Information Assurance and Security - 1 Chapter IV- Authentication

Start your lesson here.

Concepts of Authentication
Authentication comes from the Greek word: authentikos, means "real or genuine. It is
the act of proving an assertion, such as the identity of a computer system user.
Authentication is the process of verifying that identity. It might involve validating
personal identity documents, or ensuring that a product or document is not counterfeit
[1].
In the olden days, authentication
is already being practiced with
the use of a sealing wax. It uses
a wax material of a seal which,
after melting, hardens quickly (to
paper, parchment, ribbons and
wire, and other material) forming
a bond that is difficult to
separate without noticeable
tampering. Wax is used to verify Wax seal
something such as a document is Source: Wikipedia.
https://en.wikipedia.org/wiki/Sealing_wax#/
unopened, to verify the sender's media/File:Cornelis_Norbertus_Gysbrechts_
-_Quodlibet.jpg
identity, for example with a signet ring, and as
decoration. Sealing wax can be used to take
impressions of other seals. Wax was used to seal letters
close and later, from about the 16th
Letters sealed with wax in a painting of 1675 by Cornelis century, envelopes. Before sealing wax, the Romans
used bitumen for this purpose [2].
Norbertus Gysbrechts
Source: Wikipedia.
https://en.wikipedia.org/wiki/Sealing_wax#/media/File:Cornelis_Norb
ertus_Gysbrechts_-_Quodlibet.jpg

Authentication Process
Some electronic applications utilizing digital signatures in electronic commerce
(ecommerce) include e-mail and financial transactions. E-mail may need to be digitally
signed, where sensitive information is being transmitted and security services such as
sender authentication, message integrity and non-repudiation are desired. Financial
transactions, in which money is being transferred directly or in exchange for services
and goods, could also benefit from the use of digital signatures as an authentication
process.

Integrity
Integrity is a fundamental requirement of a trustworthy identity infrastructure. Identity
systems exchange credentials as well as messages and transactions regarding
attributes, provisioning information, and other data. Trusting that the contents have not
been tampered with is important. As an example, consider a document representing
identity credentials. To trust those credentials, we must be able to verify they are
authentic and have not been changed.
Technology used for Authentication

89
Information Assurance and Security - 1 Chapter IV- Authentication

Start your lesson here.

INTRODUCTION

Ever since computers have started to be widely adopted and carriers for data requiring
restricted access, the password based authentication has taken place as a most
commonly used authentication method. We use the term password to include single
words, phrases, and PINs (personal identification numbers) that are closely kept secrets
used for authentication. The basic problem with passwords can be explained succinctly:
a memorable password can often be guessed or searched by an attacker and a long,
random, changing password is difficult to remember.

Password storing

A password loss has to be prevented at two endpoints. The first one is the user.
Probably no sensible technical measure can stop him or her from writing down the
password on a little piece of paper titled ’my password’ and then leave it somewhere for
adversary to grab. The only thing that can be done here is to force the user not to act
like this. The other endpoint however has much better prospects. Databases of user
password scan be shielded with layers of security measures to stop the attacker. These
measures range from active defense elements like firewalls and IPSs to passive
measures that serve as a last resort in case the attacker has breached in. One of such
passive measures lies in a way how passwords are stored.

Plaintext passwords

Having a password on a disk in a plaintext form indicates more of a lack of security

measures than the opposite, nevertheless, it is still a valid way to store passwords and
as such is worth mentioning. The security flaw is obvious - when the attacker gets in, all
passwords are waiting to be abused. But what could be the motivation to use such a
weak measure?
• First, for a creator of the system it is the easiest possible way to get his job done.
• Second ,a user who has forgotten a password can get it from an administrator
without the need to change it.
Needles to say that such arguments are not even remotely an excuse, and storing pass-
words in a plaintext should be avoided at all costs.

Encrypted passwords

Much better way to store a password is to cryptographically protect it. That way any
attacker who manages to gain access to passwords is confronted with another, mostly
computation-ally intensive task. Often this effort has to be spent on each password
separately leaving the others secure. Of many various ways of cryptographic protection
of passwords one method is to employ block ciphers. This method is used for example

95
Information Assurance and Security - 1 Chapter IV- Authentication

in DES version of UNIX crypt(3) library function. To produce an output that is going to
be stored instead of a password, following sequence of steps is executed:
• the password is truncated to eight characters
• each character is coerced to 7 bits, thus constituting a 56-bit DES key
• this key is then used to encrypt one block of all zeroes
• the cipher text is repeatedly encrypted 25 times with 12 bits of salt
• a result is stored as a base64 encoded string
These steps are repeated every time the password is supplied, and resulting strings are
com-pared. It needs only a little modification to work with any other cipher. Passwords
stored in this form are fairly resistant to attacks but do not enable lost pass-word
recovery for forgetful users. But this is just a minor inconvenience.
One specific method, that is somewhere in the middle between passwords in plain text
and passwords encrypted as described before, is encryption with a secret key. This
approach has an advantage of allowing password recovery. Although it may appear to
be as secure as is the strength of an encryption function, there is more to consider.
Matter of a secrecy of the password was just shifted to matter of secrecy of that key.
Once the key is leaked all passwords are vulnerable. Therefore, this method should be
considered insecure.

Hashed passwords

The crypt(3) example in the previous section was not an encryption per se, because the
password was used as a key, but the encrypted text was not intended to be hidden. It
can be viewed as an example of a hash function constructed in an uncommon way,
because it satisfies definition presented by Preneel[5]One way hash function is a
function h satisfying the following conditions:
• The description of h must be publicly known and should not require any secret in-
formation for its operation
• The argument X can be of arbitrary length and the result h(X) has a fixed length
of nbits
• Given h and X, the computation of h(X) must be "easy"
• The hash function must be one-way in the sense that given a Y in the image of h,
itis "hard" to find a message X such that h(X) = Y and given X and h(X) it is
"hard" to find a message X1 different form X such that h(X1) = h(X)
Hash functions are probably the most prevalent method of a password transformation
be-fore storing. They offer a reasonably strong protection (especially when using
functions producing hashes longer than 128 bits), are relatively easy to compute and
protect even against insider attacks, which previous methods failed on. During last few
years there have been many researches on attacks on various hash functions,
especially MD5 and SHA [1,2,6,7]. They have succeeded in discovering time-effective
algorithms for finding collisions, but they are generally not a threat for password
storage. Collision means that few bytes of plaintext are altered yet produce the same
hash. And be-cause the plaintext (password) is not known the collision itself is not going
to help.

96
Information Assurance and Security - 1 Chapter IV- Authentication

Creating safe passwords

Now that different methods that attacker can use to crack passwords have been
enumerate edit is appropriate to describe how the reasonably safe password should
look like. Following form should be enforced by every administrator
• the password does not resemble words that can be found in a dictionary
• the password does not contain substring longer than three characters that can be
found in a dictionary
• the password is at least 8 characters long
• letters, numbers and special characters are used
• the password has no connection with the username
• the password is changed every two months
These rules are all direct answers to different cracking techniques, but by themselves
are not very descriptive to common users. For this reason there is a simple yet powerful
technique that should be suggested to them:
Choose a long sentence that you can remember and use first letters of each word and
special characters and numbers resembling words as a password. Here are few
examples:
• S1hsr/.1dhtfw! : Since I have started reading Slashdot I don’t have time for work!
• O#gcgitPC. : Only sharp guys can get inside the PC.
• Wo@hIdtusp? : Why on Earth have I decided to use such password?
Such passwords should be strong enough to withstand any cracking attempt.

Thinking Box:

1.common techniques for selecting or assigning passwords.

2. What is password hashing?
3.explain the following diagram

Recommended Learning Materials and Resources

https://is.muni.cz/th/qkn59/thesis.pdf
https://www.mathematik.uni-kl.de/~ederc/download/Cryptography.pdf
https://www.cs.umd.edu/~waa/414-F11/IntroToCrypto.pdf
https://opendatasecurity.io/wp-
content/uploads/2017/11/Cybersecurity_Guide_For_Dummies_Compressed.pdf

97
Information Assurance and Security - 1 Chapter IV- Authentication

Start your lesson here.

TOKEN-BASED AUTHENTICATION

Introduction
Users log in to a system and—once authenticated—are provided with a token to access
other services without having to enter their username and password multiple times. In
short, token-based authentication adds a second layer of security to application,
network, or service access.

a token is a piece of data that, combined with the correct system, is used to secure user
access to systems and applications. In token-based authentication, tokens are
employed to ensure every request to a server is verified—similar to how passwords
allow users to log into a service.

Physical tokens come in many forms. Some can be inserted into a USB port and others
provide randomized codes for users to enter manually. The system then compares the
information provided by the token with the details stored on its database and, if it is
correct, the user is authorized to access the system. An identity token, security token,
access token, or simply token, is a physical device that performs or aids authentication.
This can be a secure storage device containing passwords, such as a bankcard, remote
garage door opener, or smart card. This can also be an active device that yields one-
time passcodes, either time-synchronous (changing in synchrony with a master at the
host). Token security defenses include tamper-resistant packaging and special
hardware that disables the token if it is tampered with or if the number of failed
authentication attempts exceeds a chosen threshold. When we refer to “token” in this
paper, the general concept will be a portable, secure storage device accessed at the
client end via a password to obtain a passcode that is transmitted to the host for
authentication. A passcode is a secret number like a password, except it is machine-
generated and machine-stored, so it can be longer, more random, and perhaps
changing.

Who uses token-based authentication

The key advantage of token-based authentication is that it removes the need for weak
login credentials. It can help organizations opting for a passwordless approach to
identity and access management by offering a strong multifactor authentication factor
that can complement biometrics, push notifications, and more.

Token-based authentication is particularly well suited to mobile apps, platform-as-a-

service applications, and single-page applications. It simplifies the process of
implementing native or hybrid applications and enables organizations to actively

101
Information Assurance and Security - 1 Chapter IV- Authentication

participate in the API economy, sharing their information with a range of modern clients
and frameworks.

There are three main authentication tokens available:

• Connected tokens: Users can physically connect these tokens to the system
they wish to access. For example, smart cards can be inserted into a device’s
smart card reader.
• Disconnected tokens: The most commonly-used tokens in two-factor
authentication alongside passwords. Users don’t have to physically insert these
tokens into their devices, but rather they may need to enter a code that the token
generates.
• Contactless tokens: These tokens don’t need to physically connect to a device
and don’t require users to manually input information. A common example of this
is Bluetooth tokens, which transmit authentication data to a system, which then
determines whether the user has access rights.

A token is a piece of data that has no meaning or use on its own, but combined with the
correct tokenization system, becomes a vital player in securing your application. Token
based authentication works by ensuring that each request to a server is accompanied
by a signed token which the server verifies for authenticity and only then responds to
the request.

What is token-based authentication?

Token-based authentication is just one of many web authentication methods used to

create a more secure verification process. Other web authentication methods include
biometric authentication and password authentication. While each authentication
method is unique, all methods fall under one of the following three categories:
knowledge (something you know), inheritance (something you are), and possession
(something you own).

Password authentication falls within the knowledge category because users rely on a
word or phrase they’ve previously created to verify their identity. Biometric
authentication is an example of “something you are” due to its use of biological traits,
like fingerprints. And last, but certainly not least, token-based authentication belongs in
the possession category.

Token authentication requires users to obtain a computer-generated code (or token)

before they’re granted network entry. Token authentication is typically used in
conjunction with password authentication for an added layer of security. This is what we
refer to as two-factor authentication (2FA). That means even if an attacker successfully
implements a brute force attack to take out any password in place, they’ll have to also
bypass the token authentication layer. Without access to the token, gaining access to
the network becomes increasingly difficult. This additional layer discourages attackers
and can save networks from potentially disastrous breaches.

102
Information Assurance and Security - 1 Chapter IV- Authentication

How do tokens work?

In many cases, tokens are created via dongles or key fobs that generate a new
authentication token every 60 seconds in accordance with a known algorithm. Due to
the power these hardware devices hold, users are required to keep them safe at all
times to ensure they don’t fall into the wrong hands. As such, team members must
relinquish their dongle or fob when their employment ends.

The most common token systems contain a header, payload, and signature. The
header consists of the payload type as well as the signing algorithm being used. The
payload contains the claims, which are simply any statements pertaining to the user.
The signature is exactly what it sounds like—the signature used to prove that the
message hasn’t been jeopardized in transit. These three elements work together to
create a highly efficient and secure authentication system.

While these traditional token authentication systems are still in effect today, the rise of
smartphones has made token-based authentication easier than ever. Smartphones can
now be augmented to serve as code generators, providing end users with the security
passcodes necessary to gain access to their network at any given time. As part of the
login process, users receive a cryptographically secure one-time passcode that is time-
limited to 30 or 60 seconds, depending on the settings at the server end. These soft
tokens are generated either by an authenticator app on the device or sent on demand
via SMS.

The advent of smartphone token-based authentication means that most staff already
have the hardware to generate the codes. As a result, implementation costs and staff

103
Information Assurance and Security - 1 Chapter IV- Authentication

training are kept to a minimum, making this form of token-based authentication a

tempting option for many companies.

Is token-based authentication secure?

As cybercriminals advance, so must the protection practices and policies that MSPs put
into place. Due to the rising use of brute force attacks, dictionary attacks, and phishing
tactics to snatch user credentials, it’s becoming glaringly obvious that password
authentication is no longer enough to keep attackers at bay.

Token-based authentication, when used in tandem with other authentication practices,

creates a 2FA barrier designed to stop even the most advanced hacker in his or her
tracks. Because tokens can only be gleaned from the device that produces them—
whether that be a key fob or smartphone—token authorization systems are considered
highly secure and effective.

But despite the many advantages associated with an authentication token platform,
there is always a slim chance of risk that remains. While smartphone-based tokens are
incredibly convenient to utilize, smartphones also introduce potential vulnerabilities.
Tokens sent as texts are riskier because they can be intercepted during transit. As with
other hardware devices, smartphones can also be lost or stolen and wind up in the
grasp of those with dangerous intentions.

Token-based authentication best practices

Implementing a robust authentication strategy is critical when it comes to helping your

customers protect their networks from a security breach. But for your strategy to truly be
effective requires strict adherence to all relevant best practices. Here are a few key
factors to keep in mind when deploying a token-based authentication strategy:

• Put the right token into play: While there are a number of web tokens in
existence, none quite match the popularity and reliability of the JSON Web Token
(JWT). JWT is considered an open standard (RFC 7519) for transmitting
sensitive information between multiple parties. The information exchanged is
digitally signed using an algorithm or public/private key pairing to ensure optimal
security.
• Keep it private: A token should be treated the same way user credentials are.
Educate customers on the importance of keeping their token codes private—i.e.
treating them the same way they would the code to a vault full of their most
valuable possessions. This mindset is particularly relevant when it comes to the
signing key.
• Leverage HTTPS connections: HTTPS connections have been constructed
with security protocols top of mind, leveraging encryption and security
certifications designed to protect sensitive data. It’s important to use HTTPS

104
Information Assurance and Security - 1 Chapter IV- Authentication

connection vs HTTP or any other form of connection when sending tokens, as

these alternative systems face higher chances of interception from an attacker.

Reaping the benefits of authentication tokens

Historically, one layer of authentication was the gold standard. But in today’s
cybersecurity climate—in which hackers are more cunning than ever before—one
authentication is the bare minimum. Knowledge-based authentication practices work
best when implemented alongside possession-based ones to form robust 2FA systems.

This is where token authentication comes into effect. Token systems that rely on
hardware to deploy computer-generated codes are a critical component of any
comprehensive security strategy. These systems put 2FA to work to stop attackers
before they gain access to—and wreak havoc on—the network.

On top of proactively securing customer networks, however, it’s critical that MSPs also
help customers react to data breaches. In the event that a bad actor does successfully
manage to gain access to a network, having data stored safely on the cloud can prevent
your customers from having to fall victim to data loss or the threat of hefty ransoms.

Teaching and Learning Activities

Thinking Box:

1. Who uses token-based authentication

2. Is token-based authentication secure?
3. How do tokens work?
4. What is token-based authentication?

Recommended learning materials and resources for supplementary reading.

https://opendatasecurity.io/wp-
content/uploads/2017/11/Cybersecurity_Guide_For_Dummies_Compressed.pdf
https://www.ftc.gov/system/files/attachments/cybersecurity-small-
business/cybersecuirty_sb_factsheets_all.pdf
http://www.uou.ac.in/sites/default/files/slm/Introduction-cyber-security.pdf
https://www.geeksforgeeks.org/what-is-information-security/

105
Information Assurance and Security - 1 Chapter IV- Authentication

Start your lesson here.

BIOMETRIC AUTHENTICATION
Introduction
The word ‘biometrics’ is derived from the ancient Greek bios (life) and metron
(measure). In general usage, biometrics refers to both the methods used to measure
and analyze an individual’s unique physiological or behavioral characteristics and the
characteristics themselves, including fingerprints, facial geometry, iris patterns and
more. Research in the field of biometrics encompasses a broad realm of activities
including identifying traits that are unique to individuals, developing and testing the
reliability of technologies related to verifying biometric matching, and analyzing
consumer attitudes towards and comfort with the collection, usage, and digital storage
of such traits. A biometric is a feature measured from the human body that is
distinguishing enough to be used for user authentication. Biometrics include:
fingerprints, eye (iris and retina), face, hand, voice, and signature, as well as other more
obscure or futuristic biometrics such as gait and smell. A biometric purports to
inextricably link the authenticator to its owner, something passwords and tokens cannot
do, since they can be lent or stolen.
Biometric Types
Biometrics differ from the other authenticators in ways that are described here.
Biometrics are usually classified as physical or behavioral types. The physical type
includes biometrics based on stable body features, such as fingerprint, face, iris, and
hand. The behavioral type includes learned movements such as handwritten signature,
keyboard dynamics (typing), and gait. Speech is usually categorized as behavioral
because it is a product of learned behavior; however the underlying body feature upon
which speech is based is the vocal apparatus (lungs, vocal cords, nasal tract, vocal
tract),which is physical and relatively stable. In fact all biometrics used for authentication
depend to some degree upon a physical body feature; otherwise there is no constant
upon which to authenticate. Due to these ambiguities, we suggest a different
classification that doesn’t involve the physical and behavioral labels.
Instead of classifying the biometric itself, we classify the biometric signal that we
measure. There are two types:
1. Stable biometric signal.
A stable biometric signal is relatively constant in time. Except for minor
perturbations due to noise (and excluding drastic obfuscation by accident or
plastic surgery), the features used for matching stabilize before or at maturity.
Biometric matching is usually not done on the raw signal. Instead, a smaller-
sized template of these features is first extracted.

108
Information Assurance and Security - 1 Chapter IV- Authentication

2. Alterable biometric signal.

an alterable biometric signal is comprised of two components, the underlying,
stable biometric
Biometric Error
A user can forget or mistype a password, or can lose a token. These errors are
inconvenient but the user has only himself to blame. Far more frustrating is system error
where the user is not at fault and is unable to remedy the problem. Although computer
scan go down, keypads can malfunction, and token readers can fail to read, the rate of
hardware error is low compared to errors of some biometrics, which can reject the user
up to a few times each 100 attempts. Biometric error can occur for several reasons. The
capture device might be dirty. The lighting might be poor. The system might have
initially made a poor enrollment decision. The system might not adjust well to different
environmental factors (cold, rain, sun glare, dryness, etc.) or to day-to-day variability of
users.
There are two types of biometric error: verification error and identification error.
Verification error describes error for a biometric system in which an attempt is made to
match against a single identity (1-to-1 matching).Identification error describes error for a
biometric system in which an attempt is made to match one person in a database
containing records of that person plus many others (1-to- many matching).

Biometric techniques
There are lots of biometric techniques available nowadays. A few of them are in the
stage of the research only (e.g. the odor analysis), but a significant number of
technologies is already mature and commercially available (at least ten different types
of biometrics are commercially available nowadays: fingerprint, finger geometry, hand
geometry, palm print, iris pattern, retina pattern, facial recognition, voice comparison,
signature dynamics and typing rhythm).
Fingerprint technologies
Fingerprint identification is perhaps the oldest of all the biometric techniques.
Fingerprints were used already in the Old China as a means of positively identifying a
person as an author of the document. Their use in law enforcement since the last
century is well known and actually let to an association fingerprint = crime.
Fingerprints are not compared and usually also not stored as bitmaps. Fingerprint
matching techniques can be placed into two categories: minutiae-based and correlation
based. Minutiae-based techniques find the minutiae points first and then map their
relative placement on the finger. Minutiae are individual unique characteristics within the
fingerprint pattern such as ridge endings, bifurcations, divergences, dots or islands. In
the recent years automated fingerprint comparisons have been most often based on

109
Information Assurance and Security - 1 Chapter IV- Authentication

minutiae The problem with minutiae is that it is difficult to extract the minutiae points
accurately when the fingerprint is of low quality. This method also does not take into
account the global pattern of ridges and furrows. The correlation-based method is able
to overcome some of the difficulties of the minutiae-based approach. However, it has
some of its own shortcomings. Correlation-based techniques require the precise
location of a registration point and are affected by image translation and rotation. The
readability of a fingerprint depends on a variety of work and environmental factors.
These include age, gender, occupation and race.
Iris
The iris is the colored ring of textured tissue that surrounds the pupil of the eye. Even
twins have different iris patterns and everyone’s left and right iris is different, too. Each
iris is a unique structure featuring a complex pattern. This can be a combination of
specific characteristics known as corona, crypts, filaments, freckles, pits, furrows,
striations. and rings. The iris pattern is taken by a special gray-scale camera in the
distance of 10–40 cm from the camera (earlier models of iris scanners required closer
eye positioning). The camera is hidden behind a mirror, the user looks into the mirror so
that he/she can see his/her scanning own eye, then also the camera can “see” the eye.
Once the eye is stable (not moving too fast) and the camera has focused properly, the
image of the eye is captured.
Hand geometry
Hand geometry is based on the fact that nearly every person’s hand is shaped
differently and that the shape of a person’s hand does not change after certain age.
Hand geometry systems produce estimates of certain measurements of the hand such
as the length and the width of fingers. Various methods are used to measure the hand.
These methods are most commonly based either on mechanical or optical principle.
The latter ones are much more common today. Optical hand geometry scanners
capture the image of the hand and using the image edge detection algorithm compute
the hand’s characteristics. There are basically 2 sub-categories of optical scanners.
Devices from the first category create a black-and-white bitmap image of the hand’s
shape.
Facial recognition
Facial recognition is the most natural means of biometric identification. The method of
distinguishing one individual from another is an ability of virtually every human. Until
recently the facial recognition has never been treated as a science.
Facial recognition technology has recently developed into two areas: facial metrics and
Eigen faces.
Facial metrics technology relies on the measurement of the specific facial features (the
systems usually look for the positioning of the eyes, nose and mouth and the distances
between these features).

110
Information Assurance and Security - 1 Chapter IV- Authentication

Eigen faces Based on categorizing faces according to the degree of fit with a fixed set
of 150 master Eigen-faces. This technique is in fact similar to the police method of
creating a portrait, but the image processing is automated and based on a real picture
here. Every face is assigned a degree of fit to each Eigen-faces of the 150 master Eigen
faces, only the 40 template Eigen faces with the highest degree of fit are necessary to
reconstruct the face with the accuracy of 99%.
The core biometric technology
There are biometric techniques commercially available and new techniques are in the
stage of research and development. Any human physiological or behavioral
characteristics can become a biometric provided the following properties are fulfilled:
Universality: This means that every person should have the characteristics. It is really
difficult to get 100% coverage. There are mute people, people without fingers or with
injured eyes. All these cases must be handled.
Uniqueness: This means that no two persons should be the same in terms of the
biometric characteristics. Fingerprints have a high discrimination rate and the probability
of two persons with the same iris is estimated as low as 1 : 10^52.Identical twins, on the
other side, cannot be easily distinguished by face recognition and DNA-analysis
systems.
Permanence: This means that the characteristics should be invariant with time. While
the iris usually remains stable over decades, a person’s face changes significantly with
time. The signature and its dynamics may change as well and the finger is a frequent
subject to injuries.
Collectability: This means that the characteristics must be measured quantitatively and
obtaining the characteristics should be easy. Face recognition systems are not intrusive
and obtaining of a face image is easy. In the contrast the DNA analysis requires a blood
or other bodily sample. The retina scan is rather intrusive as well.
Performance: This refers to the achievable identification/verification accuracy and the
resources and working or environmental conditions needed to achieve an acceptable
accuracy. The crossover accuracy of iris-based systems is under 1% and the system is
able to compare over 4 · 10^6. Iris codes in one second. The crossover accuracy of
some signature dynamics systems is as high as 25% and the verification decision takes
over one second.
Acceptability: This indicates to what extend people are willing to accept the biometric
system. Face recognition systems are personally not intrusive, but there are countries
where taking pictures of persons is not viable. The retina scanner requires an infrared
laser beam directed through the cornea of the eye. This is rather invasive and only few
users accept this technology.

111
Information Assurance and Security - 1 Chapter IV- Authentication

Start your lesson here.

REMOTE USER AUTHENTICATION

Introduction
Authentication of remote users is a problem commonly encountered in distributed
computing environments. The authentication functions that have been developed to
support network-based use authentication. the authentication functions that have been
developed to support network-based use authentication. In most computer security
contexts, user authentication is the fundamental building block and the primary line of
defense.
Remote User-Authentication Principles
fundamental security building block
•basis of access control & user accountability
•is the process of verifying an identity claimed by or for a system entity
•has two steps:
•identification -specify identifier
•verification -bind entity (person) and identifier
•distinct from message authentication
There are four general means of authenticating a user’s identity, which can be used
alone or in combination
•Something the individual knows–Examples include a password, a personal
identification number (PIN), or answers to a prearranged set of questions
•Something the individual possesses–Examples include cryptographic keys,
electronic keycards, smart cards, and physical keys–This is referred to as a
token
•Something the individual is (static biometrics)–Examples include recognition by
fingerprint, retina, and face
•Something the individual does (dynamic biometrics)–Examples include
recognition by voice pattern, handwriting characteristics, and typing rhythm
For network-based user authentication, the most important methods involve
cryptographic keys and something the individual knows, such as a password

117
Information Assurance and Security - 1 Chapter IV- Authentication

Mutual Authentication used to convince parties of each other’s identity and to

exchange session keys
•may be one-way or mutual
•key issues are confidentiality to protect session keys timeliness to prevent replay
attacks
Replay Attacks
1. The simplest replay attack is one in which the opponent simply copies a message
and replays it later
2. An opponent can replay a times tamped message within the valid time window
3. An opponent can replay a time stamped message within the valid time window, but in
addition, the opponent suppresses the original message; thus, the repetition cannot be
detected
4. Another attack involves a backward replay without modification and is possible if
symmetric encryption is used and the sender cannot easily recognize the difference
between messages sent and messages received on the basis of content
Approaches to Coping with Replay Attacks
-Attach a sequence number to each message used in an authentication exchange
o A new message is accepted only if its sequence number is in the proper
order
o Difficulty with this approach is that it requires each party to keep track of
the last sequence number for each claimant it has dealt with
o Generally not used for authentication and key exchange because of
overhead

-Timestamps
o –Requires that clocks among the various participants be synchronized
o –Party A accepts a message as fresh only if the message contains a timestamp
that, in A’s judgment, is close enough to A’s knowledge of current time
-Challenge/response
o Party A, expecting a fresh message from B, first sends B a nonce (challenge)
and requires that the subsequent message (response) received from B contain
the correct nonce value

118
Information Assurance and Security - 1 Chapter IV- Authentication

Start your lesson here.

SECURITY ISSUES FOR USER AUTHENTICATION

Introduction
As with any security service, user authentication, particularly remote user
authentication, is subject to a variety of attacks. summarizes the principal attacks on
user authentication, broken down by type of authenticator.
Client attacks are those in which an adversary attempts to achieve user
authentication without access to the remote host or to the intervening communica-tions
path. The adversary attempts to masquerade as a legitimate user. For a pass-word-
based system, the adversary may attempt to guess the likely user password.
Multiple guesses may be made. At the extreme, the adversary sequences
through all possible passwords in an exhaustive attempt to succeed. One way to thwart
such an attack is to select a password that is both lengthy and unpredictable. In
effect, such a password has large entropy; that is, many bits are required to represent
the password. Another countermeasure is to limit the number of attempts that can be
made in a given time period from a given source. A token can generate a high-
entropy passcode from a low-entropy PIN or password, thwarting exhaustive
searches. The adversary may be able to guess or acquire the PIN or password but must
additionally acquire the physical token to succeed.
Topic 2 Host attacks are directed at the user file at the host where passwords, token
passcodes, or biometric templates are stored. For tokens, there is the additional
defense of using one-time passcodes, so that passcodes are not stored in a
host passcode file. Biometric features of a user are difficult to secure because they are
physical features of the user. For a static feature, biometric device authentication
adds a measure of protection. For a dynamic feature, a challenge-response
protocol enhances security.
Topic 3 Eavesdropping in the context of passwords refers to an adversary’s attempt to
learn the password by observing the user, finding a written copy of the password, or
some similar attack that involves the physical proximity of user and adversary. Another
form of eavesdropping is keystroke logging (keylogging), in which malicious hardware or
software is installed so that the attacker can capture the user’s keystrokes for later
analysis. A system that relies on multiple factors (e.g., password plus token or password
plus biometric) is resistant to this type of attack. For a token, an analogous threat is theft
of the token or physical copying of the token. Again, a multifactor protocol resists this
type of attack better than a simple token protocol. The analogous threat for a biometric
protocol is copying or imitating the biometric parameter to generate the desired

124
Information Assurance and Security - 1 Chapter IV- Authentication

template. Dynamic biometrics are less susceptible to such attacks. For static biometrics,
device authentication is a useful countermeasure. Replay attacks involve an adversary
repeating a previously captured user response. The most common countermeasure to
such attacks is the challenge-response protocol. In a Trojan horse attack, an application
or physical device masquerades as an authentic application or device to capture a user
password, passcode, or biometric. The adversary can then use the captured information
to masquerade as a legitimate user.
A simple example of this is a rogue bank machine used to capture user ID/password
combinations. A denial-of-service attack attempts to disable a user authentication
service by flooding the service with numerous authentication attempts. A more selective
attack denies service to a specific user by attempting logon until the threshold is
reached that causes lockout to this user because of too many login attempts. A
multifactor authentication protocol that includes a token thwarts this attack because the
adversary must first acquire the token.

Thinking Box:

1. What is Client attacks

2. What is Host attacks
3. What is Eavesdropping
4. What are the different way to protect the users
5. What are the different way to protect the servers

Recommended learning materials and resources for supplementary reading.

https://opendatasecurity.io/wp-
content/uploads/2017/11/Cybersecurity_Guide_For_Dummies_Compressed.pdf
https://www.ftc.gov/system/files/attachments/cybersecurity-small-
business/cybersecuirty_sb_factsheets_all.pdf

125