Module 7.1 Authentication: Password


Authentication

26/12/2023 CS6018 Information Security 1


Introduction

A successful access control system includes a number of components, depending on the system's needs for authentication and authorization.

Strong authentication requires at least two forms of authentication to authenticate the supplicant's identity.

The technology to manage authentication based on what a supplicant knows is widely integrated into the networking and security software systems in use across the IT industry.


Authentication vs Authorization

Authentication:
Authentication is validation of a supplicant's identity
Four general ways in which authentication is carried out:
• What a supplicant knows
• What a supplicant has
• Who a supplicant is
• What a supplicant produces

Authorization:
• Are you allowed to do that?
• Once you have access, what can you do?
• Enforces limits on actions
Note: Access control is often used as a synonym for authorization


How to authenticate a human to a machine?

Can be based on...
- Something you know. For example, a password
- Something you have. For example, a smartcard
- Something you are. For example, your fingerprint

Lots of things act as passwords!
- PIN
- Social security number
- Date of birth
- Name of your pet, etc.


Why Passwords?

Why is "something you know" more popular than "something you have" and "something you are"?

Cost: passwords are free

Convenience: it is easier to reset a password than to issue the user a new thumb


Loss of Information

The time to crack passwords with respect to the password length and its complexity. The search speed is assumed to be 100,000 passwords per second (a very decent speed).


How Are Passwords Stolen?

Keylogger or Keystroke Logger

Brute Force Attack

Dictionary Attack

Hybrid Attack

Social Engineering


How Are Passwords Stolen through a Keylogger?

Keylogger or Keystroke Logger

A keylogger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer's keyboard.

As a hardware device, a keylogger is a small battery-sized plug that serves as a connector between the user's keyboard and computer.

As software, a keylogger program typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file (which does all the recording) and an executable file (.EXE) that installs the DLL file and triggers it to work.
Cont…

The keylogger program records each keystroke the user types and uploads the
information over the Internet periodically to whoever installed the program.

Although keylogger programs are promoted for benign purposes like allowing
parents to monitor their children's whereabouts on the Internet, most privacy
advocates agree that the potential for abuse is so great that legislation should
be enacted to clearly make the unauthorized use of keyloggers a criminal
offense.



Key logger Prevention

Any time you are using a public computer, make sure there are no new devices between the computer and the keyboard.

There are detection programs for software keyloggers, which are often installed as part of some malware or rootkit. These are dangerous and the hardest to detect.


Intro to Dictionary and Brute Force Attacks



Dictionary Attack

Uses a list of common values or words

The "dictionary" is uploaded to a cracking application

The words are run against the passwords

Intended to narrow the field of possible password values

Succeeds if the password is a single word that is easily predictable.

Easy to defeat (e.g. by adding a single random character in the middle of the word)


Brute Force Attack

Most widely used method of cracking passwords

Every combination of every character is tried until the password is found

The password is guaranteed to be found

The longer the password, the longer it will take to crack.

E.g. a password that is 2 characters long, is case sensitive, and consists of letters and numbers:
* First char: lower case letters (26) + upper case letters (26) + numbers (10) = 62
* Second char: same as first = 62
* Total permutations: 62 * 62 = 3,844

Time to Crack Password Using Brute Force Attack


Example

When hackers use computers to systematically cycle through each letter in a character set.



Hybrid Attack

Combines the brute force and dictionary attacks

Checks all words in the dictionary along with their variations.

Noticeably slower than a dictionary attack

Common: integrates dictionary words with common mutations

Dates: combines the dictionary attack with dates in various formats

Numbers: mixes dictionary words with various number combinations


Social Engineering

Use of social skills to convince people to reveal access credentials or other valuable information

People are the easiest way to get information

Posing as someone else to gain access to a system

Stroking someone's ego to get them to reveal information or passwords

Use of authority to get information from someone


What is a Safe Password?

The basic goal of a secure password is one that is easy for YOU to remember but hard for someone else to find out

Long, complicated passwords are not always the best solution

E.g. a random password like !$fjDd&^fw43_f%@+
• Will you really be able to memorize that?


Bad Practices

DO NOT write down your passwords

DO NOT share your password with anyone

DO NOT use any personal information

DO NOT use word or number patterns (e.g. "aaabbb", "qwerty", "123321", etc.)


Good Practices

Minimum length of 8 characters

Use numeric characters (0-9)

Use upper and lower case

Use special characters (e.g. ! ? & # * )

Use passphrases


Pass Phrase to Create Password

Think of a phrase or sentence that's easy for you to remember.
- Example: "Making passwords is easy when you follow these 5 steps"

Turn your sentence or phrase into a password.
- Take the first letter of each word in your sentence to create a password
- Example: "mpiewyft5s"

Make your password complex by using special characters and upper and lower case.
- For instance, substitute "i" with "!", "e" with "3" and "s" with "$"
- "mpiewyft5s" becomes "Mp!3wYft53$"

Consider testing your password with a password checker, which will rate your password on strength, complexity, length, etc.

Change your passwords at least every 90 days and do not "recycle" passwords, i.e. using old passwords again or slightly modifying your existing password.
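As an added example, not part of the slides, the three passphrase steps above written as code, together with a checker for the rules on the Good Practices and Bad Practices slides. The keyboard rows and the rule of upper-casing every fifth character are my assumptions; with them the slide's phrase yields "Mp!3wYft5$", one character shorter than the "Mp!3wYft53$" printed on the slide.

```python
import re

# Substitutions named on the "Pass Phrase to Create Password" slide.
SUBSTITUTIONS = {"i": "!", "e": "3", "s": "$"}
# Rows used to catch "qwerty"-style patterns; the row list itself is an assumption.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def passphrase_to_password(phrase, subs=SUBSTITUTIONS, upper_every=5):
    """Slide steps: first letter of each word, substitutions, then mixed case.
    Upper-casing every `upper_every`-th character is an assumption chosen so the
    slide's phrase gives the M and Y of its printed result."""
    initials = "".join(word[0] for word in phrase.split()).lower()  # "mpiewyft5s"
    substituted = "".join(subs.get(ch, ch) for ch in initials)      # "mp!3wyft5$"
    return "".join(c.upper() if i % upper_every == 0 else c for i, c in enumerate(substituted))

def keyboard_sequence(pw, run=4):
    """True if `pw` contains `run` adjacent keys of one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def check_policy(pw):
    """List the Good/Bad Practice rules from the slides that `pw` breaks ([] = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[0-9]", pw):
        problems.append("no numeric character")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("not mixed case")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated character run (like aaabbb)")
    if keyboard_sequence(pw):
        problems.append("keyboard sequence (like qwerty)")
    if re.search(r"(\d)(\d)\2\1", pw):
        problems.append("mirrored digit pattern (like 123321)")
    return problems

if __name__ == "__main__":
    pw = passphrase_to_password("Making passwords is easy when you follow these 5 steps")
    print(pw, check_policy(pw))            # Mp!3wYft5$ []
    for weak in ("qwerty", "aaabbb", "123321", "Fido"):
        print(weak, check_policy(weak))
```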
What makes a good password?



Key vs Passwords

Keys:
- If the key is 64 bits, then there are 2^64 keys
- Choose the key at random
- Then the attacker must try about 2^63 keys

Passwords:
- Passwords are 8 characters drawn from 256 different characters
- Then 256^8 = 2^64 passwords
- Users do not select passwords at random
- The attacker has far less than 2^63 passwords to try (dictionary attack)

Bad password examples: frank, Fido, password, 4444, Pikachu, 102560

Good password examples: jfIej,43j-EmmL+y, 09864376537263, P0kem0N, FSa7Yago, 0nceuP0nAt1m8
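As an added example (not from the slides), the arithmetic behind the brute force slide's 62 * 62 = 3,844, the 256^8 = 2^64 comparison above, and the 100,000 guesses per second assumed on the "Loss of Information" slide, generalised to any alphabet size and length. The alphabet names, the table helper and the time formatting are my own choices.

```python
import math

# Search speed assumed on the "Loss of Information" slide: 100,000 passwords per second.
GUESSES_PER_SECOND = 100_000
# Alphabet sizes from the slides (26 + 26 + 10 = 62; 256 distinct characters); names are mine.
ALPHABETS = {"digits": 10, "lowercase": 26, "letters": 52, "letters+digits": 62, "any byte": 256}

def keyspace(alphabet_size, length):
    """Distinct passwords of exactly `length` symbols, e.g. the slide's 62 * 62 = 3,844."""
    return alphabet_size ** length

def equivalent_key_bits(alphabet_size, length):
    """Keyspace as a key length in bits: 8 characters of 256 values is 256**8 = 2**64."""
    return math.log2(keyspace(alphabet_size, length))

def expected_guesses(alphabet_size, length):
    """A uniformly random choice is hit after about half the space: 2**63 of 2**64 keys."""
    return keyspace(alphabet_size, length) // 2

def seconds_to_crack(alphabet_size, length, rate=GUESSES_PER_SECOND, worst_case=True):
    """Seconds to exhaust the space (worst case) or to reach the expected guess, at `rate`/s."""
    guesses = keyspace(alphabet_size, length) if worst_case else expected_guesses(alphabet_size, length)
    return guesses / rate

def human_time(seconds):
    """Render seconds in the largest unit that fits, for a time-to-crack table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

def crack_time_table(lengths=(6, 8, 10, 12), rate=GUESSES_PER_SECOND):
    """Rows of (length, alphabet, keyspace, worst-case time) like the slide's chart."""
    return [(n, name, keyspace(size, n), human_time(seconds_to_crack(size, n, rate)))
            for n in lengths for name, size in ALPHABETS.items()]

if __name__ == "__main__":
    print("62**2 =", keyspace(62, 2), "passwords, exhausted in", human_time(seconds_to_crack(62, 2)))
    print("256**8 = 2 **", int(equivalent_key_bits(256, 8)), "passwords; attacker expects 2 **",
          int(math.log2(expected_guesses(256, 8))), "guesses if chosen at random")
    for row in crack_time_table():
        print("%2d %-15s %30d %s" % row)
```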
Password - Conclusion

Be aware of different attacks, and how they are used to crack passwords

Do not fall for social engineering!

Basic goal of a secure password is one that is easy for YOU to remember but hard
for someone else to find out

Use pass phrases to create secure passwords

Check the strength of your passwords

Change passwords often


Biometric

“You are your key” - Schneier

Examples
- Fingerprint
- Handwritten signature
- Facial recognition
- Speech recognition
- Gait (walking) recognition
- "Digital doggie" (odor recognition)
- Many more!


Why Biometric?

Biometrics seen as a desirable replacement for passwords

Cheap and reliable biometrics needed

Today, a very active area of research

Biometrics are used in security today
- Thumbprint mouse
- Palm print for secure entry
- Fingerprint to unlock car door, etc.

But biometrics not too popular
- Has not lived up to its promise (yet)
Ideal Biometric

Universal - applies to (almost) everyone
- In reality, no biometric applies to everyone

Distinguishing - distinguishes with certainty
- In reality, cannot hope for 100% certainty

Permanent - the physical characteristic being measured never changes
- In reality, want it to remain valid for a long time

Collectable - easy to collect the required data
- Depends on whether subjects are cooperative

Safe, easy to use, etc., etc.


Biometric Modes

Identification - Who goes there?
- Compare one to many
- Example: the FBI fingerprint database

Authentication - Is that really you?
- Compare one to one
- Example: thumbprint mouse

Identification problem more difficult
- More "random" matches since more comparisons

Fingerprint Comparison
- Examples of loops, whorls and arches
- Minutiae extracted from these features


Thank You
