Information System Security
Lecture 5: User Authentication and Cryptographic Key Infrastructure


Outline

Entity Authentication
Entity Authentication Functions
– Something you have
– Something you are
– Something you know
    Passwords
    OTP
    Challenge-Response
Cryptographic Key Infrastructure


1. Entity Authentication

The aim of this lecture is to present some techniques that allow one party (the verifier) to gain assurances that the identity of another (the claimant) is as declared, thereby preventing impersonation.

These techniques are referred to as identification, entity authentication, and identity verification.

Entity authentication is the process whereby one party is assured of the identity of a second party involved in a protocol, and that the second has actually participated.


Entity authentication: Uses

1. Access control
– An entity, often a human user, must provide assurance of their identity in real time in order to have access to either physical or virtual resources.
2. As part of a more complex cryptographic process:
– Typically established at the start of a connection: an entity must provide assurance of their identity in real time in order for the extended process to complete satisfactorily.
– For example, the process of establishing a symmetric key that two users can use to immediately communicate with one another commonly involves mutual entity authentication in order to provide the two users with sufficient assurance that they have agreed a key with the “correct” person.


Entity authentication: Types

Types of entity authentication:
– Unilateral entity authentication is assurance of the identity of one entity to another (and not vice-versa).
    Examples:
    – Online shopping
    – File downloading
– Mutual entity authentication occurs if both communicating entities provide each other with assurance of their identity.
    Examples:
    – Online Banking
    – E-learning


2. Entity Authentication Functions

The most common ways of providing entity authentication are by using (a combination of) the following:
– Something that you have
– Something that you are
– Something that you know


Something you have

Dumb tokens:
– Any physical device without a memory that can be used as a type of electronic key.
– Dumb tokens typically operate with a reader that extracts some information from the token and then indicates whether the information authenticates the entity or not.
– A good example of a dumb token is a plastic card with a magnetic stripe. The security of the card is based entirely on the difficulty of extracting the information from the magnetic stripe.
– It is common to combine the use of a dumb token with another entity authentication technique, such as one based on something you know.


Something you have

Smart cards:
– A plastic card that contains a chip, which gives the card a limited amount of memory and processing power.
– A smart card can store secret data more securely, and can also engage in cryptographic processes that require some computations to be performed (e.g. challenge/response).
– Smart cards have limited memory and processing power, thus restricting the types of operation that they can comfortably perform.
– Smart cards are widely used in most countries for banking operations, electronic ticketing applications, etc.


Something you are

Biometrics
– Techniques for human user authentication that are based on physical characteristics of the human body.
– A biometric control typically converts a physical characteristic into a digital template that is stored on a database. When the user physically presents themselves for entity authentication, the physical characteristic is measured by a reader, digitally encoded, and then compared with the template.


Something you are

Biometric system model

[Figure: biometric system model. Components: data collection, signal processing, matching, storage, decision, application. Data passed between them: raw data, extracted features, template, match score, authentication decision.]


Something you are

Biometrics
– Static (unchanging) measurements include fingerprints, hand geometry, face recognition, retina scan.
– Dynamic (changing) measurements include handwriting measurements and voice recognition.
– There are many implementation issues and as yet entity authentication is not widely provided using these techniques.


Something you are

Fingerprints

[Figure: optical fingerprint sensor (Fingerprint Identification Unit FIU-001/500 by Sony)]


Something you know

Passwords:
– Passwords are probably the most popular technique for providing entity authentication, despite concerns about how secure they actually are.
A password may be a sequence of characters
– Examples: 10 digits, a string of letters, etc.
– Generated randomly, by user, by computer with user input
A password may be a sequence of words
– Examples: pass-phrases
– A pass-phrase is a sequence of characters that is too long to be a password and is thus turned into a shorter virtual password by the password system
Algorithms
– Examples: one-time passwords, challenge-response.


Password storage

Passwords stored in plaintext files
– If password file compromised, all passwords are revealed
– Usually password files are read- and write-protected
Passwords stored in encrypted file
– Encrypted/hashed versions of passwords are stored in a password file
Examples:
– A Windows password is stored as an MD4 hash value.
– A Unix password is stored as a Unix DES Encryption.


Unix Password

Example: Original Unix
– A password is up to eight characters
– The password is truncated to its first 8 ASCII characters, forming the Unix DES key
– The key is used to encrypt the 64-bit constant 0.
– The Unix DES is a variation of the standard DES.
    A 12-bit salt is used to modify the expansion function in DES
    Then DES is iterated 25 times
– Thus the UNIX password is referred to as salted password
– Unix passwords are stored in file /etc/passwd
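
The structure of the scheme above (8-character truncation, 12-bit salt, 25 iterations over a 64-bit zero block) can be modelled in a few lines. This is an added example, not part of the lecture: SHA-256 stands in for the salt-modified DES, and the function names and sample passwords are constructed for illustration.

```python
import hashlib
import secrets

SALT_BITS = 12   # salt size given on the slide
ROUNDS = 25      # iteration count given on the slide
MAX_LEN = 8      # only the first 8 characters form the key

def toy_unix_hash(password: str, salt: int) -> str:
    """Structural model only: SHA-256 replaces the salt-modified DES."""
    key = password.encode("ascii")[:MAX_LEN]      # truncation step
    block = bytes(8)                              # the 64-bit constant 0
    for _ in range(ROUNDS):
        data = salt.to_bytes(2, "big") + key + block
        block = hashlib.sha256(data).digest()[:8]
    return f"{salt:03x}${block.hex()}"            # salt is stored with the hash

def enroll(password: str) -> str:
    """Pick a random 12-bit salt and return the entry for the password file."""
    return toy_unix_hash(password, secrets.randbelow(1 << SALT_BITS))

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = int(stored.split("$")[0], 16)
    return secrets.compare_digest(toy_unix_hash(password, salt), stored)

def demo() -> dict:
    # Constructed sample passwords and salts.
    e1 = toy_unix_hash("correcthorse", 0x001)
    e2 = toy_unix_hash("correcthorse", 0x002)
    return {
        # Same password, different salt: a precomputed dictionary must be
        # built once per salt value (4096 of them).
        "differs_by_salt": e1 != e2,
        "verify_ok": verify("correcthorse", e1),
        # Characters after the eighth are ignored, so these two collide.
        "truncation_collision": verify("correcth-anything", e1),
        "wrong_password": verify("wrongpass", e1),
    }
```

The `truncation_collision` result is why longer passwords gained nothing under the original scheme, and `differs_by_salt` is the property the salt is there to provide.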


Attack on passwords

Replay of passwords
– Especially when passwords are transmitted in cleartext
Exhaustive password search
– Trying all possible passwords
Dictionary attack
– Most users select passwords from a small subset of the password space (e.g., short passwords, dictionary words, proper names)
– Dictionary attack: the attacker tries all possible words, found in an available or on-line list


Password selection

Problem: people pick easy to guess passwords
– Based on account names, user names, computer names, place names
– Too short, digits only, letters only
– License plates, acronyms, social security numbers
– Personal characteristics (nicknames, job characteristics, etc.)
Good passwords can be constructed in several ways
– Example: A password containing at least one digit, one letter, one punctuation symbol, and one control character is usually a strong password


One-Time Passwords

Problem with fixed passwords:
– If an attacker sees a password, he/she can later replay the password
A partial solution: one-time passwords
– Password that can be used exactly once
– After use, it is immediately invalidated
Problems
– Synchronization of user and system
– Generation of good random passwords
– Password distribution problem


Challenge-Response (Strong authentication)

Another alternative is to authenticate in such a way that the transmitted password changes each time.

Let a user u wish to authenticate himself to a system S. Let u and S have an agreed-on secret function f. A challenge-response authentication system is one in which S sends a random message m (the challenge) to u, and u replies with the transformation r = f(m) (the response). S then validates r by computing it separately.

The challenge may be a nonce, timestamp, sequence number, or any combination.


Challenge-Response (by symmetric-key techniques)

The user and system share a secret function f (in practice, f can be a known function with unknown parameters, such as a cryptographic key).

This is called challenge-response by symmetric-key techniques.

user → system: request to authenticate
system → user: random message r (the challenge)
user → system: f(r) (the response)
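
The three-message exchange above, written out with both sides, as an added example that is not part of the lecture. It assumes f is HMAC-SHA256 under a shared key (one possible "known function with unknown parameters"); the `System` class and the user name `u` are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def f(key: bytes, r: bytes) -> bytes:
    """The agreed function f: a public algorithm keyed with the shared secret."""
    return hmac.new(key, r, hashlib.sha256).digest()

class System:
    def __init__(self, keys):
        self._keys = keys        # user name -> shared key
        self._pending = {}       # user name -> challenge awaiting a response

    def challenge(self, user: str) -> bytes:
        r = secrets.token_bytes(16)          # fresh random challenge
        self._pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        r = self._pending.pop(user, None)    # each challenge is accepted once
        key = self._keys.get(user)
        if r is None or key is None:
            return False
        # The system computes f(r) separately and compares in constant time.
        return hmac.compare_digest(f(key, r), response)

def run_exchange():
    key = secrets.token_bytes(32)            # constructed shared secret
    system = System({"u": key})

    r = system.challenge("u")
    captured = f(key, r)                     # the value visible on the wire
    accepted = system.verify("u", captured)

    # The same response sent again: the challenge has been consumed.
    replay_same = system.verify("u", captured)
    # The same response sent against a new challenge: f(r) no longer matches.
    system.challenge("u")
    replay_new = system.verify("u", captured)

    # A response computed without the shared key.
    r2 = system.challenge("u")
    wrong_key = system.verify("u", f(secrets.token_bytes(32), r2))
    return accepted, replay_same, replay_new, wrong_key
```

Unlike a fixed password, the captured response is useless afterwards because the system never issues the same challenge twice and discards each challenge after one verification attempt.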


Challenge-Response (by public-key techniques)

A identifies B by checking whether B holds the secret (private) key $KR_B$ that matches the public key $KU_B$.

A chooses a random challenge (nonce) $r_A$. B uses its random nonce $r_B$. B applies its public-key system for authentication.

Message sequence:
1. A → B: $r_A$
2. B → A: $r_B$, $E_{KR_B}(r_A, r_B)$


Cryptographic Key Infrastructure

Goal: bind identity to key
Symmetric Cryptography:
– Not possible as all keys are shared
Public key Cryptography:
– Bind identity to public key
– Crucial as people will use key to communicate with principal whose identity is bound to key
– Erroneous binding means no secrecy between principals
– Assume principal identified by an acceptable name


Certificates

A certificate is a token (message) containing
– Identity of principal (e.g., Alice)
– Corresponding public key
– Timestamp (when issued)
– Other information (perhaps identity of signer)
– Signature of a trusted authority (e.g., Cathy)

$C_A = D_{kv}(K_p \,\|\, \text{Alice} \,\|\, T)$

$D_{kv}$ is Cathy’s private key
$C_A$ is A’s certificate


Certificate Use

Bob gets Alice’s certificate
– If he knows Cathy’s public key, he can validate the certificate
    When was certificate issued?
    Is the principal Alice?
– Now Bob has Alice’s public key
Problem:
– Bob needs Cathy’s public key to validate Alice’s certificate
– Many solutions: Public Key Infrastructure (PKI), Trust-based certificates
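
The certificate check and the public-key challenge-response from the earlier slide, combined in one added example that is not part of the lecture: Bob (verifier, "A" in the message sequence) validates Alice's certificate with Cathy's public key, then checks that the prover ("B") holds the matching private key. It assumes textbook RSA over SHA-256 with constructed toy keys; all function names and the timestamp are illustrative.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_h(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

# Constructed toy keys built from Mersenne primes; far too small for real use.
CATHY_PUB, CATHY_PRIV = make_key(2**127 - 1, 2**89 - 1)   # trusted authority
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**61 - 1)   # principal

def _body(key, name, issued):
    return f"{key[0]}:{key[1]}||{name}||{issued}".encode()  # K_p || name || T

def issue(ca_priv, key, name, issued):
    """C_A = D_kv(K_p || Alice || T), kept next to the fields it covers."""
    return {"key": key, "name": name, "issued": issued,
            "sig": sign(ca_priv, _body(key, name, issued))}

def validate(cert, ca_pub, expected_name, now, max_age):
    """Bob's checks: Cathy's signature, the principal's name, the issue time."""
    body = _body(cert["key"], cert["name"], cert["issued"])
    if not verify(ca_pub, body, cert["sig"]):
        return None
    if cert["name"] != expected_name or not 0 <= now - cert["issued"] <= max_age:
        return None
    return cert["key"]

def respond(priv, r_a):
    """Prover's message 2: r_B and E_KRB(r_A, r_B)."""
    r_b = secrets.token_bytes(16)
    return r_b, sign(priv, r_a + r_b)

def authenticate(cert, prover_priv, now):
    """Verifier: validate the certificate, then run the two-message exchange."""
    pub = validate(cert, CATHY_PUB, "Alice", now, max_age=86_400)
    if pub is None:
        return False
    r_a = secrets.token_bytes(16)              # message 1: fresh challenge
    r_b, sig = respond(prover_priv, r_a)
    return verify(pub, r_a + r_b, sig)

ISSUED = 1_000_000                             # constructed timestamp (seconds)
CERT = issue(CATHY_PRIV, ALICE_PUB, "Alice", ISSUED)
```

Presenting the certificate alone proves nothing, since certificates are public; the challenge-response step is what ties the live party to the private key the certificate names.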


X.509 certificate

Key certificate fields in X.509v3:
– Version
– Serial number (unique)
– Signature algorithm identifier: hash algorithm
– Issuer’s name; uniquely identifies issuer
– Interval of validity
– Subject’s name; uniquely identifies subject
– Subject’s public key
– Signature:
    Identifies algorithm used to sign the certificate
    Signature (enciphered hash)
Issuer is called Certificate Authority (CA)