User Authentication239

The document provides an overview of chapter 3 on user authentication from a computer security textbook. It discusses different authentication methods like passwords, tokens, and biometrics. It also covers topics like hashed passwords, challenges of remote authentication, and a case study on ATM security issues.

Computer Security

Principles and Practice


Chapter 3: User Authentication

by

Meaad AlSuwait
431204675

Supervisor:
Dr. Mohammed Alshehri

Course:
CS: Computer Security

Department of IT 605
College of Computer and Information Sciences
Majmaah University

(2023)
Computer Security
Principles and Practice
Chapter 3: User Authentication

Authors: William Stallings, Lawrie Brown

ISBN-10: 0-13-377392-2
Contents

1 User Authentication
1.1 Chapter Overview
1.2 Chapter Objectives
1.3 Knowledge Concepts of the Chapter
1.4 Problem-Solving Methods with Relevant Examples
1.5 Conclusion

Chapter 1

User Authentication

1.1 Chapter Overview


This chapter provides a comprehensive exploration of electronic user authentication principles and mechanisms, encompassing password-based authentication, token-based authentication, and biometric authentication. It delves into the vulnerabilities associated with passwords and explains how hashed passwords are used for user verification. Furthermore, the chapter examines the use of various authentication tools, including memory cards, smart cards, and electronic identity cards. It also furnishes an overview of remote user authentication protocols, encompassing the password protocol, token protocol, static biometric protocol, and dynamic biometric protocol. The chapter addresses critical security concerns related to user authentication and offers practical insights through the presentation of an iris biometric system application. Additionally, it includes a case study elucidating security issues in ATM systems. In discussing the challenges and risks linked to diverse user authentication methods, the chapter underscores the inconvenience of carrying physical tokens and the security vulnerabilities associated with single sign-on schemes. Emphasis is placed on safeguarding confidentiality and preserving data integrity in authentication processes. Lastly, the chapter provides recommendations for long-term enhancements and suggests changes in application-level software to improve password management and machine-to-machine authentication.

1.2 Chapter Objectives


1. Explore Four Methods of User Identity Authentication.
2. Clarify the Mechanism Behind Hashed Passwords in User Verification.
3. Grasp the Role of Bloom Filters in Password Management.
4. Present a Comprehensive Overview of Token-Based User Authentication.
5. Delve into Challenges and Strategies for Remote User Authentication.
6. Summarize Key Security Concerns in User Identity Verification.
7. Illustrate a Practical Application of Iris Biometric Systems.
8. Analyze a Security Case Study in ATM Systems.
9. Suggest Additional Reading Resources for Deeper Topic Exploration.

1.3 Knowledge Concepts of the Chapter


1. Biometric: Biometrics refer to the measurement and statistical analysis of people's unique physical and behavioral characteristics, such as fingerprints, iris patterns, or voice recognition, used for authentication and identification purposes.
2. Challenge-Response Protocol: A challenge-response protocol is a method where one party (the challenger) presents a question or challenge to another party (the responder), who must provide the correct response or answer for authentication or access.
3. Claimant: The claimant is an individual or entity attempting to prove their identity or rights to access a system or resource.
4. Credential: A credential is a piece of information, such as a username and password, a smart card, or a biometric trait, that is used to authenticate a user's identity.
5. Credential Service Provider (CSP): A CSP is an entity that issues and manages digital certificates, cryptographic keys, and other authentication credentials.
6. Dynamic Biometric: Dynamic biometric refers to biometric authentication methods that involve capturing and analyzing an individual's behavioral characteristics, like signature dynamics or keystroke patterns.
7. Enroll: Enrollment is the process of registering or adding a user's biometric or other credentials into a system for future authentication.
8. Hashed Password: A hashed password is a password that has undergone a one-way mathematical transformation, turning it into a fixed-length string of characters, making it more secure.
9. Identification: Identification is the process of determining a user's identity by comparing their provided credentials or biometric data against a database of potential matches.
10. Memory Card: A memory card is a portable storage device that can store data, such as personal information or digital certificates, often used for authentication purposes.
11. Nonce: A nonce is a random or unique number used in security protocols to prevent replay attacks and ensure the freshness of data.
12. Password: A password is a secret combination of characters used by a user to authenticate themselves and gain access to a system or resource.
13. Rainbow Table: A rainbow table is a precomputed table used in password cracking to reverse engineer hashed passwords.
14. Registration Authority (RA): An RA is an entity responsible for verifying the identity of individuals or entities before their credentials are issued by a CSP.
15. Relying Party (RP): A relying party is a system or entity that relies on authentication information provided by a user or another system.
16. Salt: A salt is a random data element added to passwords before they are hashed to prevent rainbow table attacks and increase security.
17. Shadow Password File: A shadow password file is a secure storage location for user passwords on a Unix-based system, separate from the standard password file.
18. Smart Card: A smart card is a small plastic card embedded with a microchip that can store and process data for authentication and identification purposes.
19. Static Biometric: Static biometric refers to biometric authentication methods that involve capturing and analyzing an individual's physical characteristics, like fingerprints or facial recognition.
20. Subscriber: A subscriber is an individual or entity that holds an account or subscription to a service or system.
21. Token: A token is a physical or digital device used for user authentication, such as a hardware security token or a one-time password (OTP) token.
22. User Authentication: User authentication is the process of verifying the identity of a user before granting them access to a system or resource.
23. Verification: Verification is the process of confirming that the provided credentials or biometric data match the stored reference data to authenticate a user's identity.
24. Verifier: A verifier is a system or entity responsible for authenticating users by comparing their provided credentials or biometric data against reference data.
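Several of the terms above (claimant, verifier, enrollment, hashed password, salt, nonce, challenge-response, shadow password file) fit together in one small protocol. The Python below is an added example written for this summary; it is not code from the chapter or from Stallings and Brown. It assumes PBKDF2-HMAC-SHA256 with a fixed iteration count as the one-way function and HMAC-SHA256 to bind the stored hash to the nonce; both are choices of this example, not of the book. The sample user name and password are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Example parameters (assumptions of this example, not values from the chapter).
ITERATIONS = 100_000   # PBKDF2 work factor; slows offline guessing of leaked hashes
SALT_BYTES = 16
NONCE_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way transformation of password+salt into a fixed-length digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Verifier:
    """Server side. Holds only (salt, hashed password) per user, like a shadow
    password file, plus the nonces it has already accepted."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}
        self._used_nonces: set[bytes] = set()

    def enroll(self, user: str, password: str) -> None:
        """Enrollment: pick a fresh random salt and store only the salted hash."""
        salt = os.urandom(SALT_BYTES)
        self._records[user] = (salt, hash_password(password, salt))

    def verify_local(self, user: str, password: str) -> bool:
        """Local login: recompute the salted hash and compare in constant time."""
        if user not in self._records:
            return False
        salt, stored = self._records[user]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def challenge(self, user: str) -> tuple[bytes, bytes]:
        """Remote step 1: send a fresh nonce and the user's salt. For an unknown
        user a deterministic fake salt is sent so the reply does not reveal
        which user ids exist."""
        if user in self._records:
            salt = self._records[user][0]
        else:
            salt = hashlib.sha256(b"fake-salt:" + user.encode("utf-8")).digest()[:SALT_BYTES]
        return secrets.token_bytes(NONCE_BYTES), salt

    def verify_response(self, user: str, nonce: bytes, response: bytes) -> bool:
        """Remote step 3: recompute HMAC(stored hash, nonce); reject a nonce that
        was already accepted, which is how a replayed response is detected."""
        if user not in self._records or nonce in self._used_nonces:
            return False
        _, stored = self._records[user]
        expected = hmac.new(stored, nonce, "sha256").digest()
        ok = hmac.compare_digest(expected, response)
        if ok:
            self._used_nonces.add(nonce)
        return ok


def claimant_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Remote step 2, on the claimant's device: derive the salted hash from the
    typed password and bind it to the nonce. The password itself is never sent."""
    return hmac.new(hash_password(password, salt), nonce, "sha256").digest()


def remote_login(verifier: Verifier, user: str, typed_password: str):
    """Run one complete challenge-response exchange; returns (accepted, nonce, response)."""
    nonce, salt = verifier.challenge(user)
    response = claimant_response(typed_password, salt, nonce)
    return verifier.verify_response(user, nonce, response), nonce, response


if __name__ == "__main__":
    v = Verifier()
    v.enroll("alice", "correct horse battery staple")   # constructed sample credential
    print(remote_login(v, "alice", "correct horse battery staple")[0])
    print(remote_login(v, "alice", "wrong password")[0])
```

Two points worth noticing. The same password enrolled for two users produces two different stored hashes because each has its own salt, which is what defeats a precomputed rainbow table. And in the remote exchange the stored hash acts as a password-equivalent secret on the verifier side, so the record must be protected exactly as a shadow password file is; the nonce only stops a captured response from being replayed, it does not protect against theft of the verifier's database.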

1.4 Problem-Solving Methods with Relevant Examples

One problem-solving approach outlined in Chapter 3 is proactive password validation: checking a candidate password against a database of well-known weak passwords at selection time, so that users cannot choose easily predictable passwords. This strengthens a password-based authentication system by discouraging passwords that are susceptible to cracking attempts. For instance, consider a company that wants to improve the security of its password-based authentication system. It employs proactive password validation using a Bloom filter to cross-reference candidate passwords against a database of widely recognized weak passwords. The Bloom filter lets the company determine whether a password appears in that database without retaining the actual passwords. With proactive password validation in place, the company prevents users from selecting feeble passwords that are straightforward to guess, such as "password" or "123456", which bolsters the security of the authentication system and diminishes its susceptibility to password cracking attacks.

Another problem-solving technique discussed in Chapter 3 is leveraging biometric authentication to strengthen remote user verification. Biometric authentication can thwart unauthorized access to systems and applications by confirming a user's identity from physical traits such as fingerprints or iris patterns. For instance, picture a company that seeks to improve the security of its remote user authentication system and elects to implement biometric authentication via an iris recognition system. Users authenticate remotely by scanning their unique iris patterns with a specialized camera. By incorporating biometric authentication, the company validates the user's identity through a physical characteristic that is difficult to counterfeit or reproduce, which curtails unauthorized access to its systems and applications and mitigates the risk of security breaches.
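The Bloom filter approach to proactive password validation described above, as an added example written for this summary rather than code from the chapter: the filter stores only a bit array, so the weak-password dictionary itself is never kept on the authentication server. The hashing scheme (k positions derived from one SHA-256 digest by double hashing), the sizing constants and the list of weak passwords are all constructed for this example. The false-positive formula is the standard approximation for a Bloom filter with m bits, k hash functions and n inserted words; a Bloom filter can report a strong password as weak with that small probability, but it never reports a listed weak password as absent.

```python
import hashlib
import math


class BloomFilter:
    """Bit array plus k hash functions; answers 'maybe present' or 'definitely absent'."""

    def __init__(self, num_bits: int, num_hashes: int) -> None:
        self.m = num_bits
        self.k = num_hashes
        self.bits = bytearray((num_bits + 7) // 8)

    def _positions(self, item: str) -> list[int]:
        # k bit positions derived from one SHA-256 digest by double hashing
        # (h1 + i*h2 mod m); h2 is forced odd so the positions do not collapse.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def false_positive_rate(k: int, n: int, m: int) -> float:
    """Standard approximation for a filter of m bits and k hashes holding n words."""
    return (1.0 - math.exp(-k * n / m)) ** k


# Constructed sample of well-known weak passwords; a real deployment would load
# a dictionary of millions of common or leaked passwords.
WEAK_PASSWORDS = [
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon", "football",
]

BITS_PER_WORD = 64   # m/n, a sizing choice of this example
NUM_HASHES = 10      # k


def build_weak_password_filter(words) -> BloomFilter:
    """Build the filter once, at deployment time, from the weak-password dictionary."""
    bf = BloomFilter(len(words) * BITS_PER_WORD, NUM_HASHES)
    for w in words:
        bf.add(w.lower())     # normalise case so "PASSWORD" is caught too
    return bf


def check_password(bf: BloomFilter, candidate: str) -> tuple[bool, str]:
    """Proactive check at password-selection time. Returns (accepted, reason)."""
    if candidate.lower() in bf:
        return False, "matches (or collides with) a well-known weak password"
    return True, "not in the weak-password dictionary"


if __name__ == "__main__":
    weak_filter = build_weak_password_filter(WEAK_PASSWORDS)
    for pw in ("password", "PASSWORD", "correct horse battery staple"):
        print(pw, check_password(weak_filter, pw))
    print("expected false-positive rate:",
          false_positive_rate(NUM_HASHES, len(WEAK_PASSWORDS), len(WEAK_PASSWORDS) * BITS_PER_WORD))
```

With 64 bits per word and 10 hash functions the expected false-positive rate is on the order of one in a billion, which is why a strong passphrase passes; shrinking the filter trades memory for more users being wrongly told their password is weak. The bit array contains no copy of any dictionary word, so a compromise of the authentication server does not leak the weak-password list as plaintext.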
Chapter 3 provides a concise overview of security issues pertaining to Automated Teller Machine (ATM) systems in Section 3.8. Within this section, a case study conducted by Redspin, Inc. is presented, shedding light on a security vulnerability affecting smaller to medium-sized ATM card issuers. This vulnerability underscores the critical importance of effectively integrating cryptographic functions and services into a system to ensure robust security. The case study introduces key terms, including "cardholder" (an individual receiving a debit card) and "Iris scan site architecture" (a system employing iris recognition technology for user authentication). Furthermore, the section delves into two primary vulnerabilities associated with ATM systems: confidentiality and integrity.

• Confidentiality: This concerns the risk of malicious actors exploiting card details like the card number, expiration date, and account balance for illicit online purchases or creating counterfeit cards for signature-based transactions.
• Integrity: This pertains to the risk of attackers tampering with data during transmission, potentially allowing them to impersonate either the processor or the ATM itself. This manipulation could enable the unauthorized dispensing of money without the processor detecting the transaction.

To counter these threats effectively, Redspin recommends several protective measures that banks can implement, including:

1. Network Segmentation: Separating ATM traffic from the rest of the network to contain potential breaches.
2. Encryption and Authentication Protocols: Implementing robust encryption and authentication mechanisms to secure data in transit and verify the legitimacy of transactions and users.
3. Intrusion Detection and Prevention Systems (IDPS): Utilizing IDPS to actively monitor and identify potential security breaches, and employing preventive measures to thwart unauthorized access.

By diligently implementing these measures, banks can significantly bolster their security posture, mitigate the risk of security breaches, and safeguard the financial information of their valued customers.
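The integrity risk listed above (a message altered or replayed in transit between the ATM and the processor) is what a message authentication mechanism, the second of the recommended measures, is meant to detect. The Python below is an added illustration for this summary, not code from the case study, the chapter, or Redspin; it assumes a shared HMAC-SHA256 key and a per-sender sequence number, and the message fields and amounts are constructed. It covers only integrity and freshness; confidentiality of the card details would additionally require encrypting the fields, which this example leaves out.

```python
import hmac
import json
import secrets

# Constructed shared key between the ATM and the processor (example only; a real
# deployment would provision and protect such a key in a hardware security module).
SHARED_KEY = secrets.token_bytes(32)


def _canonical(fields: dict) -> bytes:
    # Fixed field order so both ends authenticate exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_message(key: bytes, sender: str, seq: int, amount_cents: int, account: str) -> dict:
    """Sender side: attach an HMAC-SHA256 tag over the transaction fields."""
    fields = {"sender": sender, "seq": seq, "amount_cents": amount_cents, "account": account}
    tag = hmac.new(key, _canonical(fields), "sha256").hexdigest()
    return {**fields, "tag": tag}


class Receiver:
    """Receiver side (processor or ATM). A message is accepted only if its tag
    verifies under the shared key and its sequence number is higher than the
    last one accepted from that sender, so altered and replayed messages fail."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq: dict[str, int] = {}

    def accept(self, msg: dict) -> tuple[bool, str]:
        fields = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self._key, _canonical(fields), "sha256").hexdigest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "integrity check failed: tag does not match message contents"
        sender = fields["sender"]
        if fields["seq"] <= self._last_seq.get(sender, 0):
            return False, "replay rejected: sequence number not fresh"
        self._last_seq[sender] = fields["seq"]
        return True, "accepted"


if __name__ == "__main__":
    processor = Receiver(SHARED_KEY)
    msg = build_message(SHARED_KEY, "atm-01", 1, 2000, "ACCT-0001")  # constructed values
    print(processor.accept(msg))          # accepted
    print(processor.accept(msg))          # same message again: replay rejected
    altered = dict(msg, amount_cents=200000)
    print(processor.accept(altered))      # amount changed in transit: tag fails
```

The sequence number must be tracked per sender and persisted across restarts of the receiver, otherwise an old dispense message becomes acceptable again; the tag alone proves the contents were not changed, not that they are new.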

1.5 Conclusion
In conclusion, this chapter has provided a comprehensive exploration of electronic user authentication principles and mechanisms, encompassing password-based authentication, token-based authentication, and biometric authentication. We delved into the vulnerabilities associated with passwords and elucidated the utilization of hashed passwords for user verification. Furthermore, we examined the utilization of various authentication tools, including memory cards, smart cards, and electronic identity cards. We also furnished an overview of remote user authentication protocols, encompassing the password protocol, token protocol, static biometric protocol, and dynamic biometric protocol.

The chapter addressed critical security concerns related to user authentication and offered practical insights through the presentation of an iris biometric system application. Additionally, it included a case study elucidating security issues in ATM systems.

In discussing the challenges and risks linked to diverse user authentication methods, we underscored inconveniences tied to carrying physical tokens and security vulnerabilities associated with single sign-on schemes. Emphasis was placed on safeguarding confidentiality and preserving data integrity in authentication processes.

Lastly, the chapter provided recommendations for long-term enhancements and suggested changes in application-level software to enhance password management and machine-to-machine authentication.
