Identification and Authentication
Identification:
- Identification is the process of recognizing and distinguishing users,
devices, or systems within a network.
- It is the first step in the security process before authentication and
authorization.
Authentication:
- Authentication is the process of verifying the identity of a user, device,
or system before granting access to resources.
- It ensures that the entity claiming an identity is actually who they say
they are.
User name and Password
User name:
- A username (also called a user ID, login name, or account name)
is a unique identifier assigned to a user in a system, network, or online
platform.
- It is used for identification during the authentication process.
Password:
- A password is a secret combination of characters (letters, numbers,
symbols) used to verify a user's identity during authentication.
- It acts as a security key to protect access to accounts, systems, or
data.
User name and Password Management:
1. The first step is called identification
2. The second step is called authentication.
3. Entity authentication: The process of verifying the identity claimed by
some system entity.
4. Password Security Management: Managing password security can be a
little expensive, and obtaining a valid password is a common way of
gaining unauthorized access to a computer system.
Password Attacks
A password attack is the process of attempting to gain unauthorized access to
restricted systems using common passwords or algorithms that guess
passwords. In other words, it is the art of obtaining the correct password
that gives access to a system protected by an authentication method.
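The two steps of username and password management above, and the guessing
attacks just described, worked through as an added example (this is not code
from the original notes): a user store that identifies by username, authenticates
by comparing a salted password hash, and locks the account after repeated
failures so that a guessing algorithm cannot keep trying. The class name
UserStore, the constants MAX_FAILURES and PBKDF2_ITERATIONS, and the sample
users are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Added example, not part of the original notes. Names such as UserStore,
# MAX_FAILURES and PBKDF2_ITERATIONS are this example's own choices.

MAX_FAILURES = 5             # lock the account after this many wrong passwords
PBKDF2_ITERATIONS = 100_000  # work factor that slows down offline guessing


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class UserStore:
    """Holds user records keyed by username (the identifier)."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        """Store only a random salt and the derived hash, never the password."""
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
            "locked": False,
        }

    def login(self, username: str, password: str) -> str:
        """Step 1, identification: look the username up.
        Step 2, authentication: check the password against the stored hash.
        Returns "granted", "denied" or "locked"."""
        record = self._users.get(username)
        if record is None:
            # An unknown username gets the same answer as a wrong password, so
            # the response does not reveal which usernames exist.
            return "denied"
        if record["locked"]:
            return "locked"
        candidate = hash_password(password, record["salt"])
        # compare_digest takes the same time whichever bytes differ
        if hmac.compare_digest(candidate, record["hash"]):
            record["failures"] = 0
            return "granted"
        record["failures"] += 1
        if record["failures"] >= MAX_FAILURES:
            record["locked"] = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))  # granted
    print(store.login("alice", "guess1"))                         # denied
```

The store never holds the password itself; a copy of the database gives an
attacker only salts and slow-to-compute hashes, and the lockout counter turns
an unlimited guessing run into at most MAX_FAILURES attempts per account.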
Types of Password Attacks:
1. Piggybacking
2. Shoulder surfing
3. Dumpster diving
1. Piggybacking:
Piggybacking is a type of password attack.
Piggybacking is a social engineering attack where an attacker gains
unauthorized access to a system or network by following an authorized
person without permission.
Piggybacking is when an attacker uses someone else's access to enter a
secure area or system without permission.
Piggybacking is the simple approach of following closely behind a person
who has just used their own access card or PIN to gain physical access to
a room or building.
In this way an attacker can gain access to the facility without knowing the
access code or acquiring an access card.
Example:
- A person enters a secure building by following an employee through a
locked door without using their own ID card.
- In Wi-Fi networks, piggybacking means using someone’s Wi-Fi without
permission.
2. Shoulder Surfing:
Shoulder surfing is a type of password attack.
Shoulder surfing is a type of social engineering attack where someone
secretly watches you while you enter confidential information like
passwords, PINs, or credit card numbers.
Shoulder surfing is the act of spying over someone's shoulder to steal
sensitive information, usually in public places.
Shoulder surfing is a similar procedure, where the attacker positions
themselves in such a way that they are able to observe the authorized user
entering the correct access code.
This attack uses direct observation techniques, like looking over
someone's shoulder while they are entering a PIN or password.
Example:
- Someone watches you type your ATM PIN from behind in a queue.
- A person sitting next to you on a bus glances at your phone while you
enter your password.
3. Dumpster diving:
Dumpster diving is a type of password attack.
Dumpster diving is a social engineering attack where an attacker
searches through discarded documents, storage devices or trash to
obtain sensitive information.
Dumpster diving is the act of retrieving sensitive data (like passwords,
account details, or personal documents) from physical or digital waste.
Example:
- Finding and using old bank statements, password notes, or employee
ID cards thrown in the trash.
- Recovering deleted files from unsecured old computers or hard drives.
Difference between Piggybacking, Shoulder Surfing and Dumpster Diving:
1. Type of attack:
Piggybacking, shoulder surfing and dumpster diving are all social
engineering attacks. A social engineering attack is a trick used by
attackers to fool people into giving away private information like
passwords or bank details.
2. Method:
- Piggybacking is a method where an attacker gains unauthorized access
to a system or network by following an authorized person without
permission.
- Shoulder surfing is a method where someone secretly watches you while
you enter confidential information like passwords, PINs, or credit card
numbers.
- Dumpster diving is a method where an attacker searches through
discarded documents, storage devices or trash to find sensitive
information such as passwords, bank details or personal data.
3. Example:
- Piggybacking: If an authorized person enters their password and starts
a user session on a computer system but then steps away without logging
out or locking the screen, an unauthorized person can come and use that
open session to gain access. This unauthorized use of an active session
is called piggybacking.
- Shoulder surfing: At an ATM, when you are entering your PIN, someone
secretly watches you while you enter it. This is called shoulder surfing.
- Dumpster diving: Many users write down their sensitive information or
passwords in a diary or on papers. After some time, they throw it in the
dustbin. An attacker can find this paper and steal sensitive information
or passwords. This is called dumpster diving.
4. Definition:
- Piggybacking is when an attacker uses someone else's access to enter a
secure area or system without permission.
- Shoulder surfing is the act of spying over someone's shoulder to steal
sensitive information, usually in public places.
- Dumpster diving is the act of retrieving sensitive data like passwords,
account details, or personal documents from physical or digital waste.
5. Prevention:
- To prevent piggybacking: Do not allow unknown people to follow you into
secure areas. Use ID cards or biometric access for entry.
- To prevent shoulder surfing: Shield your keypad while typing passwords
or PINs. Maintain distance from others in queues.
- To prevent dumpster diving: Shred documents before disposal. Properly
wipe or destroy storage devices before discarding.
6. Attack method:
- Piggybacking: Physical access (e.g., entering behind someone).
- Shoulder surfing: Visual spying (e.g., looking over a shoulder).
- Dumpster diving: Data retrieval from discarded items.
Biometric
Phases of Biometric System:
1. Enrollment Phase
2. Recognition Phase
1. Enrollment Phase:
The enrollment phase is the first phase of a biometric system. A biometric
system is a technology which takes an individual's physiological traits,
behavioral traits, or both as input, analyzes them, and identifies the
individual as a genuine or malicious user.
In this phase, the biometric information of the user or person is recorded
in a database.
It is a one-time process. Generally, in this phase, the appropriate
information is measured very precisely.
It is also called the registration phase.
Steps involved:
- Biometric data (e.g., fingerprint, face) is captured using a
sensor.
- Features are extracted from the data.
- A biometric template is created.
- This template is stored in a secure database.
The purpose of this phase is to create a reference template for
future matching.
2. Recognition Phase:
This is the second phase of the biometric system.
This phase is used to verify the identity of the person trying to access
the system.
This phase must be quick, accurate, and able to decide the
authentication question easily.
Steps involved:
- The user gives a new biometric input.
- The system extracts features and creates a temporary
template.
- It compares this template with stored templates.
- If it matches, access is granted; otherwise, denied.
It is also called the authentication phase.
The main purpose of the recognition phase is to confirm whether
the person is who they claim to be.
Blocks of a Biometric System:
1. Sensor: The sensor is the first block of the biometric system; it
collects all the important data for biometrics. It is the interface between
the system and the real world. Typically, it is an image acquisition system,
but whether it has to be replaced depends on the features or characteristics
required.
2. Pre-processing: It is the second block, and it executes all the
pre-processing. Its function is to enhance the input and to eliminate
artifacts from the sensor, background noise, etc. It performs some kind of
normalization.
3. Feature extractor: This is the third and the most important step in the
biometric system. Extraction of features is to be done to identify them at a
later stage. The goal of a feature extractor is to characterize an object to be
recognized by measurements.
4. Template generator: The template generator generates the templates
that are used for authentication with the help of the extracted features. A
template is a vector of numbers or an image with distinct traits.
Characteristics obtained from the source groups come together to form a
template. Templates are stored in the database for comparison and serve
as input for the matcher.
5. Matcher: The matching phase is performed by a matcher. In this part,
the procured template is given to the matcher, which compares it with the
stored templates using various algorithms such as Hamming distance. After
matching the inputs, the results are generated.
6. Application device: It is a device that uses the results of a biometric
system. The Iris recognition system and facial recognition system are some
common examples of application devices.
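The enrollment and recognition phases and the Hamming-distance matcher from
the blocks above, worked through on a toy bit code as an added example (this is
not code from the original notes). Sixteen constructed sensor readings stand in
for a real biometric sample; feature extraction normalizes them by the sample
mean and keeps one bit per reading, and the matcher accepts a probe when the
fraction of differing bits is within a threshold. The reading values, the 0.25
threshold, and the class and function names are assumptions of this example;
the same code covers both the 1:1 verification and the 1:N identification case.

```python
# Added example, not part of the original notes. The readings below are
# constructed, and the 0.25 threshold and class/function names are assumed.

MATCH_THRESHOLD = 0.25  # fraction of differing bits tolerated between template and probe


def extract_features(raw_sample):
    """Pre-processing plus feature extraction: normalize by the sample mean and
    keep one bit per reading (1 if the reading is at or above the mean)."""
    if not raw_sample:
        raise ValueError("empty sample")
    mean = sum(raw_sample) / len(raw_sample)
    return [1 if x >= mean else 0 for x in raw_sample]


def hamming_distance(code_a, code_b):
    """Number of positions at which the two bit codes differ."""
    if len(code_a) != len(code_b):
        raise ValueError("codes must have equal length")
    return sum(a != b for a, b in zip(code_a, code_b))


class BiometricSystem:
    def __init__(self, threshold=MATCH_THRESHOLD):
        self.threshold = threshold
        self.templates = {}  # user id -> stored bit code (the template database)

    def enroll(self, user_id, raw_sample):
        """Enrollment phase: capture, extract features, store the template."""
        self.templates[user_id] = extract_features(raw_sample)

    def verify(self, claimed_id, raw_sample):
        """Recognition phase, 1:1: does the probe match the claimed user's
        template? Returns (accepted, normalized Hamming distance)."""
        template = self.templates.get(claimed_id)
        if template is None:
            return False, None
        probe = extract_features(raw_sample)
        distance = hamming_distance(template, probe) / len(template)
        return distance <= self.threshold, distance

    def identify(self, raw_sample):
        """Recognition phase, 1:N: return the closest enrolled user, or None
        when no template is within the threshold."""
        probe = extract_features(raw_sample)
        best_id, best_distance = None, None
        for user_id, template in self.templates.items():
            distance = hamming_distance(template, probe) / len(template)
            if best_distance is None or distance < best_distance:
                best_id, best_distance = user_id, distance
        if best_distance is None or best_distance > self.threshold:
            return None, best_distance
        return best_id, best_distance


# Constructed sensor readings (not real biometric data).
ALICE_ENROLL = [82, 14, 67, 25, 91, 38, 73, 9, 55, 46, 88, 31, 64, 19, 77, 42]
# Same person re-captured with a little sensor noise on every reading.
ALICE_AGAIN = [85, 12, 68, 21, 93, 41, 72, 11, 51, 50, 86, 32, 67, 18, 75, 46]
BOB_ENROLL = [20, 75, 33, 90, 12, 68, 57, 84, 27, 45, 16, 71, 38, 95, 22, 63]


def demo():
    system = BiometricSystem()
    system.enroll("alice", ALICE_ENROLL)
    system.enroll("bob", BOB_ENROLL)
    return {
        "alice_genuine": system.verify("alice", ALICE_AGAIN),   # (True, 0.0625)
        "alice_impostor": system.verify("alice", BOB_ENROLL),   # (False, 0.875)
        "identify_alice": system.identify(ALICE_AGAIN),         # ("alice", 0.0625)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The noisy re-capture flips one of the sixteen bits, so the genuine probe sits
well inside the threshold, while the other person's code differs in fourteen
positions. The threshold is the design knob: lowering it rejects more impostors
but also more noisy genuine samples.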
A person's biometric traits fall into the following three categories:
- Biological
- Physiological
- Behavioral
A physiological trait is a biological pattern found on or in the human body,
such as a face, fingerprints, iris pattern, DNA, hand geometry, etc.
Behavioral patterns, however, develop over time and become consistent
characteristics, such as handwriting, voice, gait, and typing rhythm. The
biometric feature that is used to identify an individual determines the type
of biometric system. Biological characteristics and behavioral traits of
individuals can be detected, and from them distinct, repeatable biometric
features can be extracted to automate recognition.
Types of Biometrics
There are two broad categories of biometrics:
1. Physiological Biometrics
2. Behavioral Biometrics
Physiological Biometrics: Physical traits are measured for identification and
verification in this type of biometrics. The trait should be chosen such that it is unique
among the population, and resistant to changes due to illness, aging, injury, etc.
Physiological Biometric Techniques:
Fingerprint: Fingerprints are unique for every individual. They can be measured in
several ways. Minutiae-based measurement uses graphs to match ridges, whereas
image-based measurement finds similarities between the image of the individual's
fingertip and the fingerprint images present in the database. It has a high level
of security and is used both for identification and verification. However, due to
old age or disease/injury, fingerprints may get altered. Common usage: in mobiles
for verification, in offices for identification.
Facial Recognition: Features of the face like the distance between nose, mouth and
ears, the length of the face, and skin color are used for verification and
identification. Accuracy can be affected by fog, sunglasses, aging, etc.
Iris and Retina: Patterns found in the eye are unique and can be used for both
identification and verification. Devices to analyze the retina are expensive and
hence it is less common. Diseases like cataract may alter iris patterns.
Voice Recognition: The pitch, voice modulation, and tone, among other things, are
measured. Security is medium, due to the similarity in the voices of different
people, hence it is used mostly for verification. Accuracy can be hindered by the
presence of noise, or by aging or illness.
DNA: DNA is unique and persistent throughout a lifetime. Thus, security is high and
it can be used for both identification and verification.
Behavioral Biometrics:
Traits of human behavior are measured in this case. Monitoring is required in this type of
biometrics to prevent impersonation by the claimant.
Signature: The signature is one of the most commonly used biometrics. Signatures
are used to verify checks by matching the signature on the check against the
signature present in the database. Signature tablets and special pens are used to
compare the signatures. The time taken to write the signature can also be used to
increase accuracy. Signatures are mostly used for verification.
Keystroke Dynamics: This technique measures the behavior of a person when
typing on a keyboard. Some of the characteristics taken into account are:
- Typing speed.
- Frequency of errors.
- Duration of key depressions.
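The three keystroke characteristics above, extracted from raw key events as an
added example (this is not code from the original notes). Each event is assumed
to be a (key, key-down time, key-up time) triple in milliseconds; the function
computes typing speed in keys per second, the frequency of errors as the share of
Backspace presses, and the duration of key depressions as the mean hold time. The
event format, the function name and the sample events are this example's own
constructions.

```python
# Added example, not part of the original notes. The key events below are
# constructed; the event format and feature names are this example's own.

BACKSPACE = "Backspace"


def keystroke_features(events):
    """Turn a sequence of (key, key_down_ms, key_up_ms) events into the three
    characteristics: typing speed, error frequency and key depression
    duration (dwell time). Rejects empty or inconsistent recordings."""
    if not events:
        raise ValueError("no keystrokes recorded")
    dwell_times = []
    for key, down, up in events:
        if up < down:
            raise ValueError(f"key {key!r} released before it was pressed")
        dwell_times.append(up - down)
    elapsed_ms = events[-1][2] - events[0][1]  # first press to last release
    if elapsed_ms <= 0:
        raise ValueError("zero elapsed time")
    backspaces = sum(1 for key, _, _ in events if key == BACKSPACE)
    return {
        "keys_per_second": len(events) / (elapsed_ms / 1000.0),
        "error_rate": backspaces / len(events),
        "mean_dwell_ms": sum(dwell_times) / len(dwell_times),
    }


# Constructed events: the user types "pasx", corrects with Backspace, then "s".
SAMPLE_EVENTS = [
    ("p", 0, 90),
    ("a", 150, 230),
    ("s", 300, 400),
    ("x", 470, 550),
    (BACKSPACE, 620, 700),
    ("s", 890, 1000),
]


if __name__ == "__main__":
    for name, value in keystroke_features(SAMPLE_EVENTS).items():
        print(f"{name}: {value:.3f}")
```

Six keys in one second give a speed of 6.0 keys per second, one Backspace in six
keystrokes gives an error rate of 1/6, and the hold times average 90 ms. A
behavioral biometric system would record such a feature vector at enrollment and
compare later typing sessions against it, with the tolerance chosen so that normal
day-to-day variation in a person's typing does not cause false rejections.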