CS 356 – Lecture 5: More User Authentication
Fall 2013
Tuesday, September 10, 13
CyberSecurity in the News! (again)
Review
• Chapter 1: Basic Concepts and Terminology
– Integrity, Confidentiality, Availability, Authentication, and Accountability
– Types of threats: active vs. passive, insider/outsider
– Lots of terminology and general concepts
• Chapter 2: Basic Cryptographic Tools
– Symmetric key encryption and secure hashing
– Public key cryptography
– Random numbers
• Chapter 3: User Authentication
– Passwords
– Checking passwords and other user authentication techniques
Proactive Password Checking
• Rule Enforcement Plus User Advice, e.g.
– 8+ chars, upper/lower/numeric/punctuation
– may not suffice
• Password Cracker
– time and space issues
• Markov Model
– generates guessable passwords
– hence reject any password it might generate
• Bloom Filter
– use to build table based on dictionary using hashes
– check desired password against this table
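The rule-enforcement and Bloom-filter checks from this slide, as an added example (not the lecture's or textbook's code): the filter is built from a constructed stand-in dictionary, the k hash functions are derived from SHA-256 with a counter prefix, and the character-class rule mirrors the "upper/lower/numeric/punctuation" advice above. A Bloom filter never misses a dictionary word; its only error is an occasional false positive, set here to about 0.1%.

```python
import hashlib
import math
import string

class BloomFilter:
    """Bloom filter over hashed dictionary words (constructed example, not the course's code)."""
    def __init__(self, n_items: int, false_positive: float = 0.001):
        # Standard sizing: m bits and k hash functions for the wanted false-positive rate.
        self.m = max(8, math.ceil(-n_items * math.log(false_positive) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _indexes(self, word: str):
        # k "independent" hashes obtained by prefixing a counter before hashing.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, word: str) -> None:
        for idx in self._indexes(word):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, word: str) -> bool:
        # All k bits set => "probably in the dictionary"; any bit clear => definitely not.
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(word))

# Constructed stand-in for a cracking dictionary (a real one has millions of entries).
DICTIONARY = ["password", "letmein", "qwerty", "welcome", "monkey", "dragon"]

def build_filter(words):
    bf = BloomFilter(len(words))
    for w in words:
        bf.add(w.lower())
    return bf

def check_password(candidate: str, dictionary_filter: BloomFilter) -> list:
    """Return the reasons to reject the candidate; an empty list means it passes."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if not all(any(c in cls for c in candidate) for cls in classes):
        reasons.append("missing one of upper/lower/numeric/punctuation")
    if candidate.lower() in dictionary_filter:
        reasons.append("matches the dictionary (Bloom filter hit)")
    return reasons

if __name__ == "__main__":
    bf = build_filter(DICTIONARY)
    for pw in ("password", "Correct-Horse-42"):
        print(pw, "->", check_password(pw, bf) or "accepted")
```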
Token Authentication (Something You Possess)
• Object user possesses to authenticate, e.g.
– embossed card
– magnetic stripe card
– memory card
– smartcard
Types of Cards Used as Tokens
Memory Cards
• can store but do not process data
• the most common is the magnetic stripe card
• can include an internal electronic memory
• can be used alone for physical access
– hotel room
– ATM
• provides significantly greater security when combined with a password or PIN
• drawbacks of memory cards include:
– requires a special reader
– loss of token
– user dissatisfaction
Smartcard
• physical characteristics:
– include an embedded microprocessor
– a smart token that looks like a bank card
– can look like calculators, keys, small portable objects
• interface:
– manual interfaces include a keypad and display for interaction
– electronic interfaces communicate with a compatible reader/writer
• authentication protocol: classified into three categories:
– static
– dynamic password generator
– challenge-response
Communication Initialization between a Smart Card and a Reader
• Figure 3.4 Communication Initialization between a Smart Card and a Reader
• Source: Based on [TUNS06].
Biometric Authentication
• attempts to authenticate an individual based on unique physical characteristics
• based on pattern recognition
• is technically complex and expensive when compared to passwords and tokens
• physical characteristics used include:
– facial characteristics
– fingerprints
– hand geometry
– retinal pattern
– iris
– signature
– voice
Biometric Authentication (something you are or do)
• Authenticate User Based On One Of Their Physical Characteristics
Common Biometrics
• Fingerprint
• Face
• Iris
• Signature
• Voice Print
Uncommon Biometrics
• DNA
• Gait
• Ear
• Retina
Fingerprints
• Analysis based on discrete features
– Crossover
– Island
– Etc.
• Discrimination power based on combinatorics
– More matches, more confidence
Fingerprints (II)
• Oldest biometric technology
– Trained experts / court-approved
– Automatic database retrieval
• Advantages
– Reliable, unique (even identical twins)
– Inexpensive scanners
– Cooperative subjects: good fingerprints
– Non-cooperative subjects: latent prints
• Disadvantages
– 5% of world population has no usable fingerprints
– Mask-able (gloves / abrasion)
– Can be faked
Iris
• Analysis based on discrete features
– Polar striations
– Also neoplasms, etc.
• Discrimination power based on combinatorics
– Similar to fingerprints
• Infra-red lighting
– Otherwise dark-eyed people can’t be matched
Iris
• New biometric technology
• Advantages
– Reliable / unique (even identical twins)
– Relatively inexpensive scanners
• Disadvantages
– No human experts (hard to audit)
– Cooperative subjects with active sensors only
– Behavior over time is unclear
Face
• Fiducial Points
• Eigenvectors
Face
• Newest technology / least mature
• Advantages
– Most people are experts
– Inexpensive sensors
– Cooperative subjects fairly reliable (99%)
• Disadvantages
– Non-cooperative subjects less reliable
– Operates at a distance
Other Biometrics
• DNA
– Slow, costly
– Ultra-reliable
• Retina
– Reliable
– Too burdensome, even for cooperative subjects
• Gait
– Supports recognition from a distance
– Currently unreliable
• Ear
– Supports recognition from the side
– Currently unreliable
Uses of Biometrics
• Forensics (post-hoc identity)
– Non-cooperative subjects
– Latent / accidental data
– Identity search
• Verification (security)
– Cooperative subjects
– Verify/reject a single identity
• Intelligence / Surveillance
– Non-cooperative subjects
– Biometrics at a distance
– Watch list
Fearless Predictions
• Currently…
1. Forensics: Fingerprints, DNA
2. Security: Fingerprint, Signature, Iris, 2D Face
3. Intelligence: Human face recognition
• In the near future…
– Forensics: DNA, Fingerprints, Face
– High-end Security: Iris, 3D Face
– Low-end security: Fingerprint, 2D Face
– Intelligence: Face, gait, ear…
Operation of a Biometric System
Biometric Accuracy
• Never Get Identical Templates
• Problems Of False Match/False Non-Match
Biometric Accuracy
• Can Plot Characteristic Curve
• Pick Threshold Balancing Error Rates
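The two accuracy slides above in code, as an added example (not from the lecture): constructed matcher scores for genuine and impostor comparisons, the false-match / false-non-match rates at every candidate threshold (the characteristic curve), the threshold that balances the two rates, and, going one step beyond the slide, the security-first choice of the lowest threshold that keeps the false-match rate under a target.

```python
# Constructed matcher scores (higher = more similar); these are not measurements from the lecture.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.75, 0.72, 0.68, 0.61, 0.55, 0.48]   # same person
IMPOSTOR = [0.52, 0.47, 0.44, 0.40, 0.37, 0.33, 0.30, 0.25, 0.21, 0.15]  # different people

def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """False match rate and false non-match rate at one decision threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)   # impostors accepted
    fnmr = sum(s < threshold for s in genuine) / len(genuine)     # genuine users rejected
    return fmr, fnmr

def characteristic_curve(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FMR, FNMR) at every observed score: the curve the slide says to plot."""
    return [(t, *error_rates(t, genuine, impostor)) for t in sorted(set(genuine + impostor))]

def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FMR and FNMR are closest to balanced, with the resulting rates."""
    return min(characteristic_curve(genuine, impostor), key=lambda p: abs(p[1] - p[2]))

def threshold_for_max_fmr(max_fmr, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FMR does not exceed max_fmr (security-first), with its rates."""
    for point in characteristic_curve(genuine, impostor):
        if point[1] <= max_fmr:
            return point
    return None

if __name__ == "__main__":
    for t, fmr, fnmr in characteristic_curve():
        print(f"threshold {t:.2f}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("balanced threshold (t, FMR, FNMR):", equal_error_threshold())
    print("no false matches allowed:", threshold_for_max_fmr(0.0))
```

Raising the threshold trades false matches for false non-matches; with these scores the balanced point is 0.52 with both rates at 10%, and forbidding false matches entirely costs a 10% false-non-match rate at 0.55.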
Remote User Authentication
• Authentication Over Network More Complex
– problems of eavesdropping, replay
• Generally Use Challenge-Response
– User Sends Identity
– Host Responds With Random Number (nonce challenge)
– User Computes f(r, h(P)) and Sends Back
– Host Compares Value From User With Own Computed Value
• If match, user authenticated
• Protects Against A Number of Attacks
Remote User Authentication
• authentication over a network, the Internet, or a communications link is more complex
– additional security threats such as:
– eavesdropping, capturing a password, replaying an authentication sequence that has been observed
• generally rely on some form of a challenge-response protocol to counter threats
Authentication Security Issues
• Client Attacks
• Host Attacks
• Eavesdropping
• Replay
• Trojan Horse
• Denial-Of-Service
Password Protocol
• Example of a challenge-response protocol
– user transmits identity to remote host
– host generates a random number (nonce)
– nonce is returned to the user
– host stores a hash code of the password
– user returns a function in which the password hash is one of the arguments
– use of a random number helps defend against an adversary capturing the user’s transmission
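The password protocol on this slide and the f(r, h(P)) exchange on the earlier Remote User Authentication slide, implemented end to end as an added example (not the lecture's or textbook's code): the host stores only h(P), issues a fresh nonce r, and recomputes f(r, h(P)) to check the reply. SHA-256 for h and HMAC-SHA256 keyed with h(P) for f are assumed choices; the host also consumes each nonce once, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

def h(password: str) -> bytes:
    """h(P): the only password-derived value the host keeps (SHA-256 assumed here)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def f(nonce: bytes, password_hash: bytes) -> bytes:
    """f(r, h(P)): HMAC-SHA256 keyed with h(P) over the nonce r (one possible choice of f)."""
    return hmac.new(password_hash, nonce, hashlib.sha256).digest()

class Host:
    def __init__(self):
        self.users = {}     # identity -> h(P); the password itself is never stored
        self.pending = {}   # identity -> nonce issued and not yet consumed
    def enroll(self, identity: str, password: str) -> None:
        self.users[identity] = h(password)
    def challenge(self, identity: str) -> bytes:
        # Steps 1-2: user sends identity, host answers with a fresh random nonce r.
        r = secrets.token_bytes(16)
        self.pending[identity] = r
        return r
    def verify(self, identity: str, response: bytes) -> bool:
        # Step 4: recompute f(r, h(P)) from the stored hash and compare in constant time.
        r = self.pending.pop(identity, None)   # each nonce is usable exactly once
        if r is None or identity not in self.users:
            return False
        return hmac.compare_digest(f(r, self.users[identity]), response)

class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password
    def respond(self, nonce: bytes) -> bytes:
        # Step 3: only f(r, h(P)) crosses the network, never P or h(P).
        return f(nonce, h(self.password))

def login(host: Host, client: Client) -> tuple:
    """Run one exchange; returns (accepted, response) so the response can be "captured"."""
    r = host.challenge(client.identity)
    response = client.respond(r)
    return host.verify(client.identity, response), response

if __name__ == "__main__":
    host = Host()
    host.enroll("alice", "correct horse battery staple")
    ok, captured = login(host, Client("alice", "correct horse battery staple"))
    print("genuine login:", ok, "| replay of captured response:", host.verify("alice", captured))
```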
Token Protocol
• Example of a token protocol
– user transmits identity to the remote host
– host returns a random number and identifiers
– token either stores a static passcode or generates a one-time random passcode
– user activates passcode by entering a password
– password is shared between the user and token and does not involve the remote host
Static Biometric Protocol
• Example of a static biometric protocol
– user transmits an ID to the host
– host responds with a random number and the identifier for an encryption
– client system controls biometric device on user side
– host decrypts incoming message and compares these to locally stored values
– host provides authentication by comparing the incoming device ID to a list of registered devices at the host database
Dynamic Biometric Protocol
• Example of a dynamic biometric protocol
– host provides a random sequence and a random number as a challenge
– sequence challenge is a sequence of numbers, characters, or words
– user at client end must then vocalize, type, or write the sequence to generate a biometric signal
– the client side encrypts the biometric signal and the random number
– host decrypts message and generates a comparison
Potential Attacks, Susceptible Authenticators, and Typical Defenses
Practical Application: Iris Biometric System
Case Study: ATM Security Problems
Summary
• four means of authenticating a user’s identity
– something the individual knows
– something the individual possesses
– something the individual is
– something the individual does
• vulnerability of passwords
– offline dictionary attack
– specific account attack
– popular password attack
– password guessing against single user
– workstation hijacking
– exploiting user mistakes
– exploiting multiple password use
– electronic monitoring
• hashed password and salt value
• password file access control
• password selection strategies
– user education
– computer generated passwords
– reactive password checking
– proactive password checking
– Bloom filter
• token based authentication
– memory cards
– smart cards
• biometric authentication
• remote user authentication
– password protocol
– token protocol
– static biometric protocol
– dynamic biometric protocol
What’s Next
• Read Chapters 1, 2, and 3
– Chap 1: Focus on big picture and recurring concepts
– Chap 2: Identify cryptographic tools and properties
– Chap 3: How can you authenticate a user?
• Homework Posted on Course Website – Due Tuesday
• Next Lecture Topics from Chapter 4
– Access Control