A Biologically Inspired Password Authentication System
Dipankar Dasgupta and Sudip Saha
Center for Information Assurance, University of Memphis, Memphis, TN 38152

Outline
  Motivation
  Positive Authentication (PA)
  Negative Authentication (NA)
  Implementation Details of NA
  Preliminary Experiments and Results
  Scope of Negative Authentication
  Conclusions and Future Directions
  References
Motivation
  To provide a robust solution for immunizing authentication systems (local, remote or online) by adding a layer of password protection that is invisible to the user.
  To reduce the risk of an exploited user credential profile (in encrypted or unencrypted form) by authenticating against an approximate complement of that profile instead of the profile itself.
  To defend through obfuscation, an approach inspired by the T-cell maturation (negative selection) process in the biological immune system.

Identification
Identification of a user can be based on:
  Who the user is: a fingerprint, iris scan or voice verification (biometrics).
  What the user knows: a password or personal identification number (PIN) that the user enters.
  What the user has: a smart card or digital certificate.
  Where the user is: location, e.g. from the Global Positioning System (GPS).
The most common form of identification in authentication is through account details, i.e. a username and password: what the user knows.
Authentication
The process of verifying the claimed identity of a user. Two steps are involved:
  Identification (through the login ID)
  Verification (through the password)
Traditional approach: look the entity up in a secure store of all identities and verify the presented credential against the stored one. Because the real credentials are accessed during the check, this is termed positive authentication (PA).

Traditional Windows identity stores
  Security Account Manager (SAM) file
    Passwords stored as NT (NTLM) hashes
    Used for local system logins on Windows NT-family systems
  Active Directory
    Passwords stored in several one-way-function (OWF) hash forms, e.g. the NT OWF hash
    Used for Windows domain logins and LDAP authentication
Traditional Unix identity stores
  /etc/passwd
    Obsolete as a password store; current Linux authentication no longer keeps hashes here
    Readable by all users, so keeping hashes in it is very risky
    Format: account : password : UID : GID : GECOS : home directory : shell
    Example: username, then the password field, historically the hash produced by crypt(3) with DES, MD5, Blowfish, etc.
  /etc/shadow
    Used as the password store for password-file authentication on Linux
    Readable only by root: a store with a different access privilege from /etc/passwd
    Format: username : hashed password : ... (password-ageing fields follow)
    Example: username, then the hash

Issues with current approaches
All existing approaches designed for secure authentication use the positive identification database directly during the authentication process.
Security threats:
  Authentication servers are vulnerable to online and offline guessing attacks.
  The password table could be read or altered by an intruder.
  An intruder can also append a new ID and password to the table.
In fact, most security penetrations occur when the security validation information is exposed in some form.
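The two store formats above, as an added Python example that is not from the slides: a parser for passwd(5) and shadow(5) records that identifies the crypt(3) hash scheme from the password field's `$id$` prefix and flags the storage weaknesses the slide lists (a hash left in the world-readable /etc/passwd, an empty password field, a legacy DES or MD5 hash). The sample records, account names and placeholder hash bodies are constructed for the example.

```python
"""Parse /etc/passwd and /etc/shadow records and flag risky password storage.

Added example, not code from the slides.  Field layouts follow passwd(5)
and shadow(5); the crypt(3) scheme prefixes are the standard ones.  The
sample records at the bottom are constructed: account names are fictitious
and the hash bodies are placeholders, not real hashes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# crypt(3) scheme identifier -> scheme name
SCHEMES = {"$1$": "MD5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "SHA-256", "$6$": "SHA-512", "$7$": "scrypt", "$y$": "yescrypt"}
WEAK_SCHEMES = {"DES", "MD5"}    # fast legacy schemes, cheap to crack offline

@dataclass
class PasswdEntry:
    name: str
    password: str      # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

@dataclass
class ShadowEntry:
    name: str
    password: str                       # hash, or "" / "*" / "!..." (see hash_scheme)
    ageing: Tuple[Optional[int], ...]   # lastchg, min, max, warn, inactive, expire

def _opt_int(field: str) -> Optional[int]:
    """Ageing fields may be empty, which means 'not set'."""
    return int(field) if field != "" else None

def parse_passwd_line(line: str) -> PasswdEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"passwd record needs 7 fields, got {len(parts)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)

def parse_shadow_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"shadow record needs 9 fields, got {len(parts)}: {line!r}")
    # parts[8] is the reserved flag field and is ignored here
    return ShadowEntry(parts[0], parts[1], tuple(_opt_int(f) for f in parts[2:8]))

def hash_scheme(field: str) -> str:
    """Classify the password field of a shadow (or legacy passwd) record."""
    if field == "":
        return "none"                    # empty field: login with no password
    if field == "*" or field.startswith("!"):
        return "locked"                  # '*' no password login; '!' prefix locks
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "DES"                     # traditional 13-character crypt output
    return "unknown"

def audit(passwd_lines: List[str], shadow_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (account, problem) pairs a reviewer of the two stores should see."""
    findings = []
    for line in passwd_lines:
        e = parse_passwd_line(line)
        if e.password == "":
            findings.append((e.name, "empty password field in /etc/passwd"))
        elif e.password != "x" and hash_scheme(e.password) != "locked":
            # a real hash in the world-readable file is exposed to offline cracking
            findings.append((e.name, "hash stored in world-readable /etc/passwd"))
    for line in shadow_lines:
        s = parse_shadow_line(line)
        scheme = hash_scheme(s.password)
        if scheme == "none":
            findings.append((s.name, "empty password field in /etc/shadow"))
        elif scheme in WEAK_SCHEMES:
            findings.append((s.name, f"weak legacy hash scheme: {scheme}"))
    return findings

# Constructed sample records (fictitious accounts, placeholder hash bodies).
PASSWD_SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash",
    "legacy:abJnggxhB/yWI:1001:1001:Legacy Account:/home/legacy:/bin/sh",
    "svc:x:1002:1002:Service:/var/lib/svc:/usr/sbin/nologin",
]
SHADOW_SAMPLE = [
    "root:$6$Qz3vW9aB$placeholderhashbody:19000:0:99999:7:::",
    "alice:$y$j9T$saltsalt$placeholderhashbody:19000:0:99999:7:::",
    "bob:$1$abcdefgh$placeholderhashbody:18000:0:99999:7:::",
    "old:WjV7xZ2bK9qLc:15000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
    "svc:!!:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for account, problem in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{account}: {problem}")
```

On a real system the same audit runs over the actual files (`audit(open("/etc/passwd").readlines(), open("/etc/shadow").readlines())`, as root); the `$id$` prefix is what tells you which crypt(3) scheme produced a hash, so the scheme check is the first thing to look at when judging how exposed a leaked store is.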
Effect of authentication failures
Lack of proper authentication hands an attacker the keys to the kingdom. Once attackers gain access to the system, they can carry out any harmful activity, such as:
  Stealing confidential information
  Launching distributed denial of service attacks
  Defacing web sites
  Stealing billing and credit card information
  Making fraudulent purchases, etc.

Reports on password attacks
Zone-H statistics report of registered attacks in 2005-2007, published in March 2008: various attacks successfully employed on the web (www.zone-h.org).
What is Negative Authentication?
PA uses a password profile containing the passwords of all users who are authorized to access the system (or server).
The negative counterpart (the non-self, or anti-password, space) represents all strings that are not in the password file.
These anti-passwords can be used as the first line of authentication, filtering out illegitimate access requests before the positive profile is consulted.

Negative Authentication approach (contd.)
Figure: system resource and authentication process (http://www.memphis.edu/fedex/passwordimmunizer/index.htm)
Negative Authentication approach (contd.)
Figure: system resource and authentication process (http://www.memphis.edu/fedex/passwordimmunizer/index.htm)

Negative Authentication approach (contd.)
Figure: system resource and ambiguity in the Anti-P file (http://www.memphis.edu/fedex/passwordimmunizer/index.htm)
Process of Anti-P generation
Generate encrypted (hashed) credential vectors; the Anti-Ps are then generated in the space these vectors do not occupy.

Test data and experiments
  Passwords: OpenWall project word list (approx. 2500 most common passwords)
  Usernames: the most common first and last names in the USA, from the US Census (http://www.census.gov/genealogy/names/names_files.html), plus usernames from forensic logs of cracking attempts
Objective of the experiments
  Decrease the number of Anti-Ps (detectors)
  Achieve a good detection rate with obfuscation:
    not too high, or the effect is almost the same as positive authentication
    not too low, or negative authentication adds no value
Selecting parameters
Table: results of experiments with varying size of the valid-account set and Anti-P coverage. For a larger account set, higher coverage is required to get a good detection rate, but that in turn needs a larger set of Anti-Ps.

Selecting the confusion parameter
Fig.: effect of changing the confusion parameter on the number of Anti-Ps and the detection rate. For a given number of accounts, both the detection rate and the Anti-P set size stay unchanged up to some value of the confusion parameter, and both fall for high values. The Anti-P set size starts falling at a lower confusion parameter than the detection rate does, so, depending on the account set size, a confusion parameter can be chosen at which a smaller number of Anti-Ps is achieved with only a small compromise in detection rate.
Number of Anti-Ps and detection rate
Fig.: variation of (a) the number of Anti-Ps and (b) the detection rate with the number of passwords and the coverage, at confusion parameter = 0.05. (a) The number of Anti-Ps increases almost exponentially with the expected Anti-P coverage, and increases only up to a point as the number of accounts grows. (b) The detection rate increases with coverage but decreases with the number of accounts.

Effect of eliminating small Anti-Ps
Fig.: both the number of Anti-Ps and the detection rate decrease when small Anti-Ps are eliminated, but the number of Anti-Ps falls faster than the detection rate does. For example, with 1000 valid passwords, eliminating Anti-Ps of size 0.04 or smaller reduces the number of Anti-Ps to 83% of the original count, whereas the detection rate falls only to 95% of its original value.
Sparseness issue of hashes
Fig.: scatter plot of 5600 (username, password) pairs: (a) plaintext credentials, (b) hashed credentials.

Plaintext vs hashed information
Fig.: performance comparison for plaintext and hashed account information: variation of (a) the number of Anti-Ps and (b) the detection rate with change in parameters.
Scope of Negative Authentication
Negative authentication (NA) can be used wherever positive authentication (PA) is used: wherever a credential store is maintained and a request is searched for a match in it, e.g.
  Challenge-response authentication
  HTTP form-based authentication
  LDAP authentication
  NT LAN Manager (NTLM) authentication

Scope of Negative Authentication (contd.)
Negative authentication is not applicable to approaches in which passwords are not matched against a credential store, e.g.
  Kerberos authentication for Windows domain login
  Document-oriented authentication such as digital signatures
  PKI-based authentication
Conclusions and future directions
  With this approach it is harder (if not impossible) to discover any individual password even if the anti-passwords are compromised.
  The negative profile is less vulnerable to guessing attacks, and can also be used for forensics.
  This approach does not address security issues in transit (on the communication channel).
Future directions:
  Dealing with very large password files (as in e-business)
  Making negative authentication adaptive to account changes
  A real-world implementation as a PAM (Pluggable Authentication Module)

References
  Z. Ji and D. Dasgupta, Real-Valued Negative Selection Using Variable-Sized Detectors. Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), Seattle, Washington, June 2004.
  D. Dasgupta and R. Azeem, An Investigation of Negative Authentication Systems. Proceedings of the 3rd International Conference on Information Warfare and Security, Omaha, USA, April 2008.
  Z. Ji and D. Dasgupta, Estimating the Detector Coverage in a Negative Selection Algorithm. Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), Washington, D.C., June 2005.
  B. Hartman, D. J. Flinn, K. Beznosov and S. Kawamoto, Mastering Web Services Security. Wiley Publishing Inc., 2003.
  R. E. Smith, Authentication: From Passwords to Public Keys. Addison-Wesley, 2002.
  D. Dasgupta and S. Forrest, An anomaly detection algorithm inspired by the immune system. In: D. Dasgupta (ed.), Artificial Immune Systems and Their Applications, Springer-Verlag, 1999, pp. 262-277.
  Zone-H statistics report 2005-2007, http://www.zone-h.org/news/id/4686