Lecture 14


ECEG-6530

Computer (and Network) Security

Authentication, Passwords

Definition
•  Authentication is the process of validating the identity of someone or something.
•  Generally, authentication requires the presentation of credentials or items of value to prove the claim of who you are.
•  The items of value or credentials are based on several unique factors that show something you know, something you have, or something you are.

  – Something you know: this may be something you mentally possess, such as a password, a secret word known by the user and the authenticator.
  – Something you have: this may be any form of issued or acquired self-identification such as:
      • SecurID
      • CryptoCard
      • Activcard
      • SafeWord
      • and many other forms of cards and tags.
  – Something you are: a naturally acquired physical characteristic such as voice, fingerprint, iris pattern and other biometrics.
  – In addition to the top three factors, another factor, though indirect, also plays a part in authentication:
      • Somewhere you are: this is usually based on either the physical or the logical location of the user. The user, for example, may be on a terminal that can be used to access certain resources.

Review: Three Categories
•  What you know
  – Password
  – PIN
•  What you have
  – e-Token
  – RFID (Radio Frequency Identification)
•  Who you are
  – Biometrics

eToken
•  May store credentials such as passwords, digital signatures and certificates, and private keys
•  Can offer on-board authentication and digital signing

RFID (Radio Frequency Identification)
•  13.56 MHz read/write support
•  May communicate with a variety of transponders (ISO 15693, ISO 14443 Type A & B, TagIt, Icode, etc.)
•  Reader is controlled via a PCMCIA interface using an ASCII protocol
•  In general authentication takes one of the following three forms:
  – Basic authentication involving a server. The server maintains a user file of either passwords and user names or some other useful piece of authenticating information. This information is always examined before authorization is granted.
  – Challenge-response, in which the server or any other authenticating system generates a challenge to the host requesting authentication and expects a response.
  – Centralized authentication, in which a central server authenticates users on the network and in addition also authorizes and audits them.
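The challenge-response form described above, as an added example that is not part of the lecture slides: the server issues a fresh random nonce, the client answers with an HMAC of that nonce keyed by the shared secret, and the server recomputes and compares. The secret itself never crosses the wire, and a captured response is useless later because each nonce is single-use and expires. The user name, secret, timeout and class names are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one user and a shared secret. A real server would not
# keep the raw secret; this block only shows the challenge/response flow.
SHARED_SECRETS = {"alice": b"correct horse battery staple"}


class Server:
    """Authenticating system: hands out a fresh nonce and checks the reply."""

    def __init__(self, secrets_db, ttl_seconds=30):
        self.secrets_db = secrets_db
        self.ttl = ttl_seconds
        self.pending = {}  # username -> (nonce, time issued)

    def challenge(self, username, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)  # unpredictable and never reused
        self.pending[username] = (nonce, now)
        return nonce

    def verify(self, username, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(username, None)  # a nonce is single-use
        if entry is None:
            return False
        nonce, issued = entry
        if now - issued > self.ttl:
            return False  # stale challenge
        secret = self.secrets_db.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class Client:
    """Host requesting authentication: proves knowledge of the secret without sending it."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def respond(self, nonce):
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


def run_exchange(server, client, now=0):
    """One full round trip; True when the server accepts the client's response."""
    nonce = server.challenge(client.username, now=now)
    response = client.respond(nonce)
    return server.verify(client.username, response, now=now + 1)


def replay_is_rejected(now=0):
    """A captured valid response must fail on replay because its nonce was consumed."""
    server = Server(SHARED_SECRETS)
    client = Client("alice", SHARED_SECRETS["alice"])
    nonce = server.challenge("alice", now=now)
    response = client.respond(nonce)
    first = server.verify("alice", response, now=now + 1)
    second = server.verify("alice", response, now=now + 2)
    return first and not second


if __name__ == "__main__":
    srv = Server(SHARED_SECRETS)
    print("good secret:", run_exchange(srv, Client("alice", SHARED_SECRETS["alice"])))
    print("wrong secret:", run_exchange(srv, Client("alice", b"guess")))
    print("replay rejected:", replay_is_rejected())
```

The same exchange still falls to an off-line dictionary attack by anyone who holds the server's secret store, which is why the later slides on password storage matter as much as the protocol itself.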

Multiple Factors and Effectiveness of Authentication
•  To increase authentication effectiveness, a scheme with multiple methods is used. Systems using a scheme with two or more methods can result in greater system security.
•  The popular technique, referred to as multi-factor authentication, overcomes the limitations of any single authentication method.

Authentication Elements
•  An authentication process is based on the following five elements:
  1. Person or Group Seeking Authentication - usually users who seek access to a system either individually or as a group. If individually, they must be prepared to present to the authenticator evidence to support the claim that they are actually authorized to use the requested system resource.
  2. Distinguishing Characteristics for Authentication - user characteristics are grouped into four factors: something you know, something you have, something you are, and a weaker one, somewhere you are. In each of these factors, there are items that a user can present to the authenticator for authorization to use the system.
  3. The Authenticator - positively and sometimes automatically identifies the user and indicates whether that user is authorized to access the requested system resource.
  4. The Authentication Mechanism - consists of three parts that work together to verify the presence of the authenticating characteristics provided by the user:
     – the input,
     – the transportation system,
     – and the verifier.
  5. Access Control Mechanism - user identifying and authenticating information is passed to access control from the transport component. That information is validated against the information in its database, residing on a dedicated authentication server if the system operates in a network, or stored in a file on a local medium.
Types of Authentication
•  There are two basic types of authentication: non-repudiable and repudiable. Other types of authentication include user, client, and session authentication.
  – Non-repudiable Authentication - involves characteristics whose proof of origin cannot be denied. Such characteristics include biometrics like iris patterns, retinal images, and hand geometry, and they positively verify the identity of the individual.
  – Repudiable Authentication - involves the factors “what you know” and “what you have,” which can present problems to the authenticator because the information presented can be unreliable: such factors suffer from several well-known problems, including the fact that possessions can be lost, forged, or easily duplicated.
Authentication Methods
•  There are several authentication methods including: password, public-key, anonymous, remote and certificate-based authentication.
  – Password authentication - the oldest and the easiest to implement. It includes reusable passwords, one-time passwords, challenge-response passwords, and combined-approach passwords.
  – Public Key Authentication - requires each user of the scheme to first generate a pair of keys and store each in a file. Each key is usually between 1024 and 2048 bits in length. Public/private key pairs are typically created using a key generation utility. The server knows the user's public key because it is published widely. However, only the user has the private key.
  – Anonymous Authentication - clients who do not intend to modify entries or access protected attributes or entries on a system typically use anonymous authentication. Mostly these users are not indigenous users, in the sense that they do not have membership in the system they want to access. They access the system via a special “anonymous” account.
  – Digital Signature-Based Authentication - an authentication technique that does not require passwords and user names. It consists of an electronic signature that uses public key infrastructure (PKI) to verify the identity of the sender of a message or of the signer of a document. The scheme may include a number of algorithms and functions including the Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), account authority digital signature, authentication function, and signing function.
  – Wireless Authentication - an IEEE 802.1X, Extensible Authentication Protocol (EAP) scheme that authenticates mobile devices as they connect to fixed networks as well as mobile networks. This authentication requires Wi-Fi mobile units to authenticate with network operating systems such as Windows XP.
Developing an Authentication Policy
•  In many organizations the type of authentication used is not part of the security policy; therefore, few have a say in what authentication policy is used. It is becoming increasingly popular to involve as wide a spectrum of users as possible in the development of the authentication policy. Sometimes it even requires input from the business and IT representative communities that do business with the organization.
•  This is sometimes key to ensuring acceptance and compliance by those communities.
•  Several steps are necessary for a good authentication policy:
  – List and categorize the resources that need to be accessed, whether these resources are data or systems. Categorize them by their business sensitivity and criticality.
  – Define the requirements for access to each of the above categories, taking into account both the value of the resource in the category and the method of access.
  – Set requirements for passwords and IDs.
  – Create and implement processes for the management of authentication systems.
  – Communicate policies and procedures to all concerned in the organization and outside it. The creation of policies

PASSWORDS

Password-based protocols
•  Password-based authentication
  – Any system based on a low-entropy shared secret (note: different from book definitions!)
  – Dictionary attacks are a problem
•  Any password-based protocol is vulnerable to an “on-line” dictionary attack
  – On-line attacks can be detected and limited

Password-based protocols
•  Any password-based protocol is vulnerable to an off-line dictionary attack if the server is compromised (why?)
•  Goal: a password-based protocol should be secure against off-line attacks when the server is not compromised
  – Unfortunately, this has not been the case in practice (e.g., telnet, cell phones, etc.)
Password Guessing
•  one of the most common attacks
•  attacker knows a login (from email/web page etc.)
•  then attempts to guess the password for it
  – try default passwords shipped with systems
  – try all short passwords
  – then try by searching dictionaries of common words
  – intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
  – before exhaustively searching all possible passwords
•  check by login attempt or against a stolen password file
•  success depends on the password chosen by the user
•  surveys show many users choose poorly
Password Capture
•  another attack involves password capture
  – watching over the shoulder as the password is entered
  – using a trojan horse program to collect it
  – monitoring an insecure network login (e.g. telnet, FTP, web, email)
  – extracting recorded info after a successful login (web history/cache, last number dialed etc.)
•  using a valid login/password can impersonate the user
•  users need to be educated to use suitable precautions/countermeasures
Password selection
•  User selection of passwords is typically very weak
  – Lower-entropy passwords make dictionary attacks easier
•  Typical passwords:
  – Derived from account names or usernames
  – Dictionary words, reversed dictionary words, or small modifications of dictionary words
  – Etc.

Better password selection
•  Non-alphanumeric characters
•  Longer phrases
•  Can try to enforce good password selection…
•  …but these types of passwords are difficult for people to memorize and type!
Password storage
•  In the clear…
•  Hash of password
•  “Salt”-ed hash of password
  – Makes bulk dictionary attacks harder, but no harder to attack a particular password
•  Centralized server stores password
•  Threshold storage of password
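The first three storage options above, as an added example that is not part of the lecture: a verifier kept in the clear, an unsalted SHA-256 hash, and a salted, iterated hash (PBKDF2-HMAC-SHA256). The `bulk_lookup_hits` function makes the slide's point about salt concrete: one precomputed table of hashed common words finds every unsalted user who chose one of them, but matches nothing in the salted store, because each salt would need its own table. The salted case is still no stronger against someone working on one particular account. The user names, passwords, word list, iteration count and storage string format are all constructed for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption for this example, not a tuning recommendation


def store_plain(password):
    """In the clear: the stored verifier *is* the password."""
    return password


def verify_plain(stored, password):
    return hmac.compare_digest(stored.encode(), password.encode())


def store_unsalted(password):
    """Hash only: equal passwords give equal verifiers, so one table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify_unsalted(stored, password):
    return hmac.compare_digest(stored, store_unsalted(password))


def store_salted(password, salt=None):
    """Salted, iterated hash; the '$'-separated record format is this example's own."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_salted(stored, password):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample: three users, two of whom chose the same common password.
SAMPLE_USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "Zq9!vR2#pLm"}
COMMON_WORDS = ["password", "letmein", "sunshine", "dragon", "qwerty"]  # constructed list


def bulk_lookup_hits(stored_db):
    """Count stored verifiers that fall to ONE precomputed table of hashed common words.
    The table is built once and reused for every user, which is exactly what salting prevents."""
    table = {store_unsalted(w) for w in COMMON_WORDS}
    return sum(1 for v in stored_db.values() if v in table)


def same_password_visible(stored_db):
    """True when storage alone reveals that two accounts share a password."""
    values = list(stored_db.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    unsalted_db = {u: store_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted_db = {u: store_salted(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted: table hits =", bulk_lookup_hits(unsalted_db),
          "duplicates visible =", same_password_visible(unsalted_db))
    print("salted:   table hits =", bulk_lookup_hits(salted_db),
          "duplicates visible =", same_password_visible(salted_db))
    print("carol logs in:", verify_salted(salted_db["carol"], "Zq9!vR2#pLm"))
```

All three verifiers use `hmac.compare_digest` so that the comparison takes the same time whether the first or the last byte differs; the iteration count in the salted record is stored alongside the salt so it can be raised later without invalidating old entries.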
Centralized password storage
•  Authentication storage node
  – Central server stores the password; servers request the password to authenticate the user
•  Auth. facilitator node
  – Central server stores the password; servers send information from the user to be authenticated by the central server
•  Note that the central server must be authenticated!
Password Management
•  front-line defense against intruders
•  users supply both:
  – login – determines the privileges of that user
  – password – to identify them
•  passwords often stored encrypted
  – Unix uses multiple DES (variant with salt)
  – more recent systems use a crypto hash function
Managing Passwords
•  need policies and good user education
•  ensure every account has a default password
•  ensure users change the default passwords to something they can remember
•  protect the password file from general access
•  set technical policies to enforce good passwords
  – minimum length (>6)
  – require a mix of upper & lower case letters, numbers, punctuation
  – block known dictionary words
Managing Passwords
•  may reactively run password guessing tools
  – note that good dictionaries exist for almost any language/interest group
•  may enforce periodic changing of passwords
•  have the system monitor failed login attempts, & lock out the account if it sees too many in a short period
•  do need to educate users and get support
•  balance requirements with user acceptance
•  be aware of social engineering attacks
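The failed-login monitoring and lockout rule from the slide above, as an added example that is not part of the lecture: it parses a constructed authentication log, keeps a sliding window of failures per account, locks an account once the threshold is reached inside the window, and separately counts failures per source address, since a guessing run spread over many accounts may never trip a per-account lockout. The log format, addresses, user names, threshold and window are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log excerpt; the line format is this example's own, not a real daemon's.
SAMPLE_LOG = """\
2024-03-01T09:00:01 login: FAILED user=bob src=203.0.113.5
2024-03-01T09:00:04 login: FAILED user=bob src=203.0.113.5
2024-03-01T09:00:07 login: FAILED user=bob src=203.0.113.5
2024-03-01T09:00:09 login: FAILED user=alice src=198.51.100.7
2024-03-01T09:00:11 login: FAILED user=bob src=203.0.113.5
2024-03-01T09:00:15 login: FAILED user=bob src=203.0.113.5
2024-03-01T09:00:20 login: OK user=alice src=198.51.100.7
2024-03-01T09:01:00 login: FAILED user=carol src=192.0.2.9
2024-03-01T09:03:30 login: FAILED user=carol src=192.0.2.9
2024-03-01T09:06:00 login: FAILED user=carol src=192.0.2.9
2024-03-01T09:08:30 login: FAILED user=carol src=192.0.2.9
2024-03-01T09:11:00 login: FAILED user=carol src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) login: (FAILED|OK) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src


def find_lockouts(log_text, max_failures=5, window_seconds=60):
    """Map each account that reached max_failures failed logins inside a sliding
    window to the ISO timestamp of the failure that triggered the lockout."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    locked = {}
    for ts, result, user, _src in parse(log_text):
        if user in locked:
            continue  # already locked; later lines do not change that
        if result == "OK":
            recent[user].clear()  # a successful login resets the failure streak
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= max_failures:
            locked[user] = ts.isoformat()
    return locked


def failures_by_source(log_text):
    """Count failed logins per source address, regardless of which account was tried."""
    counts = defaultdict(int)
    for _ts, result, _user, src in parse(log_text):
        if result == "FAILED":
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print("locked out:", find_lockouts(SAMPLE_LOG))
    print("with a 15-minute window:", find_lockouts(SAMPLE_LOG, window_seconds=900))
    print("failures per source:", failures_by_source(SAMPLE_LOG))
```

With the default 60-second window only bob is locked; carol's five failures are spaced 150 seconds apart and slip through, which is why the window length is a policy decision and why the per-source count is worth keeping alongside the per-account one. Lockout also hands an attacker a way to deny service to any account whose name they know, so a short automatic unlock or a progressive delay is the usual compromise.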
Proactive Password Checking
•  most promising approach to improving password security
•  allow users to select their own password
•  but have the system verify it is acceptable
  – simple rule enforcement (see previous slide)
  – compare against a dictionary of bad passwords
  – use algorithmic methods (Markov model or Bloom filter) to detect poor choices
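A proactive checker combining the three approaches on this slide and the rules from the previous one, as an added example that is not part of the lecture: the simple rules (length > 6, mixed case, digit, punctuation), a check that the password is not derived from the user name, and a dictionary of bad words held in a Bloom filter, queried both with the stripped-down password and its reverse so that "Dragon99!" and "nogarD7!" are both caught. The Markov-model variant is not implemented here. The word list, filter size, hash count and rule texts are all constructed for this example.

```python
import hashlib
import string


class BloomFilter:
    """Compact set-membership test: no false negatives, a small false-positive rate."""

    def __init__(self, num_bits=8192, num_hashes=3):
        self.m = num_bits
        self.k = num_hashes
        self.bits = bytearray(num_bits // 8)

    def _positions(self, item):
        # k independent positions derived from SHA-256 with a per-hash prefix
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


# Constructed dictionary of bad passwords; a deployment would load a large word list.
BAD_WORDS = ["password", "letmein", "sunshine", "dragon", "qwerty", "welcome", "monkey"]
BAD_FILTER = BloomFilter()
for _w in BAD_WORDS:
    BAD_FILTER.add(_w)

MIN_LENGTH = 7  # the slide's "minimum length (>6)"


def normalise(pw):
    """Keep only letters, lower-cased, so 'Dragon99!' is still recognised as 'dragon'."""
    return "".join(ch for ch in pw if ch.isalpha()).lower()


def check_password(username, password):
    """Return the list of reasons the password is rejected; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        reasons.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        reasons.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("needs punctuation")
    lowered = password.lower()
    uname = username.lower()
    if uname and (uname in lowered or uname[::-1] in lowered):
        reasons.append("derived from the username")
    core = normalise(password)
    if core and (core in BAD_FILTER or core[::-1] in BAD_FILTER):
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    for user, pw in [("bob", "password"), ("alice", "Dragon99!"),
                     ("alice", "nogarD7!"), ("alice", "Ecila#2024"), ("alice", "Tr0ub4dor&3")]:
        print(user, repr(pw), "->", check_password(user, pw) or "accepted")
```

The Bloom filter is the right structure here because a rejection on a false positive only costs the user a second attempt, while a false negative (a bad word slipping through) never happens; the filter's size sets the trade-off between memory and how often a good password is needlessly refused.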
