Lec2 User Authentication

User Authentication vs. User Authorization


Who am I? (Authentication: proving a claimed identity)
What am I allowed to do? (Authorization: deciding what that identity may access)

What is User Authentication?


Also known as Entity Authentication or Identification.
A process where one party (verifier) confirms the identity of another party (prover) in a
protocol.
It enables access control by ensuring a user’s credentials match those stored in the
system’s authorized user database.

Key Differences: User Authentication vs. Message Authentication

1. User Authentication:
Verifies the identity of an entity (e.g., a person or a system).
The prover/claimant is actively involved during verification.
2. Message Authentication:
Verifies that a received message came from the claimed source and has not been altered.
Does not by itself guarantee timeliness or the live participation of the sender (an old, genuine message could be replayed).

Two Steps of Authentication


1. Identification Step:
The user presents an identifier to the security system.
Example: A user ID.
Characteristics:
Usually unique but not secret.
2. Verification Step:
The user presents or generates authentication information as evidence to confirm the
identity.
Example: Password, PIN, or biometric data.
Characteristics:
Often secret or cannot be generated by others.

Importance of User Authentication


Acts as the primary line of defense in computer security.
Other security controls depend on its effectiveness.

User Authentication Means (Factors)


There are three general factors for authenticating a user’s identity:

1. Knowledge Factor (Something the Individual Knows)


Examples: Passwords, passphrases, Personal Identification Numbers (PINs).
2. Possession Factor (Something the Individual Possesses)
Examples: Smart cards, USB tokens, QR codes, RFID devices.
3. Inherence Factor (Something the Individual Is or Does)
Characteristics (biometrics) that are unique or almost unique to the individual:
a) Static Physiological Biometrics: Fingerprint, retina, face.
b) Dynamic Behavioral Biometrics: Voice, handwriting, keystroke dynamics.
User Authentication Factors: Properties and Examples

Factor     | Examples                  | Properties
Knowledge  | User ID, password, PIN    | Can be shared; many passwords are easy to guess; can be forgotten.
Possession | Smart card, QR code, RFID | Can be shared; may be lost, stolen, or duplicated (cloned).
Inherence  | Fingerprint, face, voice  | Cannot be shared; may produce false matches/non-matches; forging is difficult.

Multifactor Authentication (MFA)


Refers to the use of two or more authentication factors (e.g., a PIN and a hardware
token).
Enhances security by requiring different types of credentials.

Password-Based Authentication
Process:
1. User provides a username (ID) and password.
2. System verifies the password against the one stored for that ID.
User ID Functions:
Identifies the user for authorization.
Determines user privileges.
Used in discretionary access control (DAC).

Password Vulnerabilities and Countermeasures


1. Offline Dictionary Attack
Attack: Attacker accesses ID/password (hash) database and uses a dictionary to
guess passwords.
Countermeasures:
1. Strong access control to protect the password file.
2. Intrusion detection measures.
3. Rapid password reissuance after a breach.
4. Use of strong hashing with salts.
2. Specific Account Attack
Attack: Attacker guesses passwords for a specific account.
Countermeasures:
Lock accounts after multiple failed login attempts (e.g., after 5 attempts).
3. Popular Password Attack
Attack: Attempting common passwords on multiple accounts.
Countermeasures:
1. Control password selection.
2. Block systems that make repeated login attempts on various accounts.
4. Password Guessing Against a Single User
Attack: Using knowledge about the user to guess their password.
Countermeasures:
Enforce strong password policies (e.g., minimum length, character set
requirements).
Regularly change passwords.
5. Computer Hijacking
Attack: Gaining access to a system where the user is logged in.
Countermeasures:
Use auto-logout functionality.
6. Exploiting User Mistakes
Attack: Users write down passwords, share them, or use default/pre-configured
ones.
Countermeasures:
Provide user training.
Implement multifactor authentication (MFA).
7. Exploiting Multiple Password Use
Attack: Users reuse the same password across different systems/accounts.
Countermeasures:
Enforce unique passwords for each system/account.
8. Electronic Monitoring (Eavesdropping)
Attack: Intercepting passwords transmitted over a network.
Countermeasures:
1. Use encrypted communication channels (e.g., Secure Shell (SSH)).
2. Implement one-time passwords (e.g., token-based authentication).
3. Use challenge-response protocols.
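The two throttling countermeasures above (locking an account after repeated failures, and blocking a source that fails against many different accounts) are easy to get subtly wrong, so here they are as code. This is an added example, not lecture material: the users, addresses, thresholds and attempt log are all constructed, and the plaintext credential comparison is only there to keep the focus on throttling (password storage is covered later in the lecture).

```python
# Added example (not from the lecture): throttling logic that implements two of the
# countermeasures above, account lockout after repeated failures on one account and
# blocking a source that fails against many accounts (password spraying).
# All users, addresses and attempts below are constructed for illustration.
import hmac
from collections import defaultdict

ACCOUNT_LOCK_THRESHOLD = 5    # lock an account after this many failures in the window
SPRAY_ACCOUNT_THRESHOLD = 3   # block a source after failures on this many distinct accounts
WINDOW_SECONDS = 600          # sliding window for counting failures

# Constructed credential store. Plaintext comparison is used only to keep this
# example focused on throttling; password storage is treated separately in the lecture.
CREDENTIALS = {"alice": "correct horse", "bob": "battery staple"}


class LoginGuard:
    def __init__(self):
        self.account_failures = defaultdict(list)   # user -> [failure timestamps]
        self.source_failures = defaultdict(dict)    # source -> {user: last failure ts}
        self.locked_accounts = set()
        self.blocked_sources = set()

    def refusal(self, user, source):
        """Reason to refuse the attempt before any password is checked, or None."""
        if source in self.blocked_sources:
            return "source blocked"
        if user in self.locked_accounts:
            return "account locked"
        return None

    def record(self, now, user, source, success):
        if success:
            self.account_failures[user] = []         # reset the per-account counter
            return
        recent = [t for t in self.account_failures[user] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.account_failures[user] = recent
        if len(recent) >= ACCOUNT_LOCK_THRESHOLD:
            self.locked_accounts.add(user)           # specific-account attack countermeasure
        self.source_failures[source][user] = now
        distinct = [u for u, t in self.source_failures[source].items()
                    if now - t < WINDOW_SECONDS]
        if len(distinct) >= SPRAY_ACCOUNT_THRESHOLD:
            self.blocked_sources.add(source)         # popular-password (spray) countermeasure


def authenticate(guard, now, user, source, password):
    """One login attempt; returns "ok", "failed", "account locked" or "source blocked"."""
    reason = guard.refusal(user, source)
    if reason:
        return reason
    # Unknown users are treated exactly like wrong passwords so the response does
    # not reveal whether an account exists.
    success = user in CREDENTIALS and hmac.compare_digest(CREDENTIALS[user], password)
    guard.record(now, user, source, success)
    return "ok" if success else "failed"


# Constructed attempt log: (timestamp, user, source address, password offered).
ATTEMPTS = [
    (0, "alice", "10.0.0.1", "guess1"), (1, "alice", "10.0.0.1", "guess2"),
    (2, "alice", "10.0.0.1", "guess3"), (3, "alice", "10.0.0.1", "guess4"),
    (4, "alice", "10.0.0.1", "guess5"), (5, "alice", "10.0.0.1", "guess6"),
    (10, "alice", "192.168.1.5", "correct horse"),   # the real Alice, now locked out
    (20, "bob", "10.0.0.2", "Password1"), (21, "carol", "10.0.0.2", "Password1"),
    (22, "dave", "10.0.0.2", "Password1"), (23, "erin", "10.0.0.2", "Password1"),
    (30, "bob", "192.168.1.6", "battery staple"),
]


def run(attempts):
    guard = LoginGuard()
    outcomes = [authenticate(guard, ts, user, src, pw) for ts, user, src, pw in attempts]
    return guard, outcomes


if __name__ == "__main__":
    for attempt, outcome in zip(ATTEMPTS, run(ATTEMPTS)[1]):
        print(attempt, "->", outcome)
```

The attempt at timestamp 10 shows the cost of lockout: the legitimate user is refused because an attacker burned her five attempts, so an attacker can deny service to any account whose name they know. That is why deployments usually prefer temporary lockouts or progressive delays over permanent ones, and pair them with MFA rather than relying on lockout alone.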

How Should Passwords Be Stored?


1. Storing Passwords in the Clear

Issue:
Insider attack: A regular user can read the database and learn other users'
passwords.
Outsider attack: Unauthorized access to the database exposes all passwords.
Countermeasures:
Access control on the password database.
Do not store passwords in clear text.

2. Encrypting the Passwords

Process:
Encrypted passwords ( E(K, P) ) are stored in the database.
When a user submits a password, it is encrypted using the same key ( K ) and
compared to the stored value.
Drawback:
The secret key ( K ) must also be stored somewhere the verifier can read it.
If an attacker gains access to the database, they are likely to gain access to K as well (it usually lives on the same host), and every password is then recoverable at once.

3. Hashing the Passwords

Process:
Store the hash of passwords ( H(P) ) in the database.
When a user submits a password, it is hashed and compared to the stored hash
value.
Properties of Hash Functions:
Variable-sized input produces a fixed-length output.
Collision resistant: it is computationally infeasible to find two inputs with the same hash (collisions must exist, since the output is fixed-length, but they cannot be found in practice).
One-way (preimage resistant): practically impossible to derive the original password from
the hash.
Benefits:
- If an attacker gains access to the database, they cannot easily reverse the hash to obtain
the original password.

Brute Force Attack on Hashed Passwords


Aim:
Given one or more target hash values, find the original password.
Steps:
1. Generate a set of possible passwords (e.g., dictionary words or all possible
combinations).
2. Calculate the hash of each password and compare it to the target hash.
3. If a match is found, the original password is discovered.
4. If no match, try the next password.
Duration:
Depends on the size of the possible password set.

Pre-calculated Hashes and Rainbow Tables


Speeding Up Brute Force Attacks:
Pre-calculate hashes for all possible passwords up to a certain length.
Store the passwords and corresponding hashes in a database.
Perform a lookup on the database for the target hash.
Challenges:
Storage requirements are massive (hundreds or thousands of TB).
Specialized data structures like Rainbow Tables compress the database size to
manageable levels (e.g., ~1 TB).
Trade-offs:
Reduces search time but increases storage space requirements.
Countermeasures:
Use longer passwords.
Employ slower hash algorithms.
Add salting to passwords before hashing.

Salting Passwords
Process:
Combine random data (a salt) with the user's password before hashing, and store the salt alongside the hash: H(P || Salt).
Each user gets a unique salt; the salt does not need to be secret.
Benefits:
The same password produces different hashes for different users, so a cracker cannot spot duplicate passwords and must attack each account separately.
Precomputed tables (rainbow tables) become useless unless the attacker builds a separate table for every possible salt value.
Example in Unix:
The original Unix scheme used a 12-bit random salt; modern schemes such as bcrypt use 128-bit salts.
Impact:
- The storage required for a precomputed table grows by a factor of 2^s, where s is the salt size in bits.
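The difference between the precomputed-table attack and a salted store is easiest to see by running both against the same leaked password. The following is an added example, not code from the lecture: the wordlist and the two users are constructed, SHA-256 stands in for whatever fast hash the system uses, and the PBKDF2 function at the end shows the "slower hash algorithm" countermeasure with an iteration count chosen for illustration.

```python
# Added example (not from the lecture): a precomputed lookup table against unsalted
# hashes versus the per-user work a salt forces. The wordlist and users are constructed.
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "sunshine", "monkey"]


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_table(words):
    """Precompute H(p) for every candidate once; a rainbow table is a compressed form of this."""
    return {h(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    return h(password.encode())


def store_salted(password: str, salt=None):
    """H(P || salt) with a fresh random salt per user; the salt is stored next to the hash."""
    salt = os.urandom(16) if salt is None else salt
    return salt, h(password.encode() + salt)


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    return hmac.compare_digest(h(password.encode() + salt), stored)


def crack_unsalted(stored: str, table: dict):
    """One dictionary lookup, no hashing at attack time."""
    return table.get(stored)


def crack_salted(salt: bytes, stored: str, words):
    """The table is useless: every candidate must be re-hashed with this user's salt.
    Returns (password or None, number of hashes computed)."""
    for n, w in enumerate(words, start=1):
        if h(w.encode() + salt) == stored:
            return w, n
    return None, len(words)


def slow_store_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Same idea with a deliberately slow KDF (PBKDF2-HMAC-SHA256): each attacker guess
    now costs `iterations` HMAC computations instead of one hash. The iteration count is
    an illustrative assumption; tune it to the hardware you defend on."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def demo():
    table = build_table(WORDLIST)
    # Two users happen to choose the same weak password.
    u1 = store_unsalted("dragon")
    u2 = store_unsalted("dragon")
    s1, h1 = store_salted("dragon")
    s2, h2 = store_salted("dragon")
    pw1, n1 = crack_salted(s1, h1, WORDLIST)
    pw2, n2 = crack_salted(s2, h2, WORDLIST)
    return {
        "unsalted_identical": u1 == u2,
        "unsalted_cracked": (crack_unsalted(u1, table), crack_unsalted(u2, table)),
        "salted_identical": h1 == h2,
        "salted_cracked": (pw1, pw2),
        "hashes_spent": n1 + n2,       # work repeated per user; the table saved nothing
        "verify_ok": verify_salted("dragon", s1, h1),
        "verify_wrong": verify_salted("drag0n", s1, h1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The salt does not stop a weak password from being guessed (both salted hashes are still cracked), it only removes the shortcut: the attacker pays the full dictionary cost per account instead of one lookup per hash. Combining the salt with a slow KDF is what makes that per-account cost hurt.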

Example: Password Cracking


Scenario:

Given Data
Character set: 95 characters
Password length: 8 characters
Hashing algorithm: SHA-512
Brute force rate: 10^6 (1 million) hashes per second

a) Maximum Time for a Brute Force Attack


1. Total Number of Possible Passwords:

95^8 = 6,634,204,312,890,625 ≈ 6.63 × 10^15
2. Time to Test All Passwords at 10^6 hashes per second:
Total time = 95^8 / 10^6 ≈ 6.63 × 10^9 seconds
3. Converted to Larger Units:
6.63 × 10^9 s ÷ 86,400 s/day ≈ 76,800 days ≈ 210 years. This is the worst case; on average the password is found after searching half the space (about 105 years). Note that 10^6 hashes per second is a modest rate: GPU crackers compute unsalted SHA-512 thousands of times faster.

b) Size of Database of All 8-Character Password Hashes


1. Total Number of Passwords (same as above):

95^8 ≈ 6.63 × 10^15
2. Size of Each Hash (SHA-512): SHA-512 produces a 512-bit (64-byte) hash.
3. Total Database Size:

Total size = 95^8 × 64 bytes ≈ 4.25 × 10^17 bytes


4. Converted to Terabytes (divide by 10^12): ≈ 4.25 × 10^5 TB, i.e. about 425 PB for the hashes alone, before the passwords themselves are stored.

c) Rainbow Table Feasibility with 10-bit Salt


1. Effect of Salt:
A 10-bit salt gives 2^10 = 1024 possible salt values, so each password has 1024 distinct hashes.
2. Impact on Rainbow Table:
To cover all variations, the attacker would need a table entry for every password-salt combination, 1024 times as many entries: 4.25 × 10^5 TB × 1024 ≈ 4.35 × 10^8 TB (about 435 EB), and 1024 times the precomputation time.
Storing and searching such a table is impractical; the attacker is pushed back to hashing each guess with each target's salt.

Password Cracking
Exploitation: Password crackers leverage users' tendency to choose guessable
passwords.
Vulnerability: Short passwords are easier to crack.
Methods:
1. Dictionary Attacks:
Use a precompiled list of possible passwords and try each against the password
file.
2. Rainbow Table Attacks:
Utilize pre-computed tables of hash values.
Tools:
John the Ripper:
Open-source password cracker, first released in 1996.
Combines brute-force, dictionary and word-mangling (rule-based) techniques.
Countermeasures:
Use large salt values and sufficiently long hash lengths.
With salts, each candidate password must be hashed with each salt value and compared to the
stored hashes, so precomputation no longer pays off.

Password Selection Strategies


1. User Education:
Ensure users are aware of the importance of hard-to-guess passwords.
Advise users on strategies for selecting strong passwords.
2. Computer-Generated Passwords:
Generate random or pronounceable passwords.
Note: These passwords are often poorly accepted by users.
3. Proactive Password Checking:
Users can select their own password, but the system checks if the password is
allowable. If not, it is rejected.
This approach should balance user acceptability with password strength.

Proactive Password Checking


Rule Enforcement:
Specify rules for password creation.
Password Checker:
Compile a large dictionary of passwords not to use.
Bloom Filter:
Create a table of hash values to check passwords against.
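A proactive checker is the combination of the three items above: rules, a banned-password dictionary, and a Bloom filter so the dictionary fits in memory. The block below is an added example, not the lecture's or any particular system's code. The banned list, the rule set (length and character classes) and the normalisation step that strips trailing digits and punctuation before the dictionary lookup are all constructed assumptions for illustration.

```python
# Added example (not from the lecture): a proactive password checker built on a Bloom
# filter holding a banned-password dictionary, plus simple rule enforcement. The
# dictionary, rules and normalisation step are constructed assumptions for illustration.
import hashlib
import math


class BloomFilter:
    """Space-efficient set membership: no false negatives, tunable false-positive rate."""

    def __init__(self, expected_items, fp_rate):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash functions.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Derive k positions from one SHA-256 digest via double hashing: h1 + i*h2 mod m.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Constructed banned list; a real checker would load a wordlist of millions of entries.
BANNED = ["password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou", "football"]


def build_checker(banned, fp_rate=1e-6):
    bf = BloomFilter(len(banned), fp_rate)
    for w in banned:
        bf.add(w)
    return bf


def normalise(password: str) -> str:
    """Assumed canonical form: lower-case and strip trailing digits/punctuation so that
    'Password123!' is checked against the dictionary entry 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.-_")


def check_password(password: str, banned_filter: BloomFilter, min_length: int = 12):
    """Return the list of rule violations; an empty list means the password is allowed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if banned_filter.might_contain(normalise(password)):
        problems.append("matches a banned dictionary entry (or variant)")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    bf = build_checker(BANNED)
    for cand in ["password", "Password123!", "Tr0ub4dor&3", "correct-Horse-battery-7"]:
        print(cand, "->", check_password(cand, bf) or "accepted")
```

Because a Bloom filter has no false negatives, nothing in the banned list ever slips through; the price is a small false-positive rate (set by fp_rate) that occasionally rejects a password which was not in the dictionary, which is the acceptable direction of error for a password checker.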

Token-Based Authentication
Overview
Token: An object that a user possesses for the purpose of authentication.

Examples:

1. Memory Cards
2. Smart Tokens
Smart Cards
Electronic Identity Cards (eID)

Memory Cards
Characteristics:
Can store data but do not process it.
The most common type is the magnetic stripe card.
May include internal electronic memory.
Applications:
Can be used alone for physical access (e.g., hotel rooms).
Provides greater security when combined with a password or PIN (e.g., ATM).
Drawbacks:
Requires a special reader.
Prone to token loss.
May lead to user dissatisfaction.

Smart Tokens
Physical Characteristics:

Include an embedded microprocessor.


May resemble a bank card.
Can take various forms, such as calculators, keys, or small portable objects.

User Interfaces:

Manual Interfaces: Include a keypad and display for user interaction.


Electronic Interfaces: Communicate with a compatible reader/writer
Contact Interface: Requires insertion into a smart card reader for data transmission.
Contactless Interface: Requires close proximity to a reader, using antennas for
communication.

Authentication Protocols:

1. Static: Similar to memory tokens.


2. Dynamic Password Generator:
Generates unique passwords (OTP).
Clock-Based OTP: Time-dependent codes synchronized with the system clock.
Counter-Based OTP: Derived from an internal counter function.
3. Challenge-Response:
The system generates a random challenge (e.g., string of numbers).
The smart token computes a response based on the challenge.
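The three token protocols above (static, dynamic password generator in its clock-based and counter-based forms, and challenge-response) map onto a few lines of HMAC each. The block below is an added example, not lecture code: the HOTP and TOTP functions follow RFC 4226 and RFC 6238 (HMAC-SHA1 with dynamic truncation) and are checked against the RFCs' published test vectors; the challenge-response exchange is an HMAC-based construction assumed here for illustration; the look-ahead window and drift allowance are illustrative parameters; and the shared secret is the RFC test key, not a real credential.

```python
# Added example (not from the lecture): the dynamic-password and challenge-response
# smart-token protocols in code. HOTP/TOTP follow RFC 4226 / RFC 6238 (HMAC-SHA1,
# dynamic truncation); the challenge-response exchange is an HMAC construction assumed
# here for illustration. The key below is the RFC test-vector secret, not a real credential.
import hashlib
import hmac
import secrets
import struct
import time

TEST_KEY = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Clock-based OTP: the counter is the number of `step`-second intervals since the epoch."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(key, t // step, digits)


def verify_totp(key: bytes, code: str, at_time=None, step: int = 30, drift_steps: int = 1) -> bool:
    """Accept the current step and `drift_steps` neighbours on each side to absorb clock skew."""
    t = int(time.time() if at_time is None else at_time)
    return any(hmac.compare_digest(code, totp(key, t + i * step, step))
               for i in range(-drift_steps, drift_steps + 1))


def verify_hotp(key: bytes, code: str, last_counter: int, look_ahead: int = 5):
    """Server-side HOTP check: only counters after the last accepted one are tried, so a
    captured code cannot be replayed. Returns the new counter to store, or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(code, hotp(key, c)):
            return c
    return None


# Challenge-response: the verifier sends a fresh random challenge, the token returns
# HMAC(key, challenge). The key never crosses the wire and each challenge is used once,
# so an eavesdropper learns nothing reusable.
def new_challenge() -> bytes:
    return secrets.token_bytes(16)


def token_response(key: bytes, challenge: bytes) -> str:
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def verify_response(key: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(token_response(key, challenge), response)


if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(TEST_KEY, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(TEST_KEY, 59, digits=8))
    ch = new_challenge()
    print("challenge-response ok:", verify_response(TEST_KEY, ch, token_response(TEST_KEY, ch)))
```

Two details matter for the eavesdropping countermeasure the lecture mentions: the server must never accept a counter at or below the last one it stored (that is what makes a sniffed HOTP code worthless), and the TOTP drift window should be as small as the deployment's clock accuracy allows, since every extra step accepted is another valid code an attacker could replay within it.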

Smart Cards
Importance: The most significant category of smart tokens.
Physical Characteristics: Appear similar to credit cards.
Functionality:
Can use any of the smart token protocols.
Contain a complete microprocessor:
Processor
Memory
Input/Output ports or embedded antenna
Memory Types:
1. Read-Only Memory (ROM): Stores unchanging data.
2. Electrically Erasable Programmable ROM (EEPROM): Stores application data and
programs.
3. Random Access Memory (RAM): Holds temporary data generated during
application execution.

Electronic Identity Cards (eID)


Definition: Smart cards used as national identity cards for citizens.
Applications:
Serve similar purposes as traditional national ID cards.
Provide access to government and commercial services.
Advantages:
Offer stronger proof of identity.
Can be used in a wider variety of applications.

Biometric Authentication
Overview:

Authenticates individuals based on unique physical or behavioral characteristics.


Relies on pattern recognition.
Technically complex and more expensive than passwords and tokens.

Biometrics: Practical Considerations


Key Factors:

1. Accuracy:
The correctness of a biometric system.
2. Performance:
The achievable speed of analysis.
The resources required to achieve the desired speed.
3. Acceptability:
The extent to which people are willing to accept the use of a particular biometric
identifier.
4. Circumvention Resistance:

- The difficulty of fooling the biometric system.


Biometric Accuracy
Authentication Process:
When a user is to be authenticated, the system compares the presented sample (feature set) against the template stored at enrolment.
A matching score quantifies the similarity between the input and the stored template; a match is declared when the score exceeds a chosen threshold.
Metrics:
1. False Match Rate (FMR):
Also known as the false positive (FP) rate.
The fraction of impostor attempts that the system incorrectly accepts as a match, i.e. it
authenticates the wrong person.
2. False Non-Match Rate (FNMR):
Also known as the false negative (FN) rate.
The fraction of genuine attempts that the system incorrectly rejects, i.e. it turns away the
legitimate user.
Raising the threshold lowers the FMR but raises the FNMR, so the operating point is a trade-off between security and user acceptance.
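To make the two rates concrete, the following added example (not from the lecture) computes FMR and FNMR from matching scores at a given threshold, sweeps the threshold to show the trade-off, and locates the equal-error point and the zero-FMR operating point. The genuine and impostor score lists are constructed; a real evaluation would use thousands of comparisons and a scoring scale defined by the matcher.

```python
# Added example (not from the lecture): computing FMR and FNMR from matching scores at a
# chosen threshold, and locating the threshold where the two are equal. The genuine and
# impostor score lists are constructed; a real evaluation would use thousands of samples.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 65, 58]    # same person vs. stored template
IMPOSTOR_SCORES = [12, 20, 25, 31, 38, 44, 49, 55, 61, 68]   # different person vs. template


def error_rates(genuine, impostor, threshold):
    """A comparison is a 'match' when score >= threshold.
    FMR  = impostor comparisons wrongly accepted / all impostor comparisons (false positives)
    FNMR = genuine comparisons wrongly rejected / all genuine comparisons (false negatives)"""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def sweep(genuine, impostor, thresholds):
    """(threshold, FMR, FNMR) for each candidate threshold: the raw material of a ROC/DET curve."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FMR and FNMR are closest (the equal error rate operating point)."""
    return min(thresholds, key=lambda t: abs(error_rates(genuine, impostor, t)[0]
                                             - error_rates(genuine, impostor, t)[1]))


def threshold_for_max_fmr(genuine, impostor, max_fmr, thresholds):
    """Lowest threshold whose FMR does not exceed max_fmr, with the FNMR paid for it.
    Security-critical deployments pick this point; convenience-oriented ones accept more FMR."""
    for t in sorted(thresholds):
        fmr, fnmr = error_rates(genuine, impostor, t)
        if fmr <= max_fmr:
            return t, fnmr
    return None


if __name__ == "__main__":
    ths = range(0, 101, 5)
    for t, fmr, fnmr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, ths):
        print(f"threshold {t:3d}: FMR={fmr:.2f} FNMR={fnmr:.2f}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, ths))
    print("zero-FMR operating point:",
          threshold_for_max_fmr(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0, ths))
```

On these constructed scores the equal-error point sits at a threshold of 65 (10% of each error), while driving the FMR to zero requires a threshold of 70 and rejects 20% of genuine attempts. That second number is the acceptability cost the "Practical Considerations" list refers to, and it is why the threshold is a policy decision rather than a fixed property of the sensor.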
