A Negative Authentication System 1

Dipankar Dasgupta, Department of Computer Science, The University of Memphis, Memphis, TN, dasgupta@memphis.edu
Rukhsana Azeem, Department of Computer Science, The University of Memphis, Memphis, TN, razeem2@memphis.edu

ABSTRACT
This work explores a new paradigm in user authentication for access control, intended to improve the security of computer systems. Most authentication systems use password data (self-id) to identify legitimate users, which is referred to as Positive Identification (PI). Specifically, these systems keep a password profile containing the passwords of all users authorized to access the system (or server). The negative counterpart (the non-self, or anti-password, space) consists of all strings that are not in the password database; this is the space an attacker explores with password-guessing or password-cracking tools. Although this Anti-Password (Anti-P) space is very large, our technique uses a form of implicit clustering to generate a small set of Anti-P detectors that cover this guessing space. The developed system shows that by examining Anti-Password clusters it is possible to decide whether a submitted credential lies in the password database they complement, while it remains hard (if not impossible) to recover any individual password even if the Anti-P detectors are compromised. As a result the technique can filter out illegitimate users (hackers, crackers, etc.) before the positive password verification system is ever reached. It thus provides a robust way of immunizing authentication systems (local, remote or online) by adding a layer of protection that is invisible to the user.

Keywords: Secure Authentication, Password Attacks, Positive Identification, Negative Selection.
1. INTRODUCTION

1.1 Identification and Authentication
The central question in authenticating a user is: how do we, as people, identify ourselves to a machine [1]? Recognizing a user takes two steps: identification, in which the user presents some form of profile or identifier, and verification, in which the system checks that the claimed identity is valid, usually by means of a user password at logon time. Figure 1 illustrates the steps of the authentication process.

Figure 1: User Authentication Process [5].

Each user password is stored not in the clear but as the output of a cryptographic hash function. Hashing takes an input string of any length and produces a bit string of fixed length (the hash) at the output. It has two main characteristics: even a minor modification of the input string changes the output hash value, and it is practically impossible to recover the input string from the hash value (the function is one-way) [2, 7, 8].

Footnote 1: This paper provides implementation details of the concepts described in the unpublished technical report by D. Dasgupta, Password Immunizer: A Bio-Inspired Approach for User Authentication, Technical Report No. CS, January 12, 2007 (revised April 15, 2007), The University of Memphis.

1.2 Security Issues in Authentication
One of the key areas of computer security research is strong authentication, i.e. determining whether a user should be allowed access to a given system or resource. In many cases a lack of proper authentication is what lets an intruder in [16, 17]. Once attackers gain access to a system they can do a great deal of harm: launch distributed denial-of-service attacks, deface web sites, steal personal or financial information, make fraudulent purchases, and so on. Passwords (together with user ids) play the major role in authenticating users and processes; they must always be accessible for authentication to work, yet they must also be kept secure. Many approaches have been developed for positive identification of a legitimate user, including strong static passwords, one-time passwords, dynamic passwords and pass phrases. A pass phrase is used like a password but is deliberately long (a sequence of words or other text) for added security.

2. TECHNIQUES USED TO GAIN UNAUTHORIZED ACCESS
Exploitation of passwords (user accounts) is one of the largest issues in cyber security because it is an easy way to gain unauthorized access. Password cracking, the process of recovering or bypassing the password that secures a network, system or resource, with or without the help of tools, is the single most widespread form of attack. Many factors make password cracking possible: human factors such as short or easily guessed passwords, the use of weak (proprietary) algorithms, export restrictions that prohibit the use of strong cryptography, incorrect use of strong algorithms, and implementation flaws such as backdoors and bugs. Common password cracking techniques include the brute-force attack [26], the dictionary attack [27] and the hybrid attack [28].
A combination of two or more of the above attacks is known as a "syllable attack". It is used when the password is a deformed or non-existent word, and the cracker combines syllables to reach such a word. The most powerful is the "rule-based attack", which applies when the cracker has some information about the password being cracked. For example, knowing that the password consists of a word followed by a one- or two-digit number, the cracker writes a rule and the program generates only candidates of that shape (user1, mind67, snapshot99, etc.). Finally, some weak algorithms allow a "known-plaintext attack": the cracker has some files or file fragments in unencrypted form and wants to decrypt others. Strong cryptographic algorithms resist this attack; knowledge of an unencrypted file gives the cracker nothing.

2.1 Password Cracking Tools
Password cracking tools are a major security threat because they let attackers gain access to a system and carry out harmful activities. These tools recover passwords or otherwise disable password protection (for example, decrypting a file without knowing its password). If the password protection mechanism relies on weak encryption, it may be possible to recover the original password or to pick a new one that the system accepts as correct. Examples of available password cracking tools [29] include John the Ripper, THC Hydra, RainbowCrack, Brutus and L0phtCrack.

2.2 Existing Methods for Securing User Authentication
Many techniques have been developed to make authentication systems secure and robust [24], for example the personal identification number (PIN), security tokens (also called hardware tokens [6], authentication tokens or cryptographic tokens), password managers, one-time passwords [4], single sign-on (SSO), the Challenge Handshake Authentication Protocol (CHAP) [3], callback, and graphical passwords [9, 21, 22].
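The dictionary, hybrid and rule-based attacks described in Section 2, as an added Python example that is not from the paper. The password file, word list and mangling rules are constructed for the illustration; the file layout (user name plus unsalted MD5 of the password) is the one the paper's Phase 1 uses later.

```python
"""Dictionary, hybrid and rule-based guessing against a 'username:md5(password)' file.

Added illustration, not the paper's code. The password file, word list and rules are
constructed; the hash format (unsalted MD5) follows the paper's Phase 1 layout.
"""
import hashlib
import itertools


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed sample file: three accounts stored as MD5 of the password, no salt.
PASSWORD_FILE = {
    "alice": md5_hex("snapshot99"),                    # word + two digits
    "bob": md5_hex("Mind67"),                          # capitalised word + two digits
    "carol": md5_hex("correct horse battery staple"),  # long pass phrase
}

# Constructed word list; a real attack would use a list of millions of entries.
WORDLIST = ["user", "mind", "snapshot", "password", "letmein"]

# Mangling rules of the kind a cracker writes once it knows something about the target.
RULES = [
    str.capitalize,
    str.upper,
    lambda w: w[::-1],
    lambda w: w.replace("a", "@").replace("s", "$"),
]


def dictionary_guesses(words):
    """Dictionary attack: try every word exactly as listed."""
    yield from words


def hybrid_guesses(words, max_digits=2):
    """Hybrid attack: every word with one or two digits appended (user1, mind67, snapshot99)."""
    for word in words:
        for n in range(1, max_digits + 1):
            for digits in itertools.product("0123456789", repeat=n):
                yield word + "".join(digits)


def rule_based_guesses(candidates, rules):
    """Rule-based attack: apply each mangling rule to each candidate. Fed with hybrid
    candidates this combines two attacks, which the paper calls a syllable attack."""
    for cand in candidates:
        for rule in rules:
            yield rule(cand)


def crack(password_file, candidates):
    """Hash each guess once and look it up against all stored hashes. Because the file is
    unsalted, one MD5 per guess tests every account at the same time."""
    users_by_hash = {}
    for user, digest in password_file.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked, tried = {}, 0
    for guess in candidates:
        tried += 1
        for user in users_by_hash.get(md5_hex(guess), []):
            cracked.setdefault(user, guess)
        if len(cracked) == len(password_file):
            break  # nothing left to crack
    return cracked, tried


def run_attacks(password_file=PASSWORD_FILE, words=WORDLIST):
    """Run the three attack styles; returns {name: (cracked accounts, guesses hashed)}."""
    attacks = {
        "dictionary": dictionary_guesses(words),
        "hybrid": hybrid_guesses(words),
        "rule+hybrid": rule_based_guesses(hybrid_guesses(words), RULES),
    }
    return {name: crack(password_file, gen) for name, gen in attacks.items()}


if __name__ == "__main__":
    for name, (cracked, tried) in run_attacks().items():
        print(f"{name:12s} guesses={tried:5d} cracked={cracked}")
```

A few thousand hashes recover the two word-plus-digits passwords and leave the long pass phrase untouched, and because the file is unsalted each hash is compared against every account at once. The point that matters for the rest of the paper is that the guesses a cracker actually tries occupy a tiny, structured region of the 2^128 MD5 output space, and it is that region the Anti-P detectors are meant to cover.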
All of these approaches use the positive identification database directly during the authentication process. This is dangerous: the password information table could be read or altered by an intruder, and an intruder could also append a new id and password to the table [23]. In fact, most security penetrations occur when the security validation information is exposed in some way.

3. AN IMMUNITY-BASED NEGATIVE IDENTIFICATION APPROACH
One of the important features of the biological immune system is its use of negative detection, in which "self" is represented (approximately) by the set of circulating lymphocytes that fail to match self. This suggests the idea of a negative representation, in which a set of data elements is represented by its complement: all the elements not in the original set are represented, and the data itself is not explicitly stored (a negative database [19, 20]). This representation has interesting information-hiding properties when privacy is a concern and seems well suited to password attack detection. Studies show that negative information can be represented efficiently, even though the negative image will typically be much larger than the positive image.

The central question in authenticating a user is again: how do we, as users, identify ourselves to a machine? In Hindu philosophy, in saying "I am not this; no, nor am I this, nor this," that which then remains is a pure awareness of I. Existing authentication systems (password, biometric, etc.) use positive identification data directly during authentication, which leaves them vulnerable to attack. The proposed approach first checks the Password Immunizer system (negative authentication) before any positive verification during the logon process. This can eliminate brute-force attacks on the password database, because illegitimate users (hackers, crackers) are filtered out before they reach the positive password verification system, providing an additional layer of protection that is invisible to the user.

3.1 Generic Negative Selection Algorithm
The biological immune system is an intricate network of specialized tissues, organs, cells and chemicals with the ability to distinguish entities within the body as self or non-self and to eliminate those that are non-self. The Negative Selection Algorithm (NSA) is one example of importing ideas from immunology into computational models. It is based on the principle of self/non-self discrimination, analogous to the censoring process of T-cell maturation in the immune system. Figure 2 shows the concept of self and non-self space.

Figure 2: The basic concept of the Negative Selection Algorithm (NSA). Self (passwords) is shown as green shapes; the non-self (anti-password) space is covered by circles representing detectors (Anti-Ps) [10, 12].
The negative selection algorithm can be summarized as follows (adapted from [13]):
1. Define self as a collection P of elements in the password space U, the collection that needs to be protected. For instance, if U is the password space (represented by encrypted alphabets and determined by the crypto/hash function in use), P is the subset of passwords in use by the system's users.
2. Generate a set Anti-P of detectors, each of which fails to match any string in P. An approach that mimics the immune system generates random detectors and discards those that match any element of the self set P. A more efficient approach [15] tries to minimize the number of generated detectors while maximizing the coverage of the non-self space.
3. Check every login request against the Anti-P detectors. If any detector matches, the entered password is not correct, since the Anti-P detectors are constructed never to match any element of P.

The above description is very general and says nothing about the representation of the problem space or the matching rule used. It is clear, however, that the algorithmic complexity of generating good detectors can vary significantly, depending on the Anti-P detector representation scheme and on the rule that determines whether an Anti-P detector matches a user entry. Most research on the NSA has been restricted to binary matching rules such as r-contiguous bits [14], because they are simple to use and efficient generation algorithms exist that exploit the simplicity of the binary representation and its matching rules. However, scalability issues have prevented the binary form from being applied more widely.

4. NEGATIVE AUTHENTICATION SYSTEM: IMPLEMENTATION DETAILS
This work uses negative selection for user authentication, i.e. for filtering out invalid users, which should improve the security posture of user authentication systems.
Most authentication systems use the user dataset (the self space) to identify legitimate users, which is called Positive Identification (PI). Because the password database holds highly sensitive personal information, it should be kept in a protected place and every access to it needs to be carefully monitored. The proposed system works on the premise that a user is first checked against the negative image of the password dataset rather than against the dataset itself. Figure 3 shows the resulting multi-layered authentication system, in which every access request goes through negative authentication before any positive verification.

Figure 3: Overview of the multi-layered authentication system, where every access request is first checked by negative authentication before any positive verification.

The Anti-Ps are generated in a highly secured area and then distributed to the Anti-P system that performs negative authentication. When a user enters credentials they are first checked against the bad passwords (Anti-Ps) and only then sent on for positive verification. Figure 4 shows the internal structure of the Anti-P system, illustrating the generation of Anti-Password detectors in a two-dimensional space. Figure 5 summarizes the phases of the Anti-P generation process, and Figure 6 gives the flow chart for generating Anti-Ps and validating user entries against them. The generation process accepts a complete password file, converts it into 4-dimensional data normalized between 0 and 1, and stores this self file for use in generating the non-self detectors (Anti-Ps). The validation process accepts a single user name and password from the user interface and preprocesses them in the same way before checking against the generated Anti-Ps.

Figure 4: Internal structure of the Anti-P system.

Figure 5: Different phases of Negative Authentication.

Figure 6: Flow chart for generation of detectors (Anti-Ps) and validation against Anti-Ps.

Phase 1: Password file (data collection). Each entry in the password file represents one account and has the format username:hash, i.e. the user name and the hash value of the password separated by a colon.

Phase 2: Preprocessing.
Step 1: Each entry in the password file is rehashed with the same MD5 hash function, so the file now consists of MD5 values of the user name and password-hash entries, each a 32-character hexadecimal string (128 bits).
Step 2: Each hash is then parsed into a 4-dimensional representation and each dimension converted to a decimal value. The data is normalized so that the actual values are scaled into the range [0.0, 1.0] using the maximum and minimum of each dimension in the data set, widened by 20% on each side. Any value above the defined maximum or below the defined minimum is clipped to 1.0 or 0.0, respectively.

Phase 3: Anti-P generation. A real-valued negative selection algorithm (RNS) [18, 25] is used to generate the Anti-Ps. This algorithm uses only one class (the passwords) to generate detectors for the complementary class (the Anti-Ps). The work applies an evolutionary approach, a niching GA [30], to generate Anti-P detectors from the given password profile (database). The goal of the niching GA is to evolve a set of Anti-Ps that cover the non-self space. The iterative process in Figure 7 generates a set of Anti-Ps driven by two main goals:
1. an Anti-P must not overlap with self, and
2. the Anti-Ps should be as large as possible and kept separate from each other, in order to maximize coverage of the non-self space.
The niching GA runs multiple times to generate different Anti-Ps covering the entire non-self region. Each run generates a new Anti-P covering a portion of the non-self region while modifying its raw fitness according to its overlap with the previously selected Anti-Ps.

Figure 7: The RNS pseudo-code for Anti-P generation.

5. EXPERIMENTS AND RESULTS
This work uses an immunological approach to build a Negative Authentication system that improves authentication and authorization by checking the validity of users in a novel way and tries to prevent unauthorized access to computing devices. Figure 8 shows the user interface developed for the Negative Authentication system.

Figure 8: The User Authentication Interface.
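The three phases above (password file, preprocessing into normalized 4-D points, Anti-P generation) together with the login check of Section 3.1, as an added Python example that is not the paper's code. It replaces the niching GA with the simpler scheme the paper also describes, random detector generation with censoring of any candidate that touches self, using variable-radius hyperspheres. The split of the MD5 digest into four 8-hex-digit fields, the rehashing of the whole username:hash line, the self radius of 0.05 and the sample accounts are assumptions or constructed data.

```python
"""Negative authentication with real-valued negative selection over 4-D hash points.

Added illustration, not the paper's code: the paper's Phases 1-3 with random generation of
variable-radius hypersphere detectors (discarded when they touch self) in place of the
niching GA. Assumed: the whole 'username:hash' line is rehashed, the 32 hex digits are
split into four 8-digit fields, and a self radius of 0.05 keeps detectors off stored credentials.
"""
import hashlib
import math
import random

DIMS = 4
SELF_RADIUS = 0.05  # assumed minimum gap between any detector and any self point
MARGIN = 0.20       # the paper's +/-20% widening of each dimension's min/max

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def entry_to_raw_point(username, password_hash):
    """Phase 2, steps 1-2: rehash the 'username:hash' entry with MD5, then read the 32 hex
    digits as four 8-digit unsigned integers (assumed split)."""
    digest = md5_hex(f"{username}:{password_hash}")
    return tuple(int(digest[8 * d:8 * d + 8], 16) for d in range(DIMS))

def fit_bounds(raw_points):
    """Per-dimension min/max of the self data, widened by MARGIN on both sides."""
    bounds = []
    for d in range(DIMS):
        values = [p[d] for p in raw_points]
        lo, hi = min(values), max(values)
        pad = MARGIN * (hi - lo)
        bounds.append((lo - pad, hi + pad))
    return bounds

def normalize(raw_point, bounds):
    """Scale into [0, 1]; anything outside the bounds is clipped to 0.0 or 1.0."""
    return tuple(min(1.0, max(0.0, (v - lo) / ((hi - lo) or 1.0)))
                 for v, (lo, hi) in zip(raw_point, bounds))

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def generate_anti_p(self_points, rng, max_detectors=200, stop_streak=50, max_draws=20000):
    """Real-valued negative selection. Draw a random centre: inside an existing detector it
    counts as covered; within SELF_RADIUS of self it is discarded (the censoring step);
    otherwise its radius grows until it just touches the nearest self point. Generation
    stops after `stop_streak` consecutive covered draws, a cheap estimate of high coverage."""
    detectors = []  # (centre, radius) hyperspheres
    covered_in_a_row = 0
    for _ in range(max_draws):
        if len(detectors) >= max_detectors or covered_in_a_row >= stop_streak:
            break
        centre = tuple(rng.random() for _ in range(DIMS))
        if any(distance(centre, c) <= r for c, r in detectors):
            covered_in_a_row += 1
            continue
        covered_in_a_row = 0
        radius = min(distance(centre, s) for s in self_points) - SELF_RADIUS
        if radius <= 0:
            continue  # candidate matches self: censored, never becomes an Anti-P
        detectors.append((centre, radius))
    return detectors

def matches_anti_p(point, detectors):
    return any(distance(point, c) <= r for c, r in detectors)

class NegativeAuthenticator:
    """Holds only the normalisation bounds and the Anti-P set, never the password file."""

    def __init__(self, password_file, seed=7):
        raw = [entry_to_raw_point(u, h) for u, h in password_file]
        self.bounds = fit_bounds(raw)
        self_points = [normalize(p, self.bounds) for p in raw]
        self.detectors = generate_anti_p(self_points, random.Random(seed))

    def rejects(self, username, password):
        """True: an Anti-P matched, drop the request before positive verification.
        False: no Anti-P matched, pass the request on to positive verification."""
        point = normalize(entry_to_raw_point(username, md5_hex(password)), self.bounds)
        return matches_anti_p(point, self.detectors)

# Constructed sample accounts (not real data); SELF_FILE is their 'username:md5' form.
SAMPLE_USERS = [("alice", "snapshot99"), ("bob", "Mind67"), ("carol", "r3d-Sp@rrow"),
                ("dave", "qwerty123"), ("erin", "correct horse battery staple"),
                ("frank", "Tr0ub4dor&3"), ("grace", "hunter2"), ("heidi", "P@ssw0rd!")]
SELF_FILE = [(u, md5_hex(p)) for u, p in SAMPLE_USERS]

def evaluate(users=SAMPLE_USERS, guesses=200, seed=7):
    """False alarms on self (0 by construction) and detection rate on constructed wrong guesses."""
    auth = NegativeAuthenticator([(u, md5_hex(p)) for u, p in users], seed)
    false_alarms = sum(auth.rejects(u, p) for u, p in users)
    rng = random.Random(seed + 1)
    detected = sum(auth.rejects(users[i % len(users)][0], f"guess{rng.randrange(10 ** 6)}")
                   for i in range(guesses))
    return {"detectors": len(auth.detectors), "false_alarms": false_alarms,
            "detection_rate": detected / guesses}

if __name__ == "__main__":
    print(evaluate())
```

Running it prints the detector count, the false-alarm count on the stored accounts and the detection rate on 200 constructed wrong passwords. The false-alarm count is 0 by construction, because each radius is the distance to the nearest self point minus the self radius, which is exactly the property the paper relies on. Two caveats follow from the same construction: a credential that no Anti-P matches is not thereby valid, it is only passed on to positive verification; and because every rejection is a certain "not in the database", a stolen detector set lets an attacker prune guesses offline, so the Anti-P set needs the same protection as the hash file it stands in front of.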

4-dimensional password datasets are used for experimentation. The training file is the password file that needs to be secured; every password that does not belong to the training file counts as testing data. Different testing sets are prepared using n% of the training data, with n = 25, 50, 75, and (100 - n)% of testing data. The experiments were divided into two groups:
1. training password data sizes of 100 and 500, and
2. training password data sizes of 200, 400, 600 and 800.
All results shown in the figures are averages over 10 repeated experiments. Detection rate and false negative rate are defined as DR = TP / (TP + FN) and FNR = FN / (Max FN), respectively, where TP, FN, FP and TN are the counts of true positives, false negatives, false positives and true negatives.

Criteria used for the data sizes 100 and 500:
- For a given training data set, find the trend of detection rate against detector set size.
- For detector set sizes suited to the various data sizes, find the trend of the collective detection rate (obtained by averaging over a selected number of runs, e.g. 10) against the collective false negative rate, to analyze the overall behavior of different detector set sizes.
- For a given training data set and a suitable detector set size, find how the detection rate varies over a series of runs (e.g. 10). This is to scrutinize detection stability.

Results analysis:

Figure 9: ROC curve between false negative rate and detection rate for the dataset of size 100 with 100% of the testing data (detector set sizes including #D = 70 and #D = 100; axes: FN rate against DR).

Figure 10: ROC curve between false negative rate and detection rate for the dataset of size 500 with 100% of the testing data (detector set sizes including #D = 200 and #D = 450; axes: FN rate against DR).

Figures 9 and 10 display the detection rates for the data sizes 100 and 500 for the various detector set sizes against the corresponding FN rates. The curves indicate that the variation is gradual. Each individual plot shows the trend of DR against FN rate for a given (suitably selected or achieved) detector set size, and the trend shows stable detection performance. Figure 11 summarizes the detection results as the detector set size varies for the dataset of size 100 with 100% of the testing data (average detection rate ADR and average false negative rate AFN against detector set size).

Figure 11: Summary of detection results with variation of detector set size for the dataset of size 100 with 100% of the testing data.

Figure 12: Summary of detection results with variation of detector set size for the dataset of size 500 with 100% of the testing data (ADR and AFN against detector set size).

Figure 13: Summary of detection results with variation of detector set size for datasets of size 200, 400, 600 and 800 with 25%, 50% and 75% of the testing data (detector set size #D and ADR against data size).

Figure 12 shows three suitable detector set sizes with their average detection and false negative rates; it indicates that increasing the size (suitably distributed, since each point is an average of 10 runs) has a near-proportional effect on detection rate and an inversely proportional effect on FN rate.

Criteria used for the data sizes 200, 400, 600 and 800:
I. For a given training data set, several testing sets containing 25%, 50% and 75% of the actual self were used to test a good detector set in each case and analyze the FN rate, in order to check how well the detectors differentiate self.
II. For the available data sizes, find the trend of detector set size and overall detection rate (including mean, best and worst cases). This is to analyze the effect of different password data sizes (in gradual increments) on several performance metrics.

Figure 13 summarizes the detection results as the detector set size varies for datasets of size 200, 400, 600 and 800 with 25%, 50% and 75% of the testing data, and Figure 14 summarizes the mean, best and worst detection rates for the same datasets and testing percentages.

Figure 14: Summary of detection results with mean, best and worst detection rate for datasets of size 200, 400, 600 and 800 with 25%, 50% and 75% of the testing data (average, maximum and minimum DR against data size).

Table 1: Mean results using RNS on password data. Columns: password file size, detector set size #D, and false alarm rate (FA) and detection rate (DR) for each percentage of training data (25%, 50% and 75%).

Table 2: Mean, best and worst detection rates for the runs in Table 1. Columns: password file size, then minimum, maximum and mean detection rate for 25%, 50% and 75% of training data.

Because the password data is essentially random, the detectors are generated randomly to meet the criteria of total non-self coverage and no overlap with self; as the data size increases, it is observed that the detectors generated become smaller in order to satisfy the coverage requirement. The complete training set is used to generate the Anti-P space. The generation process ensures that no self element (i.e. no valid credential) is covered by an Anti-P, so a valid user is never filtered out by the Anti-P system. Therefore the false alarm rate is always 0.

6. SUMMARY
Authentication plays an important role in security and privacy, since it is the secure identification of system users. Existing authentication systems (password, biometric, etc.) use positive identification data directly during the authentication process, which leaves them vulnerable to attacks on password servers. This work developed a negative authentication system (password immunizer), a novel approach to eliminating brute-force attacks on password databases and servers. The password immunizer first checks for negative authentication before any positive verification during the logon process. The Anti-P system can thus filter out illegitimate users (hackers, crackers, etc.) before they reach the positive password verification system, providing an additional layer of protection that is invisible to the user. While this new approach can block all types of password guessing, it cannot tell whether someone is using a stolen password; that requires active monitoring of user activities.
The password immunizer not only advances our knowledge of next-generation authentication systems but also shows how lessons from the biological defense system can be applied to building a secure password protection system. Like most authentication systems, the proposed technique offers no resistance to shoulder surfing (simply watching a user log in) or to logins with stolen passwords. These can only be detected by monitoring user activity, which is not the focus of this work. Future research will focus on an incremental detector generation process for the addition and deletion of users in the system. The research will continue by integrating the built prototype with the current authentication system and testing its performance. The Password Immunizer provides strong logging capabilities, which were tested as a prototype in a Windows environment; a further extension would be to implement it on other operating systems. At present this is a single-user authentication system; after evaluation of the current architecture the working group will focus on extending it to a multi-user (network) authentication system. The long-term goal is to encourage developers to build privacy and security protections into current authentication systems, which could help minimize the exposure of sensitive information. As intruders keep discovering new ways to break in, user authentication systems should be flexible and intelligent enough to withstand both known and unknown password attacks, and this bio-inspired system can provide a robust solution for immunizing any authentication system.

7. REFERENCES
[1] S. T. Kent and L. I. Millett (Eds.). Who Goes There? Authentication Through the Lens of Privacy. Committee on Authentication Technologies and Their Privacy Implications, National Research Council.
[2] UNIX authentication (online resource).
[3] CHAP: Challenge Handshake Authentication Protocol Overview (RFC 1994).
[4] One Time Passwords (online resource, accessed April 3, 2007).
[5] Advanced Operating System Internals: Windows logon process (online resource).
[6] RSA: AN_PB_0706.pdf.
[7] Cisco Systems: RSA SecurID User Authentication for Cisco Aironet Wireless LAN, Ref: AN_PB_0706.pdf.
[8] A. Rao. Inception of Relation-based User Authentication System Coupled with User Behavior Analysis. Manipal Institute of Technology, Manipal, Karnataka, India.
[9] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, N. Memon. Authentication Using Graphical Passwords.
[10] S. Balachandran, D. Dasgupta, F. Nino, D. Garrett. A Framework for Evolving Multi-Shaped Detectors in Negative Selection. Computer Science Department, University of Memphis.
[11] B. Ives, K. Walsh, H. Schneider. The domino effect of password reuse. Communications of the ACM 47(4), 2004.
[12] D. Dasgupta, S. Forrest. An anomaly detection algorithm inspired by the immune system. In: D. Dasgupta (Ed.), Artificial Immune Systems and Their Applications, Springer-Verlag, 1999.
[13] D. Dasgupta, S. Forrest. Novelty Detection in Time Series Data using Ideas from Immunology. Proceedings of the 5th International Conference on Intelligent Systems, Reno, June 19-21 (Best Paper Award).
[14] D. Dasgupta (Ed.). Artificial Immune Systems and Their Applications. Springer-Verlag.
[15] D. Dasgupta, F. Gonzalez. An Immunity-Based Technique to Characterize Intrusions in Computer Networks. IEEE Transactions on Evolutionary Computation 6(3), June.
[16] D. Klein. A survey of, and improvements to, password security. UNIX Security Workshop II, Berkeley, Calif., USENIX Association, 1990.
[17] D. C. Feldmeier, P. R. Karn. UNIX password security - ten years later. Advances in Cryptology - CRYPTO '89, LNCS 435, Springer, 1990, pp. 44-63.
[18] F. Gonzalez, D. Dasgupta. Anomaly Detection Using Real-Valued Negative Selection. Genetic Programming and Evolvable Machines 4, 2003.
[19] F. Esponda, E. S. Ackley, P. Helman, H. Jia, S. Forrest. Protecting Data Privacy through Hard-to-Reverse Negative Databases. Proceedings of the 9th Information Security Conference (ISC '06), Springer LNCS 4176, pp. 72-84, September.
[20] F. Esponda, E. S. Ackley, S. Forrest, P. Helman. On-line Negative Databases. International Journal of Unconventional Computing 1(3).
[21] J. Thorpe, P. van Oorschot. Towards Secure Design Choices for Implementing Graphical Passwords. 20th Annual Computer Security Applications Conference (ACSAC 2004), Dec. 6-10, 2004, Tucson, Arizona.
[22] J.-C. Birget, D. Hong, N. Memon. Graphical passwords based on robust discretization. IEEE Transactions on Information Forensics and Security 1(3), Sept. 2006.
[23] R. Morris, K. Thompson. Password security: a case history. Communications of the ACM 22, 1979.
[24] R. E. Smith. Authentication: From Passwords to Public Keys. Addison-Wesley, 2002.
[25] Z. Ji, D. Dasgupta. Real-Valued Negative Selection using Variable-Sized Detectors. Genetic and Evolutionary Computation Conference (GECCO 2004), Seattle, Washington, June 26-30, 2004.
[26] Brute force attack (online resource, accessed April 3, 2007).
[27] Dictionary attacks (online resource, accessed April 3, 2007).
[28] Hybrid attack (online resource, accessed April 3, 2007).
[29] Top 10 password cracker tools (online resource, accessed April 3, 2007).
[30] W. S. Mahfoud. A comparison of parallel and sequential niching methods. In L. J. Eshelman (Ed.), Proceedings of the 6th International Conference on Genetic Algorithms, Morgan Kaufmann, 1995.


More information

Keywords security model, online banking, authentication, biometric, variable tokens

Keywords security model, online banking, authentication, biometric, variable tokens Volume 4, Issue 11, November 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Authentication

More information

Intruders and Intrusion Detection. Mahalingam Ramkumar

Intruders and Intrusion Detection. Mahalingam Ramkumar Intruders and Intrusion Detection Mahalingam Ramkumar Intruders A significant issue for networked systems hostile or unwanted access either via network or local Classes of intruders: masquerader misfeasor

More information

SECURED PASSWORD MANAGEMENT TECHNIQUE USING ONE-TIME PASSWORD PROTOCOL IN SMARTPHONE

SECURED PASSWORD MANAGEMENT TECHNIQUE USING ONE-TIME PASSWORD PROTOCOL IN SMARTPHONE Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 3, March 2014,

More information

Authentication Using Grid-Based Authentication Scheme and Graphical Password

Authentication Using Grid-Based Authentication Scheme and Graphical Password Authentication Using Grid-Based Authentication Scheme and Graphical Password Vijayshri D. Vaidya 1 Department of Computer engineering SND COE & RC Yeola, India Imaran R. Shaikh 2 Department of Computer

More information

A Model to Restrict Online Password Guessing Attacks

A Model to Restrict Online Password Guessing Attacks A Model to Restrict Online Password Guessing Attacks Aqib Malik, Dr. Sanjay Jamwal Department of Computer Science, Baba Ghulam Shah Badshah University, Rajouri, J&K, India Abstract Passwords are a critical

More information

Intruders and Intrusion Detection. Mahalingam Ramkumar

Intruders and Intrusion Detection. Mahalingam Ramkumar Intruders and Intrusion Detection Mahalingam Ramkumar Intruders A significant issue for networked systems hostile or unwanted access either via network or local Classes of intruders: masquerader misfeasor

More information

Overview of Honeypot Security System for E-Banking

Overview of Honeypot Security System for E-Banking Prajakta Shirbhate, Vaishnavi Dhamankar, Aarti Kshirsagar, Purva Deshpande & Smita Kapse Department of Computer Technology, YCCE, Nagpur, Maharashtra, India E-mail : prajakta.2888@gmail.com, vaishnavi.dhamankar@gmail.com,

More information

FORTIFICATION AGAINST PASSWORD GUESSING ATTACKS IN ONLINE SYSTEM

FORTIFICATION AGAINST PASSWORD GUESSING ATTACKS IN ONLINE SYSTEM FORTIFICATION AGAINST PASSWORD GUESSING ATTACKS IN ONLINE SYSTEM V Anusha 1, T Lakshmi Priya 2 1 M.Tech Scholar (CSE), Nalanda Institute of Tech. (NIT), Siddharth Nagar, Guntur, A.P, (India) 2 Assistant

More information

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018 CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know

More information

International Journal of Electrical and Computer Engineering 4: Application of Neural Network in User Authentication for Smart Home System

International Journal of Electrical and Computer Engineering 4: Application of Neural Network in User Authentication for Smart Home System Application of Neural Network in User Authentication for Smart Home System A. Joseph, D.B.L. Bong, and D.A.A. Mat Abstract Security has been an important issue and concern in the smart home systems. Smart

More information

Graphical Password to Increase the Capacity of Alphanumeric Password

Graphical Password to Increase the Capacity of Alphanumeric Password Graphical Password to Increase the Capacity of Alphanumeric Password Gaddam Ramu Computer Science & Engineering. S.R.Engineering College, Warangal, Telangana, India. Goje Roopa(Asst.Prof) Computer Science

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras

Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture 09 Now, we discuss about the insecurity of passwords.

More information

Lecture 14 Passwords and Authentication

Lecture 14 Passwords and Authentication Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication

More information

Address for Correspondence 1 Associate Professor department o f Computer Engineering BVUCOE, Pune

Address for Correspondence 1 Associate Professor department o f Computer Engineering BVUCOE, Pune Research Article THREE DIMENSIONAL VIRTUAL ENVIRONMENT FOR SECURED AND RELIABLE AUTHENTICATION 1 Gauri Rao, 2 Dr. S.H. Patil Address for Correspondence 1 Associate Professor department o f Computer Engineering

More information

Authentication schemes for session password using color and special characters

Authentication schemes for session password using color and special characters Authentication schemes for session password using color and special characters Rohit Jagtap1, a, Vaibhav Ahirrao2,b Vinayak Kadam3,c Nilesh Aher4 1.Department of Computer Engineering, 2 Department of Computer

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 3 User Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown User Authentication fundamental security building

More information

KNOWLEDGE BASED AUTHENTICATION MECHANISM FOR SECURED DATA TRANSFER

KNOWLEDGE BASED AUTHENTICATION MECHANISM FOR SECURED DATA TRANSFER KNOWLEDGE BASED AUTHENTICATION MECHANISM FOR SECURED DATA TRANSFER R.T.Narmadha1, R.T.Nivetha2, M.Roobia Fathima 2, P.Vijayalakshmi 2 1 Department of Information Technology, Info Institute of Engineering,

More information

Recall Based Authentication System- An Overview

Recall Based Authentication System- An Overview Recall Based Authentication System- An Overview P. Baby Maruthi 1, Dr. K. Sandhya Rani 2 1 Research Scholar: Dept of Computer Science S.P.M.V.V, Tirupati, Andhra Pradesh, India 2 Professor: Dept of Computer

More information

Generating A Digital Signature Based On New Cryptographic Scheme For User Authentication And Security

Generating A Digital Signature Based On New Cryptographic Scheme For User Authentication And Security Indian Journal of Science and Technology, Vol 7(S6), 1 5, October 2014 ISSN (Print) : 0974-6846 ISSN (Online) : 0974-5645 Generating A Digital Signature Based On New Cryptographic Scheme For User Authentication

More information

Authentication. Steven M. Bellovin September 26,

Authentication. Steven M. Bellovin September 26, Authentication Steven M. Bellovin September 26, 2009 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to

More information

CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM

CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM 109 CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM Security is considered to be the most critical factor in many applications. The main issues of such

More information

Sumy State University Department of Computer Science

Sumy State University Department of Computer Science Sumy State University Department of Computer Science Lecture 1 (part 2). Access control. What is access control? A cornerstone in the foundation of information security is controlling how resources are

More information

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important

More information

Implementing a Secure Authentication System

Implementing a Secure Authentication System Implementing a Secure Authentication System BRUNO CARPENTIERI Dipartimento di Informatica Università di Salerno Via Giovanni Paolo II ITALY bc@dia.unisa.it Abstract: One of the most used techniques for

More information

Chapter 3: User Authentication

Chapter 3: User Authentication Chapter 3: User Authentication Comp Sci 3600 Security Outline 1 2 3 4 Outline 1 2 3 4 User Authentication NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines user as: The process

More information

PKI Credentialing Handbook

PKI Credentialing Handbook PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key

More information

Define information security Define security as process, not point product.

Define information security Define security as process, not point product. CSA 223 Network and Web Security Chapter One What is information security. Look at: Define information security Define security as process, not point product. Define information security Information is

More information

Controlling Website Account Information. A recent survey done by Privacy Rights Clearinghouse shows that in the past five years

Controlling Website Account Information. A recent survey done by Privacy Rights Clearinghouse shows that in the past five years Colson 1 Alex Colson Dr. Lunsford Information Security Management 10 July 2007 Controlling Website Account Information A recent survey done by Privacy Rights Clearinghouse shows that in the past five years

More information

Network Security Issues and Cryptography

Network Security Issues and Cryptography Network Security Issues and Cryptography PriyaTrivedi 1, Sanya Harneja 2 1 Information Technology, Maharishi Dayanand University Farrukhnagar, Gurgaon, Haryana, India 2 Information Technology, Maharishi

More information

An Intelligent Clustering Algorithm for High Dimensional and Highly Overlapped Photo-Thermal Infrared Imaging Data

An Intelligent Clustering Algorithm for High Dimensional and Highly Overlapped Photo-Thermal Infrared Imaging Data An Intelligent Clustering Algorithm for High Dimensional and Highly Overlapped Photo-Thermal Infrared Imaging Data Nian Zhang and Lara Thompson Department of Electrical and Computer Engineering, University

More information

Intrusion Detection through Session Hijacking

Intrusion Detection through Session Hijacking Intrusion Detection through Session Hijacking Keshav Jain Chaudhary Devilal University, Sirsa, Haryana, Inida. Abstract:-The security of web applications has become increasingly important and a secure

More information

Achieving End-to-End Security in the Internet of Things (IoT)

Achieving End-to-End Security in the Internet of Things (IoT) Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of

More information

Chapter 1 Protecting Financial Institutions from Brute-Force Attacks

Chapter 1 Protecting Financial Institutions from Brute-Force Attacks Chapter 1 Protecting Financial Institutions from Brute-Force Attacks Cormac Herley and Dinei Florêncio Abstract We examine the problem of protecting online banking accounts from password brute-forcing

More information

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO

More information

SHOULDER SURFING RESISTANT GRAPHICAL PASSWORD

SHOULDER SURFING RESISTANT GRAPHICAL PASSWORD SHOULDER SURFING RESISTANT GRAPHICAL PASSWORD Kruthi K 1, Kumuda B G 2, Nandhini N V 3, Mrs. R.Anitha 4 (Associate Professor) 1, 2, 3, 4 Department of Computer Science and Engineering, The National Institute

More information

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important

More information

Web Security, Summer Term 2012

Web Security, Summer Term 2012 IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session

More information

Web Security, Summer Term 2012

Web Security, Summer Term 2012 Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Introduction Examples of Attacks Brute Force Session

More information

Password Standard Version 2.0 October 2006

Password Standard Version 2.0 October 2006 Password Standard Version 2.0 October 2006 TABLE OF CONTENTS 1.1 SCOPE 2 1.2 PRINCIPLES 2 1.3 REVISIONS 3 2.1 OBJECTIVE 4 3.1 POLICY 4 3.2 PROTECTION 4 3.3 LENGTH 4 3.4 SELECTIONS 4 3.5 EXPIRATION 5 3.6

More information

DESIGN, IMPLEMENTATION AND EVALUATION OF A KNOWLEDGE BASED AUTHENTICATION SCHEME UPON COMPELLING PLAIT CLICKS

DESIGN, IMPLEMENTATION AND EVALUATION OF A KNOWLEDGE BASED AUTHENTICATION SCHEME UPON COMPELLING PLAIT CLICKS http:// DESIGN, IMPLEMENTATION AND EVALUATION OF A KNOWLEDGE BASED AUTHENTICATION SCHEME UPON COMPELLING PLAIT CLICKS Chalichima Harshitha 1, Devika Rani 2 1 Pursuing M.tech (CSE), 2 Assistant professor

More information

Raj Jain. Washington University in St. Louis

Raj Jain. Washington University in St. Louis Intrusion Detection Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

Thumb based Biometric Authentication Scheme in WLAN using Gauss Iterated Map and One Time Password

Thumb based Biometric Authentication Scheme in WLAN using Gauss Iterated Map and One Time Password Thumb based Biometric Authentication Scheme in WLAN using Gauss Iterated Map and One Time Password Sanjay Kumar* Department of Computer Science and Engineering National Institute of Technology Jamshedpur,

More information

2.1 Basic Cryptography Concepts

2.1 Basic Cryptography Concepts ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts

More information

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS David Murotake, (SCA Technica, Inc. Nashua NH, USA; david.murotak@scatechnica.com) Antonio Martin (SCA Technica, Inc., Nashua NH, USA;

More information

Summary on Crypto Primitives and Protocols

Summary on Crypto Primitives and Protocols Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance

More information

Software Vulnerability Assessment & Secure Storage

Software Vulnerability Assessment & Secure Storage Software Vulnerability Assessment & Secure Storage 1 Software Vulnerability Assessment Vulnerability assessment is the process of identifying flaws that reside in an OS, application software or devices

More information

International Journal of Advance Research in Engineering, Science & Technology

International Journal of Advance Research in Engineering, Science & Technology Impact Factor (SJIF): 4.542 International Journal of Advance Research in Engineering, Science & Technology e-issn: 2393-9877, p-issn: 2394-2444 Volume 4, Issue 4, April-2017 Asymmetric Key Based Encryption

More information

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018 Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to

More information

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014 Two Way User Authentication Using Biometric Based Scheme for Wireless Sensor Networks Srikanth S P (Assistant professor, CSE Department, MVJCE, Bangalore) Deepika S Haliyal (PG Student, CSE Department,

More information

Ref:

Ref: Cryptography & digital signature Dec. 2013 Ref: http://cis.poly.edu/~ross/ 2 Cryptography Overview Symmetric Key Cryptography Public Key Cryptography Message integrity and digital signatures References:

More information

DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM

DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM Rajalakshmi 1, Umamaheswari 2 and A.Vijayaraj 3 1 Department

More information

Enhanced Authentication Protocol EAP-TTLS using encrypted ECDSA

Enhanced Authentication Protocol EAP-TTLS using encrypted ECDSA www.ijcsi.org 173 Enhanced Authentication Protocol EAP-TTLS using encrypted ECDSA Nazanin Bahrami 1, Mohamad Ebrahim Shiri 2, Morteza Salari-Akhgar 3 1 Department of Computer Engineering, Kish Azad University,

More information

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis

More information

CS November 2018

CS November 2018 Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University

More information

PREEMPTIVE Preventive methodology and tools to protect utilities

PREEMPTIVE Preventive methodology and tools to protect utilities PREEMPTIVE Preventive methodology and tools to protect utilities http://preemptive.eu/ Ignasi Cairó 15 October 2015 Brussels With the financial support of FP7 Seventh Framework Programme Grant agreement

More information

3LAS (Three Level Authentication Scheme)

3LAS (Three Level Authentication Scheme) 3LAS (Three Level Authentication Scheme) Kunal Mulwani 1, Saurabh Naik 2, Navinkumar Gurnani 3, Dr. Nupur Giri 4, Prof. Sharmila Sengupta 5 1, 2,3,4,5 Vivekanand Education Society's Institute of Technology,

More information

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption

More information

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2 Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking

More information

SE420 Software Quality Assurance

SE420 Software Quality Assurance SE420 Software Quality Assurance Encryption Backgrounder September 5, 2014 Sam Siewert Encryption - Substitution Re-map Alphabet, 1-to-1 and On-to (function) A B C D E F G H I J K L M N O P Q R S T U V

More information

Cryptanalysis of a Markov Chain Based User Authentication Scheme

Cryptanalysis of a Markov Chain Based User Authentication Scheme Cryptanalysis of a Markov Chain Based User Authentication Scheme Ruhul Amin, G.P. Biswas Indian School of Mines, Dhanbad Department of Computer Science & Engineering Email: amin ruhul@live.com, gpbiswas@gmail.com

More information

Securing Web Accounts Using Graphical Password Authentication through MD5 Algorithm

Securing Web Accounts Using Graphical Password Authentication through MD5 Algorithm Securing Web Accounts Using Graphical Password Authentication through MD5 Algorithm Siddheshwar A. Suratkar Rahul A. Udgirkar Pratik D. Kale Amit A. Shelke Mohsin H. Shaikh Prof. D. C. Dhanwani Prof. CSE,

More information

1. Introduction. 2. Motivation and Problem Definition. Volume 8 Issue 2, February Susmita Mohapatra

1. Introduction. 2. Motivation and Problem Definition. Volume 8 Issue 2, February Susmita Mohapatra Pattern Recall Analysis of the Hopfield Neural Network with a Genetic Algorithm Susmita Mohapatra Department of Computer Science, Utkal University, India Abstract: This paper is focused on the implementation

More information

Whitepaper on AuthShield Two Factor Authentication with SAP

Whitepaper on AuthShield Two Factor Authentication with SAP Whitepaper on AuthShield Two Factor Authentication with SAP By AuthShield Labs Pvt. Ltd Table of Contents Table of Contents...2 1.Overview...4 2. Threats to account passwords...5 2.1 Social Engineering

More information

Wireless LAN Security (RM12/2002)

Wireless LAN Security (RM12/2002) Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For

More information

A Novel Rainbow Table Sorting Method

A Novel Rainbow Table Sorting Method A Novel Rainbow Table Sorting Method Hwei-Ming Ying, Vrizlynn L. L. Thing Cryptography & Security Department Institute for Infocomm Research, Singapore {hmying,vriz}@i2r.a-star.edu.sg Abstract As users

More information

Improvised Security for EAV data model using Negative Shuffled database

Improvised Security for EAV data model using Negative Shuffled database Improvised Security for EAV data model using Negative Shuffled database Miss Pooja Pandurang Varatk 1, Prof. Amarja Adgaonkar 2, Prof. Neha Jain 3 1Student, Computer Engineering Department, Shree L.R.Tiwari

More information

Outline Key Management CS 239 Computer Security February 9, 2004

Outline Key Management CS 239 Computer Security February 9, 2004 Outline Key Management CS 239 Computer Security February 9, 2004 Properties of keys Key management Key servers Certificates Page 1 Page 2 Introduction Properties of Keys It doesn t matter how strong your

More information

CNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks

CNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM Password Management Password Alternatives

More information

Lecture 3 - Passwords and Authentication

Lecture 3 - Passwords and Authentication CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor

More information

Review on Data Mining Techniques for Intrusion Detection System

Review on Data Mining Techniques for Intrusion Detection System Review on Data Mining Techniques for Intrusion Detection System Sandeep D 1, M. S. Chaudhari 2 Research Scholar, Dept. of Computer Science, P.B.C.E, Nagpur, India 1 HoD, Dept. of Computer Science, P.B.C.E,

More information

3D PASSWORD AUTHENTICATION FOR WEB SECURITY

3D PASSWORD AUTHENTICATION FOR WEB SECURITY 3D PASSWORD AUTHENTICATION FOR WEB SECURITY Sahana R.Gadagkar 1, Aditya Pawaskar 2, Mrs. Ranjeeta B. Pandhare 3 1,2 Department of Computer Science & Engineering, KIT s College of Engineering, Kolhapur,

More information

Computer Security 3/20/18

Computer Security 3/20/18 Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers

More information

Network Security and Cryptography. 2 September Marking Scheme

Network Security and Cryptography. 2 September Marking Scheme Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,

More information

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM Assosiate professor, PhD Evgeniya Nikolova, BFU Assosiate professor, PhD Veselina Jecheva,

More information

How Secured2 Uses Beyond Encryption Security to Protect Your Data

How Secured2 Uses Beyond Encryption Security to Protect Your Data Secured2 Beyond Encryption How Secured2 Uses Beyond Encryption Security to Protect Your Data Secured2 Beyond Encryption Whitepaper Document Date: 06.21.2017 Document Classification: Website Location: Document

More information

A Multi-Grid Graphical Password Scheme

A Multi-Grid Graphical Password Scheme A Multi-Grid Graphical Password Scheme Konstantinos CHALKIAS, Anastasios ALEXIADIS, George STEPHANIDES Dept. of Applied Informatics, Macedonia University, 156 Egnatia str., 540 06 Thessaloniki, Greece

More information

The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords

The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords LinkedIn was breached in 2012 with a reported 6.5 million user accounts compromised. LinkedIn sent a request to known hacked users

More information

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such

More information

Operating systems and security - Overview

Operating systems and security - Overview Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,

More information

Operating systems and security - Overview

Operating systems and security - Overview Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,

More information

Chapter 2: Access Control and Site Security. Access Control. Access Control. ACIS 5584 E-Commerce Security Dr. France Belanger.

Chapter 2: Access Control and Site Security. Access Control. Access Control. ACIS 5584 E-Commerce Security Dr. France Belanger. Chapter 2: Access Control and Site Security ACIS 5584 E-Commerce Security Dr. France Belanger Panko, Corporate Computer and Network Security Copyright 2002 Prentice-Hall Access Control Definitions Access

More information

Guide to Network Security First Edition. Chapter One Introduction to Information Security

Guide to Network Security First Edition. Chapter One Introduction to Information Security Guide to Network Security First Edition Chapter One Introduction to Information Security About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter

More information

DNA Intrusion Detection Methodology. James T. Dollens, Ph.D Cox Road Roswell, GA (678)

DNA Intrusion Detection Methodology. James T. Dollens, Ph.D Cox Road Roswell, GA (678) DNA Intrusion Detection Methodology by James T. Dollens, Ph.D. 1675 Cox Road Roswell, GA 30075 JTDDGC@aol.com (678) 576-3759 Copyright 2001, 2004 James T. Dollens Page 1 of 1 Introduction Computer viruses,

More information