Authentication (and Unix Password Security)


Page 1: Authentication (and Unix Password Security) 2 Authentication means to establish the proof of identity. Authentication techniques may vary depending on

Authentication (and Unix Password Security)

Page 2

Authentication means to establish proof of identity. Authentication techniques may vary depending on the kind of resource being accessed.

The various kinds of access can be classified into:
– user-to-host
– host-to-host
– user (or process)-to-user (or process)

Page 3

Authentication is done by:
– something you are (SYA)
– something you know (SYK)
– something you have (SYH)

– SYA is more reliable and accurate compared to SYH.

Page 4

SYA authentication applies to humans.
– shape of your face, color of the hair, height, weight, your signature, fingerprints, etc.
– The last two fall in the category of biometrics
– techniques that measure biological characteristics or physical phenomena (e.g. fingerprint and hand print analysis, retinal scans, voice, handwriting recognition, etc.).

– A signature by itself is not a good SYA; however, the signature together with the time taken to produce it is a good SYA!

Page 5

SYK is the most commonly used end-user authentication (user to systems).
– e.g. user name and password.

It can also be applied to programs that exchange data over the network without human intervention.

The strength of SYK authentication depends on whether what is known is a secret, and whether it can be kept secret.

Page 6

In and of itself, SYH is the weakest way to authenticate.

The mere possession of an object that can be borrowed, stolen, or duplicated is a poor way to identify its holder.
– e.g. the key to the computer room

The strength of SYH is greatly improved when combined with SYK.

Page 7

... with respect to accessing computer systems. In other words, authenticating users for access to computer systems.

Page 8

User-to-Host authentication

Typical methods are:
– static passwords
– challenge and response
– one-time passwords
– trusted third parties

Page 9

Static passwords

The most ubiquitous authentication scheme employed on computer systems (and the internet today).
– A user-chosen or assigned password (or PIN): something that only the user should know.

It is an example of SYK.
An example: /etc/passwd, where a derivative of each user's password is stored.
– refer to the Unix encrypted password system

Page 10

Unix passwords

A derivative of the password is stored in an encrypted (scrambled) form, and NOT the plain password itself.
– the method of scrambling is known (crypt is the program that is normally used, and the source code of the program is freely available – written in C).

Translating from the encrypted to the plain text form is very, very difficult.

Page 11

Static passwords - problems

A password guesser (also known as a cracker) can be used to guess some of the passwords even though the passwords (or their derivatives) are stored in encrypted form.

The passwords can be guessed because of their poor choice – such as a password that is the same as the user name, or the user's actual name, or popular words in the dictionary, etc.

How do cracker programs work?

Page 12

Cracker principle

    /* single password cracker which checks whether the password is the same as the user name.
     * For example, user name is srini and password is srini.
     * Scan the password file for the same user name and password. */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <pwd.h>
    #include <unistd.h>   /* declares crypt() on traditional Unix; glibc needs <crypt.h> and -lcrypt */

    int main(int argc, char **argv)
    {
        struct passwd *pw;

        while ((pw = getpwent()) != NULL) {
            char *result;

            /* Scramble the guess (the user name) using the stored entry as the
             * salt, then compare with the stored encrypted password. Where shadow
             * passwords are in use the field holds only "x", so nothing can match. */
            result = crypt(pw->pw_name, pw->pw_passwd);
            if (result != NULL && strcmp(result, pw->pw_passwd) == 0) {
                printf("%s has the same password\n", pw->pw_name);
            }
        }
        endpwent();
        exit(0);
    }

The principle here is to guess the password, pass the guess through the crypt program to get its encrypted version, and compare that with the encrypted version of the password stored in the system. If they match, you know the plain text of the password.

Page 13

Password Crackers – dictionary attack

Crackers are known as a dictionary attack because:
– create a dictionary of possible passwords
– generate the corresponding encrypted passwords for the words in the above dictionary (assuming no salt)
– match the entries in the generated passwords against the actual passwords on the system for a possible match.
– All the above operations can be done off-line!!

Page 14

Dictionary Attack – How it works?

(Figure: a dictionary of passwords is run through the encryption routine to produce encry pw-1, encry pw-2, ..., encry pw-n, which are then compared against the password file which contains users' encrypted passwords.)

Page 15

Educating users

Never use a portion or variation of your account name or another account name.
Never use a portion or variation of your real name, office or home address, or phone number.
Never use words or variations of words found in any dictionary, especially /usr/dict/words.
Never use pairings of short words found in any dictionary (dogcat).
Never use dictionary words or names spelled backwards (like terces).
Never use syllables or words from a foreign language.
Never use repeated character strings (like AAAABBBB, LLOOVVEE).
Never use passwords containing only numeric digits.
Always use passwords at least seven characters long (how many words with 7 characters are possible?). Many Unix versions use only 8 characters, while some newer ones may permit 16 or more characters.
Always use a mixture of upper- and lowercase characters. This is an especially valuable rule.
Always use at least one or two non-alphanumeric characters, like numeric digits, punctuation marks, dollar sign, caret, etc.

All these lead to a large number of combinations, which may take the cracker program long enough to crack.

Page 16

Preventing unsecured passwords

– Accounts without passwords
– Managing dormant accounts
– Not allowing passwords that are similar to the user names, their derivatives, or words in the /usr/dict file, or insisting that the password contain at least one non-alphabetic character (the npasswd program on Linux forces this feature).
– Maintaining the shadow password file and/or enforcing password aging.

Page 17

Shadow password

Shadow passwords are hidden in the shadow file, a file that is readable only by the super (administrator) user.

Typically it is /etc/shadow, readable by root. When shadow passwords are implemented, a “*” or “x” is placed in the password field of the /etc/passwd file.

In Unix, the password is used to encrypt a string of 64 zero bits using the crypt() function, typically 25 times. The final encrypted 64 bits are unpacked into a string of 11 printable characters that is stored in the /etc/passwd or /etc/shadow file.

Page 18

Adding salt to the password

Although the source code of crypt() is readily available, no technique has been discovered to translate the encrypted password back into the original password.

The only possible attacks are a brute-force attack or a dictionary attack.

The previous method allows the attacker to store a pre-encrypted version of the dictionary words and match it against the passwords stored in the /etc/passwd file.

To overcome this problem, add a salt to the password.

Page 19

How adding salt works?

When you change the password, the /bin/passwd program selects a salt based on the time of day.

The salt is converted into a two-character string (12 bits in fact) and is stored in the /etc/passwd file along with the encrypted “password”.

The encryption of the string of 64 zero bits is done with the string which is the concatenation of the salt and the user-supplied password string!

Having a salt means that the same password can encrypt in 4096 different ways, and this makes it much harder for the attacker to build a reverse dictionary for translating encrypted passwords.
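The off-line dictionary attack of pages 13–14 and the salt defence described above, as an added example that is not part of the original slides: SHA-256 stands in for crypt(3), the word list is constructed, and the 12-bit salt is written as three hex digits instead of the two-character crypt encoding; all function names are this example's own.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for /usr/dict/words (assumption: a tiny word list).
DICTIONARY = ["srini", "password", "letmein", "dogcat", "terces", "AAAABBBB", "qwerty"]
SALT_BITS = 12                      # classic crypt(): 12-bit salt, 4096 values


def unsalted_hash(password: str) -> str:
    # No-salt scrambling. SHA-256 replaces the DES-based crypt() so the
    # example runs anywhere; the attack and the defence work the same way.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    # Unix scheme: scramble salt||password and store the salt in the clear
    # next to the result, here as "salt$hash".
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def make_salt() -> str:
    # 12 random bits, written as three hex digits (crypt uses 2 base-64 chars).
    value = int.from_bytes(os.urandom(2), "big") & ((1 << SALT_BITS) - 1)
    return "%03x" % value


def precompute_table(words: Iterable[str]) -> Dict[str, str]:
    # Dictionary attack, done off-line once: scramble every candidate word.
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored: str, table: Dict[str, str]) -> Optional[str]:
    # Without salt, one table lookup per stored entry recovers weak passwords.
    return table.get(stored)


def dictionary_check_salted(stored: str, words: Iterable[str]) -> Optional[str]:
    # With salt the precomputed table is useless: the whole word list has to
    # be re-scrambled for each entry, using that entry's own salt.
    salt, _ = stored.split("$", 1)
    for w in words:
        if salted_hash(w, salt) == stored:
            return w
    return None


def salted_table_size(words: Iterable[str]) -> int:
    # A precomputed table covering every salt needs 4096 entries per word.
    return len(list(words)) * (1 << SALT_BITS)


if __name__ == "__main__":
    table = precompute_table(DICTIONARY)
    print(lookup_unsalted(unsalted_hash("srini"), table))      # weak password found at once
    print(dictionary_check_salted(salted_hash("dogcat", make_salt()), DICTIONARY))
    print(salted_table_size(DICTIONARY))                       # 7 words * 4096 salts
```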

Page 20

Password aging

Forces the user to change the password regularly.
– when the allotted lifetime of a password expires, at the next login the user must change it or be denied access to the system.
– smit is the tool that allows the configuration of password aging in Linux.

Another strategy of aging is password history.
– The user is prevented from reusing one of the earlier used passwords (thereby repetition of a password is not possible).

Page 21

Static passwords with one-way hash

When a clear-text password is passed through a communication channel, it can be snooped.

Using a challenge-response scheme, it is possible for a host to verify that a user knows the password without requiring the user to send the password through the communication channel.

The challenge (or the answer) string is concatenated with the password, and a one-way hash of this string is sent to the server for validation.

Page 22

Challenge-and-response protocol

Alice (knows K)                                   Bob (knows K)
   ---- "I am Alice." ---------------------------->
   <--- a random x (challenge) --------------------
   ---- y = E(K, x) (response) ------------------->
                                                  z = E(K, x); accept if y = z.
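The exchange in the diagram above, as an added example that is not part of the original slides: the one-way hash of page 21 (SHA-256 here) plays the role of E, the shared secret K is Alice's password, and the class and function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict


def one_way_hash(data: bytes) -> bytes:
    # The one-way function of page 21; SHA-256 is the concrete choice here.
    return hashlib.sha256(data).digest()


class Host:
    """Bob: holds each user's shared secret K and issues the challenges."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users                      # user name -> K
        self.pending: Dict[str, bytes] = {}     # user name -> outstanding challenge x

    def challenge(self, user: str) -> bytes:
        # A fresh random x for every attempt; this is what defeats replay.
        x = os.urandom(16)
        self.pending[user] = x
        return x

    def verify(self, user: str, y: bytes) -> bool:
        # z = H(x || K) computed locally; accept if y = z. The challenge is
        # consumed whether or not the check passes.
        x = self.pending.pop(user, None)
        if x is None or user not in self.users:
            return False
        z = one_way_hash(x + self.users[user])
        return hmac.compare_digest(y, z)        # constant-time comparison


class User:
    """Alice: proves she knows K without ever putting K on the wire."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, x: bytes) -> bytes:
        return one_way_hash(x + self.secret)


def run_login(host: Host, user: User) -> bool:
    x = host.challenge(user.name)          # "I am Alice." / Bob -> Alice: random x
    y = user.respond(x)                    # Alice -> Bob: y = H(x || K); K itself never sent
    return host.verify(user.name, y)       # Bob: accept if y = z


def replayed_response_accepted(host: Host, user: User) -> bool:
    # A response snooped from one session is presented again in a later
    # session; because Bob issued a new x, the old y no longer matches z.
    y_old = user.respond(host.challenge(user.name))
    host.verify(user.name, y_old)          # the genuine session succeeds
    host.challenge(user.name)              # new session, new challenge
    return host.verify(user.name, y_old)
```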

Page 23

1-way function

(Figure: Input (such as a password) → 1-way function → Output (say of 100 bits).)


Page 24

Examples of 1-way functions

– a 1-way hash function is also a 1-way function
– a secret key cipher is a 1-way function (from key space to ciphertext space, with a fixed plaintext)
– RSA encryption algorithm
– many more ...

Page 25

One-time passwords

– S/Key, due to Leslie Lamport and implemented by Phil Karn in Unix.
– Handheld authenticators.
– Smart cards

Page 26

One-time passwords

As the name implies, a password is used only once. Typically the password is generated by repeatedly applying the MD5 algorithm to a secret password.

Let p be the password and f the one-way MD5 function. Initially let n=9; then the first password transmitted for verification will be f^9(p), the next time it will be f^8(p), and so on.
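The f^n(p) chain described above, as an added example rather than the S/Key implementation itself: the host is enrolled with f^10(p) so that, exactly as on the slide, the first login presents f^9(p), the next f^8(p), and so on; the class and function names are this example's own, and MD5 is used only because the slide specifies it.

```python
import hashlib
from typing import List


def f(data: bytes) -> bytes:
    # The one-way function of the slide. MD5 is used only because the slide
    # (and S/Key) specify it; it is not a recommendation for new designs.
    return hashlib.md5(data).digest()


def f_power(p: bytes, n: int) -> bytes:
    # f^n(p): f applied n times, with f^0(p) = p.
    value = p
    for _ in range(n):
        value = f(value)
    return value


class OtpHost:
    """Stores only the last accepted value, never the secret p."""

    def __init__(self, p: bytes, n: int = 9):
        self.remaining = n
        # Enrolment stores f^(n+1)(p), so the first login must present f^n(p).
        self.last = f_power(p, n + 1)

    def verify(self, candidate: bytes) -> bool:
        # Accept only if one more application of f reproduces the stored value;
        # a replayed password fails because the stored value has moved on, and
        # one-wayness means a snooped f^k(p) does not reveal f^(k-1)(p).
        if self.remaining == 0 or f(candidate) != self.last:
            return False
        self.last = candidate            # f^k(p) replaces f^(k+1)(p)
        self.remaining -= 1
        return True


class OtpUser:
    """Holds p and counts down: sends f^9(p), then f^8(p), ..."""

    def __init__(self, p: bytes, n: int = 9):
        self.p = p
        self.n = n

    def next_password(self) -> bytes:
        password = f_power(self.p, self.n)
        self.n -= 1
        return password


def simulate(p: bytes, logins: int, n: int = 9) -> List[bool]:
    # Outcome of `logins` successive attempts; after n logins the chain is
    # exhausted and the user must re-enrol with a fresh chain.
    host, user = OtpHost(p, n), OtpUser(p, n)
    return [host.verify(user.next_password()) for _ in range(logins)]
```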

Page 27

Handheld Authenticators

They are handheld password generators or tokens and belong to the category of SYH authentication.

Similar to the challenge-response scheme: the host issues a challenge string that the user keys into the authenticator. The response appears on the authenticator’s display, and the user then sends it to the host.

Page 28

Authenticating with multiple computers/applications

You need one password for each machine for each user. The number of passwords can increase if you include machines, host-to-host authentication, and program-to-program authentication.
– 10 users, 1 machine: 10 passwords
– 10 users, 10 machines: 100 passwords
– 10 users, 10 machines, 10 applications running on each machine; assume that each user needs to authenticate to a machine and to each application, then the number of passwords = ?

Page 29

Trusted third parties

(Figure: a KDC (key distribution center) mediating between User and User.)


Page 30

Advanced authentication

– Kerberos (by MIT)
– KryptoKnight (by IBM)
– SPX (by DEC)
– Lotus Notes
– DCE
– Microsoft
– ......

Page 31

Host-to-host authentication

IP address/name authentication – can be considered as no authentication.

Digital signatures (such as MD5) and encryption can be used to authenticate the identity of the sender.

Page 32

Authentication Methods in Network & Internet Security

Something you are:  Biometrics – positive identification, never lost or stolen
Something you know: Passwords, PINs, mother’s maiden name
Something you have: ATM card, smart card, digital certificate

Page 33

SYA methods

Page 34

Biometric Techniques

– Biometrics identify people by measuring some aspect of individual anatomy or physiology (such as your hand geometry or fingerprint), some deeply ingrained skill or other behavioral characteristic (such as your handwritten signature), or something that is a combination of the two (such as your voice). (Anderson, p. 261)

– Handwritten signatures
– Face recognition
– Fingerprints
– Iris codes
– Devices

Page 35

How do Biometrics Work?

Enrollment: add a biometric identifier (fingerprint, voice, facial or iris) to a database – capture, process, store.

Verification: match against an enrolled record – capture, process, compare with the stored record; result: match / no match.


Page 36

Handwritten signatures (1)

Basis of western commerce
– The electronic replacement, digital signatures, is a later topic

Will a forged signature be accepted?
– Apparently this depends on the care and skill of the person examining the signature

In Australia, the banks do not automatically check signatures on cheques, etc.

There are many different conventions regarding signatures, and in different countries these are quite different.

Page 37

Handwritten signatures (2)

Signatures can be readily forged.
There is significant variability between genuine signatures from the same individual.

So here is a weak mechanism that works very well in practice.

There appears to be a consensus that the dynamics of a signature are difficult to forge
– using a pressure pad to record the time and pressure as a signature is formed.

Page 38

Face Recognition (1)

The oldest way!
There is widespread acceptance (and requirement!) for photo ID.
The issuing of other authentication devices (like passwords, key cards, digital signatures) usually depends on facial recognition by the agents of the issuing authority.

Anderson points out (p. 264) that photo-ID is not particularly reliable,
– but has a very significant deterrent effect.

Basis of the Australian Customs “SmartGate”.

Page 39

Face Recognition (2)

To identify faces in a crowd:
– need to capture a full-face image
– use imaging software to extract the face proper
– need to locate key features of the face to provide orientation and scaling (as with all biometric applications)
– either use global pattern recognition, or extract critical dimensions

NOT as reliable as advertised (false positives).

Page 40

False Negative (rejection) rate
– Measures how often an authorized user, who should be recognized by the system, is not recognized.
– I am not recognised as me!

False Positive (acceptance) rate
– Measures how often a non-authorized user, who should not be recognized by the system, is falsely recognized.
– You are pretending to be me!

Page 41

Matching vs. Non-Matching Prints

(Figure: score distributions of matching and non-matching prints, marking the regions of false non-matches and false matches.)
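The false negative and false positive rates defined on page 40, computed over constructed match scores (not data from the slides) for a hypothetical fingerprint matcher; this added example also sweeps the decision threshold through the overlap of the two score distributions to show the trade-off the figure above illustrates.

```python
from typing import List, Tuple

# Constructed match scores (0-100) from a hypothetical fingerprint matcher;
# a higher score means the captured print resembles the enrolled record more.
GENUINE_SCORES = [88, 92, 75, 81, 95, 67, 84, 90, 58, 86]    # authorized users
IMPOSTOR_SCORES = [23, 41, 35, 62, 28, 55, 30, 71, 19, 44]   # non-authorized users


def false_negative_rate(genuine: List[int], threshold: int) -> float:
    # Authorized users scoring below the threshold are wrongly rejected
    # ("I am not recognised as me!").
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def false_positive_rate(impostor: List[int], threshold: int) -> float:
    # Non-authorized users scoring at or above the threshold are wrongly
    # accepted ("You are pretending to be me!").
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def tradeoff(genuine: List[int], impostor: List[int],
             thresholds: List[int]) -> List[Tuple[int, float, float]]:
    # Sweeping the threshold across the region where the two score
    # distributions overlap shows that lowering one rate raises the other.
    return [(t, false_negative_rate(genuine, t), false_positive_rate(impostor, t))
            for t in thresholds]


if __name__ == "__main__":
    for t, fnr, fpr in tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, [50, 60, 75]):
        print("threshold %d: false negative %.1f, false positive %.1f" % (t, fnr, fpr))
```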


Page 42

Fingerprints account for the majority of sales of biometric equipment.
– The ridges that cover the fingertips make patterns that were classified in the 1800s.
– These patterns have loops of several distinct types, branches, and endpoints. The details are collectively called minutiae.

Fingerprints are the mainstay of criminal identification systems.
– Because of this association with criminals, commercial users are very reluctant to impose fingerprinting systems upon their clients.
– After 9/11 it is becoming a de-facto standard.

Page 43


Fingerprint Image Identification

Page 44

Iris Codes (1)

Iris patterns are believed to be unique.
– Apparently these patterns are randomly generated, and so cannot be predicted for any individual
– The patterns are easy enough to detect
– They do not wear out
– They are protected by the eyelids and cornea

Iris images are much easier to capture and process than fingerprints.
– A processing technique is used to generate a 256-byte iris code.

In tests to date, there have been almost zero false positive rates (although these are under laboratory conditions).

Page 45

Iris Codes (2)

There are some practical difficulties:
– Capturing the iris image is intrusive
– The subject has to be co-operative, although for entry control this is not an issue

Page 46

PDAs and smart cards are being equipped with ‘readers’ to detect a single fingerprint.

This combines all three authentication methods:
– What is carried – the card or PDA
– What is known – the PIN to open the card or PDA
– What is a characteristic – the fingerprint


Page 47

Technology Comparison

                        Iris       Face      Finger    Signature  Voice
Accuracy                Very High  Medium    High      High       Medium
Ease of Use             Medium     Medium    High      High       High
Barrier to Attack       Very High  Medium    High      Medium     Medium
(row label missing)     Medium     Medium    Medium    Very High  High
Long Term Stability     High       Medium    High      Medium     Medium

Additional row (label and remaining cells not recovered): Lighting; Aging, Glasses, Hair




Page 48

Accuracy v. Affordability v. Acceptability

(Figure: technologies plotted against an Accuracy >> axis. Courtesy, Veridicom Corp.)

Page 49

Biometrics? The last word

Anderson, p. 264:

– In general, biometric mechanisms tend to be much more robust in attended operations, where they assist a guard rather than replace him (sic). The false alarm rate may then actually help by keeping the guard alert.

Page 50


Selecting a Biometric Solution

Who can help?

Page 51

Your Vendor / Consultant

– Existing relationship
– Ability to integrate biometrics into existing platform
– Ability to draw on other experience

Page 52

Australian Biometric Testing Organisation

– Recently incorporated
– Impartial tester
– Education source
– Government & industry funded

www.biomet.org/abto [email protected]

“Introduction to Biometrics” 1-day course

Page 53


What problem are we solving?

If biometrics is the answer, what’s the question?

Page 54

Evaluation Strategy

– Define the requirements
– Testing & trialing
– Management buy-in
– Internal champion (not the IT Manager)

Page 55

Who is using it?

– Connecticut Dept Social Welfare
– Health Application
– ABN-AMRO

Page 56


Give Passwords the Finger!