User Authentication Flashcards
Name the three general credential categories, also called authentication factors.
Knowledge
Ownership
Inherence (biometrics)
Give examples for a wide-spread commercial 2-factor authentication system, and name the involved factors.
ATM (card + pin)
Google (password + phone)
User authentication credentials
A credential is the ‘thing’ used for authentication.
Credential categories ("factors") and typical examples:
1. Knowledge-based ("something you know"): e.g. passwords
2. Ownership-based ("something you have"): e.g. tokens
3. Inherence-based ("something you are/do"): e.g. biometrics (physiological biometric characteristics, behavioural biometric characteristics)
4. Secondary channel (a channel you control): SMS, email, etc.
Combinations of factors are called multi-factor authentication.
How are passwords stored? (Hash function)
Passwords are typically stored as hash values.
A hash function is easy to compute but hard to invert.
The authentication function first computes the hash of the received password, then compares it against the stored hash value.
3 strategies for cracking passwords
Cracking hashed passwords:
The attacker hashes a possible password and checks if the hash value is found in the password file. The password has been cracked if the hash value is found.
Brute-force search:
Hash and check all possible passwords (a powerful GPU computer can test passwords up to 8 characters in 1 day)
Intelligent search:
- User names
- Names of friends/relatives
- Phone numbers
- Birth dates
Dictionary attack:
- Try all words from a dictionary
Password salting
Appending random data (salt) to a user's password before hashing.
- In Unix: a randomly chosen integer from 0 to 4095.
- Different salt for each user
- Produces different hashes for equal passwords
- Prevents users with identical passwords from getting the same password hash value
- Increases the amount of work for hash precomputation
- Makes it necessary to compute a new table for each user
- Makes hash tables and rainbow tables impractical for password cracking
Brute-force attacks
The effort of brute-force attacks depends on:
- The length and complexity of passwords
- The complexity of the hash algorithm
Bcrypt
Special hashing algorithm.
Has high memory consumption.
Scrypt
Special hashing algorithm.
Has a very high memory consumption.
Argon2
Currently the best password hashing function.
Password Do's and Don'ts
Never send unprotected passwords in clear.
A password sent "in clear" can be captured during transmission, so an attacker may reuse it. An attacker setting up a fake server can get the password from the user (e.g. a phishing attack).
Solutions to these problems include:
- Encrypted communication channel
- One-time passwords (token-based authentication)
- Challenge-response protocols
OTP Token
A one-time password (OTP) is a type of password that is valid for only one use.
An OTP is a security technique that provides protection against various password-based attacks, specifically password sniffing and replay attacks.
It provides stronger protection than static passwords, which remain the same for multiple login sessions. OTPs are produced by algorithms that generate a new, random password each time one is used.
Comparison characteristics
False positives etc
Coming
E-authentication for e-Gov.
Trust in identity is a requirement for e-Government
Authentication assurance produces identity trust.
Authentication depends on technology, policy, standards, practice, awareness and regulation.
Common e-authentication frameworks allow cross-national and cross-organisational solutions that give convenience, cost savings and security.
RAU Norway 2008
Rammeverk for Autentisering og Uavviselighet (Framework for Authentication and Non-Repudiation)
RAU AAL-4: High authentication assurance
E.g. two-factor, where at least one factor must be dynamic, and at least one is provisioned in person
RAU AAL-3: Moderate authentication assurance
E.g. OTP calculator with PIN provisioned by mail to the user's official address
RAU AAL-2: Low authentication assurance
E.g. fixed password provisioned in person or by mail to the user's official address
RAU AAL-1: Little or no authentication assurance
E.g. online self-registration and self-chosen password
Norway adopted eIDAS in 2018 (RAU will no longer be used).
Authentication Assurance
Authentication assurance = robustness of authentication
Resources have different sensitivity levels
High sensitivity gives high risk in case of authentication failure
Authentication has a cost
Unnecessary authentication assurance is a waste of money
Authentication assurance should balance authentication risk
Biometrics requirements
Universality: Each person should have the characteristic;
Distinctiveness: Any two persons should be sufficiently different in terms of the characteristic;
Permanence: The characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time;
Collectability: The characteristic should be measurable quantitatively.
Biometrics practical considerations
Accuracy: the correctness of a biometric system, expressed as EER (Equal Error Rate), where a low EER is desirable.
Performance: the achievable speed of analysis, and the resources required to achieve the desired speed.
Acceptability: the extent to which people are willing to accept the use of a biometric identifier (characteristic).
Circumvention resistance: the difficulty of fooling the biometric system.
Safety: whether the biometric system is safe to use.
Biometric examples
- fingerprint
- facial recognition
- eye retina/iris scanning
- hand geometry
- written signature
- voice print
- keystroke dynamics
Biometric safety
Biometric authentication can be a safety risk.
Attackers might want to "steal" body parts.
Subjects can be put under duress to produce the biometric authenticator.
It is necessary to consider the physical environment where biometric authentication takes place.
Car thieves chopped off part of the driver's left index finger to start an S-Class Mercedes Benz equipped with a fingerprint key (Malaysia, March 2005; NST picture by Mohd Said Samad).
Biometrics: modes of operation
Enrolment:
- analogue capture of the user's biometric attribute
- processing of this captured data to develop a template of the user's attribute, which is stored for later use
Verification of claimed identity (1:1, one-to-one):
- capture of a new biometric sample
- comparison of the new sample with the user's stored template
Identification (1:N, one-to-many):
- capture of a new biometric sample
- search of the database of stored templates for a match, based solely on the biometric
Evaluating Biometrics
Features from the captured sample are compared against those of the stored template sample.
A score s is derived from the comparison.
A better match leads to a higher score.
The system decision is tuned by a threshold T:
The system gives a match (same person) when the sample comparison generates a score s where s ≥ T.
The system gives a non-match (different person) when the sample comparison generates a score s where s < T.