Chapter 3: User Authentication Comp Sci 3600 Security
Outline 1 2 3 4
Outline 1 2 3 4
User Authentication NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines user as: The process of establishing confidence in user identities that are presented electronically to an information system. Systems can use the authenticated identity to determine if the authenticated individual is authorized to perform particular functions.
Outline 1 2 3 4
Authentication Fundamental building block and primary line of defense Basis for access control and user accountability Identification step: Presenting an identifier to the security system Verification step: Presenting or generating information that corroborates the binding between the entity and the identifier
Outline 1 2 3 4
Four Means of Authentication Something the individual knows:, PIN, answers to prearranged questions Something the individual possesses (token): Smartcard, electronic keycard, physical key Something the individual is (static biometrics): Fingerprint, retina, face Something the individual does (dynamic biometrics): Voice pattern, handwriting, typing rhythm
Authentication Model Registration Authority (RA) Registration, Credential Issuance, and Maintenance Registration Confirmation Credential Service Provider (RA) Identity Proofing User Registration Token, Credential Registration/Issuance Subscriber/ Claimant Authenticated Session Authenticated Protocol Exchange Token/Credential Validation Authenticated Assertion E-Authentication using Token and Credential Relying Party (RP) Verifier Figure 3.1 The NIST SP 800-63-2 E-Authentication Architectural Model
Outline 1 2 3 4
Assessment Assurance Level: Describes an organization s degree of certainty that a user has presented a credential that refers to his or her identity. The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued. The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
Assessment Potential Impact Closely related to that of assurance level Defines three levels of potential impact on organizations or individuals should there be a breach of security Potential magnitude of impact combined with probability can produce areas of likely risk
Outline 1 2 3 4
Authentication Widely used line of defense against intruders User provides name/login and password System compares password with the one stored for that specified login The user ID Determines that the user is authorized to access the system Determines the user s privileges (e.g., su) Is used in discretionary access control
Outline 1 2 3 4
Offline dictionary attack: obtain system password file and compares the password hashes against hashes of common passwords. Specific account attack: target specific account and submits password guesses. Popular password attack: use a popular password and try it against a wide range of user IDs guessing against single user: gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. Workstation hijacking: wait until a logged-in workstation is unattended. Exploiting user mistakes: E.g., If the system assigns a password, then the user is more likely to write it down because it is difficult to remember. Exploiting multiple password use: if different devices share the same or a similar password for a given user and one is compromised Electronic monitoring: password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping.
Outline 1 2 3 4
Pass the salt, not the hash Salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. Primary function of salts is to defend against dictionary or against its hashed equivalent, a pre-computed rainbow table attack. Used to safeguard passwords in storage. New salt is randomly generated for each password. Salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later without keeping and therefore risking the plaintext password in the event that the data store is compromised.
Hashing passwords, with and without salt Salt User id slow hash function Select Load User ID (a) Loading a new password File User ID Salt Hash code File Salt Salt Hash code slow hash function Hash password with salt value Linux/Unix does this, but Windows does not. and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. Why slow hash? Hashed password Compare (b) Verifying a password Figure 3.2 UNIX Scheme
hashing with salt benefits It prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned different salt values. Hence, the hashed passwords of the two users will differ. It greatly increases the difficulty of offline dictionary. For a salt of length b bits, the number of possible passwords is increased by a factor of 2 b, increasing the difficulty of guessing a password in a dictionary attack. It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.
Outline 1 2 3 4
Dictionary attack: develop a large dictionary of possible passwords and to try each of these against the password file. Each password must be hashed using each available salt value and then compared with stored hash values. Rainbow table: Pre-compute tables of hash values for all salts. A mammoth table of hash values. Can be countered by using a sufficiently large salt value and a sufficiently large hash length Guessable passwords: user s name, initials, account name, and other relevant personal information, dictionary words Leaked password databases (hashes and actual passwords) on real password databases
on real password databases Percent guessed 50% 40% 30% 20% 10% 0% 10 4 10 7 10 10 10 13 Number of guesses Figure 3.3 The Percentage of Guessed After a Given Number of Guesses
File Access Control Protection Deny the opponent access to the password file. If the hashed password portion of the file is accessible only by a privileged user Hashed passwords are kept in a separate file from the user IDs, referred to as a shadow password file Weakness in the OS that allows access to the file Accident with permissions making it readable Users with same password on other systems Access from backup media Sniff passwords in network traffic
Outline 1 2 3 4
User education on good passwords Computer-generated passwords: password managers Reactive password : system periodically runs its own password cracker to find guessable passwords. Complex password policy (proactive password checker): user is allowed to select password. System checks to see if the password is allowable and, if not, rejects it.
on Strength
Checker Rule enforcement All passwords must be at least n characters long. In the first n characters, the passwords must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks. checker Compile a large dictionary of possible bad passwords. When a user selects a password, the system checks to make sure that it is not on the disapproved list. Computationally expensive Bloom filter Like hash table, but faster. Block users from using words on a common list or anything which hashes to common values.
Bloom filter An empty Bloom filter is a bit array of m bits, all set to 0. k different hash functions defined, each of which maps or hashes some set element to one of the m array positions k is a constant, much smaller than m, which is proportional to the number of elements to be added To add an element, feed it to each of the k hash functions to get k array positions. Set the bits at all these positions to 1. To query for an element (test whether it is in the set), feed it to each of the k hash functions to get k array positions. If any of the bits at these positions is 0, the element is definitely not in the set; if it were, then all the bits would have been set to 1 when it was inserted. If all are 1, then either the element is in the set, or the bits have by chance been set to 1 during the insertion of other elements, resulting in a false positive.
Bloom filter An example of a Bloom filter, representing the set x, y, z. The colored arrows show the positions in the bit array that each set element is mapped to. The element w is not in the set x, y, z, because it hashes to one bit-array position containing 0. For this figure, m = 18 and k = 3.
Bloom Filter Performance (Lower Y is Better) 1 0.1 2 hash functions Pr[false positive] 0.01 6 hash functions 4 hash functions 0.001 0 5 10 15 20 Ratio of hash table size (bits) to dictionary size (words) Figure 3.4 Performance of Bloom Filter Storage size is lesser on the left, and greater on the right.
Outline 1 2 3 4
2 factor anyone?
Outline 1 2 3 4
Objects that a user possesses for the purpose of user are called tokens.
Outline 1 2 3 4
Biometric Cost Hand Signature Face Voice Retina Finger Accuracy Iris Figure 3.7 Cost Versus Accuracy of Various Biometric Characteristics in User Authentication Schemes.
Biometric modes Name (PIN) Biometric sensor Feature extractor Biometric database User interface (a) Enrollment Name (PIN) User interface Biometric sensor true/false (b) Verification Feature extractor Feature matcher One template Biometric database User interface Biometric sensor user's identity or "user unidentified" Feature extractor Feature matcher N templates Biometric database (c) Identification Figure 3.8 A Generic Biometric System. Enrollment creates an association between a user and the user's biometric characteristics. Depending on the application, user either involves verifying that a claimed user is the actual user or identifying an unknown user.
Decision thresholds Probability density function imposter profile false nonmatch possible average matching value of imposter decision threshold (t) average matching value of genuine user profile of genuine user false match possible Matching score (s) Figure 3.9 Profiles of a Biometric Characteristic of an Imposter and an Authorized Users In this depiction, the comparison between presented feature and a reference feature is reduced to a single numeric value. If the input value (s) is greater than a preassigned threshold (t), a match is declared.
Decision thresholds 100% false nonmatch rate 10% 1% increased security, decreased convenience increase threshold decreased security, inceased convenience 0.1% 0.0001% 0.001% 0.01% 0.1% equal error rate line false match rate decrease threshold 1% 10% 100% 100% Figure 3.10 Idealized Biometric Measurement Operating Characteristic Curves (log-log scale)
Decision thresholds 100% Face Fingerprint Voice Hand Iris false nonmatch rate 10% 1% 0.1% 0.0001% 0.001% 0.01% 0.1% 1% 10% 100% false match rate Figure 3.11 Actual Biometric Measurement Operating Characteristic Curves, reported in [MANS01]. To clarify differences among systems, a log-log scale is used.
Remote biometrics Iris scanner Iris scanner Iris scanner Iris Merge Remote Iris workstation Iris workstation Iris database LAN switch Iris Engine 1 Iris Engine 2 Network switch Iris workstation Figure 3.13 General Iris Scan Site Architecture for UAE System
Outline 1 2 3 4
based Schemes Client Host U U, User r, random number (r, h(), f()) h(), f(), functions P r, return of r f(r, h(p )) if f(r, h(p )) = f(r, h(p(u))) yes/no then yes else no (b) Protocol for a password Client Host U U, User r, random number (r, E()) E(), function B BT biometric D biometric device E(r, D, BT ) r, return of r E 1 E(r, P, BT ) = (r, P, BT ) if r = r AND D = D AND BT = BT(U) then yes else no yes/no Client Host U U, User r, random number (r, h(), f()) h(), f(), functions P W password to passcode via token r, return of r f(r, h(w )) if f(r, h(w )) = f(r, h(w(u))) yes/no then yes else no (b) Protocol for a token Client Host U U, User r, random number x, random sequence challenge (r, x, E()) E(), function B, x BS (x ) r, return of r E(r, BS (x )) E 1 E(r, BS (x )) = (r, BS (x )) extract B from (r, BS (x )) if r = r AND x = x AND B = B(U) yes/no then yes else no (c) Protocol for static biometric (d) Protocol for dynamic biometric Figure 3.12 Basic Protocols for Remote User Authentication