Class Notes UNIT III - BCS-404 B Essentials of Computer Security


UNIT III USER AUTHENTICATION

Electronic User Authentication Principles


A Model for Electronic User Authentication
Means of Authentication
Password-Based Authentication
The Vulnerability of Passwords
Password Selection Strategies
Biometric Authentication
Physical Characteristic Used in Biometric Applications
Learning Objectives
After studying this chapter, you should be able to:
Discuss the four general means of authenticating a user’s identity.
Understand User authentication.
Understand Password-Based Authentication
Summarize some of the key security issues for user authentication.
Understand Biometric Authentication
Enlist Physical Characteristic Used in Biometric Applications
In most computer security contexts, user authentication is the fundamental building
block and the primary line of defense. User authentication is the basis for most types of
access control and for user accountability. RFC 4949 defines user authentication as
follows:
The process of verifying an identity claimed by or for a system entity. An authentication
process consists of two steps:
Identification step: Presenting an identifier to the security system. (Identifiers should be
assigned carefully, because authenticated identities are the basis for other security
services, such as access control service.)
Verification step: Presenting or generating authentication information that corroborates
the binding between the entity and the identifier.

For example, user Alice Toklas could have the user identifier ABTOKLAS. This information
needs to be stored on any server or computer system that Alice wishes to use and could be
known to system administrators and other users. A typical item of authentication information
associated with this user ID is a password, which is kept secret (known only to Alice and to
the system). If no one is able to obtain or guess Alice’s password, then the combination of
Alice’s user ID and password enables administrators to set up Alice’s access permissions and
audit her activity. Because Alice’s ID is not secret, system users can send her e-mail, but because
her password is secret, no one can pretend to be Alice.
In essence, identification is the means by which a user provides a claimed identity to the system; user
authentication is the means of establishing the validity of the claim. Note that user authentication is distinct from
message authentication. Message authentication is a procedure that allows communicating parties to verify
that the contents of a received message have not been altered and that the source is authentic.

Typically the password is stored in hashed form on the server, and this hash code may not be
secret.
This chapter first provides an overview of different means of user authentication and then examines
each in some detail.

3.1 ELECTRONIC USER AUTHENTICATION PRINCIPLES

NIST SP 800-63-2 (Electronic Authentication Guideline, August 2013) defines electronic
user authentication as the process of establishing confidence in user identities that are
presented electronically to an information system. Systems can use the authenticated
identity to determine if the authenticated individual is authorized to perform particular
functions, such as database transactions or access to system resources. In many cases,
the authentication and transaction or other authorized function take place across an open
network such as the Internet. Equally, authentication and subsequent authorization can take place
locally, such as across a local area network.
A Model for Electronic User Authentication
SP 800-63-2 defines a general model for user authentication that involves a number of entities
and procedures. We discuss this model with reference to Figure 3.1.

The initial requirement for performing user authentication is that the user must be registered
with the system. The following is a typical sequence for registration. An applicant applies to a
registration authority (RA) to become a subscriber of a credential service provider (CSP). In this
model, the RA is a trusted entity that establishes and vouches (gives a guarantee) for the
identity of an applicant to a CSP. The CSP then engages in an exchange with the
subscriber. Depending on the details of the overall authentication system, the CSP issues some
sort of electronic credential to the subscriber. The credential is a data structure that
authoritatively binds an identity and additional attributes to a token possessed by a
subscriber, and can be verified when presented to the verifier in an authentication transaction.
The token could be an encryption key or an encrypted password that identifies the subscriber.
The token may be issued by the CSP, generated directly by the subscriber, or provided by a
third party. The token and credential may be used in subsequent authentication events.
Once a user is registered as a subscriber, the actual authentication process can take place
between the subscriber and one or more systems that perform authentication and,
subsequently, authorization. The party to be authenticated is called a claimant and the party
verifying that identity is called a verifier. When a claimant successfully demonstrates
possession and control of a token to a verifier through an authentication protocol, the verifier can
verify that the claimant is the subscriber named in the corresponding credential. The verifier passes
on an assertion about the identity of the subscriber to the relying party (RP). That assertion
includes identity information about a subscriber, such as the subscriber name, an identifier
assigned at registration, or other subscriber attributes that were verified in the registration
process. The RP can use the authenticated information provided by the verifier to make
access control or authorization decisions.
An implemented system for authentication will differ from or be more complex than this
simplified model, but the model illustrates the key roles and functions needed for a secure
authentication system.
Means of Authentication
There are four general means of authenticating a user’s identity, which can be used alone or in
combination:
• Something the individual knows: Examples include a password, a personal
identification number (PIN), or answers to a prearranged set of questions.
• Something the individual possesses: Examples include electronic keycards, smart
cards, and physical keys. This type of authenticator is referred to as a token.
• Something the individual is (static biometrics): Examples include recognition by
fingerprint, retina, and face.
• Something the individual does (dynamic biometrics): Examples include recognition by
voice pattern, handwriting characteristics, and typing rhythm.
All of these methods, properly implemented and used, can provide secure user
authentication. However, each method has problems. An adversary may be able to guess or
steal a password. Similarly, an adversary may be able to forge or steal a token. A user may
forget a password or lose a token. Further, there is a significant administrative overhead for
managing password and token information on systems and securing such information on systems.
With respect to biometric authenticators, there are a variety of problems, including dealing with
false positives and false negatives, user acceptance, cost, and convenience.

3.2 PASSWORD-BASED AUTHENTICATION

A widely used line of defense against intruders is the password system. Virtually all multiuser
systems, network-based servers, Web-based e-commerce sites, and other similar services require
that a user provide not only a name or identifier (ID) but also a password. The system
compares the password to a previously stored password for that user ID, maintained in a
system password file. The password serves to authenticate the ID of the individual logging
on to the system. In turn, the ID provides security in the following ways:
• The ID determines whether the user is authorized to gain access to a system. In some
systems, only those who already have an ID filed on the system are allowed to gain
access.
• The ID determines the privileges accorded to the user. A few users may have supervisory or
“superuser” status that enables them to read files and perform functions that are especially
protected by the operating system. Some systems have guest or anonymous accounts, and
users of these accounts have more limited privileges than others.
• The ID is used in what is referred to as discretionary (optional) access control. For
example, by listing the IDs of the other users, a user may grant permission to them to
read files owned by that user.
The Vulnerability of Passwords
In this subsection, we outline the main forms of attack against password-based authentication
and briefly outline a countermeasure strategy.
Typically, a system that uses password-based authentication maintains a password file
indexed by user ID. One technique that is typically used is to store not the user’s password but
a one-way hash function of the password.
We can identify the following attack strategies and countermeasures:
• Offline dictionary attack: Typically, strong access controls are used to protect the
system’s password file. However, experience shows that determined hackers can
frequently bypass such controls and gain access to the file. The attacker obtains the
system password file and compares the password hashes against hashes of commonly used
passwords. If a match is found, the attacker can gain access by that ID/password
combination. Countermeasures include controls to prevent unauthorized access to the
password file, intrusion detection measures to identify a compromise, and rapid
reissuance of passwords should the password file be compromised.
• Specific account attack: The attacker targets a specific account and submits password
guesses until the correct password is discovered. The standard countermeasure is an
account lockout mechanism, which locks out access to the account after a number of
failed login attempts. Typical practice is no more than five access attempts.
• Popular password attack: A variation of the preceding attack is to use a popular
password and try it against a wide range of user IDs. A user’s tendency is to choose a
password that is easily remembered; this unfortunately makes the password easy to
guess. Countermeasures include policies to inhibit (avoid) the selection by users of
common passwords and scanning the IP addresses of authentication requests and client
cookies for submission patterns.
• Password guessing against single user: The attacker attempts to gain knowledge about the
account holder and system password policies and uses that knowledge to guess the
password. Countermeasures include training in and enforcement of password policies that
make passwords difficult to guess. Such policies address the secrecy, minimum length
of the password, character set, prohibition against using well-known user identifiers, and
length of time before the password must be changed.
• Workstation hijacking: The attacker waits until a logged-in workstation is unattended.
The standard countermeasure is automatically logging the workstation out after a period of
inactivity. Intrusion detection schemes can be used to detect changes in user
behavior.
• Exploiting user mistakes: If the system assigns a password, then the user is more likely
to write it down because it is difficult to remember. This situation creates the potential for
an adversary to read the written password. A user may intentionally share a password,
to enable a colleague to share files, for example. Also, attackers are frequently
successful in obtaining passwords by using social engineering tactics that trick the user
or an account manager into revealing a password. Many computer systems are shipped with
preconfigured passwords for system administrators. Unless these preconfigured
passwords are changed, they are easily guessed. Countermeasures include user
training, intrusion detection, and simpler passwords combined with another
authentication mechanism.
• Exploiting multiple password use: Attacks can also become much more effective or
damaging if different network devices share the same or a similar password for a given
user. Countermeasures include a policy that forbids the same or similar password on
particular network devices.
• Electronic monitoring: If a password is communicated across a network to log on to a
remote system, it is vulnerable to eavesdropping. Simple encryption will not fix this
problem, because the encrypted password is, in effect, the password and can be observed
and reused by an adversary.
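A worked illustration of two of the countermeasures above, added here as example code rather than material from the notes: the password file keeps a per-user random salt and an iterated one-way hash (PBKDF2-HMAC-SHA256, a choice assumed here) instead of the password, so a stolen file cannot be compared against a single precomputed table of common-password hashes, and a specific-account attack is stopped by locking the account after five failed attempts. The user ID ABTOKLAS comes from the notes; the passwords and guesses are constructed sample values.

```python
# Added example (not from the notes): a minimal password file that stores a
# salted, iterated one-way hash per user ID and enforces account lockout.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # work factor: slows each guess in an offline dictionary attack
MAX_FAILED = 5         # "typical practice is no more than five access attempts"
SALT_BYTES = 16


def hash_password(password, salt, iterations=ITERATIONS):
    """One-way hash of the password; the salt makes equal passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordFile:
    """In-memory stand-in for a system password file indexed by user ID."""

    def __init__(self):
        self._entries = {}  # user_id -> {"salt", "hash", "failed", "locked"}

    def enroll(self, user_id, password):
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
        self._entries[user_id] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failed": 0,
            "locked": False,
        }

    def stored_hash(self, user_id):
        return self._entries[user_id]["hash"]

    def is_locked(self, user_id):
        return self._entries[user_id]["locked"]

    def verify(self, user_id, password):
        """Return True only for the correct password on an unlocked account."""
        entry = self._entries.get(user_id)
        if entry is None:
            # Hash anyway so response time does not reveal which IDs exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        if entry["locked"]:
            return False
        candidate = hash_password(password, entry["salt"])
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, entry["hash"]):
            entry["failed"] = 0
            return True
        entry["failed"] += 1
        if entry["failed"] >= MAX_FAILED:
            entry["locked"] = True  # specific-account attack countermeasure
        return False


def demo():
    """Constructed scenario: salting, a failed specific-account attack, and lockout."""
    pf = PasswordFile()
    pf.enroll("ABTOKLAS", "MdfniR")      # sample ID from the notes, sample password
    pf.enroll("OTHERUSER", "MdfniR")     # same password, different salt
    salted_hashes_differ = pf.stored_hash("ABTOKLAS") != pf.stored_hash("OTHERUSER")
    correct_first = pf.verify("ABTOKLAS", "MdfniR")
    for guess in ["password", "123456", "qwerty", "letmein", "rex"]:
        pf.verify("ABTOKLAS", guess)     # five wrong guesses trigger lockout
    locked = pf.is_locked("ABTOKLAS")
    correct_after_lock = pf.verify("ABTOKLAS", "MdfniR")
    return salted_hashes_differ, correct_first, locked, correct_after_lock


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Note that the salt does not need to be secret: it only forces the attacker to hash each dictionary word separately for every user, which is exactly what the work factor makes expensive.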
Despite the many security vulnerabilities of passwords, they remain the most
commonly used user authentication technique, and this is unlikely to change in the
foreseeable future. Among the reasons for the persistent popularity of passwords are
the following:
1. Techniques that utilize client-side hardware, such as fingerprint scanners and smart card
readers, require the implementation of the appropriate user authentication software to
exploit this hardware on both the client and server systems. Until there is widespread
acceptance on one side, there is reluctance to implement on the other side, so we end up
with a who-goes-first stalemate.
2. Physical tokens, such as smart cards, are expensive and/or inconvenient to carry
around, especially if multiple tokens are needed.
3. Schemes that rely on a single sign-on to multiple services create a single point of
security risk.
4. Automated password managers that relieve users of the burden of knowing and entering
passwords have poor support for roaming and synchronization across multiple client
platforms, and their usability has not been adequately researched.
Thus, it is worth our while to study the use of passwords for user authentication in
some detail.

Password Selection Strategies


When not constrained, many users choose a password that is too short or too easy to guess. At
the other extreme, if users are assigned passwords consisting of eight randomly selected printable
characters, password cracking is effectively impossible. But it would be almost as impossible for
most users to remember the passwords. Fortunately, even if we limit the password universe to
strings of characters that are reasonably memorable, the size of the universe is still too large to
permit practical cracking. Our goal, then, is to eliminate guessable passwords while allowing
the user to select a password that is memorable. Four basic techniques are in use:
• User education
• Computer-generated passwords
• Reactive password checking
• Complex password policy
Users can be told the importance of using hard-to-guess passwords and can be provided
with guidelines for selecting strong passwords. This user education strategy is unlikely to
succeed at most installations, particularly where there is a large user population or a lot of
turnover. Many users will simply ignore the guidelines. Others may not be good judges of
what is a strong password. For example, many users (mistakenly) believe that reversing a word
or capitalizing the last letter makes a password unguessable.
Nonetheless, it makes sense to provide users with guidelines on the selection of
passwords. Perhaps the best approach is the following advice: A good technique for choosing a
password is to use the first letter of each word of a phrase. However, do not pick a well-
known phrase like “An apple a day keeps the doctor away” (Aaadktda). Instead, pick
something like “My dog’s first name is Rex” (MdfniR) or “My sister Peg is 24 years old”
(MsPi24yo). Studies have shown that users can generally remember such passwords but that
they are not susceptible to password guessing attacks based on commonly used passwords.
Computer-generated passwords also have problems. If the passwords are quite random in
nature, users will not be able to remember them. Even if the password is pronounceable, the
user may have difficulty remembering it and so be tempted to write it down. In general,
computer-generated password schemes have a history of poor acceptance by users. FIPS 181
defines one of the best-designed automated password generators. The standard includes not
only a description of the approach but also a complete listing of the C source code of the
algorithm. The algorithm generates words by forming pronounceable syllables and
concatenating them to form a word. A random number generator produces a random stream of
characters used to construct the syllables and words.
A reactive password checking strategy is one in which the system periodically runs its
own password cracker to find guessable passwords. The system cancels any passwords that are
guessed and notifies the user. This tactic has a number of drawbacks. First, it is resource
intensive if the job is done right. Because a determined opponent who is able to steal a
password file can devote full CPU time to the task for hours or even days, an effective
reactive password checker is at a distinct disadvantage. Furthermore, any existing passwords
remain vulnerable until the reactive password checker finds them. A good example is the
open-source John the Ripper password cracker (openwall.com/john/pro/), which works on a variety
of operating systems.
A promising approach to improved password security is a complex password policy, or
proactive password checker. In this scheme, a user is allowed to select his or her own password.
However, at the time of selection, the system checks to see if the password is allowable and, if
not, rejects it. Such checkers are based on the philosophy that, with sufficient guidance from the
system, users can select memorable passwords from a fairly large password space that are not
likely to be guessed in a dictionary attack.
The trick with a proactive password checker is to strike a balance between user
acceptability and strength. If the system rejects too many passwords, users will complain that it is
too hard to select a password. If the system uses some simple algorithm to define what is
acceptable, this provides guidance to password crackers to refine their guessing technique.
In this subsection, we look at possible approaches to proactive password checking.

RULE ENFORCEMENT: The first approach is a simple system for rule enforcement. For
example, the following rules could be enforced:
• All passwords must be at least eight characters long.
• In the first eight characters, the passwords must include at least one each of
uppercase, lowercase, numeric digits, and punctuation marks.
These rules could be coupled with advice to the user. Although this approach is
superior to simply educating users, it may not be sufficient to thwart password
crackers. This scheme alerts crackers as to which passwords not to try but may still make it
possible to do password cracking.
The process of rule enforcement can be automated by using a proactive password
checker, which enforces a variety of rules on passwords and is configurable by the
system administrator.
PASSWORD CHECKER: Another possible procedure is simply to compile a large
dictionary of possible “bad” passwords. When a user selects a password, the system checks
to make sure that it is not on the disapproved list. There are two problems with this
approach:
• Space: The dictionary must be very large to be effective.
• Time: The time required to search a large dictionary may itself be large. In addition,
to check for likely permutations of dictionary words, either those words must be
included in the dictionary, making it truly huge, or each search must also involve
considerable processing.

Bloom Filter: A technique for developing an effective and efficient proactive
password checker that is based on rejecting words on a list has been implemented on a
number of systems, including Linux. It is based on the use of a Bloom filter.
The Bloom filter involves the use of probabilistic techniques. There is a small
probability that some passwords not in the dictionary will be rejected. It is often the case
in designing algorithms that the use of probabilistic techniques results in a less time-
consuming or less complex solution, or both.
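Putting the rule-enforcement and Bloom-filter approaches together, as added example code that is not from the notes or from any particular system's checker: the checker first rejects a candidate that breaks the two rules listed above, then tests it against a Bloom filter built from a small constructed list of disallowed passwords. The sizing formulas for the bit array and the use of SHA-256 to derive the k bit positions are choices assumed here; the target false-positive rate of about 0.1% is the "small probability" of rejecting an acceptable password that the notes mention.

```python
# Added example (not from the notes): proactive password checker combining
# rule enforcement with a Bloom-filter dictionary of disallowed passwords.
import hashlib
import math
import string


class BloomFilter:
    """Bit array with k hash positions per word, derived from SHA-256."""

    def __init__(self, n_items, false_positive_rate=0.001):
        # Standard sizing: m bits and k hashes for n items at target rate p.
        self.m = max(8, math.ceil(-n_items * math.log(false_positive_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, word):
        # k positions from SHA-256 of (index || word); the words themselves are not stored.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + word.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, word):
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, word):
        # False: definitely not in the dictionary. True: in it, or a rare false positive.
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(word))


def rule_violations(password):
    """Rules from the notes: at least 8 characters, and within the first eight
    at least one each of uppercase, lowercase, digit and punctuation."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    head = password[:8]
    classes = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "digit": str.isdigit,
        "punctuation": lambda c: c in string.punctuation,
    }
    for name, test in classes.items():
        if not any(test(c) for c in head):
            problems.append(f"no {name} among first 8 characters")
    return problems


# Constructed sample dictionary; a real deployment would load a large word list.
BAD_PASSWORDS = ["password", "Password1!", "qwerty123", "letmein", "Welcome1!"]
BAD_FILTER = BloomFilter(len(BAD_PASSWORDS))
for _word in BAD_PASSWORDS:
    BAD_FILTER.add(_word.lower())  # store case-folded so "PASSWORD" is caught too


def check_password(password, bloom=BAD_FILTER):
    """Return (accepted, reasons) for a password a user wants to select."""
    reasons = rule_violations(password)
    if bloom.might_contain(password.lower()):
        reasons.append("appears in the dictionary of disallowed passwords")
    return (not reasons, reasons)
```

The space saving is the point: the filter holds only m bits regardless of word length, and a lookup costs k hashes rather than a search of the whole dictionary.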

3.4 BIOMETRIC AUTHENTICATION

A biometric authentication system attempts to authenticate an individual based on his or her
unique physical characteristics. These include static characteristics, such as fingerprints, hand
geometry, facial characteristics, and retinal and iris patterns; and dynamic characteristics,
such as voiceprint and signature. In essence, biometrics is based on pattern recognition.
Compared to passwords and tokens, biometric authentication is both technically more complex
and expensive. While it is used in a number of specific applications, biometrics has yet to
mature as a standard tool for user authentication to computer systems.

Physical Characteristics Used in Biometric Applications


A number of different types of physical characteristics are either in use or under study for
user authentication. The most common are the following:
• Facial characteristics: Facial characteristics are the most common means of human-
to-human identification; thus it is natural to consider them for identification by
computer. The most common approach is to define characteristics based on relative
location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin
shape. An alternative approach is to use an infrared camera to produce a face thermogram
that correlates with the underlying vascular system in the human face.
• Fingerprints: Fingerprints have been used as a means of identification for centuries, and
the process has been systematized and automated particularly for law enforcement
purposes. A fingerprint is the pattern of ridges and furrows on the surface of the fingertip.
Fingerprints are believed to be unique across the entire human population. In practice,
automated fingerprint recognition and matching systems extract a number of features
from the fingerprint for storage as a numerical surrogate for the full fingerprint pattern.
• Hand geometry: Hand geometry systems identify features of the hand, including
shape, and lengths and widths of fingers.
• Retinal pattern: The pattern formed by veins beneath the retinal surface is unique and
therefore suitable for identification. (The retina is a thin layer of tissue that lines the
back of the eye on the inside. It is located near the optic nerve. The purpose of the retina
is to receive light that the lens has focused, convert the light into neural signals, and
send these signals on to the brain for visual recognition.) A retinal biometric system
obtains a digital image of the retinal pattern by projecting a low-intensity beam of
visual or infrared light into the eye.
• Iris: Another unique physical characteristic is the detailed structure of the iris. (The iris is the colored part
of the eye, which helps regulate the amount of light entering the eye. When there is bright light, the iris
closes the pupil to let in less light, and when there is low light, the iris opens up the pupil to let in more
light.)
• Signature: Each individual has a unique style of handwriting and this is reflected
especially in the signature, which is typically a frequently written sequence. However,
multiple signature samples from a single individual will not be identical. This complicates
the task of developing a computer representation of the signature that can be matched to
future samples.
• Voice: Whereas the signature style of an individual reflects not only the unique physical
attributes of the writer but also the writing habit that has developed, voice patterns are more
closely tied to the physical and anatomical characteristics of the speaker. Nevertheless,
there is still a variation from sample to sample over time from the same speaker,
complicating the biometric recognition task.
The concept of accuracy does not apply to user authentication schemes using smart
cards or passwords. For example, if a user enters a password, it either matches exactly
the password expected for that user or not. In the case of biometric parameters, the system
instead must determine how closely a presented biometric characteristic matches a stored
characteristic.
