User Authentication
The process of verifying an identity claimed by or for a system entity
Identification step
Presenting an identifier to the security system
Verification step
Presenting or generating authentication information that corroborates the binding between the entity and the identifier
The four means of authenticating user identity are based on:
something the individual knows (passwords, pins)
something the individual possesses (key, debit card)
something the individual is (physical features)
something the individual does (handwriting, voice patterns)
Static Biometrics
Recognition by fingerprint, retina, and face
Dynamic Biometrics
Voice pattern, handwriting characteristics, and typing rhythm.
Risk assessment for user authentication
Assurance level
Potential impact
Areas of risk
Assurance Level
Describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity
Potential Impact
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Password Authentication
- Widely used line of defense against intruders
> User provides name/login and password
> System compares the password with the one stored for that login
- The user ID:
> Determines that the user is authorized to access the system
> Determines the user's privileges
> Is used in discretionary access control
Some password vulnerabilities
Offline dictionary attack
Specific account attack
Popular password attack
Password guessing against a single user
Unix Implementation:
1.) 12-bit salt used to modify DES into a one-way hash function
2.) DES applied to a zero value, repeated 25 times
3.) Output translated into an 11-character sequence
Improved Implementations
Recommended hash function is based on MD5
Salt of up to 48 bits
Password length is unlimited
Produces 128-bit hash
Uses an inner loop with 1000 iterations to slow down hashing
Four password cracking approaches
Dictionary Attacks
Rainbow Table Attack
Password crackers
John the Ripper (password cracker, released in 1996)
Four password selection strategies
User education
Computer-generated passwords
Reactive password checking
Complex password policy
Proactive Password Checking
Password Cracker
Rule enforcement
Bloom filter
Four card types
Embossed (Old credit card)
Magnetic Stripe (Bank Card)
Memory (Prepaid phone card)
Smart (Biometric ID card)
Memory card
Can only store data, not process it.
Most commonly found as a magnetic stripe card
Smart Token
A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
Smart Cards
Credit card sized card containing a microchip for data storage and processing.
Electronic Identity Cards (eID)
Use of a smart card as a national identity card for citizens
Biometric Authentication
Uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users
Remote User Authentication
- Authentication over a network, the Internet, or a communications link is more complex
- Additional security threats such as: eavesdropping, capturing a password, and replaying an authentication sequence that has been observed
- Generally relies on some form of challenge-response protocol to counter these threats
Six authentication security issues
Eavesdropping
Denial-of-Service
Host Attacks
Trojan Horse
Client Attacks
Replay