CH03-CompSec4e

Chapter 3 of 'Computer Security: Principles and Practice' discusses user authentication, defining it as the process of establishing confidence in user identities presented electronically. It outlines four means of authentication: something the individual knows, possesses, is, and does, and assesses risks associated with these methods, including potential impacts of security breaches. The chapter also covers password-based authentication vulnerabilities, modern approaches, and various types of tokens used for authentication, alongside security issues related to remote user authentication.


Computer Security: Principles and Practice
Fourth Edition, Global Edition

By: William Stallings and Lawrie Brown


Chapter 3
User Authentication
NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines digital user authentication as:

“The process of establishing confidence in user identities that are presented electronically to an information system.”
(Table can be found on page 65 in the textbook)
The four means of authenticating user identity are based on:
• Something the individual knows
o Password, PIN, answers to prearranged questions
• Something the individual possesses (token)
o Smartcard, electronic keycard, physical key
• Something the individual is (static biometrics)
o Fingerprint, retina, face
• Something the individual does (dynamic biometrics)
o Voice pattern, handwriting, typing rhythm
Risk Assessment for User Authentication
• There are three separate concepts:
o Assurance Level
o Potential impact
o Areas of risk
Assurance Level
• Describes an organization’s degree of certainty that a user has presented a credential that refers to his or her identity
• More specifically is defined as:
o The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
o The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
• Four levels of assurance
o Level 1: Little or no confidence in the asserted identity’s validity
o Level 2: Some confidence in the asserted identity’s validity
o Level 3: High confidence in the asserted identity’s validity
o Level 4: Very high confidence in the asserted identity’s validity
Potential Impact
• FIPS 199 defines three levels of potential
impact on organizations or individuals
should there be a breach of security:
o Low
• An authentication error could be expected to have a
limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate
• An authentication error could be expected to have a
serious adverse effect
o High
• An authentication error could be expected to have a
severe or catastrophic adverse effect
Table 3.2
Maximum Potential Impacts for Each Assurance Level
Password-Based Authentication
• Widely used line of defense against
intruders
o User provides name/login and password
o System compares password with the one stored for that
specified login
• The user ID:
o Determines that the user is authorized to access the
system
o Determines the user’s privileges
o Is used in discretionary access control
Password Vulnerabilities
• Offline dictionary attack
• Specific account attack
• Popular password attack
• Password guessing against single user
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use
• Electronic monitoring
UNIX Implementation
• Original scheme
o Up to eight printable characters in length
o 12-bit salt used to modify DES encryption into a one-way hash function
o Zero value repeatedly encrypted 25 times
o Output translated to 11 character sequence
• Now regarded as inadequate
• Still often required for compatibility with existing account management software or multivendor environments
Improved Implementations
• Much stronger hash/salt schemes available for Unix
• Recommended hash function is based on MD5
o Salt of up to 48 bits
o Password length is unlimited
o Produces 128-bit hash
o Uses an inner loop with 1000 iterations to achieve slowdown
• OpenBSD uses Blowfish block cipher based hash algorithm called Bcrypt
o Most secure version of Unix hash/salt scheme
o Uses 128-bit salt to create 192-bit hash value
Password Cracking
• Dictionary attacks
o Develop a large dictionary of possible passwords and try each against the password file
o Each password must be hashed using each salt value and then compared to stored hash values
• Rainbow table attacks
o Pre-compute tables of hash values for all salts
o A mammoth table of hash values
o Can be countered by using a sufficiently large salt value and a sufficiently large hash length
• Password crackers exploit the fact that people choose easily guessable passwords
o Shorter password lengths are also easier to crack
• John the Ripper
o Open-source password cracker first developed in 1996
o Uses a combination of brute-force and dictionary techniques
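The following is an added Python example, not code from the textbook or the slide deck. It illustrates the salted, iterated one-way hashing that the MD5-based and Bcrypt schemes above implement, and why a per-user salt defeats the rainbow-table precomputation described under Password Cracking: the same password stored under two salts yields two unrelated hashes, so a single precomputed table cannot cover both. PBKDF2-HMAC-SHA256 from the standard library stands in for those algorithms; the record format, iteration count, salt size and sample passwords are the example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# The iteration count plays the role of the "inner loop" slowdown the slides
# describe (1000 rounds in MD5-crypt). The value here is the example's choice.
ITERATIONS = 100_000
SALT_BYTES = 16  # 128-bit salt, the size the slides give for Bcrypt


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the salt and iteration count beside the hash lets the verifier
    recompute exactly what was stored, and lets the cost be raised later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_break_precomputation(password: str) -> bool:
    """Same password, two salts: the stored hashes differ.

    A precomputed (rainbow) table would therefore need one entry per
    (password, salt) pair, which is what a large salt makes infeasible.
    """
    record_a = hash_password(password, salt=bytes(SALT_BYTES))            # constructed salt A
    record_b = hash_password(password, salt=bytes([1]) * SALT_BYTES)      # constructed salt B
    return record_a.split("$")[3] != record_b.split("$")[3]


if __name__ == "__main__":
    stored = hash_password("correct horse battery")   # constructed sample password
    print(stored)
    print("good password accepted:", verify_password("correct horse battery", stored))
    print("wrong password rejected:", not verify_password("correct horse batterx", stored))
    print("salt defeats one shared table:", salts_break_precomputation("password"))
```

A dictionary attacker against records in this format must run the full iterated computation once per candidate word per salt, which is the cost multiplier the slide's "hashed using each salt value" bullet refers to.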
Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords

• However, password-cracking techniques have also improved
o The processing capacity available for password cracking has
increased dramatically
o The use of sophisticated algorithms to generate potential
passwords
o Studying examples and structures of actual passwords in use
Password File Access Control
• Can block offline guessing attacks by denying access to encrypted passwords
o Make available only to privileged users
o Shadow password file
• Vulnerabilities
o Weakness in the OS that allows access to the file
o Accident with permissions making it readable
o Users with same password on other systems
o Access from backup media
o Sniff passwords in network traffic

Password Selection Strategies
Proactive Password Checking
• Rule enforcement
o Specific rules that passwords must adhere to

• Password checker
o Compile a large dictionary of passwords not to use

• Bloom filter
o Used to build a table based on hash values
o Check desired password against this table
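An added Python example, not from the textbook or slides, of a proactive password checker that combines the three approaches above: rule enforcement, a dictionary of passwords not to use, and a Bloom filter built from hash values of that dictionary so the check is fast and the dictionary itself need not be shipped. The Bloom filter sizing formulas, the rule thresholds, the message strings and the short word list are constructed for the example.

```python
import hashlib
import math
from typing import Iterable, List

MSG_SHORT = "must be at least 12 characters"
MSG_CLASSES = "must use at least three of: lowercase, uppercase, digit, symbol"
MSG_DICT = "appears in the list of prohibited passwords"

# Constructed word list standing in for a large dictionary of bad passwords.
BAD_PASSWORDS = ["password", "123456", "qwerty", "letmein",
                 "monkey", "dragon", "iloveyou", "admin"]


class BloomFilter:
    """Bit table over k hash positions per item: no false negatives, rare false positives."""

    def __init__(self, expected_items: int, false_positive_rate: float = 0.001):
        # Standard sizing: m bits for the target false-positive rate, k hashes.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate)
                                  / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterable[int]:
        # k independent hash values derived by prefixing an index to the item.
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{item}".encode("utf-8")).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        # A member sets every one of its bits; one clear bit proves non-membership.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def build_filter(words: Iterable[str]) -> BloomFilter:
    words = list(words)
    bf = BloomFilter(expected_items=len(words))
    for w in words:
        bf.add(w.lower())  # normalise case so "Password" is caught too
    return bf


def check_password(candidate: str, prohibited: BloomFilter, min_length: int = 12) -> List[str]:
    """Return the list of reasons a candidate password is rejected (empty means accepted)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(MSG_SHORT)
    classes = sum([any(c.islower() for c in candidate),
                   any(c.isupper() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate)])
    if classes < 3:
        problems.append(MSG_CLASSES)
    if candidate.lower() in prohibited:
        problems.append(MSG_DICT)
    return problems


if __name__ == "__main__":
    bf = build_filter(BAD_PASSWORDS)
    for pw in ["password", "Ab1!", "Tr0ub4dor&3-xkcd-2024"]:
        print(repr(pw), "->", check_password(pw, bf) or "accepted")
```

Because a Bloom filter can report a false positive, a rejected candidate is never one from the dictionary that slipped through, but a small fraction of acceptable passwords will be refused; the false-positive rate chosen when sizing the table is the trade-off between that annoyance and memory.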
Table 3.3
Types of Cards Used as

Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction
Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display
for human/token interaction

• Electronic interface
o A smart card or other token requires an electronic interface to
communicate with a compatible reader/writer
o Contact and contactless interfaces
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols

• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports

• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed
Electronic Identity Cards (eID)
• Use of a smart card as a national identity card for citizens
• Can serve the same purposes as other national ID cards, and similar cards such as a driver’s license, for access to government and commercial services
• Can provide stronger proof of identity and can be used in a wider variety of applications
• In effect, is a smart card that has been verified by the national government
• Most advanced deployment is the German card neuer Personalausweis
• Has human-readable data printed on its surface
o Personal data
o Document number
o Card access number (CAN)
o Machine readable zone (MRZ)
Table 3.4
Electronic Functions and Data for eID Cards

CAN = card access number
MRZ = machine readable zone
PACE = password authenticated connection establishment
PIN = personal identification number
Password Authenticated Connection Establishment (PACE)

• Ensures that the contactless RF chip in the eID card cannot be read without
explicit access control
• For online applications, access is established by the user entering the 6-digit
PIN (which should only be known to the holder of the card)
• For offline applications, either the MRZ printed on the back of the card or the
six-digit card access number (CAN) printed on the front is used
Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when
compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Remote User Authentication
• Authentication over a network, the Internet, or a communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a password, replaying an authentication sequence that has been observed
• Generally rely on some form of a challenge-response protocol to counter threats
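An added Python example, not from the textbook or slides, of a minimal challenge-response password protocol of the kind this slide refers to, with both the client side and the host side in one script. It also illustrates the eavesdropping and replay threats listed here and under Authentication Security Issues below: the host issues a fresh single-use random challenge for each attempt, so a response captured from the link does not authenticate a second time, and the password itself never crosses the link. The HMAC construction, the PBKDF2-derived verifier, the nonce size and the user names are the example's own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

NONCE_BYTES = 16
SALT_BYTES = 16


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Both sides derive the same key from the password; the host stores only this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password by keying an HMAC over the challenge."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


class AuthServer:
    """Host side: stores verifiers, issues single-use challenges, checks responses."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, verifier)
        self.pending: Dict[str, bytes] = {}               # user -> outstanding nonce

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        # Caveat: in this protocol the stored verifier is password-equivalent, so a
        # host attack on this table is as serious as a leaked password file.
        self.users[user] = (salt, derive_verifier(password, salt))

    def challenge(self, user: str) -> Tuple[bytes, bytes]:
        """Send the client its salt and a fresh random nonce; replaces any earlier nonce."""
        salt, _ = self.users[user]
        nonce = os.urandom(NONCE_BYTES)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Accept only a response to the nonce currently outstanding, then discard it."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False  # no live challenge: nothing to respond to
        _, verifier = self.users[user]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> Tuple[bool, bool, bool]:
    """Run one honest login, one replay of the captured response, one wrong password."""
    server = AuthServer()
    server.register("alice", "s3cret-passphrase")        # constructed user and password

    salt, nonce = server.challenge("alice")
    captured = client_response("s3cret-passphrase", salt, nonce)   # what an eavesdropper sees
    honest_ok = server.verify("alice", captured)

    server.challenge("alice")                              # new attempt, new nonce
    replay_ok = server.verify("alice", captured)           # replayed response no longer matches

    salt, nonce = server.challenge("alice")
    wrong_ok = server.verify("alice", client_response("wrong-guess", salt, nonce))
    return honest_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    honest, replay, wrong = demo()
    print("honest login accepted:", honest)
    print("replayed response accepted:", replay)
    print("wrong password accepted:", wrong)
```

The protocol stops replay because each challenge is used once; it does not by itself stop an adversary who captures the exchange and guesses passwords offline against it, which is why the verifier derivation is deliberately slow and why the host-side table still needs the access controls discussed under Password File Access Control.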
Table 3.5
Some Potential Attacks, Susceptible Authenticators, and Typical Defenses

(Table is on page 96 in the
Authentication Security Issues
• Eavesdropping
o Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
• Host Attacks
o Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
• Replay
o Adversary repeats a previously captured user response
• Client Attacks
o Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
• Trojan Horse
o An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
• Denial-of-Service
o Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Case Study: ATM Security Problems
Summary
• Digital user authentication principles
o A model for digital user authentication
o Means of authentication
o Risk assessment for user authentication
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
o Password selection strategies
• Token-based authentication
o Memory cards
o Smart cards
o Electronic identity cards
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
o Biometric accuracy
• Remote user authentication
o Password protocol
o Token protocol
o Static biometric protocol
o Dynamic biometric protocol
• Security issues for user authentication