Scribd
Upload
20 views29 pages

CH03

Chapter 3 discusses user authentication, defining it as the process of establishing confidence in user identities presented electronically. It outlines four means of authentication: something the individual knows, possesses, is (biometrics), and does (dynamic biometrics), along with risk assessment concepts and assurance levels. Additionally, it covers password-based authentication, vulnerabilities, modern approaches, and various types of tokens and biometric authentication methods.

Uploaded by

Noor Alnaser
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
20 views29 pages

CH03

Chapter 3 discusses user authentication, defining it as the process of establishing confidence in user identities presented electronically. It outlines four means of authentication: something the individual knows, possesses, is (biometrics), and does (dynamic biometrics), along with risk assessment concepts and assurance levels. Additionally, it covers password-based authentication, vulnerabilities, modern approaches, and various types of tokens and biometric authentication methods.

Uploaded by

Noor Alnaser
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 29

Chapter 3

User Authentication
NIST SP 800-63-3 (Digital
Authentication Guideline, October
2016) defines digital user
authentication as:

“The process of establishing


confidence in user identities that
are presented electronically to
an information system.”
(Table can be found on page 65 in the textbook)
The four means of authenticating
user identity are based on:
Something Something Something Something
the the the the
individual individual individual is individual
knows possesses (static does
• Password, PIN, (token) biometrics) (dynamic
answers to • Smartcard, • Fingerprint, biometrics)
prearranged electronic retina, face • Voice pattern,
questions keycard, handwriting,
physical key typing rhythm
Risk Assessment for
User Authentication

• There are Assuranc


e Level
three
separate
concepts:
Potential
impact

Areas of
risk
Assurance Level
More
specifically is
Four levels
defined as: of assurance
Describes an
organization’s Level 1
degree of The degree of
confidence in the
• Little or no confidence in the
asserted identity's validity
certainty that a vetting process used
to establish the
user has identity of the Level 2
individual to whom the
presented a credential was issued
• Some confidence in the
asserted identity’s validity

credential that
refers to his or Level 3
• High confidence in the
her identity The degree of
confidence that the
asserted identity's validity

individual who uses


the credential is the Level 4
individual to whom the • Very high confidence in the
credential was issued asserted identity’s validity
Potential Impact
• FIPS 199 defines three levels of potential
impact on organizations or individuals
should there be a breach of security:
o Low
• An authentication error could be expected to have a
limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate
• An authentication error could be expected to have a
serious adverse effect
o High
• An authentication error could be expected to have a
severe or catastrophic adverse effect
Password-Based
Authentication
• Widely used line of defense against
intruders
o User provides name/login and password
o System compares password with the one stored for that
specified login
• The user ID:
o Determines that the user is authorized to access the
system
o Determines the user’s privileges
o Is used in discretionary access control
Password
Vulnerabilities
Password Electroni
Offline guessing Workstati
c
dictionar against on
single hijacking monitori
y attack
user ng

Exploitin
Specific Popular Exploiting g
account password user multiple
attack attack mistakes passwor
d use
UNIX Implementation
Original scheme
• Up to eight printable characters in
length
• 12-bit salt used to modify DES
encryption into a one-way hash function
• Zero value repeatedly encrypted 25
times
• Output translated to 11 character
sequence

Now regarded as
inadequate
• Still often required for compatibility with
existing account management software
or multivendor environments
Password Cracking
Dictionary attacks Rainbow table
• Develop a large attacks
dictionary of possible • Pre-compute tables of
passwords and try hash values for all salts
each against the • A mammoth table of
password file hash values
• Each password must • Can be countered by
be hashed using each using a sufficiently
salt value and then large salt value and a
compared to stored sufficiently large hash
hash values length

Password crackers John the Ripper


exploit the fact that • Open-source password
people choose cracker first developed
easily guessable in in 1996
• Uses a combination of
passwords
brute-force and
• Shorter password dictionary techniques
lengths are also easier
to crack
Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords

• However password-cracking techniques


have also improved
o The processing capacity available for password cracking has
increased dramatically
o The use of sophisticated algorithms to generate potential
passwords
o Studying examples and structures of actual passwords in use
Password File Access
Control
Can block offline guessing attacks by
denying access to encrypted passwords

Make
available
only to
Vulnerabilities
privileged
users

Weakness Accident Users


Sniff
in the OS with with Access
password
that permissio same from
Shadow s in
allows ns password backup
password network
access to making it on other media
file traffic
the file readable systems
Password Selection Strategies
User education
Users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting
strong passwords

Computer generated passwords


Users have trouble remembering them

Reactive password checking


System periodically runs its own password cracker to find guessable passwords

Complex password policy


User is allowed to select their own password, however the
Goal is to eliminate guessable passwords while allowing
system checks to see if the password is allowable, and if
the user to select a password that is memorable
not, rejects it
Proactive Password
Checking
• Rule enforcement
o Specific rules that passwords must adhere to

• Password checker
o Compile a large dictionary of passwords not to use

• Bloom filter
o Used to build a table based on hash values
o Check desired password against this table
Table 3.3

Types of Cards Used as Tokens


Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction
Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display
for human/token interaction

• Electronic interface
o A smart card or other token requires an electronic interface to
communicate with a compatible reader/writer
o Contact and contactless interfaces
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols

• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports
• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed
Electronic Identity
Cards (eID)
Use of a smart card as a Most advanced deployment is
national identity card for the German card neuer
citizens Personalausweis

Can serve the same purposes as other Has human-readable data printed on its
national ID cards, and similar cards such surface
as a driver’s license, for access to • Personal data
government and commercial services • Document number
• Card access number (CAN)
• Machine readable zone (MRZ)

Can provide stronger proof of identity


and can be used in a wider variety of
applications

In effect, is a smart card that has been


verified by the national government as
valid and authentic
Biometric
Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when
compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Eavesdropping
Adversary attempts
to learn the
password by some
Denial-of- sort of attack that Host Attacks
Service involves the
Directed at the
physical proximity
user file at the
of user and
Attempts to host where
adversary
disable a user passwords, token
authentication passcodes, or
service by flooding biometric
templates are
numerous
AUTHENTICATI
the service with
stored
authentication
attempts
ON
Trojan Horse SECURITY
An ISSUES Replay
application or Client Adversary
physical device repeats a
masquerades as
Attacks previously
an authentic Adversary captured user
application or attempts to response
device for the achieve user
purpose of authentication
capturing a user without access to
password, the remote host
passcode, or or the
biometric intervening
communications
path

You might also like