
Information Security

Chapter 2

Authentication
Authentication
• The property of accurate identification is called authentication.
  ◦ Authentication, with its techniques and technologies, is the first critical tool for security professionals.
  ◦ Computers have replaced many face-to-face interactions with electronic ones.
  ◦ With no vigilant neighbor to recognize that something is awry, people need other mechanisms to separate authorized from unauthorized parties.
• The basis of computer security is controlled access: someone is authorized to take some action on something.
  ◦ In security, the subject can be people, computer processes (executing programs), network connections, devices, and similar active entities.
Authentication
• Computers depend on data to recognize others.
• In computer systems, determining who a person really is consists of two separate steps:
  ◦ Identification is the act of asserting who a person is.
    − Identities, like names, are often well known, public, and not protected.
  ◦ Authentication is the act of proving that asserted identity: that the person is who she says she is.
    − Authenticators, like a password, a card, or a fingerprint, are private and necessarily protected.
Authentication: Identification Versus Authentication
• Identification: asserting who a person is.
  ◦ Identities are often well known, predictable, guessable, or easily determined: your name, your bank account number, your debit card number, your email address, and other such things are ways by which people and processes identify you.
  ◦ Identification does not provide real protection; identities are not protected.
• Authentication: proving that asserted identity.
  ◦ Authenticators must be reliable, private, and protected.
  ◦ Authentication mechanisms use any of three qualities to confirm a user's identity:
Authentication: Identification Versus Authentication
    − Something the user knows: passwords, PINs, passphrases, a secret handshake, and mother's maiden name.
    − Something the user has: identity badges, physical keys, a driver's license, or a uniform are common examples of things people have that make them recognizable.
    − Something the user is: these authenticators, called biometrics, are based on a physical characteristic of the user, such as a fingerprint, the retina and iris of the eye, blood vessels in the finger or hand, a face (picture), or facial features. These authentication methods are just starting to be used in computer authentication.
    − Something the user does: recognition by voice pattern, handwriting characteristics, typing rhythm, and signatures.
  ◦ Two or more forms can be combined; for example, a bank card and a PIN combine something the user has (the card) with something the user knows (the PIN).
Authentication Based on Phrases and Facts: Something You Know
• Passwords were the first form of computer authentication and remain popular; these forms are becoming easier to use, less expensive, and more common.
• Password protection seems to offer a relatively secure system for confirming identity-related information, but human practice sometimes degrades its quality.
• The use of passwords is fairly straightforward:
  ◦ A user enters some piece of identification, a name or a user ID.
  ◦ The protection system then requests a password from the user.
Password Use
• Even though passwords are widely used, they suffer from some difficulties of use:
  ◦ Use: supplying a password for each access to an object can be inconvenient and time consuming.
  ◦ Disclosure: if a user discloses a password to an unauthorized individual, the object becomes immediately accessible. If the user then changes the password to re-protect the object, the user must inform any other legitimate users of the new password, because their old password will fail.
  ◦ Revocation: to revoke one user's access right to an object, someone must change the password, thereby causing the same problems as disclosure.
  ◦ Loss: depending on how the passwords are implemented, it may be impossible to retrieve a lost or forgotten password in some systems.
Attacking and Protecting Passwords
• Passwords are somewhat limited as protection devices because of the relatively small number of bits of information they contain.
  ◦ Worse, people pick passwords that do not even take advantage of the number of bits available, choosing a well-known string.
• An attacker might try the following, in order, to determine a password. The password-guessing steps are:
  ◦ no password,
  ◦ the same as the user ID,
  ◦ the user's name, or derived from the user's name,
  ◦ on a common word list plus common names and patterns,
Attacking and Protecting Passwords
  ◦ contained in:
    − a short college dictionary, or a complete English word list,
    − common non-English-language dictionaries,
    − a short college dictionary with capitalizations or substitutions,
    − a complete English dictionary with capitalizations or substitutions, and
    − common non-English dictionaries with capitalizations or substitutions,
  ◦ obtained by brute force attacks, trying all possible combinations of alphabetic characters, or
  ◦ obtained by brute force attacks, trying all possible combinations from the full character set.
Attacking and Protecting Passwords
• Some of the password attack approaches:
  ◦ Dictionary attacks,
  ◦ Inferring passwords likely for a user,
  ◦ Guessing probable passwords,
  ◦ Defeating concealment,
  ◦ Exhaustive attack (brute force attack).
Dictionary Attacks
• Several network sites post dictionaries of phrases, places, mythological names, Chinese words, Yiddish words, and other specialized lists.
• These lists help site administrators to identify users who have chosen weak passwords, but the same dictionaries can also be used by attackers of sites that do not have such attentive administrators.
  ◦ The COPS, Crack, and SATAN utilities allow an administrator to scan a system for weak passwords.
  ◦ But these same utilities, or other homemade ones, allow attackers to do the same.
• People think they can be clever by picking a simple password and replacing certain characters, but users aren't the only people who could think up these substitutions.
Inferring Passwords Likely for a User
• People typically choose personal passwords.
• Morris and Thompson show the characteristics of the 3,289 passwords they gathered; the following figure illustrates the distribution of password types.

FIGURE 2-1: Distribution of Password Types

Guessing Probable Passwords
• Penetrators searching for passwords realize these very human characteristics and use them to their advantage.
  ◦ Penetrators try techniques that are likely to lead to rapid success.
  ◦ If people prefer short passwords to long ones, the penetrator will plan to try all passwords, but to try them in order by length.
  ◦ There are only 26^1 + 26^2 + 26^3 = 18,278 (not case sensitive) passwords of length 3 or less.
• People often use anything simple that comes to mind as a password, so human attackers might succeed by trying a few popular passwords.
Exhaustive Attack
• In an exhaustive or brute force attack:
  ◦ the attacker tries all possible passwords, usually in some automated fashion;
  ◦ the number of possible passwords depends on the implementation of the particular computing system, for example:
    − the characters that may be used to write a password, and
    − the password length.
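The 26^1 + 26^2 + 26^3 = 18,278 figure on the Guessing Probable Passwords slide and the two factors named here (character set and length) can be put together in a small calculator. The following Python is an added example, not code from the slides; the character-set sizes are the standard ASCII counts, and the guessing rate used in the demonstration is an assumed illustrative value, not a measurement.

```python
# Added example (not from the slides): size of the search space an exhaustive
# attack must cover, as a function of the character set and the password
# length. It generalizes the 26^1 + 26^2 + 26^3 = 18,278 figure in the text.


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Count of distinct strings whose length lies between min_len and max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def cumulative_by_length(alphabet_size: int, max_len: int) -> list:
    """Running totals for a shortest-first search, as the slides describe:
    element i is the number of guesses that exhausts every length <= i + 1."""
    totals, running = [], 0
    for n in range(1, max_len + 1):
        running += alphabet_size ** n
        totals.append(running)
    return totals


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return space / guesses_per_second / 3600


# Character sets named on the Good Passwords slide; sizes are ASCII counts.
ALPHABETS = {
    "a-z only": 26,
    "a-z and A-Z": 52,
    "letters and digits": 62,
    "printable ASCII (letters, digits, symbols)": 95,
}

if __name__ == "__main__":
    print("lengths 1..3 over a-z:", keyspace(26, 1, 3))  # 18278, as on the slide
    print("shortest-first running totals:", cumulative_by_length(26, 3))
    RATE = 1e9  # assumed guessing rate (guesses/second), for illustration only
    for name, size in ALPHABETS.items():
        for length in (6, 8, 12):
            space = keyspace(size, length, length)
            print(f"{name:45s} length {length:2d}: {space:.3e} candidates, "
                  f"{hours_to_exhaust(space, RATE):.3e} hours at {RATE:.0e}/s")
```

Running the block prints one line per character set and length; the point to take from the table is that widening the character set and adding length both multiply the space, and length does so fastest, which is why the Good Passwords slide asks for both.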
• Another form of copying occurs with passwords: if you have to enter or speak your password, someone else can look over your shoulder or overhear you, and now that authenticator is easily copied or forged.
• All these techniques to defeat passwords, combined with usability issues, indicate that we need to look for other methods of authentication.
Good Passwords
• Chosen carefully, passwords can be strong authenticators.
• If we do use passwords, we can improve their security by a few simple practices (criteria):
  ◦ Use characters other than just a–z: use both uppercase and lowercase letters plus digits and symbols.
  ◦ Choose long passwords (at least 8 characters).
  ◦ Avoid actual names or words.
  ◦ It must not contain blanks.
  ◦ It must begin with a letter.
  ◦ Use a string you can remember.
  ◦ Use variants for multiple passwords.
  ◦ Change the password regularly.
  ◦ Don't write it down.
  ◦ Don't tell anyone else.
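The checkable criteria above, together with the first steps of the guessing ladder from the Attacking and Protecting Passwords slides (empty password, same as the user ID, derived from the user's name, on a common word list even after the "clever" character substitutions the Dictionary Attacks slide warns about), can be enforced at password-setting time. The Python below is an added example and not code from the slides; the word list is a constructed stand-in for the dictionaries the text mentions, and the substitution map and the rule that ignores name fragments shorter than three letters are design choices of this example, not something the slides specify.

```python
import re
from typing import List

# Constructed stand-in for the "short college dictionary" and common-names
# lists the slides mention; a real check would load a full word list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey",
                "football", "qwerty", "alice", "summer"}

# Undo the character substitutions the slides warn about, so that P@ssw0rd is
# tested as the dictionary word it really is (assumed mapping, example only).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case and reverse common substitutions: 'P@ssw0rd' -> 'password'."""
    return candidate.lower().translate(SUBSTITUTIONS)


def check_password(password: str, user_id: str, full_name: str) -> List[str]:
    """Return the list of rules the password fails; an empty list means it passes.

    The first group mirrors the guessing ladder from the attack slides; the
    second group is the Good Passwords criteria.
    """
    problems: List[str] = []
    if not password:
        return ["empty password"]

    norm = normalize(password)
    if password.lower() == user_id.lower():
        problems.append("same as the user ID")
    else:
        # Name fragments shorter than three letters are ignored so that a
        # two-letter initial does not flag unrelated passwords (design choice).
        parts = [p.lower() for p in re.split(r"\W+", full_name) if len(p) >= 3]
        if user_id.lower() in norm or any(p in norm for p in parts):
            problems.append("derived from the user ID or name")
    if norm in COMMON_WORDS:
        problems.append("common word, even after undoing substitutions")

    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if re.search(r"\s", password):
        problems.append("contains blanks")
    if not password[0].isalpha():
        problems.append("does not begin with a letter")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a user "jdoe" named John Doe trying several passwords.
    for pw in ["", "jdoe", "P@ssw0rd", "jdoe2024!", "Tq7#vLm9pXz"]:
        print(repr(pw), "->", check_password(pw, "jdoe", "John Doe") or ["ok"])
```

The instructive case is "P@ssw0rd": it satisfies every structural criterion on the slide (8 characters, mixed case, a digit, a symbol, begins with a letter) and still fails, because after undoing the substitutions it is the word "password". A checker that only counts character classes would accept it, which is exactly the weakness the Dictionary Attacks slide describes.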
