Smart Card and a Reader                  Communication Initialization            ...
Biometric Authentication• attempts to authenticate an individual based on  – unique physical characteristics  – pattern re...
– Second level    Cost Versus Accuracy– Third level   • Fourth level       – Fifth level
Operation   of aBiometric SystemA Generic Biometric SystemEnrollment creates anassociation between a userand the user’s bi...
Biometric Accuracy
Biometric Measurement Operating
Actual Biometric MeasurementOperating Characteristic Curves
Remote User Authentication• authentication over a network, the Internet,  or a communications link is more complex  – addi...
Password Protocol                      user transmits identity to                         remote host                    ...
Token Protocol user transmits identity to the    remote host   host returns a random number    and identifiers   token ...
Static Biometric Protocol                    user transmits an ID to the host                    host responds with a ra...
Dynamic Biometric Protocol host provides a random sequence    and a random number as a    challenge   sequence challenge...
denial-of-service                               attempts to disable a                                user authentication  ...
Potential Attacks,   Susceptible Authenticators,   and Typical    Defenses
PracticalApplicati on: Iris Biomet ricSyst
CaseStudy  : ATMSecuri  tyProbl ems
Summary                                            • password selection strategies                                        ...
Topic 6 authentication2 12_dec_2012-1
Upcoming SlideShare
Loading in …5
×

Topic 6 authentication2 12_dec_2012-1

1,425 views

Published on

Published in: Education
  • Be the first to comment

  • Be the first to like this

Topic 6 authentication2 12_dec_2012-1

  1. 1. Lecture 6User Authentication (cont)
  2. 2. Password File Access Controlcan block offline guessing attacks by denying access toencrypted passwords makeavailable only vulnerabilities to privileged usersshadow users with weakness in accident with sniffpassword file same access from the OS that permissions passwords in•a separate file password on backup allows access making it network from the user other media IDs where the to the file readable traffic systems hashed passwords are kept
  3. 3. Password Selection Techniques user education users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords computer generated passwords users have trouble remembering them reactive password checking system periodically runs its own password cracker to find guessable passwords proactive password checking user is allowed to select their own password, goal is to eliminate guessable passwords whilehowever the system checks to see if the password allowing the user to select a password that is is allowable, and if not, rejects it memorable
  4. 4. Proactive Password Checking• rule enforcement – specific rules that passwords must adhere to• password cracker – compile a large dictionary of passwords not to use• Bloom filter – used to build a table based on dictionary using hashes – check desired password against this table
  5. 5. Types of Cards Used as Tokens
  6. 6. Memory Cards• can store but do not process data• the most common is the magnetic stripe card• can include an internal electronic memory• can be used alone for physical access – hotel room, ATM• provides significantly greater security when combined with a password or PIN• drawbacks of memory cards include: – requires a special reader – loss of token – user dissatisfaction
  7. 7. Smartcard• physical characteristics: – include an embedded microprocessor – a smart token that looks like a bank card – can look like calculators, keys, small portable objects• interface: – manual interfaces include a keypad and display for interaction – electronic interfaces communicate with a compatible reader/writer• authentication protocol: – static, dynamic password generator and challenge-response
  8. 8. Smart Card Dimensions The smart card chip is embedded into the plastic card and is not visible. The dimensions conform to ISO standard 7816-2.
  9. 9. Communication Initialization between a Smart Card and a Reader Communication Initialization between a Smart Card and a Reader
  10. 10. Biometric Authentication• attempts to authenticate an individual based on – unique physical characteristics – pattern recognition• technically complex and expensive – compared to passwords and tokens• physical characteristics used include: facial characteristics fingerprints hand geometry retinal pattern
  11. 11. – Second level Cost Versus Accuracy– Third level • Fourth level – Fifth level
  12. 12. Operation of aBiometric SystemA Generic Biometric SystemEnrollment creates anassociation between a userand the user’s biometriccharacteristics. Depending onthe application, userauthentication either involvesverifying that a claimed useris the actual user oridentifying an unknown user.
  13. 13. Biometric Accuracy
  14. 14. Biometric Measurement Operating
  15. 15. Actual Biometric MeasurementOperating Characteristic Curves
  16. 16. Remote User Authentication• authentication over a network, the Internet, or a communications link is more complex – additional security threats such as: – eavesdropping, capturing a password, replaying an authentication sequence that has been observed• generally rely on some form of a challenge- response protocol to counter threats
  17. 17. Password Protocol  user transmits identity to remote host  host generates a random number (nonce)  nonce is returned to the user  host stores a hash code of the password  function in which the password hash is one of the arguments Example of a  use of a random number helpschallenge-response defend against an adversary protocol capturing the user’s transmission
  18. 18. Token Protocol user transmits identity to the remote host host returns a random number and identifiers token either stores a static passcode or generates a one- time random passcode user activates passcode by entering a password Example of a password is shared between token protocol the user and token and does not involve the remote host
  19. 19. Static Biometric Protocol  user transmits an ID to the host  host responds with a random number and the identifier for an encryption  client system controls biometric device on user side  host decrypts incoming message and compares these to locally stored values Example of a  host provides authentication bystatic biometric comparing the incoming device protocol ID to a list of registered devices at the host database
  20. 20. Dynamic Biometric Protocol host provides a random sequence and a random number as a challenge sequence challenge is a sequence Example of a of numbers, characters, or words dynamic biometric user at client end must then protocol vocalize, type, or write the sequence to generate a biometric signal the client side encrypts the biometric signal and the random number host decrypts message and generates a comparison
  21. 21. denial-of-service attempts to disable a user authentication service by flooding the host attacks eavesdropping service with numerous directed at the user authenticationadversary attempts to attempts file at the host wherelearn the password by passwords, token some sort of attack passcodes, or that involves the biometric templates physical proximity of are stored user and adversary Authentication Security Trojan horse Issues replay an application or physical adversary repeats a device masquerades client attacks previously captured as an authentic user response application or device adversary attempts for the purpose of to achieve user capturing a user authentication password, passcode, without access to the or biometric remote host or the intervening communications path
  22. 22. Potential Attacks, Susceptible Authenticators, and Typical Defenses
  23. 23. PracticalApplicati on: Iris Biomet ricSyst
  24. 24. CaseStudy : ATMSecuri tyProbl ems
  25. 25. Summary • password selection strategies – user edit the• means of authenticating a user’s identity  Click to educationoutline text – something the individual knows, format – computer generated passwords possesses, is, does – reactive password checking − Second Outline Level• vulnerability of passwords – proactive password checking – offline dictionary attack – Bloom filter Outline Level  Third – specific account attack • token based authentication − Fourth Outline – popular password attack – memory cards Level – password guessing against single user – smart cards  Fifth Outline – workstation hijacking • biometric authentication Level – exploiting user mistakes • remote user authentication  Sixth Outline – exploiting multiple password use Level – password protocol – electronic monitoring – token protocol • Seventh Outline LevelClick to – hashed password and salt value – static biometric protocol edit Master text styles – password file access control – dynamic biometric protocol – Second level

×