Chapter 5 - User Authentication(1)

The document outlines the process of user authentication, which involves verifying an identity through identification and verification steps. It details security requirements, vulnerabilities, and countermeasures related to password-based authentication, as well as alternative methods like token-based and biometric authentication. Additionally, it discusses risk assessment levels and the potential impacts of authentication errors on organizations and individuals.

Uploaded by

Rahul Sharma

User Authentication

Authentication
• The process of verifying an identity claimed by or for a system entity.
• The authentication process consists of two steps:
o Identification step: Presenting an identifier to the security system.
• (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control services.)
o Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.
• Example:
o User Alice could have the user identifier ALICE123, which is stored in a database or on any computer.
o A typical item of authentication information associated with this user ID is a password, which is kept secret.
o The combination of Alice's user ID and password authenticates Alice.

NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines digital user authentication as:

"The process of establishing confidence in user identities that are presented electronically to an information system."
Identification and Authentication Security Requirements

1. Uniqueness: Each user must have a unique identifier, such as a username or employee ID, to ensure accurate identification.
2. Authentication Factors: Implement multi-factor authentication (MFA) to enhance security. This may include something the user knows (password), something the user has (smart card), and something the user is (biometric).
3. Credential Protection: Safeguard user credentials by using secure hashing and encryption methods. This prevents unauthorized access even if the credentials are intercepted.
4. Identifier Reuse: Prevent reuse of identifiers for a defined period.
5. Logging and Monitoring: Maintain comprehensive logs of authentication events and regularly monitor them for any unusual or suspicious activities.
6. Password Policies: Enforce strong password policies, including complexity requirements and regular password updates.
7. User Training: Provide ongoing training for users on best practices for password management and recognizing phishing attempts to enhance overall security awareness.
8. Biometric Security: If using biometrics, ensure the security of biometric data storage and processing to prevent unauthorized access.
9. Compliance: Ensure adherence to relevant standards and regulations related to identification and authentication processes.
10. Inactive Account Lockout: Disable password after a defined period of inactivity.
A Model for User Authentication

[Figure 3.1 The NIST SP 800-63-2 E-Authentication Architectural Model. Only the figure's labels survive extraction. The diagram shows the Registration Authority (RA), the Subscriber/Claimant, the Relying Party (RP), the Credential Service Provider and the Verifier, connected by numbered flows: (1) identity proofing and user registration, (2) registration confirmation, (3) token/credential registration, issuance and maintenance, (4) token/credential validation, (5) authenticated assertion from the Verifier to the RP, and (6) an authenticated session between the Claimant and the RP. The Claimant and the Verifier run the authentication protocol exchange; e-authentication uses the token and credential.]


The four means of authenticating user identity are based on:

• Something the individual knows: password, PIN, answers to prearranged questions
• Something the individual possesses: smartcard, electronic keycard, physical key
• Something the individual is (static biometrics): fingerprint, retina, face
• Something the individual does (dynamic biometrics): voice pattern, handwriting, typing rhythm
Risk Assessment for User Authentication

• There are three separate concepts:
o Assurance level
o Potential impact
o Areas of risk

Assurance level
• Describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity.
• More specifically, assurance is defined as:
o The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
o The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued

Four levels of assurance
• Level 1: Little or no confidence in the asserted identity's validity
• Level 2: Some confidence in the asserted identity's validity
• Level 3: High confidence in the asserted identity's validity
• Level 4: Very high confidence in the asserted identity's validity
• FIPS 199 defines three levels of potential
impact on organizations or individuals
should there be a breach of security:
o Low
• An authentication error could be expected to have a
limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate
• An authentication error could be expected to have a
serious adverse effect
o High
• An authentication error could be expected to have a
severe or catastrophic adverse effect
Table 3.2 Maximum Potential Impacts for Each Assurance Level

Potential Impact Categories for Authentication Errors         Assurance Level Impact Profiles
                                                               1      2      3      4
Inconvenience, distress, or damage to standing or reputation   Low    Mod    Mod    High
Financial loss or organization liability                       Low    Mod    Mod    High
Harm to organization programs or interests                     None   Low    Mod    High
Unauthorized release of sensitive information                  None   Low    Mod    High
Personal safety                                                None   None   Low    Mod/High
Civil or criminal violations                                   None   Low    Mod    High
Password-Based Authentication

• Widely used line of defense against intruders
o User provides name/login and password
o System compares the password with the one stored for that specified login
• The user ID:
o Determines that the user is authorized to access the system
o Determines the user's privileges: A few users may have superuser status that enables them to read files and perform functions that are specially protected by the operating system
Password Vulnerabilities

1. Weak Passwords: Users often choose weak passwords that are easy to guess.
2. Password Reuse: Reusing passwords across multiple accounts increases the risk if one account is compromised.
3. Password Storage: Storing passwords in plaintext or using weak encryption methods.
4. Password Guessing: Attackers attempt to guess passwords using methods like brute force attacks.
5. Human Factor: Users may unknowingly provide their passwords in response to phishing emails or fake websites.
6. Lack of Password Policies: Absence of clear password policies may lead to insecure practices.
7. Transmission Security: Passwords transmitted over unsecured networks can be intercepted.
8. Inactive Account Risks: Users with inactive accounts may not update their passwords, increasing the risk of compromise.
9. Insider Threats: Malicious insiders may misuse their access to compromise passwords.
Countermeasures for Password Security

1. Weak Passwords: Enforce password complexity requirements, such as a minimum length, a mix of uppercase and lowercase letters, numbers, and special characters.
2. Password Reuse: Encourage users to use unique passwords for each account and implement multi-factor authentication (MFA) where possible.
3. Password Storage: Store passwords securely using strong encryption algorithms and practices, such as hashing with salt.
4. Password Guessing: Implement account lockout policies after a certain number of failed login attempts to prevent automated attacks.
5. Human Factor: Educate users about phishing risks, use email filtering systems, and implement two-factor authentication (2FA) to add an extra layer of security.
6. Lack of Password Policies: Establish and communicate password policies, including regular password updates and restrictions on common passwords.
7. Transmission Security: Use secure protocols like HTTPS for transmitting passwords, especially in web applications.
8. Inactive Account Risks: Implement policies to force password updates for inactive accounts.
9. Insider Threats: Implement access controls and monitoring systems to detect and respond to suspicious activities.
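Countermeasures 4 (account lockout after repeated failures) and 9 (monitoring for suspicious activity) are the two that a system can apply mechanically to its own authentication log. The following is an added example, not code from the slides: it replays a constructed log of login events through an assumed policy of five failures within fifteen minutes, locks the account for that window, and raises alerts for both the lockout and any attempt made while locked. The log format, the policy numbers and the user/IP values are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed policy: lock after 5 failures ...
WINDOW = timedelta(minutes=15)   # ... within 15 minutes; lockout also lasts this long

# Constructed sample events: "<ISO timestamp> <user> <FAIL|SUCCESS> <source IP>".
# This is an invented format for the example, not a real system's log.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice FAIL 10.0.0.5
2024-05-01T09:00:04 alice FAIL 10.0.0.5
2024-05-01T09:00:07 alice FAIL 10.0.0.5
2024-05-01T09:00:10 alice FAIL 10.0.0.5
2024-05-01T09:00:13 alice FAIL 10.0.0.5
2024-05-01T09:00:16 alice SUCCESS 10.0.0.5
2024-05-01T09:05:00 bob FAIL 10.0.0.9
2024-05-01T09:30:00 bob FAIL 10.0.0.9
2024-05-01T09:31:00 bob SUCCESS 10.0.0.9
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, result, source)."""
    ts, user, result, source = line.split()
    return datetime.fromisoformat(ts), user, result, source


def evaluate(log_text: str) -> dict:
    """Apply the lockout policy to the event stream and collect alerts.

    Returns which users ended up locked, the alert messages raised, and the
    logins that were actually accepted (a correct password presented while the
    account is locked is still refused).
    """
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked = {}                    # user -> time the lockout started
    alerts = []
    accepted = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = parse_line(line)
        # Forget failures that fall outside the sliding window.
        failures[user] = [t for t in failures[user] if ts - t <= WINDOW]
        if user in locked and ts - locked[user] <= WINDOW:
            alerts.append(f"{ts.isoformat()} {user}: attempt from {source} while locked out")
            continue
        if result == "FAIL":
            failures[user].append(ts)
            if len(failures[user]) >= MAX_FAILURES:
                locked[user] = ts
                alerts.append(f"{ts.isoformat()} {user}: locked out after "
                              f"{MAX_FAILURES} failures from {source}")
        else:
            accepted.append((user, ts))
            failures[user].clear()
    return {"locked": sorted(locked), "alerts": alerts, "accepted": accepted}


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG)["alerts"]:
        print(alert)
```

In the sample, alice's sixth attempt succeeds with the right password but is refused and alerted because the account is already locked, while bob's two failures are 25 minutes apart, so the first has expired and his login is accepted. Choosing the window is the design trade-off: too short and an automated guesser simply paces itself; too long and the lockout itself becomes a denial-of-service lever against legitimate users.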
Authentication in Unix
Password Based Authentication
Why Salt in Hashes?
• The salt serves three purposes:
• It prevents duplicate passwords from being visible in
the password file.
o Even if two users choose the same password, those passwords will be
assigned different salt values.
o Hence, the hashed passwords of the two users will differ.
• It greatly increases the difficulty of offline dictionary attacks.
o Because every candidate password must be hashed once per salt value, the salt multiplies the work of guessing a password in a dictionary attack.
• It becomes nearly impossible to find out whether a
person with passwords on two or more systems has
used the same password on all of them.
Use of Hashed Passwords

[Figure 3.3 UNIX Password Scheme. Only the figure's labels survive extraction. (a) Loading a new password: the password and a salt are fed to a slow hash function, and the resulting hash code is loaded into the password file alongside the user ID and the salt. (b) Verifying a password: the user ID selects the salt from the password file, the presented password and that salt pass through the same slow hash function, and the resulting hashed password is compared with the stored hash code.]


Password Cracking

Traditional Approaches

Dictionary attacks
• Develop a large dictionary of possible passwords and try each against the password file
• Each password must be hashed using each salt value and then compared to stored hash values

Rainbow table attacks
• Rainbow tables are precomputed tables of hashes for all possible combinations of characters up to a certain length.
• These tables are massive databases that link each hash to the original plaintext password.
• An attacker compares stolen or intercepted hashed passwords against the entries in a precomputed rainbow table.

Password crackers exploit the fact that people choose easily guessable passwords
• Shorter password lengths are also easier to crack

John the Ripper
• Open-source password cracker first developed in 1996
• Uses a combination of brute-force and dictionary techniques
Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords

• However, password-cracking techniques have also improved
o The processing capacity available for password cracking has
increased dramatically
o The use of sophisticated algorithms to generate potential
passwords
o Studying examples and structures of actual passwords in use
An Analysis from Researchers

[Figure 3.4 The Percentage of Passwords Guessed After a Given Number of Guesses. Only the axis labels survive extraction: the vertical axis is percent guessed (0% to 50%) and the horizontal axis is number of guesses on a logarithmic scale (10^4, 10^7, 10^10, 10^13).]

The figure summarizes a key result from the paper. The graph shows the percentage of passwords that have been recovered as a function of the number of guesses. As can be seen, over 10% of the passwords are recovered after only 10^10 guesses. After 10^13 guesses, almost 40% of the passwords were recovered.
Password File Access Control

Can block offline guessing attacks by denying access to encrypted passwords:
• Make available only to privileged users
• Shadow password file

Still, vulnerabilities exist:
• Weakness in the OS that allows access to the file
• Accident with permissions making it readable
• Users with the same password on other systems
• Access from backup media
• Sniff passwords in network traffic

Thus a password protection policy must complement access control measures.
Password Checking

Password Selection Strategies

User education
• Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords

Computer-generated passwords
• Good approach; however, users have trouble remembering them

Reactive password checking
• System periodically runs its own password cracker to find guessable passwords

Complex password policy
• User is allowed to select their own password; however, the system checks to see if the password is allowable, and if not, rejects it
• Goal is to eliminate guessable passwords while allowing the user to select a password that is memorable
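A proactive checker of the kind the complex-password-policy strategy describes, as an added example (not code from the slides or from any real password checker). The policy values, the short common-password list and the sample inputs are assumptions made for the example; a real checker would consult a much larger list of leaked or common passwords.

```python
import math
import string

MIN_LENGTH = 12      # assumed policy values for the example
MIN_CLASSES = 3      # of the four classes: lowercase, uppercase, digit, punctuation
MAX_RUN = 3          # longest allowed run of one repeated character

# Constructed stand-in for a real common-password list, which is far longer.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "12345678",
    "qwerty", "letmein", "welcome", "admin", "iloveyou",
}


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password draws on."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def longest_run(password: str) -> int:
    """Length of the longest run of a single repeated character (e.g. 'aaaa' -> 4)."""
    best = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def estimate_entropy_bits(password: str) -> float:
    """Crude search-space estimate: length * log2(pool size implied by the classes present).
    Useful for feedback to the user; it says nothing about dictionary words."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, user_id: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is allowable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if user_id and user_id.lower() in password.lower():
        reasons.append("contains the user ID")
    if longest_run(password) > MAX_RUN:
        reasons.append(f"contains a run of more than {MAX_RUN} repeated characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("password123", "alice2024!!", "Tr0ub4dor&3xample!"):
        print(candidate, "->", check_password(candidate, user_id="alice") or "allowed")
```

Returning every violated rule rather than a bare reject is what lets the user pick something memorable on the next try instead of guessing at the policy, which is the balance the slide describes.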
Token Based
Authentication
Objects that a user possesses for the purpose of user authentication are
called tokens.

In this section, we examine two types of tokens that are widely used.
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction
Smart Tokens
• A wide variety of devices qualify as smart tokens. These can be categorized
along four dimensions that are not mutually exclusive:
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display for human/token interaction
• Electronic interface:
o A smart card or other token requires an electronic interface to communicate with a compatible reader/writer
o Contact and contactless interfaces
• Authentication protocol:
o The purpose of a smart token is to provide a means for user
authentication.
o We can classify the authentication protocols used with smart tokens
into three categories:
• Static: User authenticates to token and then token authenticates the user to computer.
• Dynamic password generator: Periodically generates unique password.
• Challenge-response: The computer generates a challenge and the smart token generates a response.
Smart Cards
• These are physical cards with embedded chips that
provide secure access when inserted into a card reader.
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols
• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports
• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed
Biometric Authentication
Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when
compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Biometric Authentication
Enrollment
• The user presents a name and, typically, some type of password or PIN to the
system.
• The system senses some biometric characteristics of this user (e.g., fingerprint of
right index finger).
• The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers representing this unique biometric characteristic. This set of numbers is referred to as the user's template.

The user is now enrolled in the system, which maintains for the user a
name (ID), perhaps a PIN or password, and the biometric value.
Biometric Authentication
Verification
• Verification is analogous to a user logging on to a system by using a
memory card or smart card coupled with a password or PIN.
• The user enters a PIN and also uses a biometric sensor. The system
extracts the corresponding feature and compares that to the
template stored for this user.
• If there is a match, then the system authenticates this user.
Authentication over Networks
Remote User Authentication
• Authentication over a network, the Internet,
or a communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a password,
replaying an authentication sequence that has
been observed

• Generally rely on some form of a challenge-response protocol to counter threats
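Both the smart-token "challenge-response" protocol category above and this remote-authentication point rest on the same exchange, shown here as an added example that is not part of the original slides: the host sends a fresh random challenge, the token answers with an HMAC over it under a shared key, and the host checks the answer. Both sides are modelled in one script; the shared-key provisioning, the user name and the 16-byte nonce size are assumptions made for the example.

```python
import hashlib
import hmac
import os


class Host:
    """Remote host: holds each user's shared key, issues challenges, verifies responses."""

    def __init__(self):
        self.keys = {}          # user id -> shared secret (assumed provisioned at enrollment)
        self.outstanding = {}   # user id -> challenge currently awaiting a response
        self.used = set()       # consumed challenges, so a captured response cannot be replayed

    def register(self, user_id: str, key: bytes) -> None:
        self.keys[user_id] = key

    def issue_challenge(self, user_id: str) -> bytes:
        challenge = os.urandom(16)          # fresh, unpredictable nonce per login attempt
        self.outstanding[user_id] = challenge
        return challenge

    def verify(self, user_id: str, challenge: bytes, response: bytes) -> bool:
        if self.outstanding.get(user_id) != challenge or challenge in self.used:
            return False                    # stale, unknown or replayed challenge
        del self.outstanding[user_id]
        self.used.add(challenge)            # consumed whether or not the response is right
        expected = hmac.new(self.keys[user_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class SmartToken:
    """Token holding the shared key; it only ever emits a response, never the key itself."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def run_exchange() -> dict:
    """Run one genuine login, one replay of it, and one attempt by a token without the key."""
    host = Host()
    key = os.urandom(32)
    host.register("alice", key)
    token = SmartToken(key)

    # 1. host -> token: challenge   2. token -> host: response   3. host verifies
    c1 = host.issue_challenge("alice")
    r1 = token.respond(c1)
    genuine = host.verify("alice", c1, r1)

    # An eavesdropper who captured (c1, r1) re-sends it: refused, c1 is already consumed.
    replayed = host.verify("alice", c1, r1)

    # A device that lacks the shared key answers a fresh challenge: refused.
    c2 = host.issue_challenge("alice")
    impostor = host.verify("alice", c2, SmartToken(os.urandom(32)).respond(c2))

    return {"genuine": genuine, "replayed": replayed, "impostor": impostor}


if __name__ == "__main__":
    print(run_exchange())
```

The secret never crosses the link, so eavesdropping yields only a (challenge, response) pair that is useless once the host has consumed that challenge; freshness of the challenge is what defeats the replay threat listed in the next slide, and the constant-time compare keeps the verify step from leaking partial matches.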
Security Issues for User Authentication

Eavesdropping
• Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary

Host attacks
• Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored

Client attacks
• Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path

Replay
• Adversary repeats a previously captured user response

Trojan horse
• An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric

Denial-of-service
• Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Summary

• Digital user authentication principles
o A model for digital user authentication
o Means of authentication
o Risk assessment for user authentication
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
• Token-based authentication
o Memory cards
o Smart cards
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
• Remote user authentication
• Security issues for user authentication
