3-Computer Security EENG-524 Lecture-03
Lecture-03
June 9, 2023
Identification and Authentication
❑ In a secure system you might need to track the identities of users requesting its services.
❑ Authentication is the process of verifying a user’s identity.
❑ There are two reasons for authenticating a user:
▪ The user identity is a parameter in access control decisions.
▪ The user identity is recorded when logging security-relevant events in an audit trail.
Username and Password
❑ To log on to a computer, you are asked to enter your username and password.
▪ The first step is called identification: you announce who you are.
▪ The second step is called authentication: you prove that you are who you claim to be.
❑ Entity authentication: The process of verifying the identity claimed by some system entity.
❑ When you enter your username and password, the computer compares the input password
against the entry stored for that username in a password file.
❑ Repeated authentication addresses a familiar problem in computer security, known as
TOCTTOU (time of check to time of use).
❑ The operating system checks a user’s identity at the start of a session but uses the identity to
make access control decisions later on during the session.
Bootstrapping Password Protection
❑ Passwords are meant to be secrets shared between the user and the system authenticating the
user.
❑ How do you bootstrap a system so that the password ends up in the right places, but nowhere
else?
❑ In an enterprise, users could be asked to come to an office and collect their password
personally. If this is not feasible, the password could be conveyed by mail, email, or phone, or
entered by the user on a web page.
How can a remote user be authenticated when the user does not have a password yet?
❑ Do not give the password to the caller but call back an authorized phone number from your
files, e.g. from an internal company address book
❑ Call back someone else, e.g. the caller’s manager or local security officer
❑ Send passwords that are valid only for a single login request so that the user has to change
immediately to a new password (intercepting the first password is thus of limited value)
❑ Send mail by courier with personal delivery
❑ Request confirmation on a different channel to activate the user account, e.g. enter the password
on a web page and send confirmation by SMS (phone).
❑ When setting up a new user account you might tolerate some delay in getting your password.
Guessing Passwords
❑ Password choice is a critical security issue.
❑ While you cannot eliminate the risk of an attacker guessing a valid password, you can try to
keep the probability of such an event low.
An attacker may follow two basic guessing strategies:
▪ Exhaustive search (brute force): try all possible combinations of valid symbols, up to
a certain length.
▪ Intelligent search (dictionary attack): search through a restricted name space, e.g. try
passwords that are somehow associated with a user such as name, names of friends and
relatives, car brand, car registration number, phone number, etc., or try passwords that are
generally popular.
What are the password defences?
▪ Change default passwords
▪ Password length: to thwart exhaustive search, a minimum password length should be prescribed
▪ Password format: mix upper and lower case symbols and include numerical and other
non-alphabetical symbols in your password.
▪ Avoid obvious passwords
How can the system further help to improve password security?
❑ Password checkers: as a system manager, use tools that check passwords against some
dictionary of ‘weak’ passwords and prevent users from choosing such passwords.
❑ Password generation: some operating systems include password generators producing random
but pronounceable passwords. Users are not allowed to pick their own password but have to
adopt a password proposed by the system.
❑ Password ageing: an expiry date for passwords is set, forcing users to change passwords
at regular intervals. There may be additional mechanisms to prevent users from choosing
previous passwords, e.g. a list of the last ten passwords used.
❑ Limit login attempts: the system monitors unsuccessful login attempts and reacts by locking
the user account completely or at least for a certain period of time to prevent or discourage
further attempts.
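The password defences and the password checker and password generator just described, as a worked example added to these notes (it is not code from the lecture): the weak-password dictionary, the default-password list and the minimum length of 12 are constructed values chosen for the example, and the checker goes one step beyond the slides by also rejecting passwords built from words in the user's own profile, which is exactly what an intelligent (dictionary) search tries first.

```python
import secrets
import string

# Constructed for this example: a tiny dictionary of 'weak' passwords in the
# spirit of the password checkers described above. A real checker uses a large
# list of leaked and popular passwords.
WEAK_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "monkey",
}
# Constructed: passwords that ship as vendor defaults and must be changed.
DEFAULT_PASSWORDS = {"admin", "changeme", "default"}
MIN_LENGTH = 12  # policy value chosen for this example


def user_associated_words(user_profile):
    """Words an intelligent (dictionary) search would try first: parts of the
    user's name, car registration, phone number and similar profile data."""
    words = set()
    for value in user_profile.values():
        for part in str(value).lower().replace("-", " ").split():
            if len(part) >= 3:
                words.add(part)
    return words


def check_password(password, user_profile=None):
    """Return the list of policy violations; an empty list means the password
    is acceptable. Each check is one of the defences from the slides."""
    problems = []
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(password) < MIN_LENGTH:                         # thwarts exhaustive search
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")   # format rule
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric symbol")
    if lowered in WEAK_PASSWORDS:                           # obvious / popular password
        problems.append("in weak-password dictionary")
    if user_profile:
        for word in sorted(user_associated_words(user_profile)):
            if word in lowered:
                problems.append(f"contains user-associated word '{word}'")
    return problems


CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def generate_pronounceable(n_syllables=5):
    """System-proposed password: random consonant-vowel(-consonant) syllables
    drawn from a CSPRNG, so it is pronounceable yet not in any dictionary; a
    digit and a symbol are appended so it also satisfies check_password."""
    syllables = []
    for i in range(n_syllables):
        s = secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        if secrets.randbelow(2):
            s += secrets.choice(CONSONANTS)
        syllables.append(s.capitalize() if i == 0 else s)
    return "".join(syllables) + str(secrets.randbelow(10)) + secrets.choice("!#%&*")
```

Calling check_password("Alice2024!xyzab", {"name": "Alice Smith", "car_reg": "AB12 XYZ"}) passes every format rule yet is still rejected, because "alice" and "xyz" come straight from the profile; generate_pronounceable() always yields at least 12 characters with mixed case, a digit and a symbol.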
Phishing, Spoofing, and Social Engineering
❑ Identification and authentication through username and password provide unilateral authentication:
only the user authenticates to the system, not the system to the user.
❑ In phishing and spoofing attacks the user voluntarily sends the password over a channel, but is
misled about the end point of the channel.
❑ Phishing attacks ask users for their password (or other sensitive data) under some false
pretense. For example, the message could claim to come from a service you are using, tell you
about an upgrade of the security procedures, and ask you to enter your username and password
at the new security site that will offer you stronger protection.
❑ In a spoofing attack, the attacker runs a program that presents a fake login screen on a
machine and leaves the machine. An unsuspecting user comes to this ‘idle’ machine and tries
to log in. The victim sees what appears to be the normal login menu.
❑ When entering username and password, the inputs are collected by the attacker’s program.
Login is then aborted with a (fake) error message and the spoofing program terminates. Control
returns to the operating system which now prompts the user with a genuine login request. The
user tries again, succeeds on this second attempt, and may remain completely unaware of the
fact that the password has been compromised.
How to Prevent Spoofing Attacks
❑ Displaying the number of failed logins may indicate to the user that an attack has happened. If
your first login fails but you are told at your second attempt that there have been zero login
attempts since your last session, you should become suspicious.
❑ Trusted path: guarantee that the user communicates with the operating system and not with a
spoofing program. For example, Windows has a secure attention sequence CTRL+ALT+DEL
which invokes the Windows operating system logon screen. The user should press such a
secure attention key when starting a session, even when the logon screen is already displayed.
❑ Mutual authentication: if users require stronger guarantees about the identity of the system
they are communicating with, e.g. in a distributed system, the system could be required to
authenticate itself to the user.
Password Caching
❑ Beyond spoofing attacks, an intruder may have other ways of ‘finding’ a password.
❑ Our description of login has been quite abstract. The password travels directly from the user to
the password checking routine.
❑ In reality, it will be held temporarily in intermediate storage locations such as buffers, caches,
or even a web page.
❑ The management of these storage locations is normally beyond the control of the user and a
password may be kept longer than the user expects.
❑ To verify a user’s identity, the system compares the password entered by the user against a value
stored in the password file.
❑ The password can be intercepted by a keylogger at the machine at the user’s end.
❑ It can also be intercepted in transit, so it should be sent through a secure tunnel; and the
password file itself might be compromised.
❑ To protect the password file, the following options should be considered:
▪ Cryptographic protection;
▪ Access control enforced by the operating system;
▪ A combination of cryptographic protection and access control, possibly with further
enhancements to slow down dictionary attacks.
❑ For cryptographic protection, we do not even need an encryption algorithm. A one-way function
will do the job.
▪ A one-way function is a function that is relatively easy to compute but significantly
harder to undo or reverse. That is, given x it is easy to compute f(x), but given f(x) it is
hard to compute x.
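A worked example, added to these notes and not taken from the lecture, of the combined option above: the password file stores only a per-user salt and f(salt, password) computed with a deliberately slow one-way function, and the login routine also implements the "limit login attempts" defence from the earlier slide. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the one-way function f; the iteration count, the failure limit of 5 and the 300-second lockout are values chosen for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000    # work factor: each guess in a dictionary attack costs this much
MAX_FAILURES = 5        # "limit login attempts"
LOCKOUT_SECONDS = 300   # account locked for this long after MAX_FAILURES in a row


def one_way(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 plays the role of the one-way function f: computing
    f(salt, password) is cheap enough for a login, but nothing stored lets an
    attacker recover the password except by guessing. The random per-user salt
    means two users with the same password get different stored values, so a
    single precomputed dictionary does not cover the whole file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordFile:
    """In-memory stand-in for a shadow-style password file: it holds the salt
    and f(salt, password), never the password itself."""

    def __init__(self):
        self._entries = {}    # username -> (salt, digest, iterations)
        self._failures = {}   # username -> (consecutive failures, locked_until)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._entries[username] = (salt, one_way(password, salt), ITERATIONS)

    def stored_entry(self, username):
        """What someone who reads the file would get: salt and digest only."""
        return self._entries[username]

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        _, locked_until = self._failures.get(username, (0, 0.0))
        return now < locked_until

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return False            # refuse even a correct password while locked
        entry = self._entries.get(username)
        if entry is None:
            # Unknown user: still pay for one hash so response time does not
            # reveal which usernames exist.
            one_way(password, os.urandom(16))
            ok = False
        else:
            salt, digest, iterations = entry
            # constant-time comparison: the stored digest is not leaked byte by byte
            ok = hmac.compare_digest(one_way(password, salt, iterations), digest)
        if ok:
            self._failures.pop(username, None)
            return True
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until and now >= locked_until:
            count = 0               # an expired lock starts a fresh count
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return False
```

The optional now argument exists so the lockout can be exercised without waiting; a deployment would use the real clock. Note what the file leaks if compromised: with the salt and digest an attacker can still run a dictionary attack, but every guess costs ITERATIONS hash computations, which is the "further enhancement to slow down dictionary attacks" the slide mentions.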
Single Sign-On
❑ A user would not find it particularly convenient if he/she has to enter passwords over and over
again when navigating through cyberspace to a bit of information.
❑ Having to re-enter the same password five times is bad enough.
❑ A single sign-on service solves this problem by allowing the user to enter a password once.
❑ The system may store this password and whenever you have to authenticate yourself again, the
system will take the password and do the job for you.
❑ Single sign-on service adds convenience but it also raises new security concerns.
❑ How do you protect the stored password? Some of the techniques mentioned previously will no
longer work because the system now needs your password in the clear.
Alternative Approaches
❑ If you are dissatisfied with the level of security provided by passwords, what else can you do?
As a user, you can be authenticated on the basis of
▪ Something You Know
▪ Something You Hold
▪ Who You Are
▪ What You Do
▪ Where You Are.
Something You Know
❑ The user has to know some ‘secret’ to be authenticated.
❑ An example of this mode of authentication is a password, which is something you know.
Another example is the personal identification number (PIN) used with bank cards and similar
tokens.
❑ In this mode of authentication, anybody who obtains your secret ‘is you’.
❑ On the other hand, you leave no trace if you pass your secret to somebody else.
❑ When there is a case of computer misuse in your organization where somebody has logged in
using your username and password, can you prove your innocence? Can you prove that you
did not divulge your password?
Something You Hold
❑ The user has to present a physical token to be authenticated.
❑ A key that opens a lock is something you hold. A card or an identity tag used to control access
to a company’s premises are other examples of such a token.
❑ Driven by the cost of password management, large organizations have introduced smart cards
for user authentication.
❑ A physical token can be lost or stolen. As before, anybody who is in possession of the token has
the same rights as the legitimate owner.
❑ To increase security, physical tokens are often used in combination with something you
know: bank cards come with a PIN, or they contain information identifying the legitimate
user, such as a photo.
❑ However, not even the combination of mechanisms can totally prevent a fraudster from
obtaining the information necessary to impersonate a legitimate user, nor does it stop a user
from passing on that information voluntarily.
Who You Are
❑ Biometric schemes that use unique physical characteristics (traits, features) of a person such as
face, fingerprints, iris patterns, hand geometry, or possibly even DNA at some time in the future,
may seem to offer the ultimate solution for authenticating a person.
❑ Biometric schemes are used for two purposes:
▪ Identification: a 1:n comparison that tries to identify the user from a database of n persons;
▪ Verification: a 1:1 comparison that checks whether there is a match for a given user.
❑ Fingerprints serve as an example to sketch how biometric authentication works. When the user
logs on, a new reading of the fingerprint is taken and compared against the stored reference template.
❑ Authentication by password gives a clear reject or accept at each authentication attempt. In
contrast, with biometrics the stored reference template will hardly ever match precisely the
template derived from the current measurements.
❑ A matching algorithm measures the similarity between reference template and current
template. The user is accepted if the similarity is above a predefined threshold. Thus, we have
to face up to new problems, false positives and false negatives.
❑ Accepting the wrong user (false positive) is clearly a security problem. Rejecting a legitimate
user (false negative) creates embarrassment and potential availability problems.
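A worked example, added to these notes and not part of the lecture, of the matching-with-threshold idea above, covering both the 1:1 verification and the 1:n identification uses from the previous slide. The templates are constructed four-feature vectors and the similarity measure (one minus the mean absolute feature difference) is a stand-in for a real fingerprint matcher; the point is that the same threshold sets both error rates, so lowering false acceptances raises false rejections.

```python
# Constructed sample data for this example: a 4-feature reference template per
# enrolled user and a handful of login attempts. Real fingerprint templates are
# minutiae sets and the matcher is far more involved; the threshold logic is the same.
REFERENCE_TEMPLATES = {
    "alice": [0.2, 0.8, 0.5, 0.1],
    "bob":   [0.9, 0.3, 0.6, 0.7],
}

# (claimed user, fresh reading, genuine?) -- genuine readings are noisy copies of
# the reference; impostor readings come from someone else's finger.
ATTEMPTS = [
    ("alice", [0.25, 0.75, 0.55, 0.15], True),
    ("alice", [0.30, 0.70, 0.40, 0.20], True),
    ("alice", [0.50, 0.60, 0.40, 0.30], True),    # poor reading, e.g. dirty sensor
    ("alice", [0.90, 0.30, 0.60, 0.70], False),   # bob's finger, claiming to be alice
    ("alice", [0.40, 0.60, 0.50, 0.30], False),   # impostor whose features happen to be close
    ("bob",   [0.85, 0.35, 0.60, 0.65], True),
    ("bob",   [0.20, 0.80, 0.50, 0.10], False),   # alice's finger, claiming to be bob
]


def similarity(template_a, template_b):
    """Similarity in [0, 1]: 1 minus the mean absolute feature difference.
    Identical templates score 1.0; a fresh reading and the reference never do."""
    total = sum(abs(a - b) for a, b in zip(template_a, template_b))
    return round(1.0 - total / len(template_a), 6)


def verify(reference, claimed_user, reading, threshold):
    """1:1 verification: accept if the reading is similar enough to the
    claimed user's stored reference template."""
    return similarity(reference[claimed_user], reading) >= threshold


def identify(reference, reading, threshold):
    """1:n identification: return the best-matching enrolled user, or None if
    nobody clears the threshold."""
    best_user, best_score = None, -1.0
    for user, template in reference.items():
        score = similarity(template, reading)
        if score > best_score:
            best_user, best_score = user, score
    return best_user if best_score >= threshold else None


def error_rates(reference, attempts, threshold):
    """Return (false acceptance rate, false rejection rate) at this threshold:
    the fraction of impostors accepted and of genuine users rejected."""
    impostor_accepted = genuine_rejected = impostors = genuines = 0
    for claimed, reading, genuine in attempts:
        accepted = verify(reference, claimed, reading, threshold)
        if genuine:
            genuines += 1
            genuine_rejected += not accepted
        else:
            impostors += 1
            impostor_accepted += accepted
    return impostor_accepted / impostors, genuine_rejected / genuines


def threshold_sweep(reference, attempts, thresholds):
    """Tabulate the trade-off: raising the threshold lowers FAR but raises FRR."""
    return [(t, *error_rates(reference, attempts, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in threshold_sweep(REFERENCE_TEMPLATES, ATTEMPTS, [0.7, 0.88, 0.93]):
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
```

On the constructed attempts, a threshold of 0.7 accepts one of the three impostors (FAR 1/3) but rejects no genuine user, 0.88 accepts no impostor but rejects the poor genuine reading (FRR 1/4), and 0.93 rejects half the genuine attempts; choosing the operating point is the application decision the slide refers to.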
What You Do
❑ People perform some mechanical tasks in a way that is both repeatable and specific to the
individual.
❑ Hand-written signatures have long been used in banking to confirm the identity of users
when signing cheques and credit card payment slips.
▪ For greater security, users could sign on a special pad that measures attributes like writing
speed and writing pressure. On a keyboard, typing speed and intervals between key strokes
are used to authenticate individual users.
❑ As before, the authentication system has to be set up so that false positives and false negatives
are reduced to levels acceptable for the intended application.
Where You Are
❑ When you log on, the system may also take into account where you are.
❑ Some operating systems already do so and grant access only if you log on from a certain
terminal. For example, a system manager may only log on from an operator console but not
from an arbitrary user terminal.
❑ Similarly, as a user you may only be allowed to log on from the workstation in your office.
Decisions of this kind will be even more frequent in mobile and distributed computing.
❑ If the precise geographical location has to be established during authentication, a system may
use the services of the Global Positioning System (GPS).
❑ Identifying the location of a user when a login request is made may also help to resolve later
disputes about the true identity of that user.
END!