06-Aug-24 1
AUTHENTICATION
Authentication and Identification
• Identification is the act of asserting who a person is.
• Authentication is the act of proving that asserted identity: that
the person is who she says she is.
• Identification is asserting who a person is.
• Authentication is proving that asserted identity.
Identification Versus Authentication
• Identities are often well known, predictable, or guessable.
• Examples
• If you send email to someone, you implicitly send along your
email account ID so the other person can reply to you.
• In an online discussion you may post comments under a
screen name as a way of linking your various postings.
• Your bank account number is printed on checks you write;
your debit card account number is shown on your card, and
so on. In each of these cases you reveal a part of your
identity.
• For these reasons, many people could easily, although
falsely, claim to be you by presenting one of your known
identifiers.
Identification Versus Authentication
• Authentication mechanisms use any of three qualities
to confirm a user’s identity:
• Something the user knows
• Something the user is
• Something the user has
• Authentication is based on something you know, are,
or have.
Authentication
• The act of proving that a user is who she
says she is
• Methods:
• 1. Something the user knows
• 2. Something the user is
• 3. Something the user has
• 4. Location Factors
• 5. Behavioral Factors
1. Something You Know (Password)
Issues
• Use. Supplying a password for each access to an object can
be inconvenient and time consuming.
• Disclosure. If a user discloses a password to an
unauthorized individual, the object becomes immediately
accessible. If the user then changes the password to re-
protect the object, the user must inform any other legitimate
users of the new password because their old password will
fail.
• Revocation. To revoke one user’s access right to an object,
someone must change the password, thereby causing the
same problems as disclosure.
• Loss. Sometimes, it may be impossible to retrieve a lost or
forgotten password. The operators or system administrators
can certainly intervene and provide a new password. If the
user loses (or forgets) the password, administrators must
assign a new one.
Attacking and Protecting Passwords
• Passwords are somewhat limited as protection devices because of the relatively
small number of bits of information they contain.
Password guessing steps
• Knight and Hartley list password guessing steps. These steps are in increasing
degree of difficulty (number of guesses), and so they indicate the amount of
work to which the attacker must go in order to derive a password.
• no password
• the same as the user ID
• is, or is derived from, the user’s name
• on a common word list (for example, password, secret, private) plus common
names and patterns (for example, qwerty, aaaaaa)
• contained in a short dictionary
• contained in a short dictionary with capitalizations (PaSsWorD) or
substitutions (digit 0 for letter O, and so forth)
• obtained by brute force, trying all possible combinations of alphabetic
characters
• obtained by brute force, trying all possible combinations from the full
character set
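Worked example (added for these notes; not code from the slides or from Knight and Hartley): a password-policy check that reports which guessing tier a candidate password falls into, so that the cheap tiers can be rejected at enrolment rather than discovered later. The word lists are small constructed stand-ins for a breach-derived list, the name-derivation rule and the 32-symbol size for the "full character set" are assumptions, and the length floor of 8 in check() is a policy choice, not something the slide states.

```python
"""Password-policy check built on the Knight and Hartley guessing tiers.

Added example, not from the slides. COMMON_WORDS and SHORT_DICTIONARY are
constructed stand-ins; a real check loads a breach-derived list. Character
class sizes follow the "Good Passwords" slide (26 letters, +10 digits,
+26 uppercase); 32 printable ASCII symbols is an assumption.
"""

COMMON_WORDS = {"password", "secret", "private", "qwerty", "aaaaaa", "123456"}
SHORT_DICTIONARY = COMMON_WORDS | {"dragon", "monkey", "sunshine", "welcome", "football"}

# Common digit/symbol substitutions, undone before the dictionary lookup
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

TIERS = [
    "no password",
    "same as the user ID",
    "is, or is derived from, the user's name",
    "on a common word list",
    "in a short dictionary",
    "dictionary word with capitalisation or substitutions",
    "brute force over alphabetic characters",
    "brute force over the full character set",
]


def classify(password, user_id, user_name):
    """Return the index into TIERS of the cheapest guessing step that finds the password."""
    pw_lower = password.lower()
    if not password:
        return 0
    if pw_lower == user_id.lower():
        return 1
    # Assumption: "derived from the name" = contains a name part (or its reverse)
    name_parts = [p for p in user_name.lower().split() if len(p) >= 3]
    if any(p in pw_lower or p[::-1] in pw_lower for p in name_parts):
        return 2
    if password in COMMON_WORDS:
        return 3
    if password in SHORT_DICTIONARY:
        return 4
    if pw_lower in SHORT_DICTIONARY or password.translate(SUBSTITUTIONS).lower() in SHORT_DICTIONARY:
        return 5
    if password.isalpha():
        return 6
    return 7


def charset_size(password):
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32  # assumption: printable ASCII punctuation
    return size


def brute_force_space(password):
    """Number of candidates an exhaustive search of this length and class must cover."""
    return charset_size(password) ** len(password)


def check(password, user_id, user_name, minimum_tier=6):
    """Policy decision: reject anything an attacker finds without brute force."""
    tier = classify(password, user_id, user_name)
    return {
        "tier": tier,
        "label": TIERS[tier],
        "search_space": brute_force_space(password),
        "accepted": tier >= minimum_tier and len(password) >= 8,  # assumption: length floor of 8
    }
```

The tiers are checked in the order of the slide, so the result is the first (cheapest) step that succeeds; the search-space figure only matters once a password has survived the dictionary tiers.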
Passwords
• Password strength is determined by how many guesses are required.
• Systems store passwords in hidden (encrypted) form so that compromising
the ID–password list does not give immediate access to all user accounts.
• Converting a password to its concealment form is simple, but going the
other way (starting with a concealed version and deriving the corresponding
password) is effectively impossible. (For this reason, on some websites if
you forget your password, the system can reset your password to a new,
random value, but it cannot tell you what your forgotten password was.)
• People often use one of a few predictable passwords. The interceptor can
create what is called a rainbow table, a list of the concealed forms of the
common passwords.
• Assume that Pat and Roz both chose the same password. Both copies
will have the same concealed value, so someone who intercepts the table
can learn that users Pat and Roz have the same password. Knowing that, the
interceptor can also guess that Pat and Roz both chose common passwords,
and start trying the usual ones; when one works, the other will, too.
Passwords
• To counter these threats, some systems use an extra piece
called the salt.
• A salt is an extra data field different for each user, perhaps the
date the account was created or a part of the user’s name.
• The salt value is joined to the password before the combination
is transformed by concealment.
• In this way, Pat+aaaaaa has a different concealment value from
Roz+aaaaaa. Also, an attacker cannot build a rainbow table
because the common passwords now all have a unique
component, too.
• Salt: a user-specific component joined to a password before it is
concealed, so that identical passwords produce different concealed values
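Worked example (added for these notes, not code from the slides) covering both the Pat-and-Roz collision on the previous slide and the salt on this one. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the "concealment" function; the 200,000-iteration work factor and the 16-byte random salt are assumptions (the slide's date-of-creation or user-name salt would also separate Pat and Roz, but a random per-user salt is what current practice uses). The user names and the password aaaaaa come from the slide.

```python
"""Why identical passwords collide without a salt, and how a salt fixes it.

Added example, not from the slides. PBKDF2-HMAC-SHA256 is the concealment
function; ITERATIONS and the random 16-byte salt are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: work factor; raise it for production use


def conceal_unsalted(password):
    """Plain one-way hash: equal passwords always give equal output."""
    return hashlib.sha256(password.encode()).hexdigest()


def conceal_salted(password, salt):
    """Slow, salted one-way function: the salt is joined to the password before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def enroll(password, salt=None):
    """Create the stored record for a user: per-user salt plus concealed value."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "digest": conceal_salted(password, salt)}


def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    candidate = conceal_salted(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def rainbow_lookup(digest, common_passwords):
    """Precomputed table of unsalted concealed values, as the slide's interceptor would build it."""
    table = {conceal_unsalted(p): p for p in common_passwords}
    return table.get(digest)


def demo():
    """Pat and Roz both pick aaaaaa; compare what the stored list reveals with and without salt."""
    common = ["password", "123456", "qwerty", "aaaaaa"]  # constructed common-password list
    pat_unsalted = conceal_unsalted("aaaaaa")
    roz_unsalted = conceal_unsalted("aaaaaa")
    pat = enroll("aaaaaa")
    roz = enroll("aaaaaa")
    return {
        "unsalted_collide": pat_unsalted == roz_unsalted,   # list reveals they share a password
        "rainbow_hit": rainbow_lookup(pat_unsalted, common),  # and the table names it
        "salted_collide": pat["digest"] == roz["digest"],   # different salts, different values
        "pat_verifies": verify(pat, "aaaaaa"),
        "wrong_password": verify(pat, "aaaaab"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the digest in clear; it does not need to be secret, only unique per user, because its job is to make a precomputed table useless. A memory-hard function such as scrypt or Argon2 is the usual production choice; PBKDF2 is used here only because it ships with the standard library.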
Good Passwords
• Use characters other than just a–z. If passwords are chosen from the letters a–z,
there are only 26 possibilities for each character. Adding digits expands the
number of possibilities to 36. Using both uppercase and lowercase letters plus
digits expands the number of possible characters to 62.
• Choose long passwords. The combinatorial explosion of password guessing
difficulty begins around length 4 or 5. Choosing longer passwords makes it less
likely that a password will be uncovered.
• Avoid actual names or words. Theoretically, there are about 300 million 6-letter
“words” (meaning any combination of letters), but there are only about 150,000
words in a good collegiate dictionary, ignoring length. By picking one of the 99.95
percent nonwords, you force the attacker to use a longer brute-force search
instead of the abbreviated dictionary search.
• Use a string you can remember. Password choice is a double bind. To remember
the password easily, you want one that has special meaning to you. However, you
don’t want someone else to be able to guess this special meaning. One easy-to-remember
password is UcnB2s. This unlikely looking jumble is a simple transformation of
“you can never be too secure.”
Good Passwords
• Use variants for multiple passwords. With accounts, websites, and subscriptions, an
individual can easily amass 50 or 100 passwords, which is clearly too many to
remember. Unless you use a trick. Start with a phrase as in the previous suggestion:
Ih1b2s (I have one brother, two sisters). Then append some patterns involving the
first few vowels and consonants of the entity for the password: Ih1b2sAfc for
fAcebook, and so forth.
• Change the password regularly. Even if you have no reason to suspect that
someone has compromised the password, you should change it from time to time. A
penetrator may break a password system by obtaining an old list or working
exhaustively on an encrypted list.
• Don’t write it down. Note: This time-honored advice is relevant only if physical
security is a serious risk. People who have accounts on many machines and servers,
and with many applications or sites, may have trouble remembering all the access
codes.
• Don’t tell anyone else. The easiest attack is social engineering, in which the attacker
contacts the system’s administrator or a user to elicit the password in some way. For
example, the attacker may phone a user, claim to be “system administration,” and
ask the user to verify the user’s password.
Security questions
• Instead of passwords, some companies use
questions to which (presumably) only the right
person would know the answer.
• Such questions include street name from
childhood, model of first automobile, and name
of favorite teacher.
• The user picks relevant questions and supplies
the answers when creating an identity.
• Knowledge factors are the least secure authentication factors.
2. Something the user is
Biometric factors
• Something unique to the user's physical attributes.
• Examples include fingerprints, facial recognition, voice recognition,
retina scans, and other forms of biometric data.
• Some investment firms commonly use voice recognition when you
call them to verify your identity. Your voice is analysed based on its
acoustics and individual characteristics like your accent, speech
rhythm, and vocabulary.
• As an example of multi-factor authentication that uses biometrics,
consider your cell phone. You can enable multi-factor authentication
so that you have to enter a PIN (something you know) and scan your
fingerprint (something you are).
• Biometrics are a convenient form of authentication because you have
them readily available.
Problems with Use of Biometrics
• Biometrics are relatively new, and some people find their use intrusive. For
example, people in some cultures are insulted by having to submit to fingerprinting,
because they think that only criminals are fingerprinted.
• Biometric recognition devices are costly.
• Biometric readers and comparisons can become a single point of failure. Consider a
retail application in which biometric recognition is linked to a payment scheme: if
my fingerprint is not recognized, I have only that one finger.
• All biometric readers use sampling and establish a threshold for acceptance of a
close match. The device has to sample the biometric, measure often hundreds of
key points, and compare that set of measurements with a template. Features vary
slightly from one reading to the next, for example, if your face is tilted, if you press
one side of a finger more than another, or if your voice is affected by a sinus
infection. Variation reduces accuracy.
• Although equipment accuracy is improving, false readings still occur. We label a false
positive or false accept a reading that is accepted when it should be rejected (that
is, the authenticator does not match) and a false negative or false reject one that
rejects when it should accept.
• False positive: incorrectly confirming an identity.
• False negative: incorrectly denying an identity.
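Worked example (added for these notes, not code from the slides) of the sampling-and-threshold point: a reading is a short vector of key-point measurements, the matcher computes its distance to the enrolled template, and the device accepts when the distance is under a threshold. The template and the readings are constructed values chosen to show the variation the slide describes (pressure, tilt) plus one impostor who happens to be close, so that the false-accept / false-reject trade-off of the threshold is visible.

```python
"""Threshold-based biometric matching and its false accept / false reject trade-off.

Added example, not from the slides. All measurements below are constructed.
"""
import math

# Constructed enrolled template: normalised key-point measurements
TEMPLATE = [0.50, 0.20, 0.80, 0.35, 0.60]

# Constructed readings from the genuine user, increasingly noisy
GENUINE_READINGS = [
    [0.52, 0.21, 0.79, 0.36, 0.61],  # clean reading
    [0.49, 0.18, 0.82, 0.33, 0.58],  # slightly different pressure
    [0.55, 0.25, 0.75, 0.40, 0.65],  # tilted finger
    [0.62, 0.30, 0.70, 0.45, 0.72],  # badly placed finger
]

# Constructed readings from other people
IMPOSTOR_READINGS = [
    [0.10, 0.90, 0.20, 0.70, 0.15],
    [0.30, 0.60, 0.40, 0.50, 0.30],
    [0.58, 0.28, 0.72, 0.42, 0.68],  # coincidentally close to the template
    [0.90, 0.10, 0.30, 0.80, 0.90],
]


def distance(reading, template=TEMPLATE):
    """Euclidean distance between a reading and the template; 0 is a perfect match."""
    return math.sqrt(sum((r - t) ** 2 for r, t in zip(reading, template)))


def accept(reading, threshold, template=TEMPLATE):
    """The device's decision: a close-enough reading is accepted."""
    return distance(reading, template) < threshold


def error_rates(threshold, genuine=GENUINE_READINGS, impostors=IMPOSTOR_READINGS):
    """Return (false_accept_rate, false_reject_rate) for one threshold.

    False accept: an impostor reading is accepted (the slide's false positive).
    False reject: a genuine reading is rejected (the slide's false negative).
    """
    false_accepts = sum(accept(r, threshold) for r in impostors)
    false_rejects = sum(not accept(r, threshold) for r in genuine)
    return false_accepts / len(impostors), false_rejects / len(genuine)


def sweep(thresholds=(0.05, 0.10, 0.15, 0.20, 0.30, 0.50)):
    """Tabulate the trade-off: loosening the threshold trades false rejects for false accepts."""
    return {t: error_rates(t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
```

With these readings a tight threshold (0.15) rejects the badly placed genuine finger but admits no impostor, while a loose one (0.30) accepts every genuine reading and also the near-miss impostor; no single threshold drives both rates to zero, which is why deployments pick the threshold by which error is more costly for the application.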
3. Something the user has
• Something you have means that you have a physical object in your
possession.
• One physical authenticator with which you are probably familiar is a key.
Other familiar examples of tokens are badges and identity cards.
• As the names imply, passive tokens do nothing, and active ones take some
action. A photo or key is an example of a passive token in that the contents
of the token never change. (And, of course, with photos permanence can be
a problem, as people change hair style or color and their faces change over
time.)
• An active token can have some variability or interaction with its
surroundings. For example, some public transportation systems use cards
with a magnetic strip. When you insert the card into a reader, the machine
reads the current balance, subtracts the price of the trip and rewrites a new
balance for the next use. In this case, the token is just a repository to hold
the current value.
• Passive tokens do not change. Active tokens communicate with a sensor.
Static tokens
• The value of a static token remains fixed. Keys, identity cards, passports,
credit and other magnetic-stripe cards, and radio transmitter cards (called
RFID devices) are examples of static tokens. Static tokens are most useful for
onsite authentication: When a guard looks at your picture badge, the fact
that you possess such a badge and that your face looks (at least vaguely)
like the picture causes the guard to pass your authentication and allow you
access.
• Tokens are vulnerable to an attack called skimming. Skimming is the use of
a device to copy authentication data surreptitiously and convey it to an
attacker.
• One form of copying occurs with passwords. If you have to enter or speak
your password, someone else can look over your shoulder or overhear you,
and now that authenticator is easily copied or forged. To overcome copying
of physical tokens or passwords, we can use dynamic tokens.
Dynamic tokens
• A dynamic token is one whose value changes.
• A dynamic authentication token is essentially a device that generates an
unpredictable value that we might call a pass number.
• Some devices change numbers at a particular interval, for example, once a minute;
others change numbers when you press a button, and others compute a new
number in response to an input, sometimes called a challenge.
• Dynamic token generators are useful for remote authentication, especially of a
person to a computer.
• Even if someone else gets the token value, it is valid for only one access, and
knowing that one value will not allow the outsider to guess or generate the next
pass number.
4. Location Factors
• Somewhere the user is.
• Geolocation services to verify that the user is accessing
the system from an expected or approved location.
• IP Address Verification: Allows access only from
certain IP addresses, often used in corporate
settings.
• Geo-Fencing: Grants access only when the user is in a
specific geographical area.
• Three main difficulties around the use of location to
help give confidence that an identity is authentic are:
• Specificity - how much space do you occupy at any
one time?
• Accuracy - consumer hardware is affected by so
many variables that we cannot trust location data to be
accurate at this level of resolution with current
technology.
• Reliability - we need to know that the data
provided, even if really accurate, is authoritative.
Location data as it stands is often trivial to spoof, and there
are also issues with GPS jamming.
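Worked example (added for these notes, not code from the slides) of the two location checks named above, an IP allow-list and a geo-fence, with the accuracy caveat built in: the reported position plus its error radius must fit inside the fence before it counts. The allowed networks (RFC 5737 TEST-NET ranges), the fence centre and the 1 km radius are constructed values. Because the slide's reliability point applies (IP and GPS data can be spoofed), the result is a confidence score for the caller to weigh, not a yes/no authentication decision.

```python
"""Location-factor checks: IP allow-list and geo-fence with an accuracy margin.

Added example, not from the slides. Networks, fence centre and radius are constructed.
"""
import ipaddress
import math

ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
OFFICE = (51.5007, -0.1246)  # constructed fence centre (lat, lon) in degrees
RADIUS_KM = 1.0
EARTH_RADIUS_KM = 6371.0


def ip_allowed(addr):
    """Corporate-style rule: accept only source addresses inside approved ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETWORKS)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def within_geofence(point, accuracy_km=0.0, centre=OFFICE, radius_km=RADIUS_KM):
    """Accept only if the reported position plus its error radius fits inside the fence.

    This is the specificity/accuracy caveat: a fix that is 'somewhere within 2 km'
    of the office cannot satisfy a 1 km fence.
    """
    return haversine_km(point, centre) + accuracy_km <= radius_km


def location_confidence(addr, point, accuracy_km):
    """Count how many location signals agree; the caller decides how much weight they carry."""
    return int(ip_allowed(addr)) + int(within_geofence(point, accuracy_km))


if __name__ == "__main__":
    print(location_confidence("203.0.113.7", (51.5052, -0.1246), 0.4))
```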
5. Behavioral Factor
• Related to the user's behaviour or patterns of interaction.
• e.g., typing speed, mouse movement patterns, and other
behavioural characteristics.
• Uses unique data points to continuously authenticate a user.
• Preserves privacy
• Behavioral biometrics authentication does not reveal user
identity like traditional authentication methods.
• More secure than traditional security measures since it is
almost impossible to replicate.
• Evaluation of user interaction with the device in real time
• Behavioral biometrics authentication evaluates a user’s
ongoing interaction with their device in real time, making it
harder for hackers to get around security measures.
Multi-factor Authentication
• When implementing MFA, it is
recommended to use a combination of
these factors to ensure a higher level of
security.
• e.g., a common MFA setup might involve a
password (knowledge factor) and a one-time
code from an authenticator app (possession
factor).
• This way, even if one factor is compromised, the
attacker would still need the other factor to gain
access.
Brute Force Hacking
• This method does not rely on any specialized knowledge or vulnerabilities in
the system; instead, it relies on the sheer computational power and
persistence of the attacker.
1. Selection of Target: The attacker identifies a target (like an email or social
media account, website, server, or application) that they want to access.
2. Credential List: The attacker compiles a list of potential usernames and
passwords. e.g., common passwords, dictionary words, or by harvesting data
from previous breaches.
3. Iteration: The attacker uses a program to automate the process of attempting to log
in. The program iterates through the list of usernames and tries each one
with every password.
4. Testing Credentials: For each combination of username and password, the
program sends a login request to the target system. If the combination is correct,
the attacker gains access.
5. Iterative Process: The process continues until the correct combination is found
or the end of the list is reached.
6. Time and Resources: The success of a brute force attack depends on the
strength and complexity of the passwords, the computational power available to
the attacker, and the effectiveness of any countermeasures in place (such as
account lockouts after a certain number of failed login attempts).
Brute Force Hacking
7. Variations:
1. Simple Brute Force: This involves systematically trying every possible
combination of characters until the correct one is found.
2. Dictionary Attacks: Attacker uses a list of commonly used passwords
or dictionary words, potentially supplemented with variations (e.g.,
"password123")
3. Hybrid Attacks: These combine elements of dictionary attacks with
variations and patterns that users commonly use to create passwords.
8. Countermeasures:
1. Account Lockouts: After a certain number of failed login attempts, an
account may be temporarily locked to prevent further unauthorized
access attempts.
2. CAPTCHA: CAPTCHA challenges can be used to differentiate between
human users and automated scripts.
3. Strong Password Policies: Requiring complex passwords with a
combination of uppercase, lowercase, numbers, and special
characters can significantly increase the difficulty of a successful brute
force attack.
4. Multi-Factor Authentication (MFA)
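Worked example (added for these notes, not code from the slides) of the first countermeasure, an account lockout after repeated failed logins. The threshold of 5 failures and the 15-minute lockout are constructed policy values, and the clock is injected so the behaviour can be exercised without waiting. The lock is checked before the credential is verified, so a locked account rejects even the correct password, and simulate_guessing() walks a constructed credential list the way the automated login program in step 3 would, to show how few guesses are actually evaluated.

```python
"""Account lockout after repeated failed logins.

Added example, not from the slides. MAX_FAILURES and LOCKOUT_SECONDS are
constructed policy values; the clock is injectable for testing.
"""
import time

MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


class LoginGuard:
    def __init__(self, clock=time.monotonic, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS):
        self.clock = clock
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        return self.locked_until.get(account, 0.0) > self.clock()

    def attempt(self, account, check_credential):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'.

        check_credential is called only when the account is not locked, so a
        locked account costs the server no password verification at all.
        """
        if self.is_locked(account):
            return "locked"
        if check_credential():
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            self.failures.pop(account, None)  # counter restarts once the lock expires
        return "failed"


def simulate_guessing(guard, account, guesses, real_password):
    """Walk a credential list as the automated program in step 3 would.

    Returns how many guesses the server actually evaluated before the lock
    stopped them, and whether the real password was reached.
    """
    evaluated = 0
    for guess in guesses:
        def check(guess=guess):
            nonlocal evaluated
            evaluated += 1
            return guess == real_password

        if guard.attempt(account, check) == "ok":
            return {"evaluated": evaluated, "found": True}
    return {"evaluated": evaluated, "found": False}


if __name__ == "__main__":
    # Constructed list of guesses; the real password is last
    guesses = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2", "s3cret"]
    print(simulate_guessing(LoginGuard(), "bob", guesses, "s3cret"))
```

A per-account lock alone has two gaps a practitioner should close: the same program can spread its guesses across many usernames (a few per account, below the threshold), and anyone who knows a username can lock its owner out on purpose. Pairing the account counter with per-source rate limiting, and with the MFA requirement in item 4, covers both.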