76 terms

CS356 Chapter 3

User Authentication

User Authentication
The process of verifying an identity claimed by or for a system entity
Steps in the authentication process:
Identification step
Presenting an identifier to the security system
Verification step
Presenting or generating authentication information that corroborates the binding between entity and identifier.
What are the four means for authenticating a user's identity:
individual knows
individual possesses
static biometrics (individual is)
dynamic biometrics (individual does)
What are examples of something an individual knows?
password, PIN, prearranged set of questions
What are examples of something an individual possesses?
electronic keycards, smart cards, physical keys (these are called tokens)
What are examples of something an individual is?
recognition by fingerprint, retina, face, hand architecture
What are examples of something an individual does?
recognition by voice pattern, handwriting characteristics, typing rhythm
What ways does a password provide security?
authenticates the ID of the individual logging on to the system
What ways does the ID provide security?
1. determines whether a user is authorized to gain access to the system
2. determines privileges accorded to the user.
What is discretionary access control
assignment and subsequent propagation of all privileges associated with an object are controlled by the owner of that object and/or the principals whose authority can be traced back to the owner. This is a way IDs can be used to control access to files/directories.
What are the eight password attack strategies:
Offline dictionary attack
Specific account attack
Popular password attack
Password guessing against a single user
Workstation hijacking
Exploiting user mistakes
Exploiting multiple password use
Electronic monitoring
What is an offline dictionary attack?
A hacker can bypass such controls and gain access to the system's password file, then compare the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access with that ID/password combination.
What are countermeasures to an offline dictionary attack?
additional controls to prevent access
intrusion detection measures
rapid reissuance of passwords upon compromise
What is a specific account attack?
targets a specific account and submits guesses until correct password identified
What are countermeasures to a specific account attack?
account lockout mechanisms. Typical practice is no more than five access attempts
What is a popular password attack?
variation of specific password attack. Use a popular password and try it against a wide range of user IDs
What are countermeasures to a popular password attack
1. policies to inhibit the selection by users of common passwords
2. scanning IP addresses of authentication requests
3. client cookies for submission passwords
What is password guessing against a single user
attacker attempts to gain knowledge about the account holder and system password policies and uses that information to guess the password
What are countermeasures to password guessing against a single user
intelligent password education. Policies include secrecy, minimum lengths, character set, length of time before password is changed
What is workstation hijacking?
attacker waits until a logged in workstation is unattended
What are countermeasures to workstation hijacking?
1. automatically logging the workstation out after a period of inactivity.
2. Intrusion detection schemes used to detect changes in a user's behavior
What does exploiting user mistakes mean?
optimizing on a user that writes a password down, shares a password, reveals a password through social engineering, not changing a preconfigured password
What are countermeasures against exploiting user mistakes?
user training, intrusion detection, simpler passwords, combined with another authentication mechanism
What is not a countermeasure against electronic monitoring?
Simple encryption - an encrypted password can still be observed and reused by an attacker
What is electronic monitoring?
What three purposes does a salt value provide?
1. prevents duplicate passwords from being visible in the password file
2. greatly increases the difficulty of offline dictionary attacks
3. becomes almost impossible to find out if a user reuses passwords on multiple systems
What are inputs to a hashing algorithm
Is the hashing algorithm designed to be fast or slow?
Designed to be slow to thwart attacks
What kind of attacks has the hashed-password method been shown to be secure against?
cryptanalytic attacks - it multiplies the number of guesses that must be checked
What two things are stored in the password file?
the hashed password
plaintext copy of the salt
What are the two threats to the UNIX password scheme?
1. user gains access using a guest account or some other means and then runs a password guessing program
2. attacker obtains a copy of the password file and runs a cracker program on another computer
What is the recommended hash function for several UNIX systems?
MD5 secure hash algorithm
What does the MD5 crypt routine use?
1. salt up to 48 bits
2. a password with no limitations on length
produces a 128 bit hash value and uses an inner loop with 1000 iterations
What is the most secure version of the UNIX hash/salt scheme?
Uses a hash function based on the Blowfish symmetric block cipher. Allows passwords up to 55 characters in length. Requires random salt of 128 bits. Produces a 192-bit hash value
password cracking approaches
1. large dictionary
2. rainbow table - precompute potential hash values
What are problems with user password choices?
1. password length
2. picking a password that is their name, their street name, a common dictionary word
shadow password file
a system file in which encrypted user passwords are stored so that they are not available to people trying to break the system
What are the four password selection techniques
1. User education
2. Computer-generated passwords
3. Reactive password checking
4. Proactive password checking
Reactive password checking
System periodically runs its own password cracker to find guessable passwords
Proactive password checking
User picks own password but at time of selection the system checks to see if password is allowable.
What are approaches to proactive password checking?
1. Rule enforcement
2. Password cracker
3. Bloom Filter
Password Cracker
compiles a large dictionary of possible "bad" passwords and checks this with the user's password
What are the two problems with the Password Cracker
1. Space- dictionary must be large to be effective
2. Time
Bloom Filter
The Bloom filter is a space-efficient, probabilistic data structure. It is generally seeded with a list of common passwords. A hash table of N bits is defined and each entry is initially set to 0. For each password, its k hash values are calculated and the corresponding bits in the table are set to 1. When a user chooses a password, its hash values are calculated and if the corresponding entries are already set to 1, the password is rejected. False positives can make it hard for users to choose passwords even if they're unique.
What are the types of cards used as tokens?
1. Embossed (Old credit card)
2. Magnetic stripe (Bank card)
3. Memory (Prepaid phone card)
4. Smart Contact/Contactless (Biometric ID card)
memory card
stores but doesn't process data
can include an internal electronic memory
drawbacks to a memory card
Requires a special reader
Token loss
User dissatisfaction
Smart Card physical characteristics
embedded microprocessor
includes calculators, keys, other small portable characteristics
What is the purpose of a smart token?
Provide means of user authentication
What are the authentication protocols used with smart tokens?
1. Static
2. Dynamic password generator
3. Challenge-response
Static protocol
authentication protocol.
user authenticates him/herself to the token and then the token authenticates the user to the computer
Dynamic password generator
authentication protocol
token generates a unique password periodically. The password can be entered manually or electronically via the token
Challenge response
authentication protocol
computer system generates a challenge (random string of numbers) and the smart token generates a response based on the challenge.
Does a smart card contain an entire microprocessor?
Yes. It has a processor, memory, and I/O ports
Types of memory in a smart card
1. read only (ROM) (card number, cardholders name)
2. Electronically erasable programmable ROM (application data and programs)
3. random access
Physical characteristics used in biometric authentication
1. Facial characteristics
2. Fingerprints
3. Hand geometry
4. Retinal pattern
5. Iris
6. Signature
7. Voice
Does the concept of accuracy apply to user authentication schemes that use smart cards or passwords?
Steps of a biometric authentication system?
verification or identification
Biometric authentication - verification
user enters a PIN and uses a biometric sensor
Biometric authentication - identification
only uses the biometric sensor
false match
When the algorithm classifies as genuine an actual impostor comparison.
false nonmatch
When the algorithm classifies as impostor an actual genuine comparison.
challenge response protocol
user first transmits his or her identity to the remote host. Host generates a random number (nonce) and returns nonce to the user. Host specifies two functions h() and f() (function that combines the h(user password) with the random number) to be used in the response. When the response arrives the host compares the user's f(r, h(P(U))) to a calculated one to see if they match.
What is the challenge in the challenge response protocol?
the transmission of the nonce, and two functions h() (the hash function for the user's password) and f() used in the response
Security issues for user authentication
Client attacks
Host attacks
Trojan horse
Denial of service
Client attacks
attacker attempts to achieve user authentication without access to the remote host or an intervening system. attacker attempts to masquerade as a legitimate user
Countermeasures against client attacks
lengthy/unpredictable password
limit number of attempts
a physical token
Host attacks
directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
attempting to discover the password by observing the user, finding a written copy, or similar attacks that involve physical proximity. malicious hardware or software to capture user's keystrokes for later analysis
involves an adversary repeating a previously captured user response
Countermeasures against Replay
challenge-response protocol
Trojan horse
application or physical device masquerades as an authentication application or device for the purpose of capturing a password
Denial of service
attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Countermeasure against denial of service attack
multifactor authentication protocol that includes a token