05/03/2025

 

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

 Understand the importance of authentication

 Learn how authentication can be implemented
 Understand threats to authentication

04/03/2025 2

1
 05/03/2025

 Introduction

 Electronic User Authentication Principles

 Password-Based Authentication

 Token-Based Authentication

 Biometric Authentication

 Remote User Authentication

 Security Issues for User Authentication

04/03/2025 3

 AAA is an architectural framework for configuring:

Verification that the credentials of a

user or other system entity are valid

The granting of a right/permission to a

system entity to access a system
resource

examination of system records and activities in

order to test for adequacy of system controls, to
ensure compliance with established policy and
04/03/2025 operational procedures 4

2
 05/03/2025

Authentication Authorization
Who are you?
How much can you spend?

Accounting
What did you spend it on?

04/03/2025 5

3
 05/03/2025

 Availability:
 when the correct credentials are presented, the resources
should be made available to the processor (on behalf of the
user).
 No false negatives:
 if a process presents incorrect credentials but is given access
 These should not happen.
 No false positives:
 if a process presents the correct credentials but is denied
access
 These should not happen either

Check the correct answer from the choices.

An attacker correctly guesses Alice’s password and

logins in as her. Is this a case of...

False negative

True positive

False positive

True negative

4
 05/03/2025




Check the correct answer from the choices.

We now have personal devices that are not shared across

multiple users. What threats motivate the use of authentication
in such devices?

Malware infection that may exfiltrate sensitive data

Loss of theft of the device

5
 05/03/2025

 1961: Password (Fernando J. Corbató, MIT): storing plaintext passwords

 Late 1960s: password encryption (Robert Morris, Bell Labs.) hash of password
o extremely difficult to crack. Hackers can build password scanners.
 1980s: Dynamic Passwords
o The passwords change based on factors such as time, location, or physical password
updates.
o Two dynamic password protocols: Time-based one-time (OTP) and HMAC based OTP.
 Late 1990s: Public Key Infrastructure
o Transport Layer Security protocol - TLS
o Late 1990s, Taher Elgamal - an engineer at Netscape - developed Secure Sockets
Layer (SSL)
05/03/2025 11

 2000s: multi-factor authentication and single sign-on

 2010s: Biometrics
o In 2011, the Motorola ATRIX Android was the first mobile device to feature a fingerprint
o Apple is behind the times with Touch ID technology. By 2017, Apple had a FaceID
technology,
o Biometric authentication technology provides a higher level of security and convenience
 Decades of 2020: Passwordless Authentication
o use the authentication key (physical key, virtual key application on smartphones) then
activate the biometric key for authentication.
o Big technology trend

04/03/2025 12

6
 05/03/2025

Something the individual knows Something the individual process

Password Smart card
PIN, Physical key
Answer Token

Something the individual is (Static biometrics)

fingerprint
retina,
Face
iris
Something the individual does (Dynamic biometric)
Voice, gait
Handwriting
04/03/2025 13
Typing rhythm

 GOTPass: users employ “images and a one-time

numerical code” in order to secure password.
o using patterns and images instead of letters and numbers
o the generated digits random code

04/03/2025 14

7
 05/03/2025

 Authentication: Verifies user access to the operating system

 Physical authentication:
o Allows physical entrance to company property
o Magnetic cards and biometric measures
 Digital authentication: verifies user identity by digital means
 Digital certificates: identifies and verifies holder of certificate
 Digital token (security token):
o Small electronic device
o Displays a number unique to the token holder;
o Uses a different password each time
 Digital card: Also known as a security card or smart card
o Similar to a credit card; uses an electronic circuit instead of a magnetic strip
o Stores user identification information
 Kerberos:
o Developed by MIT
o Uses tickets for authentication purposes
15

 Lightweight Directory Access Protocol (LDAP):

o Developed by the University of Michigan
o A centralized directory database stores:
• Users (user name and user ID)
• Passwords
• Internal telephone directory
• Security keys
o Efficient for reading but not suited for frequently changing information
 NT LAN Manager (NTLM):
o Developed and used by Microsoft
o Employs a challenge/response authentication protocol
 Public Key Infrastructures (PKI):
o User keeps a private key
o Authentication firm holds a public key
o Encrypt and decrypt data using both keys

16

8
 05/03/2025

 RADIUS: used by network devices to provide a

centralized authentication mechanism
o RADIUS provides: Authentication, Authorization,
Accounting
 Secure Socket Layer (SSL): authentication
information is transmitted over the network in an
encrypted form
 Secure Remote Password (SRP):
o Password is not stored locally
o Invulnerable to brute force or dictionary attacks

17

9
 05/03/2025

● Assurance level: the degree of confidence

● Level 1: Little or no confidence in the asserted identity’s validity.
● Level 2: Some confidence in the asserted identity’s validity.
● Level 3: High confidence in the asserted identity’s validity
● Level 4: Very high confidence in the asserted identity’s validity.
● Potential impact: potential impact on organizations r individuals should there be a
breach of security
● Low: adverse effect on organizational operation
● Moderate: serious adverse effect
● High: severe or catastrophic adverse effect
● areas of risk.: mapping between the potential impact and the appropriate level of
assurance

● areas of risk.

10
 05/03/2025

 Password-Based Authentication
 The Vulnerability of Passwords
 The Use of Hashed Passwords
 Dynamic Passwords

 Token-Based Authentication

 Biometric Authentication

 Passwordless authentication

21

 The password systems defense against intruders

 Systems require: user provide name or ID + password
o all multiuser systems,
o network-based servers,
o Web-based e-commerce sites,
o and other similar services
 The password serves to authenticate the ID of the
individual logging on to the system.

04/03/2025 22

11
 05/03/2025

1. Offline dictionary attack:

 A hacker gain access to the system password file.
 Compares the password hashes against hashes of commonly
used passwords.

2. Specific account attack:

 Attacker targets a specific account &submits password
guesses until the correct password is discovered.

3. Popular password attack / Against single user:

 The attacker chooses a popular password and tries it.
 Attacker attempts to gain knowledge about the account holder
and system password policies and uses that knowledge to
guess the password.

04/03/2025 23

4. Workstation hijacking:
 The attacker waits until a logged-in workstation is
unattended.

5. Exploiting user mistakes:

 User is more likely to write it down passwords, because it is
difficult to remember.

6. Exploiting multiple password use.

 Similar password for a many applications

7. Electronic monitoring:
 If a password is communicated across a network to log on
to a remote system, it is vulnerable to eavesdropping.

04/03/2025 24

12
 05/03/2025

Check which passwords made the top 10 most

common passwords for 2014:

123456 696969

password 123123

letmein batman

abc123 qwerty

111111 123456789

Security Admin User

User allocated First time login:

randomly-generated change password
password

Account [Forgot [Invalid password

[unlocked] Password] Attempts]
Account
Inform user [locked]
[Manual] Enter 3 invalid
In controlled
Passwords
manner
[Auto]
timeout
Notify
Verify user ID Security admin System Account
(e.g., call back) Automatically [unlocked]
unlocks

13
 05/03/2025

 One-way encrypted using a strong algorithm

 Never written down and retained near terminal or in desk
 should be changed every 30 days, by notifying user in advance
 A history of passwords should prevent user from using same
password in 1 year
 Passwords should be >= 8 (better 12) characters, including 3 of:
alpha, numeric, upper/lower case, and special characters
 Passwords should not be identifiable with user, e.g., family member
or pet name
 Four basic techniques are in use:
• User education
• Computer-generated passwords
• Reactive password checking
• Complex password policy

Bad Password
Merry Christmas

(Lengthen)
Merry Xmas

MerryChrisToYou
(Synonym)
(Intertwine
MerryJul
Letters) (convert vowels (Abbreviate)
to numeric)
MaryJul
(Keypad shift MerChr2You
Right …. Up)
MXemrarsy
GladJesBirth
M5rryXm1s Mary*Jul
Good
,rttuc,sd J3446sjqw
Password mErcHr2yOu

14
 05/03/2025

 Restrict number of admin accounts

o should never be locked out, whereas others are
o Login IDs should follow a confidential internal naming rule
 Admin password:
o should only be known by one user
o can be kept in locked cabinet in sealed envelope, where top
manager has key

 Common accounts: Guest, Administrator, Admin should

be renamed
 Session time out should require password re-entry

Single Sign On (SSO) is the ability for a user to enter the same id and
password to logon to multiple applications within an enterprise.

Advantages Disadvantages
 One good password replaces  Single point of failure -> total compromise

lots of passwords  Complex software development due to

diverse OS
 IDs consistent throughout
 Expensive
system(s)
 Reduced admin work in setup
& forgotten passwords
 Quick access to systems App1 DB2 App3

Secondary Domains
Enter
Password
Primary Domain (System)

15
 05/03/2025

 CAS is a single sign-on protocol for the web

04/03/2025 31

How do we check the password supplied with a user id?

Method 1 - store a list of passwords, one for
each user in the system file.

● The file is readable only by the root/admin account

● What if the permissions are set incorrectly?
● Why should admin know the passwords?
● If security is breached, the passwords are exposed to an
attacker.

16
 05/03/2025

How do we check the password supplied with a user id?

Method 2 - do not store passwords, but store

something that is derived from them

●Use a one-way hash function and store the result

●The password file is readable only for root/admin

password
Password file
UserID salt E(pwd, [salt,0])

Load

Loading password

17
 05/03/2025

Password file
UserID UserID salt E(pwd, [salt,0])

salt

select password

hashed password
compare
Verifying pasword

Hash Functions

18
 05/03/2025

 A hash function maps a variable-length message into a fixed-length

hash value,
or message digest
h = H(M)
 The principal object:
o data integrity

 Problems: hackers could build programs to brute-force guess

passwords. To combat this, computer scientists came up with
dynamic passwords.
04/03/2025 37

 PKI is a mechanism for a third party (CA - Certificate

authority) to provide and authenticate the identities of
parties involved in the information exchange process.

04/03/2025 38

19
 05/03/2025

 Every PKI must include:

o Certificate authority () = Issuer of digital certificates (including
signing)
o Registration authority () = Verifier of identities requesting digital
certificates
o Central directory = Where keys are stored
o Certificate management system = Structure for operations, such
as accessing stored certifications
o Certificate policy = Statement of PKI requirements

04/03/2025 39

 Two dynamic password protocols:

o TOTP = Time-based OTP where the
uniqueness of the OTP is generated based
on the current time.
o HOTP = HMAC-based OTP where the
uniqueness of the OTP is generated based
on the hash of the previous password.
 These passwords change based on variables, like location,
time, or a physical password update (like a FOB).
 They remove any risk of and solve the problem caused when
users have the same password in many places.
 It’s very common for dynamic passwords to be used in
conjunction with regular passwords as a form of two-factor
authentication (2FA).
 Multi-factor authentication (MFA) a little later, but it’s important
to note that it did appear as early as the ‘80s
04/03/2025 40

20
 05/03/2025

04/03/2025 41

 Password-Based Authentication
 The Vulnerability of Passwords
 The Use of Hashed Passwords
 Dynamic Passwords


 Token-Based Authentication

 Biometric Authentication
 Passwordless authentication

42

21
 05/03/2025

 Operation

 Token Types:
o Card
o Token

04/03/2025 43

 Memory cards can store only a simple

security code
(not process data).
 The bank card: a magnetic stripe on the back.
 Using memory card:
o Alone
o + PIN
 Among the potential drawbacks
o Requires special reader: increases the cost
hardware and software.
o Token loss: determine the PIN to gain
unauthorized access
o User dissatisfaction: use for computer access

04/03/2025 44

22
 05/03/2025

 Has own processor, memory, I/O ports

o Wired or wireless access by reader
o May have crypto co-processor
o ROM, EEPROM, RAM memory
 Executes protocol to authenticate with reader/computer
o Static:
o Dynamic password generator:
o Challenge-response:

 Application: bank, Government ID…

04/03/2025 45

 Each time the card is inserted

o a reset is initiated (clock value)
o the card responds (the parameters and
protocols).
o The terminal may be able to change the
protocol used and other parameters via
a protocol type selection (PTS)
command.
o The cards PTS response confirms the
protocols and parameters to be used.
o The terminal and card can now execute
the protocol to perform the desired
application.

04/03/2025 46

23
 05/03/2025

 A smart card as a national identity card for citizens

 A national electronic identity (eID)
o national ID cards
o driver’s license
 an eID card has been verified by the national government as
valid and authentic.
 Functions:
o ePass: stores a digital representation of the cardholder’s identity.
(electronic passport)
o eID: stores an identity record that authorized service can access
o eSign: stores a private key and a certificate verifying the key

04/03/2025 47

04/03/2025 48

24
 05/03/2025

04/03/2025 49

04/03/2025 50

25
 05/03/2025

 Password-Based Authentication
 The Vulnerability of Passwords
The Use of Hashed Passwords

 Token-Based Authentication

 Biometric Authentication

51

 Advantages of biometric systems:

o Avoid remembering long passwords, losing tokens
o Unique and uncopyable
o Systems and resources become more secure from unauthorized access
o Trusted, standard feature in smart mobile devices

 Static, Dynamic

05/03/2025 52

26
 05/03/2025

Enrollment

04/03/2025 53

 Single factor biometrics.

Limitations:
o Noise problem
o Variable biometric factor
o Successful impersonation by attackers

 Multiple factor biometrics. Using Feature Fusion

o Advantages: superior recognition performance

o Disadvantages: High cost, long processing time
05/03/2025 54

27
 05/03/2025

 based on pattern recognition.

 more complex and expensive.

04/03/2025 55

04/03/2025 56

28
 05/03/2025

Multi-factor authentication
● Uses more than one method
● Type password but also send a code via SMS
■ It goes to your phone (something you have)
■ Gmail implements this
● ATM card and a PIN
● Other things like your location

● Attacker must defeat both to compromise authentication

Authentication over a network:

● Do we always have a trusted path to the
OS we need to authenticate to?
■ Remote services
● Network authentication introduces new
problems
● Need crypto to secure network
communication
● Other attacks (man-in-the-middle)

29
 05/03/2025

 More security threats with remote user authentication

o an eavesdropper being able to capture a password
o an adversary replaying an authentication sequence that has
been observed
 Systems generally rely on some form of challenge-
response protocol.
 Protocols:
o Password Protocol
o Token protocol
o Biometric protocol

04/03/2025 59

04/03/2025 60

30
 05/03/2025

o Passcode W’
(synchronized with host)
o Password P’
(shared user and token, not host)

04/03/2025 61

04/03/2025 62

31
 05/03/2025

04/03/2025 63

Kerberos

05/03/2025 64

32
 05/03/2025

Kerberos

05/03/2025 65

 RADIUS (Remote Authentication Dial-In User Service)

05/03/2025 66

33
 05/03/2025

 Evaluate Recognition and Risk Signals to skip Passwords

 Passwordless authentication
o In the late 2010s () began to become known.
o However, it was not until the early 2020s that this technology was
applied to many platforms.

05/03/2025 67

 Characteristic
o use the authentication key (physical key, virtual key application
on smartphones) then activate the biometric key for
authentication.
o It is a big technology trend of the future because of outstanding
benefits in enhancing security efficiency,
o a major trend that inevitably creates the future for secure strong
authentication when most of the world's large corporations are
developing and using this technology such as Apple, Microsoft,
Samsung, Amazon.

04/03/2025 68

34
 05/03/2025

 Two mainstream methods for directly replacing password authentication.

o The first is to use the phone-as-a-token (PHAAT) method.
o Secondly, both single-factor and multi-factor authentication (MFA) can be modelled to
authenticate without the use of passwords.
 Adopt Passwordless phone-as-a-token authentication:

04/03/2025 69

 Fast IDentity Online (Fast ID Online)

o a set of technology-agnostic security specifications for
strong authentication.
 FIDO2 – the new passwordless standard
o Passwordless authentication
using a hardware authenticator, eliminates the need for weak
password-based authentication.
o Two factor authentication
using a hardware authenticator as an extra layer of protection beyond
a password.
o Multi-factor authentication
using a hardware authenticator and a PIN or biometric, to meet high
assurance requirements such as needed for financial transactions
and ordering a prescription.

04/03/2025 70

35
 05/03/2025

User’s device
creates a new
Public key is sent
public/private
to the online
key pair unique
service and
for the local
associated with
device, online
the user’s acc
service and user’s
05/03/2025 account 71

05/03/2025 72

36
 05/03/2025

05/03/2025 73

 1.

 2.

04/03/2025 74

37
 05/03/2025

 Zero-trust: "never trust, always verify,"

 A security framework requiring all users, whether in or
outside the organization’s network, to be authenticated,
authorized, and continuously validated for security
configuration and posture before being granted or
keeping access to applications and data.
 Zero Trust assumes that:
o there is no traditional network edge;
o networks can be local,
o in the cloud, or a combination or hybrid with resources anywhere
o as well as workers in any location.

04/03/2025 75

04/03/2025 76

38
 05/03/2025

04/03/2025 77

 Anonymous Authentication: ko dùng username/pass

 Basic Authentication: Có dùng username/pass (plaintext)
 Digest Authentication: u/p có mã hóa
 Windows Authentication: Dùng kỹ thuật băm (NTLM or
Kerberos protocols) để xác nhận thông tin của users.
 Client Certificate Mapping Authentication
Server tạo ra các giấy Client Certificate và yêu cầu Client khi
truy xuất tới Server thì phải gởi giấy chứng nhận.
 Forms Authentication
Cho phép user logon vào một form (html logon page) để chứng
thực
 ASP.NET Impersonation Authentication
Có thể dùng ứng dụng ASP.NET dưới sư bảo mật khác với bảo
mật mặc định của ASP.NET

04/03/2025 78

39
 05/03/2025

 Install and configure IIS in Windows and use

authentication types

 Install and configure Apache in Linux and use

authentication types (digest and Basic)

04/03/2025 79

● Introduction

● Electronic User Authentication Principles

● Password-Based Authentication

● Token-Based Authentication

● Biometric Authentication

● Remote User Authentication

● Security Issues for User Authentication

40