
Computer Security: Principles and Practice, Fourth Edition

By: William Stallings and Lawrie Brown


Chapter 3
User Authentication
NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines digital user authentication as:

“The process of establishing confidence in user identities that are presented electronically to an information system.”

(Table can be found on page 65 in the textbook)
The four means of authenticating user identity are based on:
• Something the individual knows
o Password, PIN, answers to prearranged questions
• Something the individual possesses (token)
o Smartcard, electronic keycard, physical key
• Something the individual is (static biometrics)
o Fingerprint, retina, face
• Something the individual does (dynamic biometrics)
o Voice pattern, handwriting, typing rhythm
Risk Assessment for User Authentication
• There are three separate concepts:
o Assurance Level
o Potential impact
o Areas of risk
Assurance Level
Describes an organization’s degree of certainty that a user has presented a credential that refers to his or her identity
More specifically is defined as:
• The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
• The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
Four levels of assurance
• Level 1: Little or no confidence in the asserted identity’s validity
• Level 2: Some confidence in the asserted identity’s validity
• Level 3: High confidence in the asserted identity’s validity
• Level 4: Very high confidence in the asserted identity’s validity
Potential Impact
• FIPS 199 defines three levels of potential
impact on organizations or individuals
should there be a breach of security:
o Low
• An authentication error could be expected to have a
limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate
• An authentication error could be expected to have a
serious adverse effect
o High
• An authentication error could be expected to have a
severe or catastrophic adverse effect
Table 3.2
Maximum Potential Impacts for Each Assurance Level
Password-Based Authentication
• Widely used line of defense against
intruders
o User provides name/login and password
o System compares password with the one stored for that
specified login
• The user ID:
o Determines that the user is authorized to access the
system
o Determines the user’s privileges
o Is used in discretionary access control
Password Vulnerabilities
• Offline dictionary attack
• Specific account attack
• Popular password attack
• Password guessing against single user
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use
• Electronic monitoring
UNIX Implementation
Original scheme
• Up to eight printable characters in length
• 12-bit salt used to modify DES encryption into a one-way hash function
• Zero value repeatedly encrypted 25 times
• Output translated to 11 character sequence
Now regarded as inadequate
• Still often required for compatibility with existing account management software or multivendor environments
Improved Implementations
Much stronger hash/salt schemes available for Unix
Recommended hash function is based on MD5
• Salt of up to 48-bits
• Password length is unlimited
• Produces 128-bit hash
• Uses an inner loop with 1000 iterations to achieve slowdown
OpenBSD uses Blowfish block cipher based hash algorithm called Bcrypt
• Most secure version of Unix hash/salt scheme
• Uses 128-bit salt to create 192-bit hash value
Password Cracking
Dictionary attacks
• Develop a large dictionary of possible passwords and try each against the password file
• Each password must be hashed using each salt value and then compared to stored hash values
Rainbow table attacks
• Pre-compute tables of hash values for all salts
• A mammoth table of hash values
• Can be countered by using a sufficiently large salt value and a sufficiently large hash length
Password crackers exploit the fact that people choose easily guessable passwords
• Shorter password lengths are also easier to crack
John the Ripper
• Open-source password cracker first developed in 1996
• Uses a combination of brute-force and dictionary techniques
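The two slides above (the salted, iterated Unix hash schemes and the reason a large salt defeats precomputed tables) can be seen together in a short example. This is added illustration code, not from the textbook or its authors; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for MD5-crypt or bcrypt, and the 16-byte salt, the iteration count and the word list are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Assumed parameters for this illustration (not the textbook's MD5-crypt or
# bcrypt parameters): a 16-byte (128-bit) random salt and an iteration count
# that makes each guess slower, playing the role of the 1000-iteration inner
# loop described above. PBKDF2-HMAC-SHA256 stands in for the textbook's hashes.
SALT_BYTES = 16
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest): a fresh random salt unless one is supplied,
    and the iterated hash of salt + password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


def unsalted_hash(password: str) -> bytes:
    """A single, unsalted hash: the only kind a precomputed table can cover."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_table(dictionary: Iterable[str]) -> Dict[bytes, str]:
    """Constructed stand-in for a precomputed lookup table:
    hash -> password for every word in a small dictionary."""
    return {unsalted_hash(word): word for word in dictionary}


def lookup(stored: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Return the password behind a stored hash if the table covers it."""
    return table.get(stored)


if __name__ == "__main__":
    common = ["123456", "password", "qwerty", "letmein"]   # constructed list
    table = precomputed_table(common)

    # Unsalted storage: one table entry recovers the password immediately.
    print("unsalted lookup:", lookup(unsalted_hash("letmein"), table))

    # Salted, iterated storage: the same table finds nothing, and two users
    # with the same password get different salts and therefore different hashes.
    salt_a, hash_a = hash_password("letmein")
    salt_b, hash_b = hash_password("letmein")
    print("salted lookup:", lookup(hash_a, table))
    print("same password, different hashes:", hash_a != hash_b)
    print("verify correct:", verify_password("letmein", salt_a, hash_a))
    print("verify wrong:", verify_password("letmeout", salt_a, hash_a))
```

The verifier recomputes the hash with the stored salt rather than reversing anything, which is why the salt is stored in the clear beside the digest: its job is to make each stored hash unique, not to be secret.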
Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords

• However password-cracking techniques have also improved
o The processing capacity available for password cracking has
increased dramatically
o The use of sophisticated algorithms to generate potential
passwords
o Studying examples and structures of actual passwords in use
Password File Access Control
Can block offline guessing attacks by denying access to encrypted passwords
• Make available only to privileged users
• Shadow password file
Vulnerabilities
• Weakness in the OS that allows access to the file
• Accident with permissions making it readable
• Users with same password on other systems
• Access from backup media
• Sniff password in network traffic
Password Selection Strategies
• User education
o Users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords
• Computer generated passwords
o Users have trouble remembering them
• Reactive password checking
o System periodically runs its own password cracker to find guessable passwords
• Complex password policy
o User is allowed to select their own password, however the system checks to see if the password is allowable, and if not, rejects it
o Goal is to eliminate guessable passwords while allowing the user to select a password that is memorable
Proactive Password Checking
• Rule enforcement
o Specific rules that passwords must adhere to

• Password checker
o Compile a large dictionary of passwords not to use

• Bloom filter
o Used to build a table based on hash values
o Check desired password against this table
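A proactive checker of the kind sketched above (a length rule plus a Bloom filter built from a dictionary of passwords not to use), as an added example that is not the textbook's code. The bit-array size, the number of hash functions, the use of SHA-256 to derive the k positions, and the banned word list are all constructed assumptions; the false-positive estimate is the standard Bloom filter formula P ≈ (1 − e^(−kD/N))^k.

```python
import hashlib
import math
from typing import Iterable, Iterator


class BloomFilter:
    """N-bit table with k hash functions (constructed for this example)."""

    def __init__(self, num_bits: int, num_hashes: int) -> None:
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = bytearray((num_bits + 7) // 8)

    def _positions(self, word: str) -> Iterator[int]:
        # Derive k bit positions H1(x)..Hk(x) by hashing the word together with
        # the index i; SHA-256 is an illustrative choice, not a requirement.
        for i in range(self.num_hashes):
            h = hashlib.sha256(f"{i}:{word}".encode("utf-8")).digest()
            yield int.from_bytes(h[:8], "big") % self.num_bits

    def add(self, word: str) -> None:
        for pos in self._positions(word):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, word: str) -> bool:
        # All k bits set: the word is in the dictionary, or a false positive.
        # Any bit clear: the word is definitely not in the dictionary.
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(word))


def expected_false_positive_rate(k: int, D: int, N: int) -> float:
    """Standard estimate P ~= (1 - e^(-kD/N))^k for k hash functions,
    D dictionary words and N bits in the table."""
    return (1.0 - math.exp(-k * D / N)) ** k


def build_banned_filter(words: Iterable[str], num_bits: int = 1 << 16,
                        num_hashes: int = 4) -> BloomFilter:
    """Build the table once from the dictionary; the dictionary itself
    need not be kept on the system afterwards."""
    bf = BloomFilter(num_bits, num_hashes)
    for w in words:
        bf.add(w)
    return bf


def password_allowed(candidate: str, banned: BloomFilter,
                     min_length: int = 8) -> bool:
    """Proactive check: enforce a length rule, then reject anything the
    filter says may be in the banned dictionary. A false positive only ever
    rejects an extra password; it can never admit a banned one."""
    if len(candidate) < min_length:
        return False
    return not banned.might_contain(candidate)


if __name__ == "__main__":
    banned_words = ["password", "123456", "qwerty", "letmein", "iloveyou"]  # constructed
    bf = build_banned_filter(banned_words)
    for cand in ["password", "letmein", "short1", "Correct-Horse-Battery-7"]:
        print(f"{cand!r:28} allowed={password_allowed(cand, bf)}")
    print("estimated false-positive rate:",
          round(expected_false_positive_rate(4, len(banned_words), 1 << 16), 8))
```

The trade-off the formula exposes is the practical one: for a fixed dictionary size D, more bits N or a better-chosen k lowers the rate at which acceptable passwords are wrongly rejected, while the memory cost stays a fraction of storing the dictionary itself.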
Table 3.3
Types of Cards Used as Tokens
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction
Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display
for human/token interaction

• Electronic interface
o A smart card or other token requires an electronic interface to
communicate with a compatible reader/writer
o Contact and contactless interfaces
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols

• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports
• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed
Electronic Identity Cards (eID)
Use of a smart card as a national identity card for citizens
Can serve the same purposes as other national ID cards, and similar cards such as a driver’s license, for access to government and commercial services
Can provide stronger proof of identity and can be used in a wider variety of applications
In effect, is a smart card that has been verified by the national government as valid and authentic
Most advanced deployment is the German card neuer Personalausweis
Has human-readable data printed on its surface
• Personal data
• Document number
• Card access number (CAN)
• Machine readable zone (MRZ)
Table 3.4
Electronic Functions and Data for eID Cards

CAN = card access number
MRZ = machine readable zone
PACE = password authenticated connection establishment
PIN = personal identification number
Password Authenticated Connection Establishment (PACE)
Ensures that the contactless RF chip in the eID card cannot be read without explicit access control
For online applications, access is established by the user entering the 6-digit PIN (which should only be known to the holder of the card)
For offline applications, either the MRZ printed on the back of the card or the six-digit card access number (CAN) printed on the front is used
Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when
compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Remote User Authentication
• Authentication over a network, the Internet, or a communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a password, replaying an authentication sequence that has been observed
• Generally rely on some form of a challenge-response protocol to counter threats
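The challenge-response idea above, shown with both sides' messages and with the replay of an observed response, as an added example that is not the textbook's protocol code. The textbook's remote password protocol has the host send a random number r and the client return f(r', h(P')); in this example h is SHA-256 of the password and f is HMAC-SHA256 keyed with that hash, a constructed choice, as are the user names and passwords.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed example. The host stores h(P) and never sees the password on
# the link; each login uses a fresh random r, so an eavesdropper who records
# a response cannot reuse it against a later challenge.


def derive_key(password: str) -> bytes:
    # h(P): what the host stores instead of the clear-text password
    return hashlib.sha256(password.encode("utf-8")).digest()


class Host:
    """Remote host: issues a fresh single-use challenge for every attempt."""

    def __init__(self) -> None:
        self.stored: Dict[str, bytes] = {}    # user -> h(P)
        self.pending: Dict[str, bytes] = {}   # user -> outstanding r

    def register(self, user: str, password: str) -> None:
        self.stored[user] = derive_key(password)

    def challenge(self, user: str) -> bytes:
        r = os.urandom(16)
        self.pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        r = self.pending.pop(user, None)      # each r is accepted at most once
        key = self.stored.get(user)
        if r is None or key is None:
            return False
        expected = hmac.new(key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user: str, password: str) -> None:
        self.user = user
        self.key = derive_key(password)       # h(P') computed locally

    def respond(self, r: bytes) -> bytes:
        # f(r', h(P')): binds this response to this challenge only
        return hmac.new(self.key, r, hashlib.sha256).digest()


def run_exchange(host: Host, client: Client) -> bool:
    """Genuine login: host -> r, client -> f(r, h(P)), host verifies."""
    r = host.challenge(client.user)
    return host.verify(client.user, client.respond(r))


def replayed_exchange(host: Host, client: Client) -> bool:
    """An observer records the (r, response) pair from a genuine login and
    later submits the same response to a new challenge; the new r makes the
    recorded response fail verification."""
    r1 = host.challenge(client.user)
    captured = client.respond(r1)
    host.verify(client.user, captured)        # the genuine login completes
    host.challenge(client.user)               # a later attempt gets a new r
    return host.verify(client.user, captured)


if __name__ == "__main__":
    host = Host()
    host.register("alice", "correct horse")   # constructed credentials
    print("genuine login:", run_exchange(host, Client("alice", "correct horse")))
    print("wrong password:", run_exchange(host, Client("alice", "battery staple")))
    print("replayed response:", replayed_exchange(host, Client("alice", "correct horse")))
```

Two details carry the security argument: the challenge is random and consumed on first use, so a replay meets a different r, and the comparison is constant-time so the verifier does not leak how many bytes of a forged response were right.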
Table 3.5
Some Potential Attacks, Susceptible Authenticators, and Typical Defenses
(Table is on page 96 in the textbook)

Authentication Security Issues
• Eavesdropping
o Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
• Host Attacks
o Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
• Replay
o Adversary repeats a previously captured user response
• Client Attacks
o Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
• Trojan Horse
o An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
• Denial-of-Service
o Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Case Study: ATM Security Problems
Summary
• Digital user authentication principles
o A model for digital user authentication
o Means of authentication
o Risk assessment for user authentication
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
o Password selection strategies
• Token-based authentication
o Memory cards
o Smart cards
o
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
o Biometric accuracy
• Remote user authentication
o Password protocol
o Token protocol
o Static biometric protocol
o Dynamic biometric protocol
• Security issues for user authentication
