Computer Security: Principles and Practice: Chapter 3: User Authentication

This chapter discusses user authentication and its importance as a fundamental security building block. It describes the identification and verification steps of authentication and four factors for authenticating a user's identity: something they know, have, are, or do. Password authentication is widely used but vulnerable to attacks, so techniques like salting, hashing, tokens, biometrics and remote authentication over networks are explored along with countermeasures to common attacks like eavesdropping and replay.
User Authentication
• Fundamental security building block
– basis of access control & user accountability
• The process of verifying an identity claimed by or for a system entity
• Two steps:
– identification: specify identifier
– verification: bind entity (person) and identifier
A model for electronic user authentication
Means of user authentication
• Four means of authenticating a user's identity
• Based on something the individual
– knows, e.g. password, PIN
– possesses, e.g. key, token, smartcard
– is (static biometrics), e.g. fingerprint, retina
– does (dynamic biometrics), e.g. voice, signature
• Can use alone or combined
• All can provide user authentication
• All have issues
Password authentication
• Widely used user authentication method
– user provides name/login and password
– system compares password with that saved for the specified login
• Authenticates ID of user logging in and
– that the user is authorized to access the system
– determines the user's privileges
– is used in discretionary access control
Password vulnerabilities
• offline dictionary attack
• specific account attack (user john)
• popular password attack (against a wide range of IDs)
• password guessing against single user (w/ previous knowledge about the user)
• workstation hijacking
• exploiting user mistakes
• exploiting multiple password use
• electronic monitoring
Countermeasures for password vulnerability
• stop unauthorized access to password file
• intrusion detection measures
• account lockout mechanisms
• policies that forbid common passwords and require hard-to-guess ones
• training & enforcement of policies
• automatic workstation logout
• encrypted network links
Use of hashed passwords
Why a salt value?
• Prevents duplicate passwords from being visible in the password file
• Increases the difficulty of offline dictionary attacks
• Nearly impossible to tell if a person used the same password on multiple systems
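Added example, not from the slides: a small Python script that stores passwords as salted PBKDF2-HMAC-SHA256 hashes (standard library only) and shows the first point above concretely. Two users who pick the same constructed password get identical records in an unsalted file but unrelated records once each has its own random salt; the function names, the iteration count and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000    # work factor: raises the cost of every guess in an offline dictionary attack
NO_SALT = b"\x00" * 16  # stands in for an unsalted scheme (same fixed value for every user)


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a password-file record: per-user random salt plus the salted hash."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Two users pick the same (constructed) password; compare unsalted and salted storage."""
    pw = "correct horse battery"
    unsalted = [make_record(pw, NO_SALT), make_record(pw, NO_SALT)]
    salted = [make_record(pw), make_record(pw)]
    return {
        # Without a salt the file reveals that both users share a password.
        "unsalted_duplicates_visible": unsalted[0]["hash"] == unsalted[1]["hash"],
        # With per-user salts the two records look unrelated.
        "salted_duplicates_visible": salted[0]["hash"] == salted[1]["hash"],
        "correct_password_accepted": verify(salted[0], pw),
        "wrong_password_rejected": not verify(salted[0], "correct horse batter"),
    }
```

The salt is stored in the clear next to the hash; its job is not secrecy but making every stored hash unique so a precomputed dictionary cannot be reused across users or systems.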
UNIX Implementation
• Original scheme
– 8 character password forms a 56-bit key
– 12-bit salt used to modify DES encryption into a one-way hash function
– output translated to 11 character sequence
• Now regarded as woefully insecure
– e.g. supercomputer, 50 million tests, 80 min
• Sometimes still used for compatibility
Token-based authentication
• Object user possesses to authenticate, e.g.
– memory card (magnetic stripe)
– smartcard
Memory Card
• store but do not process data
• magnetic stripe card, e.g. bank card
• electronic memory card
• used alone for physical access (e.g., hotel rooms)
• some with password/PIN (e.g., ATMs)
• Drawbacks of memory cards include:
– need special reader
– loss of token issues
– user dissatisfaction (OK for ATM, not OK for computer access)
Smartcard
• credit-card like
• has own processor, memory, I/O ports
– ROM, EEPROM, RAM memory
• executes protocol to authenticate with reader/computer
– static: similar to memory cards
– dynamic: passwords created every minute; entered manually by user or electronically
– challenge-response: computer creates a random number; smart card provides its hash (similar to PK)
• also have USB dongles
Electronic identity cards
• An important application of smart cards
• A national e-identity (eID)
• Serves the same purpose as other national ID cards (e.g., a driver's licence)
– Can provide stronger proof of identity
– A German card
• Personal data, document number, card access number (six-digit random number), machine readable zone (MRZ): the password
• Uses: ePass (government use), eID (general use), eSign (can have private key and certificate)
User authentication with eID
Biometric authentication
• Authenticate user based on one of their physical characteristics:
– facial
– fingerprint
– hand geometry
– retina pattern
– iris
– signature
– voice
Operation of a biometric system

• Verification is analogous to user login via a smart card and a PIN
• Identification is biometric info but no IDs; system compares with stored templates
Biometric Accuracy
• The system generates a matching score (a number) that quantifies similarity between the input and the stored template
• Concerns: sensor noise and detection inaccuracy
• Problems of false match/false non-match
Remote User Authentication
• Authentication over network more complex
– Problems of eavesdropping, replay
• Generally use challenge-response
– user sends identity
– host responds with random number r
– user computes f(r, h(P)) and sends it back
– host compares value from user with own computed value; if they match, user is authenticated
• Protects against a number of attacks
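Added example, not from the slides: a Python simulation of the challenge-response exchange above, which is also the pattern behind the smartcard challenge-response mode described earlier. The host stores only h(P); the user answers a fresh random number r with f(r, h(P)), taken here to be HMAC-SHA256 keyed with h(P). The class names, the sample login and password, and the choice of HMAC for f are assumptions made for this example; the run shows a legitimate login, a replayed response failing against a new challenge, and a wrong password failing.

```python
import hashlib
import hmac
import os


def h(password: str) -> bytes:
    """h(P): one-way hash of the password, the only secret the host stores."""
    return hashlib.sha256(password.encode()).digest()


def f(r: bytes, hp: bytes) -> bytes:
    """f(r, h(P)): keyed response to challenge r (HMAC-SHA256 with key h(P))."""
    return hmac.new(hp, r, hashlib.sha256).digest()


class Host:
    def __init__(self, users: dict):
        self.users = users    # login -> h(P)
        self.pending = {}     # login -> outstanding challenge r

    def challenge(self, login: str) -> bytes:
        r = os.urandom(16)    # fresh random number for every attempt
        self.pending[login] = r
        return r

    def verify(self, login: str, response: bytes) -> bool:
        r = self.pending.pop(login, None)   # each challenge can be answered once
        if r is None or login not in self.users:
            return False
        return hmac.compare_digest(f(r, self.users[login]), response)


class User:
    def __init__(self, login: str, password: str):
        self.login, self.password = login, password

    def respond(self, r: bytes) -> bytes:
        return f(r, h(self.password))   # h(P) computed locally; P itself never leaves the client


def run_exchange() -> dict:
    host = Host({"alice": h("hunter2")})          # constructed credential
    alice = User("alice", "hunter2")
    resp = alice.respond(host.challenge("alice"))
    ok = host.verify("alice", resp)               # legitimate login succeeds
    host.challenge("alice")                       # new session, new r
    replayed = host.verify("alice", resp)         # captured response no longer matches
    impostor = User("alice", "hunter3")           # wrong password
    wrong = host.verify("alice", impostor.respond(host.challenge("alice")))
    return {"ok": ok, "replay_rejected": not replayed, "wrong_password_rejected": not wrong}
```

Note that anyone holding h(P) can produce a valid response, so this protocol addresses eavesdropping and replay on the link but not the host attacks listed later; the stored h(P) values still need the protections given for password databases.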
Protocol for a password verification
• Similar approach for token and biometric verification
Authentication Security Issues
• Client attacks: attacker attempts to achieve user authentication without access to the remote host
– Masquerade as a legitimate user (e.g., guess the password or try all passwords)
– Countermeasure: strong passwords; limit number of attempts
Authentication Security Issues
• Host attacks: attacker attacks the host where passwords/passcodes are stored
– Countermeasure: hashing, protect password databases
Authentication Security Issues
• Eavesdropping: attacker attempts to learn passwords by observing the user, finding written passwords, keylogging
– Countermeasures
• diligence in keeping passwords secret
• multifactor authentication
• admin revokes compromised passwords
Authentication Security Issues
• Replay: attacker repeats a previously captured user response
– Countermeasure
• Challenge-response
• 1-time passcodes
Authentication Security Issues
• eavesdropping
• replay
• trojan horse