Cloud GCP Storage
Cloud computing
Uploaded by sneha

User Authentication

• Protective measures such as access control,
authorization and accountability make sense only
if we can identify and authenticate users
• Authentication validates a claimed user identity
Often a sub-goal of authorization (deciding whether
the requesting entity should be granted access to
the requested resource)
• The authentication process consists of two steps
Identification step – presenting an identifier to
the system
Verification (authentication) step – presenting
authentication information that binds the entity
to its identifier
User Authentication Categories
• Three main categories of authentication methods
Something the user knows
Passwords, PINs, passphrases
Something the user possesses
Smart cards, physical keys, tokens
Something the user is or does
Static (physical) biometrics: fingerprint, face, retina, iris
Dynamic (behavioral) biometrics: handwriting style, typing rhythm,
behavioral pattern
• Fourth category is related to user’s location
Where the user is
• Used in combination - multi-factor authentication
Password Authentication
• Widely used user authentication method
User provides account id (username, userid) and
password
System compares password with that saved for specified
id
• The authenticated account identifier then provides security by
Determining whether the account id is authorized to access the
system
Determining the user’s privileges (e.g., admin or not)
Serving as the basis of discretionary access control
• Passwords are a useful but weak means of authentication
A correct match may indicate knowledge of the password, or a
lucky guess
Hence a correct password does not guarantee that
whoever entered it is the authorized user
Password Vulnerabilities
• Offline password guessing
Attacker not in online interaction with the
server
• Online password guessing
All guesses are sent to the legitimate server
• Specific account attack
Submit candidate passwords until the
correct password discovered or until the
account is locked
• Popular password attack
Try popular passwords against a range of
user accounts
• Password guessing against single user
Make educated guesses based on knowledge
about the user (age, gender, marital status, ...)
• Exploiting user mistakes
Passwords written down, shared, social
engineering
• Exploiting multiple password use
Password reuse problem (due to cognitive
overload)
• Electronic monitoring
Intercept passwords communicated across a
network (simply encrypting the password does not help:
the captured ciphertext is, in effect, the password and
can be replayed)
Example of Weak Passwords (from Wikipedia)
• Default passwords (as supplied by the system vendor and
meant to be changed at installation time): password,
default, admin, guest, etc.
• Dictionary words: chameleon, RedSox, sandbags,
bunnyhop!, IntenseCrabtree, etc.
• Words with numbers appended: password1, deer2000,
john1234, etc.
• Words with simple obfuscation: p@ssw0rd, l33th4x0r,
g0ldf1sh, etc.
• Doubled words: crabcrab, stopstop, treetree, passpass,
etc., can be easily tested automatically.
• Common sequences from a keyboard row: qwerty, 12345,
asdfgh, fred, etc.
• Numeric sequences based on well known numbers such as
911, 314159, or 27182, etc.
• Identifiers: jsmith123, 1/1/1970, 555–1234, "your
username", etc.
• Anything personally related to an individual: license plate
number, Social Security number, current or past telephone
number, student ID, address, birthday, sports team,
relative's or pet's names/nicknames/birthdays, etc., can
easily be tested automatically after a simple investigation
of the person's details.
Storing Passwords
• Passwords must never be stored in cleartext/plaintext
The risk of theft would be too great
Insiders such as system administrators or personnel with access to
filesystem backups would all have direct access to the passwords
• Instead, a hash of the password is stored
Recall the basic properties of cryptographic hash functions
(one-way, preimage resistant, collision resistant)
[Figure: the plaintext password is passed through a hash function; the
resulting password hash is stored next to the user ID in the password file]
• Loading a new user (the user selects or is assigned a password):
hash the password and store the hash together with the user ID
• Verifying a password: hash the submitted password and compare the
result with the stored hash
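The two operations described above (loading a new user, verifying a password) as an added Python example; this is not code from the slides. It goes beyond the slide in one respect a practitioner would insist on: instead of a bare hash it uses a random per-user salt and an iterated key derivation function (PBKDF2-HMAC-SHA256), so that a stolen password file cannot be attacked with one precomputed table and every guess costs the attacker real work. The iteration count, record format, user names and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters are assumptions for this example; the slides do not fix a hash
# function or cost. PBKDF2-HMAC-SHA256 with a large iteration count slows
# down offline guessing against a stolen password file.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, iterated hash and pack it into a self-describing record.

    The record carries algorithm, cost and salt so verification can recompute
    the hash later, and so the cost can be raised without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every enrolment
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash for a candidate password and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# The "password file": user ID -> record. No plaintext is ever stored.
PasswordFile = Dict[str, str]

# Record for a throwaway random password, used so that a login attempt for an
# unknown user ID takes as long as one for a real ID (otherwise response time
# reveals which IDs exist).
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def load_user(pw_file: PasswordFile, user_id: str, password: str) -> None:
    """Loading a new user: store only the hash record under the user ID."""
    pw_file[user_id] = hash_password(password)


def login(pw_file: PasswordFile, user_id: str, password: str) -> bool:
    """Verifying a password: identification (user ID), then verification."""
    record = pw_file.get(user_id)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then fail
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    pw_file: PasswordFile = {}
    load_user(pw_file, "alice", "correct horse battery staple")
    print(pw_file["alice"])                                          # record, no plaintext
    print(login(pw_file, "alice", "correct horse battery staple"))   # True
    print(login(pw_file, "alice", "Tr0ub4dor&3"))                    # False
    print(login(pw_file, "mallory", "anything"))                     # False
```

Enrolling the same password twice yields two different records because the salt differs, which is exactly what denies an attacker a shared precomputed table; the cost parameter lives in the record so it can be raised later for new enrolments.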
Storing Passwords Using Encryption
• It is also possible to protect secret
passwords by using reversible encryption
(e.g., using symmetric crypto)
• Still, password hashing is the most
prevalent/common method for storing
passwords
Can you see why?
Think about the pros and cons of both
methods (for example, where the decryption
key must be kept, and who can read it)
Threats to Passwords
• Eavesdropping (insecure channel between
client and server)
• Login spoofing (human errors), shoulder
surfing, keyloggers
• Offline dictionary attacks
• Social engineering (human errors)
e.g., pretexting: creating and using an
invented scenario (the pretext) to persuade a
target to release information or perform an
action and is usually done over the telephone
• Online guessing (weak passwords)
Brute Force Attack Definition
• A brute force attack is a hacking method that uses trial and error
to crack passwords, login credentials, and encryption keys.
• It is a simple yet reliable tactic for gaining unauthorized access to
individual accounts and organizations’ systems and networks.
• The hacker tries multiple usernames and passwords, often using a
computer to test a wide range of combinations, until they find the
correct login information.
• The name "brute force" comes from attackers using excessively
forceful attempts to gain access to user accounts.
• Despite being an old cyberattack method, brute force attacks are
tried and tested and remain a popular tactic with hackers.
Types of Brute Force Attacks
1. Simple brute force attacks
2. Dictionary attacks
3. Hybrid brute force attacks
4. Reverse brute force attacks
5. Credential stuffing
1. Simple brute force attacks
• A simple brute force attack occurs when a hacker attempts to guess
a user’s login credentials manually without using any software.
• This is typically through standard password combinations or
personal identification number (PIN) codes.
• These attacks are simple because many people still use weak
passwords, such as "password123" or "1234," or practice poor
password etiquette, such as using the same password for multiple
websites.
• Passwords can also be guessed by hackers who do minimal
reconnaissance work on an individual's likely password,
such as the name of their favorite sports team.
2. Dictionary attacks
• A dictionary attack is a basic form of brute force hacking in which the
attacker selects a target, then tests possible passwords against that
individual’s username.
• The attack method itself is not technically considered a brute force
attack, but it can play an important role in a bad actor’s password-
cracking process.
• The name "dictionary attack" comes from hackers running through
dictionaries or a wordlist and amending words with special
characters and numbers.
• This type of attack is typically time-consuming and has a low chance
of success compared to newer, more effective attack methods.
3. Hybrid brute force attacks
• A hybrid brute force attack is when a hacker combines a
dictionary attack method with a simple brute force attack.
• It begins with the hacker knowing a username, then carrying
out a dictionary attack and simple brute force methods to
discover an account login combination.
• The attacker starts with a list of potential words, then
experiments with character, letter, and number combinations
to find the correct password.
• This approach allows hackers to discover passwords that
combine common or popular words with numbers, years, or
random characters, such as "SanDiego123" or "Rover2024."
4. Reverse brute force attacks
• A reverse brute force attack sees an attacker begin the process with a
known password, which is typically discovered through a network
breach.
• They use that password to search for a matching login credential
using lists of millions of usernames.
• Attackers may also use a commonly used weak password, such as
"Password123," to search through a database of usernames for a
match.
5. Credential stuffing
• Credential stuffing preys on users’ weak password etiquette.
• Attackers collect username and password combinations they
have stolen, which they then test on other websites to see if they
can gain access to additional user accounts.
• This approach is successful if people use the same username and
password combination or reuse passwords for various accounts
and social media profiles.
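The dictionary and hybrid attacks described above, as an added Python example (not code from the source): offline guessing against a constructed, unsalted MD5 password file of the kind a legacy system might hold. The user names, passwords, word list and mangling rules are invented for the demonstration; the target passwords are the slides' own examples ("SanDiego123", "Rover2024", "Password123"). It generalises the text slightly by running the cheap dictionary pass first and only then the larger hybrid pass.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed for this example: a stolen, UNSALTED MD5 password file. User
# names and passwords are invented; the last one cannot be derived from the
# word list below, so it should survive the attack.
STOLEN_HASHES: Dict[str, str] = {
    "sandra": md5_hex("SanDiego123"),
    "ramon": md5_hex("Rover2024"),
    "pat": md5_hex("Password123"),
    "kim": md5_hex("xq9!Lr#v2Ab"),
}

# A tiny word list standing in for a real dictionary (also constructed).
WORDLIST: List[str] = ["password", "SanDiego", "rover", "summer", "dragon"]


def dictionary_candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: try each word exactly as listed."""
    yield from wordlist


def hybrid_candidates(wordlist: Iterable[str],
                      digits: Iterable[int] = range(1000),
                      years: Iterable[int] = range(1950, 2031)) -> Iterator[str]:
    """Hybrid attack: case mangles of each word x numeric suffixes.

    The empty suffix is included so the pass also covers case variants on
    their own (the pure dictionary pass only tried the words as listed).
    """
    suffixes = [""] + [str(n) for n in digits] + [str(y) for y in years]
    for word in wordlist:
        # Keep the word as listed plus common case variants, deduplicated.
        bases = dict.fromkeys([word, word.lower(), word.capitalize(), word.upper()])
        for base in bases:
            for suffix in suffixes:
                yield base + suffix


def crack_hash(target: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing: hash each candidate locally and compare with the target.

    Nothing is sent to the real server, so no lockout or rate limit applies;
    the only cost is one hash computation per guess.
    """
    attempts = 0
    for cand in candidates:
        attempts += 1
        if md5_hex(cand) == target:
            return cand, attempts
    return None, attempts


def crack_file(stolen: Dict[str, str],
               wordlist: List[str]) -> Dict[str, Tuple[Optional[str], int]]:
    """Cheap dictionary pass first, then the much larger hybrid pass."""
    results: Dict[str, Tuple[Optional[str], int]] = {}
    for user, h in stolen.items():
        hit, n = crack_hash(h, dictionary_candidates(wordlist))
        if hit is None:
            hit, n2 = crack_hash(h, hybrid_candidates(wordlist))
            n += n2
        results[user] = (hit, n)
    return results


if __name__ == "__main__":
    for user, (pw, n) in crack_file(STOLEN_HASHES, WORDLIST).items():
        print(f"{user}: {pw!r} after {n} guesses")
```

Three of the four hashes fall to a few thousand local MD5 computations each, which is the point of the slides' warning about common words with numbers appended; the same attack against a salted, iterated hash (as in the storage example earlier) would have to be repeated per user and would cost orders of magnitude more per guess.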
Rainbow Table Attack
What is a Rainbow Table?
• Passwords in a computer system are not stored directly as
plain text but as the output of a cryptographic hash function.
• A hash function is a one-way function: the original value
cannot feasibly be recovered from its hash value.
• Whenever a user enters a password, it is hashed and the result
is compared with the stored hash value.
• If the values match, the user is authenticated.
• A rainbow table is a precomputed data structure used to recover
a password from its hash, and so to defeat the authentication.
• It is a precomputed dictionary of
plaintext passwords and their
corresponding hash values that can
be used to find out what plaintext
password produces a particular hash.
• Since more than one text can
produce the same hash, it’s not
important to know what the original
password really was, as long as it
produces the same hash.
How does the Rainbow Table Attack work?
• A rainbow table trades precomputation and storage for
speed at attack time.
• A brute-force attack computes the hash of every candidate
string while the attack is running and compares each result
with the stored hash, one candidate at a time.
• A rainbow table attack removes this per-attack work by
computing the hashes of a large set of strings in advance
and storing the results compactly.
• There are two main steps in this:
• Creating a Table
• Cracking the Password

Creating a Table
• A start string is hashed, and the hash is "reduced" back to a
new string, which is hashed and reduced again, repeatedly.
• For example, let’s build a chain for the most common
password, 12345678, using MD5 as the hash function and "keep
the first 8 characters" as the reduction function:
✓ First we pass the string through the MD5 hash function.
hashMD5(12345678) = 25d55ad283aa400af464c76d713c07ad
✓ We reduce the hash by taking only its first 8 characters. Then we re-hash the result.
hashMD5(25d55ad2) = 5c41c6b3958e798662d8853ece970f70
✓ This is repeated until the chain has the chosen length.
This represents one chain, which starts from the first plain
text and ends at the last reduced value. Only the start and
the end of each chain need to be stored.
✓ After generating enough chains, we store them in a table.
Cracking the Password
• Start from the stolen hash. Reduce it and check whether the
result is the end of a stored chain; if not, hash and reduce
again and check again, up to the chain length.
• When an end matches, go to the start of that chain and hash
forward until a value is found whose hash equals the stolen
hash.
• That value is a working password: it produces the stored
hash, so the authentication is defeated.
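The table-building and cracking steps described above as an added Python example (not code from the slides), using MD5 and the slides' reduction function (first 8 hex characters of the digest), so the first chain reproduces the slides' values. Chain length, start strings and function names are this example's own choices. One caveat: with the same reduction function in every column this is the classic Hellman time-memory trade-off; a true rainbow table varies the reduction per column so that chains which collide in different columns do not merge. The lookup procedure is the same in both cases.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Chain length is this example's choice; the slides do not fix one. Longer
# chains mean fewer stored pairs for the same coverage but slower lookups.
CHAIN_LENGTH = 100


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def reduce_hash(digest_hex: str) -> str:
    """The slides' reduction function: keep the first 8 hex characters."""
    return digest_hex[:8]


def chain_end(start: str, length: int = CHAIN_LENGTH) -> str:
    """Apply hash -> reduce `length` times and return the final reduced value."""
    p = start
    for _ in range(length):
        p = reduce_hash(md5_hex(p))
    return p


def build_table(starts: Iterable[str], length: int = CHAIN_LENGTH) -> Dict[str, str]:
    """Precompute the chains; store only end -> start for each one."""
    return {chain_end(s, length): s for s in starts}


def crack(target_hash: str, table: Dict[str, str],
          length: int = CHAIN_LENGTH) -> Optional[str]:
    """Return a string whose MD5 equals target_hash, if some chain covers it.

    The target hash could have been produced at any column i of a chain.
    For each possible i, continue the chain from the target to its end and
    look that end up; on a hit, replay the chain from its stored start.
    """
    for i in range(length):
        # If target_hash == md5(p_i) then reduce(target_hash) == p_(i+1);
        # (length - 1 - i) more steps reach the stored end p_length.
        p = reduce_hash(target_hash)
        for _ in range(length - 1 - i):
            p = reduce_hash(md5_hex(p))
        start = table.get(p)
        if start is None:
            continue
        # Replay from the chain start until some column hashes to the target.
        # If none does (a false alarm caused by a chain merge), keep searching.
        q = start
        for _ in range(length):
            if md5_hex(q) == target_hash:
                return q
            q = reduce_hash(md5_hex(q))
    return None


if __name__ == "__main__":
    table = build_table(["12345678", "password", "qwerty"])
    print(len(table), "chains stored, 2 short strings each")
    stolen = md5_hex("12345678")                  # 25d55ad283aa400af464c76d713c07ad
    print(crack(stolen, table))                   # 12345678
    print(crack(md5_hex("25d55ad2"), table))      # 25d55ad2 (column 1 of the first chain)
    print(crack(md5_hex("not covered"), table))   # None
```

The second lookup shows the point made earlier about collisions: "25d55ad2" was never anyone's password, but it is an intermediate of the first chain and its hash is recovered just the same. Storing a random salt with each hash would move every user's hashes out of the precomputed chains, which is why salting is the standard defence.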
Advantages of Rainbow Table Attack
1. Unlike brute forcing, computing the hash function is not the
bottleneck here (everything is precomputed). With the values
already computed, cracking reduces to a search-and-compare
operation on the table.
2. The exact password string does not need to be known. If the
hash matches, it does not matter whether the string is the
original password; it will be authenticated.
Disadvantages of Rainbow Table Attack
1. A large amount of storage is required to store the tables.
2. Building the tables takes a large amount of precomputation
time, which only pays off if many hashes are attacked.
3. Salting defeats the attack: a random per-user salt stored
alongside the hash means a separate table would be needed
for every salt value.