Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
9 views25 pages

Lecture 9 Authentication User

The document discusses user authentication as a fundamental security building block, outlining its two main steps: identification and verification. It details various methods of authentication, including knowledge-based, possession-based, and biometric approaches, while also highlighting vulnerabilities such as password attacks and the importance of robust password policies. Additionally, it covers the complexities of network authentication and the challenges posed by different types of attacks.

Uploaded by

abbastayyaba417
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
9 views25 pages

Lecture 9 Authentication User

The document discusses user authentication as a fundamental security building block, outlining its two main steps: identification and verification. It details various methods of authentication, including knowledge-based, possession-based, and biometric approaches, while also highlighting vulnerabilities such as password attacks and the importance of robust password policies. Additionally, it covers the complexities of network authentication and the challenges posed by different types of attacks.

Uploaded by

abbastayyaba417
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 25

Lecture 9

 fundamental security building block


◦ basis of access control & user accountability
 is the process of verifying an identity
claimed by or for a system entity
 has two steps:

◦ identification - specify identifier


◦ verification - bind entity (person) and identifier
 distinct from message authentication
 four means of authenticating user's identity
 based one something the individual
◦ knows - e.g. password, PIN
◦ possesses - e.g. key, token, smartcard
◦ is (static biometrics) - e.g. fingerprint, retina
◦ does (dynamic biometrics) - e.g. voice, sign
 can use alone or combined
 all can provide user authentication
 all have issues
 widely used user authentication method
◦ user provides name/login and password
◦ system compares password with that saved for
specified login
 authenticates ID of user logging and
◦ that the user is authorized to access system
◦ determines the user’s privileges
◦ is used in discretionary access control
 offline dictionary attack
 specific account attack
 popular password attack
 password guessing against single user
 workstation hijacking
 exploiting user mistakes
 exploiting multiple password use
 electronic monitoring
 stop unauthorized access to password file
 intrusion detection measures
 account lockout mechanisms
 policies against using common passwords
but rather hard to guess passwords
 training & enforcement of policies
 automatic workstation logout
 encrypted network links
 original scheme
◦ 8 character password form 56-bit key
◦ 12-bit salt used to modify DES encryption into a
one-way hash function
◦ 0 value repeatedly encrypted 25 times
◦ output translated to 11 character sequence
 now regarded as woefully insecure
◦ e.g. supercomputer, 50 million tests, 80 min
 sometimes still used for compatibility
 have other, stronger, hash/salt variants
 many systems now use MD5

◦ with 48-bit salt


◦ password length is unlimited
◦ is hashed with 1000 times inner loop
◦ produces 128-bit hash
 OpenBSD uses Blowfish block cipher based
hash algorithm called Bcrypt
◦ uses 128-bit salt to create 192-bit hash value
 dictionary attacks
◦ try each word then obvious variants in large
dictionary against hash in password file
 rainbow table attacks
◦ precompute tables of hash values for all salts
◦ a mammoth table of hash values
◦ e.g. 1.4GB table cracks 99.9% of alphanumeric
Windows passwords in 13.8 secs
◦ not feasible if larger salt values used
 users may pick short passwords
◦ e.g. 3% were 3 chars or less, easily guessed
◦ system can reject choices that are too short
 users may pick guessable passwords
◦ so crackers use lists of likely passwords
◦ e.g. one study of 14000 encrypted passwords
guessed nearly 1/4 of them
◦ would take about 1 hour on fastest systems to
compute all variants, and only need 1 break!
 can block offline guessing attacks by
denying access to encrypted passwords
◦ make available only to privileged users
◦ often using a separate shadow password file
 still have vulnerabilities
◦ exploit O/S bug
◦ accident with permissions making it readable
◦ users with same password on other systems
◦ access from unprotected backup media
◦ sniff passwords in unprotected network traffic
 clearly have problems with passwords
 goal to eliminate guessable passwords
 whilst still easy for user to remember
 techniques:

◦ user education
◦ computer-generated passwords
◦ reactive password checking
◦ proactive password checking
 rule enforcement plus user advice, e.g.
◦ 8+ chars, upper/lower/numeric/punctuation
◦ may not suffice
 password cracker
◦ time and space issues
 Markov Model
◦ generates guessable passwords
◦ hence reject any password it might generate
 Bloom Filter
◦ use to build table based on dictionary using
hashes
◦ check desired password against this table
 Objects that a user possesses to
authenticate, e.g.
◦ embossed card.
◦ magnetic stripe card
◦ memory card
◦ smartcard
 store but do not process data
 magnetic stripe card, e.g. bank card
 electronic memory card
 used alone for physical access
 with password/PIN for computer use
 drawbacks of memory cards include:
◦ need special reader
◦ loss of token issues
◦ user dissatisfaction
 credit-card like
 has own processor, memory, I/O ports

◦ wired or wireless access by reader


◦ may have crypto co-processor
◦ ROM, EEPROM, RAM memory
 executes protocol to authenticate with
reader/computer
 also have USB dongles
 authenticate user based on one of their
physical characteristics
 authentication over network more complex
◦ problems of eavesdropping, replay
 generally use challenge-response
◦ user sends identity
◦ host responds with random number
◦ user computes f(r,h(P)) and sends back
◦ host compares value from user with own
computed value, if match user authenticated
 protects against a number of attacks
 client attacks
 host attacks
 eavesdropping
 replay
 trojan horse
 denial-of-service
 introduced user authentication
◦ using passwords
◦ using tokens
◦ using biometrics
 remote user authentication issues
 example application and case study
Slides are From

Chapter 3 – User Authentication


First Edition
by William Stallings and Lawrie
Brown

Lecture slides by Lawrie Brown


 Find GCD(120,27) using Euclidian Algorithm

You might also like