User Authentication Flashcards

1
Q

Name the three general credential categories, also called authentication factors.

A

Knowledge
Ownership
Inherence (biometrics)

2
Q

Give examples of widespread commercial two-factor authentication systems, and name the factors involved.

A

ATM: card (ownership) + PIN (knowledge)

Google: password (knowledge) + phone (ownership: a code sent to, or generated on, the phone)

3
Q

User authentication credentials

A

A credential is the ‘thing’ used for authentication.

Credential categories (“factors”) and typical examples:
1. Knowledge-based (“something you know”): e.g. passwords
2. Ownership-based (“something you have”): e.g. tokens
3. Inherence-based (“something you are/do”): e.g. biometrics, both physiological biometric characteristics and behavioural biometric characteristics
4. Secondary channel (a channel you control): SMS, email, etc.

Combinations of factors from different categories are called multi-factor authentication.

4
Q

How are passwords stored? (Hash function)

A

Passwords are typically stored as hash values, never in clear.
A hash function is easy to compute but hard to invert, so a stolen hash does not directly reveal the password.

The authentication function first computes the hash of the received password, then compares it against the stored hash value.

5
Q

3 strategies for cracking passwords

A

Cracking hashed passwords:
The attacker hashes a candidate password and checks whether the hash value is found in the password file. The password has been cracked if the hash value is found. Without a salt, one candidate hash can be checked against every entry in the file at once.

Brute-force search:
Hash and check all possible passwords (a powerful GPU computer can test all passwords up to 8 characters in about 1 day)

Intelligent search:

  • User names
  • Names of friends/relatives
  • Phone numbers
  • Birth dates
  • Dictionary attack: try all words from a dictionary, plus common variants (capitalisation, appended digits)
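The three strategies above, as an added example that is not part of the original flashcards. The “password file” is a constructed dictionary of unsalted SHA-256 hashes for hypothetical users, and the word list and personal data are constructed too; the point is that every candidate is hashed once and looked up against all stored hashes at the same time.

```python
import hashlib
import itertools
import string

# Constructed sample "password file" of unsalted SHA-256 hashes (hypothetical
# users). Without a salt, one candidate hash can be checked against every
# entry at once.
PASSWORD_FILE = {
    "alice": hashlib.sha256(b"sunshine").hexdigest(),
    "bob": hashlib.sha256(b"bob1985").hexdigest(),
    "carol": hashlib.sha256(b"7f3").hexdigest(),
}

# Constructed word list and per-user personal data for the intelligent search.
DICTIONARY = ["letmein", "password", "sunshine", "qwerty"]
PERSONAL = {"bob": ["bob", "smith", "1985"], "alice": ["alice", "1990"]}


def crack_with_candidates(password_file, candidates):
    """Hash each candidate once and look it up against every stored hash.
    Returns {username: cleartext} for the entries that were cracked."""
    by_hash = {}
    for user, h in password_file.items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    for guess in candidates:
        h = hashlib.sha256(guess.encode()).hexdigest()
        for user in by_hash.get(h, []):
            cracked[user] = guess
    return cracked


def dictionary_candidates(words):
    """Dictionary attack: every word from the list, plus the simple
    capitalisation/digit variants users tend to add."""
    for w in words:
        yield w
        yield w.capitalize()
        for d in range(10):
            yield f"{w}{d}"


def intelligent_candidates(personal):
    """Intelligent search: names, dates and their pairwise concatenations."""
    for facts in personal.values():
        for f in facts:
            yield f
        for a, b in itertools.permutations(facts, 2):
            yield a + b


def brute_force_candidates(alphabet, max_len):
    """Exhaustive search over all strings up to max_len. The cost grows as
    |alphabet| ** length, which is why length matters most."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def run_all_strategies():
    """Run the three strategies against the constructed file."""
    cracked = {}
    cracked.update(crack_with_candidates(PASSWORD_FILE, dictionary_candidates(DICTIONARY)))
    cracked.update(crack_with_candidates(PASSWORD_FILE, intelligent_candidates(PERSONAL)))
    # 36 ** 3 = 46,656 candidates: instant here, hopeless beyond ~8 characters.
    alphabet = string.ascii_lowercase + string.digits
    cracked.update(crack_with_candidates(PASSWORD_FILE, brute_force_candidates(alphabet, 3)))
    return cracked
```

Each strategy only changes where the candidates come from; the lookup step is the same, which is exactly what a per-user salt breaks.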
6
Q

Password salting

A

Appending random data (salt) to a user's password before hashing, and storing the salt next to the hash.

  • In classic Unix crypt(3): a 12-bit salt, i.e. a randomly chosen integer from 0 to 4095 (modern schemes use 16 random bytes or more)
  • Different salt for each user
  • Produces different hashes for equal passwords
  • Prevents users with identical passwords from getting the same password hash value
  • Increases the amount of work for hash precomputation
  • Makes it necessary to compute a new table for each salt value, i.e. for each user
  • Makes hash tables and rainbow tables impractical for password cracking
7
Q

BruteForce Attacks

A

The effort of brute-force attacks depends on:

  • The length and complexity of the passwords (the size of the search space)
  • The cost of the hash algorithm (how much time and memory each guess takes)
8
Q

Bcrypt

A

Password hashing function (Provos and Mazières, 1999) built on the Blowfish key schedule.

Has an adjustable work factor that makes each guess slower, but uses only a small fixed amount of memory (about 4 KB), so it is CPU-hard rather than memory-hard.

9
Q

Scrypt

A

Password hashing function (Percival, 2009) designed to be memory-hard.

Has a very high, tunable memory consumption: each guess needs a large table in RAM, which is expensive to parallelise on GPUs and ASICs.
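What “memory consumption” means for scrypt, as an added example that is not part of the original flashcards. It uses `hashlib.scrypt` from the standard library (needs Python built against OpenSSL 1.1 or later) and checks the result against the RFC 7914 test vectors; the formula for the table size follows from the scrypt construction, where ROMix keeps N blocks of 128·r bytes.

```python
import hashlib


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Memory the scrypt core (ROMix) needs: a table of n blocks of 128*r bytes.
    This is the part an attacker cannot trade away cheaply on GPUs or ASICs."""
    return 128 * r * n


def derive(password: bytes, salt: bytes, n: int, r: int, p: int, dklen: int = 64) -> bytes:
    """Derive a key; maxmem must cover the ROMix table or OpenSSL refuses,
    so add 1 MiB of slack for the blocks that live outside the table."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=dklen,
                          maxmem=scrypt_memory_bytes(n, r) + 1024 * 1024)


def rfc7914_vector_1() -> str:
    """RFC 7914 section 12, first vector: P="", S="", N=16, r=1, p=1."""
    return derive(b"", b"", 16, 1, 1).hex()


def rfc7914_vector_2() -> str:
    """RFC 7914 section 12, second vector: P="password", S="NaCl",
    N=1024, r=8, p=16 (a 1 MiB table)."""
    return derive(b"password", b"NaCl", 1024, 8, 16).hex()


def memory_table() -> dict:
    """Memory per guess for common parameter choices (r=8). Going from
    n=2**14 to n=2**20 moves the cost from 16 MiB to 1 GiB per guess."""
    return {n: scrypt_memory_bytes(n, 8) for n in (2 ** 14, 2 ** 17, 2 ** 20)}
```

Compare with bcrypt from the previous card, whose memory use is fixed at a few kilobytes: with scrypt the defender chooses how much RAM every guess costs the attacker.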

10
Q

Argon2

A

Winner of the Password Hashing Competition (2015) and currently the recommended password hashing function. Memory-hard, with separately tunable memory, time and parallelism parameters; the Argon2id variant is the one recommended for password hashing.

11
Q

Password Do’s and Dont’s

A

Never send unprotected passwords in clear.
A password sent “in clear” can be captured during transmission, and the attacker can then reuse it. An attacker who sets up a fake server can also obtain the password directly from the user (e.g. a phishing attack).

Solutions to these problems include:

  • Encrypted communication channel (protects against sniffing, not against a fake server the user trusts)
  • One-time passwords (token-based authentication)
  • Challenge-response protocols (the password itself never crosses the wire)
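A challenge-response exchange with both sides' messages, as an added example that is not part of the original flashcards. The user name, password, salt and the choice of HMAC-SHA256 over a 16-byte nonce are assumptions for the example, and the user store is constructed in memory; the server never sees the password, and a captured response is useless once the nonce changes.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def derive_secret(password: str, salt: bytes) -> bytes:
    """Shared secret derived from the password at enrolment (constructed
    parameters); the secret itself never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Server:
    def __init__(self, users: Dict[str, bytes]):
        self.users = users                 # username -> secret (constructed store)
        self.pending: Dict[str, bytes] = {}

    def challenge(self, username: str) -> bytes:
        """Step 1: send a fresh unpredictable nonce. A nonce is never reused."""
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3: recompute HMAC(secret, nonce) and compare in constant time.
        The nonce is consumed whether or not the response is right."""
        nonce = self.pending.pop(username, None)
        secret = self.users.get(username)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, password: str, salt: bytes):
        self.secret = derive_secret(password, salt)

    def respond(self, nonce: bytes) -> bytes:
        """Step 2: prove knowledge of the secret without sending it."""
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


def run_exchange(password_on_client: str) -> Tuple[bool, bool]:
    """Returns (first login accepted, replay of the captured response accepted)."""
    salt = b"constructed-salt"
    server = Server({"alice": derive_secret("correct horse", salt)})
    client = Client(password_on_client, salt)

    nonce = server.challenge("alice")      # server -> client
    response = client.respond(nonce)       # client -> server
    first = server.verify("alice", response)

    # An eavesdropper captured `response`. The next challenge differs, so
    # replaying it fails.
    server.challenge("alice")
    replay = server.verify("alice", response)
    return first, replay
```

Caveat a practitioner should keep in mind: with a password-derived secret, an eavesdropper who records nonce and response can still run an offline dictionary attack against them, and the server holds a password-equivalent secret. The protocol stops sniffing and replay; it does not make weak passwords strong.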
12
Q

OTP Token

A

A one-time password (OTP) is a type of password that is valid for only one use.

An OTP is a security technique that provides protection against various password-based attacks, specifically password sniffing and replay attacks.
It provides stronger protection than static passwords, which remain the same for multiple login sessions. An OTP is generated by an algorithm from a secret key held by the token and a changing input (a counter, the current time, or a server challenge), so each value is different from the previous one and cannot be predicted without the key.
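A counter-based OTP token and the server-side check that makes each code single-use, as an added example that is not part of the original flashcards. The generator is HOTP as specified in RFC 4226 (HMAC-SHA1 over the counter, dynamic truncation, six digits), checked against the RFC's own test secret; the user name, the look-ahead window of 5 and the in-memory user store are assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Server side: remembers the last counter accepted for each user so a
    sniffed code cannot be replayed, and allows a small look-ahead window for
    token presses that never reached the server."""

    def __init__(self, secrets, window: int = 5):
        self.secrets = secrets                      # username -> token secret
        self.window = window
        self.last_counter = {u: -1 for u in secrets}

    def check(self, user: str, code: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.last_counter[user] + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(secret, c), code):
                self.last_counter[user] = c         # consume: one use only
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"            # test secret from RFC 4226


def demo():
    """Returns (first use accepted, replay rejected?, later counter accepted)."""
    server = TokenServer({"alice": RFC4226_SECRET})
    code0 = hotp(RFC4226_SECRET, 0)
    first = server.check("alice", code0)
    replay = server.check("alice", code0)            # sniffed and replayed
    skipped = server.check("alice", hotp(RFC4226_SECRET, 3))   # within window
    return first, replay, skipped
```

The replay rejection comes entirely from the server advancing `last_counter`; the code itself is not marked "used" anywhere, so a server that forgets to advance the counter turns the OTP back into a static password for the length of the window.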

13
Q

Comparison characteristics

A

False positives etc

Coming

14
Q

E-authentication for e-Gov.

A

Trust in identity is a requirement for e-Government.
Authentication assurance produces identity trust.
Authentication depends on technology, policy, standards, practice, awareness and regulation.
Common e-authentication frameworks allow cross-national and cross-organisational solutions that give convenience, cost savings and security.

14
Q

RAU Norway 2008

A

Rammeverk for Autentisering og Uavviselighet (Framework for Authentication and Non-Repudiation)

RAU AAL-4: High authentication assurance
E.g. two-factor, where at least one factor must be dynamic, and at least one is provisioned in person

RAU AAL-3: Moderate authentication assurance
E.g. OTP calculator with PIN provisioned by mail to the user’s official address

RAU AAL-2: Low authentication assurance
E.g. fixed password provisioned in person or by mail to the user’s official address

RAU AAL-1: Little or no authentication assurance
E.g. online self-registration and self-chosen password

Norway adopted eIDAS in 2018 (RAU will no longer be used).

15
Q

Authentication Assurance

A

Authentication assurance = robustness of authentication
Resources have different sensitivity levels
High sensitivity gives high risk in case of authentication failure
Authentication has a cost
Unnecessary authentication assurance is a waste of money
Authentication assurance should therefore be balanced against authentication risk

16
Q

Biometrics requirements

A

Universality: Each person should have the characteristic;

Distinctiveness: Any two persons should be sufficiently different in terms of the characteristic;

Permanence: The characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time;

Collectability: The characteristic should be measurable quantitatively.

17
Q

Biometrics practical considerations

A

Accuracy: the correctness of a biometric system, expressed as EER (Equal Error Rate, the point where the false match rate equals the false non-match rate); a low EER is desirable.
Performance: the achievable speed of analysis, and the resources required to achieve the desired speed.
Acceptability: the extent to which people are willing to accept the use of a biometric identifier (characteristic).
Circumvention resistance: the difficulty of fooling the biometric system.
Safety: whether the biometric system is safe to use.

18
Q

Biometric examples

A
fingerprint
facial recognition
eye retina/iris scanning
hand geometry
written signature
voice print
keystroke dynamics
19
Q

Biometric safety

A

Biometric authentication can be a safety risk.
Attackers might want to “steal” body parts.
Subjects can be put under duress to produce the biometric authenticator.
It is necessary to consider the physical environment where biometric authentication takes place.
Example: car thieves chopped off part of a driver’s left index finger to start an S-Class Mercedes-Benz equipped with a fingerprint key. Malaysia, March 2005 (NST picture by Mohd Said Samad).

20
Q

Biometrics: modes of operation

A

Enrolment:
analog capture of the user’s biometric attribute.
processing of this captured data to develop a template of the user’s attribute, which is stored for later use.

Verification of claimed identity (1:1, one-to-one):
capture of a new biometric sample.
comparison of the new sample with the user’s stored template.

Identification (1:N, one-to-many):
capture of a new biometric sample.
search of the database of stored templates for a match, based solely on the biometric.

21
Q

Evaluating Biometrics

A

Features from the captured sample are compared against those of the stored template.

A score s is derived from the comparison.

A better match leads to a higher score.

The system decision is tuned by a threshold T:
The system gives a match (same person) when the sample comparison generates a score s where s ≥ T.

The system gives a non-match (different person) when the sample comparison generates a score s where s < T.

Raising T lowers the false match rate (impostors accepted) but raises the false non-match rate (genuine users rejected); lowering T does the opposite.
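The threshold decision rule above, the 1:1 and 1:N modes from the modes-of-operation card, and the EER from the practical-considerations card, as one added example that is not part of the original flashcards. The templates are constructed three-element feature vectors for hypothetical users, the similarity score is a normalised Euclidean distance chosen for the example, and the genuine/impostor score lists are constructed; it goes beyond the cards by computing FMR and FNMR for any T and sweeping T to find the EER.

```python
import math

# Constructed templates: tiny feature vectors standing in for the processed
# biometric attribute stored at enrolment (hypothetical users).
TEMPLATES = {
    "alice": (0.10, 0.80, 0.30),
    "bob": (0.90, 0.20, 0.40),
    "carol": (0.50, 0.50, 0.95),
}

# Constructed comparison scores: genuine = same person, impostor = different person.
GENUINE = [0.95, 0.90, 0.88, 0.85, 0.70, 0.60]
IMPOSTOR = [0.20, 0.30, 0.40, 0.55, 0.65, 0.75]


def match_score(sample, template) -> float:
    """Score s in [0, 1]; a closer feature vector gives a higher score
    (normalised Euclidean distance, an assumption of this example)."""
    dist = math.dist(sample, template)
    return max(0.0, 1.0 - dist / math.sqrt(len(template)))


def verify(templates, claimed_id, sample, threshold) -> bool:
    """1:1 mode: compare against the claimed identity's template only.
    Decision rule: match iff s >= T."""
    return match_score(sample, templates[claimed_id]) >= threshold


def identify(templates, sample, threshold):
    """1:N mode: search all templates; return the best match if it passes T."""
    best_id, best_s = max(((i, match_score(sample, t)) for i, t in templates.items()),
                          key=lambda pair: pair[1])
    return best_id if best_s >= threshold else None


def error_rates(genuine, impostor, threshold):
    """FMR: impostor comparisons accepted (s >= T).
    FNMR: genuine comparisons rejected (s < T). Returns (FMR, FNMR)."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def equal_error_rate(genuine, impostor):
    """Sweep T over all observed scores; the EER is where FMR and FNMR meet.
    Returns (T at the crossing, EER)."""
    best_t, best_gap = None, float("inf")
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(genuine, impostor, t)
        if abs(fmr - fnmr) < best_gap:
            best_t, best_gap = t, abs(fmr - fnmr)
    fmr, fnmr = error_rates(genuine, impostor, best_t)
    return best_t, (fmr + fnmr) / 2
```

Sweeping `error_rates` over T is the whole trade-off in one function: a bank door wants a T above the EER point (few false matches, more retries), a phone unlock usually sits below it.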