Authentication


COEN 250
Authentication

Authentication
- Between human and machine
- Between machine and machine

Human Machine Authentication

Authentication protocols are based on
- What you know. E.g. password, pass-phrase, (secret key, private key).
- What you have. Physical key, smart card.
- What you are. Biometrics.
- Where you are. E.g. trusted machine, access to room, …
Authentication

Passwords
- Predate computers.
- As do some attacks (stealing, guessing).
- Older cell phone technology transmits originating number with a password.
  - Password good, call goes through.
  - Eavesdropper receives phone number – password combination.
  - Eavesdropper can now clone the phone.

Authentication

Password Attacks
- Guessing
  - On-line
    - Time consuming.
    - Authentication attempts are usually logged.
    - Can detect attack long before it is likely to succeed.
    - Can disrupt the attack.
  - Off-line
    - Attacker needs to steal relevant data from which password(s) can be determined.
    - Attacker can use arbitrary amount of computing power.
- Capturing Passwords
  - Eavesdropping
  - Login Trojan Horse
Authentication

Passwords are stored
- On each server Alice uses.
- Centrally: Authentication Storage Node: each server retrieves the information when it wants to authenticate Alice.
- Centrally: Authentication Facilitator Node: each server takes Alice’s data and password and goes to the AFN.
Authentication

Password can be stored
- Unencrypted
  - Simple
  - Dangerous
- Implicitly, as hashes of passwords
  - As in UNIX, VMS
- Encrypted
- Hashed and Encrypted
Authentication


Example: Network Information Service (Yellow Pages)
- Directory service is the authentication storage node.
- Stores hashed passwords of users.
- Typically, hashed passwords list is world readable
  - Access by claiming to be a server.
- NIS authentication storage node does not authenticate itself to users.
  - Allows impersonation of authentication service.
Authentication

Passwords for machine – machine communication can be made difficult to guess.
- Arbitrary length
- Truly random choice of characters.

Human-machine passwords
- Guessable
- Subject to dictionary attack.
Authentication

Dictionary attack
- Most passwords are natural language words.
- Or derived from natural language words.
- Guess the language.
- Use a dictionary to try out all words in the language.
- Start with common passwords first.
- Replace a single character in a word, attach a random character, etc.
Authentication

Brute-Force Attack
- Generate all possible passwords.
- Sometimes make assumptions on the alphabet
  - only printable characters
  - characters on a keyboard

Authentication

Salting
- Protects hashed passwords against an offline attack.
- Brute force attack attacks all passwords in password file simultaneously.
Authentication

Salting
- Store a salt with each password
- Hash depends on salt and password.
- Use different salts for different passwords.
- Store salt with password.

Authentication

Salting
- Brute force attack, dictionary attack can only attack a single password.
Authentication

Passwords are compromised:
- By obtaining password file.
  - Safeguard by hashing and salting
  - Encryption
- By eavesdropping on an exchange
  - Use one-way passwords: Lamport Hash
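The slide names the Lamport hash as the defence against eavesdropping on an exchange but does not show the protocol. The following added example (written for these notes, not code from the course) implements it: the server stores only h^n(secret); on each login the client reveals the next value down the chain, h^(n-1)(secret), and the server accepts it if hashing it once yields the stored value, then stores the revealed value in its place. An eavesdropper who captures one value cannot compute the next one needed, so replaying it fails. SHA-256 as h, the chain length and the secret are constructed choices.

```python
from __future__ import annotations

import hashlib

# Constructed example (not from the slides): Lamport's one-time password chain.
# Server stores h^n(secret); the client reveals h^(n-1)(secret) at login, the
# server checks h(received) == stored, then stores the received value.


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def iterate_hash(secret: bytes, times: int) -> bytes:
    value = secret
    for _ in range(times):
        value = h(value)
    return value


class LamportServer:
    def __init__(self) -> None:
        self.users: dict[str, tuple[int, bytes]] = {}  # name -> (n, h^n(secret))

    def register(self, name: str, secret: bytes, n: int) -> None:
        # Only the top of the chain is stored; the secret never reaches the server.
        self.users[name] = (n, iterate_hash(secret, n))

    def challenge(self, name: str) -> int:
        # Tells the client which chain position to reveal next.
        return self.users[name][0]

    def login(self, name: str, response: bytes) -> bool:
        n, stored = self.users[name]
        if n <= 1:
            return False  # chain exhausted; the user must re-register with a new secret
        if h(response) != stored:
            return False
        # Accepted: the revealed value becomes the new stored value, one step lower.
        self.users[name] = (n - 1, response)
        return True


class LamportClient:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, n: int) -> bytes:
        return iterate_hash(self.secret, n - 1)


def demo() -> tuple[bool, bool, bool]:
    """Two legitimate logins, then a replay of the second captured value."""
    server = LamportServer()
    secret = b"constructed-secret"
    alice = LamportClient(secret)
    server.register("alice", secret, n=100)

    first = server.login("alice", alice.respond(server.challenge("alice")))
    captured = alice.respond(server.challenge("alice"))  # eavesdropper sees this on the wire
    second = server.login("alice", captured)              # legitimate use of the value
    replay = server.login("alice", captured)              # the same value again: rejected
    return first, second, replay


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The chain protects only the password exchange. Because the client trusts the n it is told, an impersonator of the server could ask for a smaller n and learn a value that is still valid at the real server, so the client should refuse any n larger than the last one it used and the chain must be re-seeded before it runs out.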
Authentication

Address Based
- Common in early UNIX
- Rtools:
  - .rhosts
    - In user home directory
    - (Computer, Account) pairs
    - These pairs are allowed access to the user’s account
  - /etc/hosts.equiv
    - List of network addresses of “equivalent” machines
    - Account name on A is equivalent to account name on B.
    - Users have to have identical account names.
Authentication

Address based authentication threatened by
- Access escalation
  - Attacker gains access to one host.
  - Access cascades to equivalent hosts / rhosts.
- Spoofing addresses
  - Very easy to spoof source address.
  - Harder to intercept traffic back.
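The two slides above describe the .rhosts / hosts.equiv rules and the access cascade they cause. The following added example (written for these notes, not code from the course) models both in a simplified form: a parser for the plain "host" and "host account" line forms, the acceptance rule from the slides (same account name on an equivalent machine, or a listed (computer, account) pair), and a trust-graph walk that an administrator can use to audit how far a single compromised host would cascade. The five hosts and their files are constructed; netgroups and the "+" / "-" wildcard entries of the real files are deliberately left out.

```python
from __future__ import annotations

from collections import deque

# Constructed example (not from the slides): a simplified model of .rhosts /
# /etc/hosts.equiv trust and the access cascade it creates.


def parse_trust_file(text: str) -> list[tuple[str, str | None]]:
    """Each non-comment line is 'host' or 'host account'."""
    entries: list[tuple[str, str | None]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def allows(entries: list[tuple[str, str | None]], remote_host: str,
           remote_user: str, local_user: str) -> bool:
    """A bare 'host' entry is the hosts.equiv rule: the same account name on an
    equivalent machine is accepted. A 'host account' pair is the .rhosts rule:
    that remote account may enter the account whose file this is."""
    for host, account in entries:
        if host != remote_host:
            continue
        if account is None and remote_user == local_user:
            return True
        if account is not None and account == remote_user:
            return True
    return False


def build_trust_graph(hosts_equiv_files: dict[str, str]) -> dict[str, set[str]]:
    """hosts_equiv_files maps a host to the text of its /etc/hosts.equiv.
    Result: graph[host] is the set of machines that host treats as equivalent."""
    return {host: {h for h, _ in parse_trust_file(text)}
            for host, text in hosts_equiv_files.items()}


def cascade_from(graph: dict[str, set[str]], compromised: str) -> set[str]:
    """Hosts reachable without a password by whoever holds an account on
    `compromised`: every host that trusts it, then every host that trusts
    those, and so on. This is the access escalation the slide warns about."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for host, equivalents in graph.items():
            if current in equivalents and host not in reached:
                reached.add(host)
                queue.append(host)
    return reached


# Constructed sample: contents of /etc/hosts.equiv on five machines.
SAMPLE_FILES = {
    "payroll": "build\n",
    "build": "devbox\n",
    "devbox": "# trusts nobody\n",
    "backup": "payroll\nbuild\n",
    "kiosk": "",
}

if __name__ == "__main__":
    graph = build_trust_graph(SAMPLE_FILES)
    # devbox trusts nobody, yet a break-in there reaches build, payroll and backup.
    print(sorted(cascade_from(graph, "devbox")))
```

Note that the walk follows trust in the direction an attacker moves: from a host to every host that lists it as equivalent. The least-trusted machine in the sample (devbox) is the most dangerous one to lose, which is exactly the property address-based schemes make hard to see without such an audit.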

Authentication

Ethernet network address impersonation
- Easy on the same link.
- Hubs do not protect.
- Switches can be spoofed through the ARP protocol.
- Routers are harder to fool, but can be attacked and provided with misleading routing data.
Authentication

Cryptographic authentication
- Alice proves her identity to Bob by proving to Bob that she knows a secret.
  - Hashes
  - Secret key cryptography
  - Public key cryptography.

Human Machine Authentication

Initial password distribution to humans
- Pre-expired, through mail
- Derivable strong passwords from common knowledge
  - Student ID
Human Machine Authentication

Authentication Token
- Possession of the token proves right to access.
- Magnetic stripe as on credit cards.
  - Harder to reproduce
  - “Impossible” to guess
  - Demand special hardware
  - Can be lost or stolen
    - Add pin or password protection
  - Are not safe against communication eavesdropping and forging
Human Machine Authentication

Authentication Token
- Smart Card.
  - Needs to be inserted in a smart card reader.
  - Card authenticates to the smart card reader.
- PIN protected smart cards.
  - Stops working after a number of false PINs.
- Cryptographic challenge / response cards
  - Card contains a cryptographic key.
  - Authenticating computer issues a challenge.
  - Card solves the challenge after PIN is entered.
  - Harder to crack than PIN protected smart cards because key is never revealed.
Human Machine Authentication

Authentication Token
- Smart Card.
- Readerless smart card (Cryptographic calculator)
  - Communicates with owner through mini-keyboard and display.
  - Authenticating computer issues a challenge to Alice.
  - Alice types in challenge into readerless smart card.
  - Readerless smart card solves the challenge.
    - After Alice puts in her password.
  - Alice transfers the answer to the computer.
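The two smart card slides above describe the same challenge/response exchange, once through a reader and once through Alice's keyboard and display. The following added example (written for these notes, not code from the course) models it: the card holds a key that never leaves it, releases an answer only after the correct PIN, and locks after three wrong PINs; the authenticating computer issues a random challenge, accepts each challenge only once, and recomputes the expected answer from its own copy of the key. HMAC-SHA256 truncated to an 8-digit code, the 8-byte challenge shown as hex, the PIN and the failure limit are constructed choices.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed example (not from the slides): a challenge/response token. The
# same code models the reader-based card and the readerless "cryptographic
# calculator": the challenge is shown to Alice as hex, the answer as digits.

DIGITS = 8  # assumption: length of the code Alice types back


def response_code(key: bytes, challenge: bytes) -> str:
    """HMAC over the challenge, truncated to a short code a human can type."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


class Card:
    MAX_PIN_FAILURES = 3  # assumption: lock-out threshold

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key      # secret; only ever used inside solve(), never output
        self._pin = pin
        self.failures = 0
        self.locked = False

    def solve(self, challenge_hex: str, pin: str) -> str | None:
        """Returns the answer, or None if the PIN is wrong or the card is locked."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failures += 1
            if self.failures >= self.MAX_PIN_FAILURES:
                self.locked = True   # stops working after a number of false PINs
            return None
        self.failures = 0
        return response_code(self._key, bytes.fromhex(challenge_hex))


class Verifier:
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> str:
        nonce = secrets.token_bytes(8)
        self._pending[user] = nonce     # one outstanding challenge per user
        return nonce.hex()

    def check(self, user: str, answer: str | None) -> bool:
        nonce = self._pending.pop(user, None)   # a challenge is usable once
        if nonce is None or answer is None:
            return False
        expected = response_code(self._keys[user], nonce)
        return hmac.compare_digest(expected.encode(), answer.encode())


def demo() -> tuple[bool, bool, bool]:
    """Correct login, replay of the same answer, and PIN lock-out."""
    key = secrets.token_bytes(32)
    computer = Verifier()
    computer.enroll("alice", key)
    card = Card(key, pin="4711")

    shown = computer.challenge("alice")                        # displayed to Alice
    ok = computer.check("alice", card.solve(shown, "4711"))    # fresh challenge, right PIN
    replay = computer.check("alice", card.solve(shown, "4711"))  # same challenge again
    for _ in range(Card.MAX_PIN_FAILURES):
        card.solve(computer.challenge("alice"), "0000")        # wrong PIN, three times
    locked = card.solve(computer.challenge("alice"), "4711") is None
    return ok, replay, locked


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point the slide makes is visible in the code: nothing the card ever emits is the key, only a function of the key and a fresh challenge, so an eavesdropper who records the exchange has nothing to replay and nothing to derive the key from by guessing the PIN offline.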

Human Machine Authentication

Biometrics
- Retinal scanner
- Fingerprint reader
- Face recognition
- Iris scanner
- Handprint readers
- Voiceprints
- Keystroke timing
- Signatures
Authentication Security Policy
Defining Protection Levels

Partitioning Computing Resources
- Usually necessary (law) to have special security for sensitive areas:
  - Human Resources
  - Accounting
  - …
- Network can be repartitioned using subnets with special protection and special procedures
Authentication Security Policy
Defining Protection Levels

Partitioning Computing Resources
- Protection by naming
  - Increase protection by not making certain systems visible from the outside
  - [Diagram of the split naming layout, labelled: Internet, external DNS server, external firewall, internal DNS server, internal firewall, Local LAN]
Authentication Security Policy
Defining Protection Levels

- “Human resources, accounting, and other administrative support systems shall be physically partitioned from the general network in such a manner to control the flow of information to and from those systems”
- “Network name services shall be configured to provide Internet users with generic names to accessible internal systems while serving meaningful names to internal, organizational users.”
- “Network addresses shall be predefined for every system and network device and may be preloaded or resolved when logged in to the network.”
- “Network address servers and those used to resolve addresses shall be protected in accordance with best practice appropriate for that device.”
Network Access Control

Typical: One external access point
- Connection to ISP

Gateways: Points where network traffic is transferred from the organization’s network to the internet:
- Dial-in, Dial-out
- Other external connections
- Internet connections
- Wireless connections
Network Access Control

- “All telephone access to the network shall be centrally protected by strong authentication controls. Modems shall be configured for dial-in or dial-out access but not both. The Network Administrator shall provide procedures to grant access to modem services. Users shall not install modems at any other location on the network without appropriate review and authorization.”
- “Any gateway proposed to be installed on the company’s network that would violate policies or procedures established from these policies shall not be installed without prior approval of the Information Security Management Committee.”
- “Applications that require gateway services shall be authenticated to the network. If the service itself cannot be authenticated, services carried through the gateway shall be subject to authentication policies described in this document.”
Login Policies
- User Identification
  - Guest accounts
  - Login Banners
    - Establish privacy expectation
    - Work as “no-trespassing” signs
- Login Controls
  - Login Reporting
- User Accounts
  - Establishment of special privileges
Password Policies

Policies defining strength of passwords
- Length of password
- Composition of password
- Storage of passwords by users
- Default passwords for systems / applications
  - This problem is going away, but still
- Password Testing
Telecommuting / Remote Access Policies

Preserve security of IT assets at the organization
- Employee’s equipment is probably not well protected
- Authentication over the internet / dial-up

Protection of organizational data
- Legally / Technically
- In Transit / Stored / During Processing
Mobile Equipment

Employees work with company equipment outside of the perimeter
- Storing data on removable drives
  - USB drives