CENG413 - Lec03

The document discusses the principles of controlled access in information security, emphasizing the importance of accurate identification and authentication to prevent impersonation attacks. It highlights various authentication methods, the vulnerabilities of password-based systems, and the significance of multi-factor authentication to enhance security. Additionally, it addresses the challenges and implications of using biometrics for user authentication.

Uploaded by

eggmen07
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
24 views19 pages

CENG413 - Lec03

The document discusses the principles of controlled access in information security, emphasizing the importance of accurate identification and authentication to prevent impersonation attacks. It highlights various authentication methods, the vulnerabilities of password-based systems, and the significance of multi-factor authentication to enhance security. Additionally, it addresses the challenges and implications of using biometrics for user authentication.

Uploaded by

eggmen07
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 19

CENG413

Information Security
Izmir Katip Celebi University
Fall 2024-2025

Lecture 03
H. Burak Akyol, Ph.D.

These slides are adapted from the lecture notes of D. Soper and the lecture notes of A. D. Brucker.
Controlled Access
• One of the foundational principles of computer security is controlled access
• Controlled access: Someone (a person or a system) is authorized to perform one or more actions on a digital asset
• The success or failure of controlled access hinges on knowing exactly who a person or system really is
• The controlled access paradigm fails whenever an attacker’s efforts at impersonation are successful
• Impersonation: The act of pretending to be another person (or entity) for the purpose of entertainment or fraud

• Question: In the information age, how can a system be certain that you are who you claim to be?
2
Impersonation/Failed Authentication Attack
• Computer systems rely on data in order to recognize users
• An impersonation or failed authentication attack is successful when a computer system is unable to distinguish between a legitimate user and an imposter
• We say that authentication has failed because the purpose of authentication is to prove that a user is who she says she is
• From the perspective of someone wanting to be recognized by a system:
• Identification is the action or process of asserting one’s identity
• Authentication is the act of establishing or confirming that one actually is who he or she claims to be

3
Identification Authentication

4
Identification vs. Authentication
• Markers of a person’s identity are often public, well-known, and unprotected (or easy to guess)
• E.g., a person’s name, e-mail address, phone numbers, user IDs, etc.
• These markers are known as identifiers
• Many people could easily obtain this information and claim to be you simply by using one of your identifiers

• Authentication seeks to confirm that an entity is who he/she/it claims to be
• Methods of authentication should be reliable
• Data used for identification is often public – data used for authentication purposes should be kept private

5
Authentication Failures
• Authentication failures can be classified into two categories:
1- False negatives
• A false negative occurs when a system refuses to authenticate a valid identity
2- False positives
• A false positive occurs when a system authenticates an invalid identity
• The rates at which false negatives and false positives occur are often linked to each other
• Decreasing the rate at which one problem occurs often increases the rate at which the other problem occurs, and vice versa

6
Passwords
• A password is an agreed-upon word, phrase, or set of characters that is presumed to be known only by the user and the system
• Problems with passwords:
1- They can be lost or forgotten
• By either the user or the system
2- They can be inconvenient to use
• E.g., by requiring users to constantly enter or re-enter passwords
3- They can be shared with or disclosed to another entity
• By either the user or the system
4- They can be revoked
• Revoking a password can have cascading effects throughout a system
7
Attacking Passwords
• Passwords can be cracked in many ways:
• Try all possible passwords (brute-force attack)
• Try common passwords (dictionary attack)
• Try passwords likely for this user
• Search through the system password file
• Just ask the user for their password (phishing attack)
(The slide annotates this list with a “Level of Difficulty” scale.)

Funny video: https://www.youtube.com/watch?v=opRMrEfAIiI

8
Loose-Lipped Systems
• Poorly designed authentication systems can provide attackers with more information than they should possess:
• E.g., if a username/password pair is required for access, a poorly designed system may tell the user whether a username is valid
• There is also a danger in making organizational password standards public
• E.g., “A password must be 8 characters long, must contain at least one letter and one number, and cannot contain any special characters”
• If this information is available to an attacker, it vastly reduces the password search space!
• E.g., there is no need to search for 7-character or 9-character passwords

9
Brute-Force Attacks
• A brute-force attack (exhaustive attack) involves trying every possible combination of characters until the correct password is found
• The time required to crack a password depends upon the length of the password
• E.g., if a password is between 1 and 8 characters long, and is comprised of upper or lowercase letters (26×2=52 possibilities in the English language), numbers (10 possibilities), or special characters (32 possibilities on an English keyboard), then there are 94^1 + 94^2 + 94^3 + 94^4 + 94^5 + 94^6 + 94^7 + 94^8 (more than 6.1×10^15) possible passwords
• On average, the password will be cracked after trying half of these possibilities
• Note that if the attacker knows that the password is exactly 8 characters long, then over 6.5×10^13 of these possibilities can be immediately discarded from the search space
• Making password standards public can be a security risk!
10
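The search-space arithmetic from the last two slides, worked through as an added example (not part of the lecture slides): the 94-symbol, 1–8 character space, the portion discarded once the length is known, and the much smaller space left when the published policy quoted on the “Loose-Lipped Systems” slide (exactly 8 characters, letters and digits, at least one of each, no special characters) is known. The policy count uses inclusion-exclusion, so it generalizes to any set of required character classes; the class sizes are the slide’s.

```python
# Added example (not from the lecture slides): counting the password search space
# for the slide's 94-symbol alphabet, and how much a published password policy
# ("exactly 8 characters, letters and digits, at least one of each, no special
# characters") shrinks it. Pure arithmetic, no external input.
from itertools import combinations

LETTERS, DIGITS, SPECIALS = 52, 10, 32   # class sizes from the slide (English keyboard)


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def constrained_keyspace(classes: dict, required: tuple, length: int) -> int:
    """Passwords of exactly `length` over the union of `classes` that contain at
    least one character from every class named in `required`.
    Inclusion-exclusion: subtract the strings missing one required class, add
    back those missing two, and so on."""
    total = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def policy_reduction_factor() -> float:
    """How many times smaller the search space becomes when the attacker knows
    the quoted policy, compared with the slide's 1-8 character, 94-symbol space."""
    unconstrained = keyspace(LETTERS + DIGITS + SPECIALS, 1, 8)
    policy = constrained_keyspace({"letter": LETTERS, "digit": DIGITS},
                                  ("letter", "digit"), 8)
    return unconstrained / policy


if __name__ == "__main__":
    full = keyspace(94, 1, 8)
    print(f"1-8 chars, 94 symbols: {full:.3e} passwords")
    print(f"discarded if the length is known to be 8: {full - 94 ** 8:.3e}")
    print(f"left once the published policy is known: "
          f"{constrained_keyspace({'letter': 52, 'digit': 10}, ('letter', 'digit'), 8):.3e}")
    print(f"reduction factor from the published policy: {policy_reduction_factor():.1f}x")
```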
Dictionary Attacks
• Most passwords are not random sequences of characters and numbers, but instead combinations of “normal” words, proper names, acronyms, etc.
• E.g., “Betty23” or “ChocolateFrog”
• Because of this situation, cracking a password does not necessarily require a brute-force attack
• Instead a dictionary attack can be used
• In a dictionary attack a list of possible passwords is used in order to break into an account
• The list might contain common words, names, acronyms, common passwords, etc.
• This vastly reduces the search space!

11
Passwords Likely for a Specific User
• Each unique person has characteristics that can be exploited by savvy attackers seeking to crack their passwords
• By learning about a person, it is much easier to guess their password
• Is your password related to your life, interests, or personal preferences?
• Examples of personal details useful for password cracking:
• Family members’ names, birthdays, etc.
• Pets’ names, favorite TV shows, foods, numbers, colors, cars, hobbies, etc.
• As with a dictionary attack, this information can help to reduce the search space for a password cracker
• Note that much of this personal information is now voluntarily disclosed on people’s social networking pages!

12
Enhancing Password-Based Security
• Password-based security can be enhanced through the authentication process itself
• Examples:
• After providing an incorrect password three times in a row, the system locks the user’s account, requiring the system administrator to manually reset the password
• Each failed login attempt has a delay – this prevents automated/brute-force attacks
• E.g., if each failed login attempt takes 5 seconds, only 12 attempts can be made per minute. Testing trillions of possible combinations thus becomes infeasible
13
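An added example (not from the lecture slides) of a login check that applies the two countermeasures on this slide, lockout after three consecutive failures and a 5-second delay per failed attempt, and that also avoids the leak described on the “Loose-Lipped Systems” slide by returning one generic message whether the username is unknown, the password is wrong, or the account is locked. The user store, the `mcollings` record and the delay accounting (a counter standing in for an actual sleep) are constructed for illustration.

```python
# Added example (not from the lecture slides): lockout after three failures and a
# fixed delay per failed attempt, with a single generic failure message so the
# system does not reveal whether a username exists. The delay is recorded in a
# counter instead of sleeping, so the logic can be exercised quickly.
import hashlib, hmac, os

LOCKOUT_AFTER = 3       # consecutive failures before the account is locked
FAIL_DELAY_SEC = 5.0    # delay imposed on every failed attempt (from the slide)
GENERIC_FAILURE = "invalid username or password"
PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked": False}


class Authenticator:
    def __init__(self, users: dict):
        self.users = users      # username -> record from make_record()
        self.slept = 0.0        # total delay imposed so far (stand-in for time.sleep)

    def _fail(self) -> tuple:
        self.slept += FAIL_DELAY_SEC
        return False, GENERIC_FAILURE

    def login(self, username: str, password: str) -> tuple:
        """Returns (accepted, message); message is identical for every failure cause."""
        rec = self.users.get(username)
        if rec is None or rec["locked"]:
            # Unknown user and locked account take the same path (and the same
            # delay) as a wrong password, so neither the text nor the timing leaks.
            return self._fail()
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return True, "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_AFTER:
            rec["locked"] = True    # administrator must reset, as on the slide
        return self._fail()


def attempts_per_minute() -> float:
    """Upper bound on guesses per minute that the per-failure delay allows."""
    return 60.0 / FAIL_DELAY_SEC


if __name__ == "__main__":
    auth = Authenticator({"mcollings": make_record("correct horse")})
    for guess in ("a", "b", "c", "correct horse"):
        print(repr(guess), auth.login("mcollings", guess))
    print(f"at most {attempts_per_minute():.0f} attempts per minute")
```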
Strong Authentication
• Authentication mechanisms utilize one or more of the following to establish a user’s identity:
• Something the user knows (forgot)
• E.g., password, PIN, mother’s maiden name, etc.
• Something the user has (lost)
• E.g., a physical key, ID badge, driver’s license, security token, etc.
• Something the user is (was)
• E.g., voice recognition, biometrics, etc.
• Context location, e.g., the user’s current location (a place the user visited)
• E.g., being physically close to an object, being in a secure building, etc.
• Combining two or more of these authentication mechanisms strengthens the authentication process
14
Multi-Factor Authentication
• Security can be enhanced by combining passwords with other authentication information
• Temporal access limitations
• System access is limited to specific days/times
• Geographic access limitations
• System access is limited to a specific building, department, workstation, range of IP addresses, etc.
• Adding additional authentication mechanisms may improve security, but doing so also increases inconvenience and managerial overhead
• Nowadays, organizations usually implement two-factor authentication.

15
Two-Factor Authentication
Time-based Token Authentication
• Username: mcollings
• Password: ****
• One-time password code (token code): 167563
• Changes every 120 seconds (generally)
or
• Can be clock synchronized

16
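An added example (not from the lecture slides) of how a time-based token code like the one on this slide is produced and checked: an HMAC over the current 120-second time step, truncated to six digits in the HOTP/TOTP style, with the verifier accepting one step either side so that the two clocks only need to be roughly synchronized. The shared secret and the timestamps are constructed for illustration.

```python
# Added example (not from the lecture slides): a time-based one-time password
# with the slide's 120-second step. Token and server share a secret and both
# derive the same counter from their clocks; the server tolerates one step of
# drift in either direction. Secret and timestamps are constructed values.
import hashlib, hmac, struct, time

STEP_SECONDS = 120   # the slide's "changes every 120 seconds"
DIGITS = 6
DRIFT_STEPS = 1      # also accept the previous and the next step


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code shown on the token at `unix_time`: HMAC-SHA1 over the time-step
    counter, dynamically truncated to DIGITS decimal digits (RFC 4226 style)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Server side: compare the submitted code against the current step and its
    DRIFT_STEPS neighbours, using a constant-time comparison for each candidate."""
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        candidate = totp_code(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    shared_secret = b"constructed-demo-secret-for-mcollings"   # constructed value
    now = int(time.time())
    code = totp_code(shared_secret, now)
    print("token shows:", code)
    print("accepted now:", verify_totp(shared_secret, code, now))
    print("accepted 10 minutes later:", verify_totp(shared_secret, code, now + 600))
```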
Two-Factor Authentication
Exercise
Consider the concept of multi-factor authentication.

1- Give a brief definition of multi-factor authentication and explain what property a good multi-factor authentication system should satisfy.

2- Name
a) an example of a good multi-factor authentication system and
b) an example of a bad multi-factor authentication system.
Give a brief justification of why your examples are good/bad multi-factor authentication systems.
17
Password-Based Authentication
Exercise
Some websites ask the user to enter only selected characters of their password. For example, during a login, a user might be asked to enter the 3rd, 7th, and 9th character of their password.

1- Briefly explain an attack that can be prevented by this technique.

2- Briefly argue whether choosing the selected character positions randomly at each login increases the security or not.

18
Biometrics
• Biometrics involves the use of a physical or biological characteristic of a human body to authenticate a user
• Based upon the assumption that the characteristic being measured is unique to each person
• Examples include fingerprints, voice recognition, retinal scans, face recognition, hand recognition, DNA, etc.
• Question: Should a government be able to require that every citizen provide it with biometric data, such as fingerprints or a DNA sample?

19
