Tuomas Aura
T-110.4206 Information security technology
User authentication
Outline
1. Passwords
2. Physical security tokens and two-method authentication 3. Biometrics
User authentication can be based on
– something you know
– something you have
– something you are
PASSWORDS
Username and password
Passwords are used for entity authentication
– Needed for access control and auditing:
access control = authentication + authorization – Entity authentication vs. message authentication
Password is a shared secret between the user and computer system
– Limitations arise from the reliance on of human memory and input
What attacks are there against passwords?
Sniffing and key loggers
Password sniffing on the local network used to be a major problem; mostly solved by
cryptographic authentication:
– SSH, SSL, HTTP Digest Authentication, MS-CHAPv2
Key logger: software or hardware that stores all key strokes (including passwords) typed on a computer
– Particular danger in public-access computers e.g. at libraries and cafes
– Why do some bank web sites ask you to use the
mouse to enter the PIN code?
Password recovery
Humans are prone to forget things need a process for recovering from password loss
What the advantages and disadvantages of the following recovery mechanisms?
– Security question or memorable secret, e.g. birth place, mother’s maiden name, pet’s name
– Emailing password to another user account – Physical visit to customer support
– Yellow sticky on the back of the keyboard
Password reuse
How many different user accounts and passwords do you have? Ever used the same password on two accounts?
Using the same or related passwords on multiple accounts means that one corrupt sysadmin or compromised account can lead to compromise of the other accounts
Adminsitrative countermeasures:
– Passwords chosen by the service, not set by users – Exotic password format requirements
Personal countermeasures:
– Generating service-specific passwords from one master password
– Password wallet that helps the memory, encrypted with a master password
Shoulder surfing
Keyboards and screens are highly visible
others may see what you are typing
Password and PIN prompts usually do not show the characters
– Does this make sense for all secrets?
*******
Password guessing
Intelligent vs. brute-force guessing
– dictionary attack
Countermeasures
– Limit the number or rate of login attempts
– Minimum password length and complexity, passwrod quality check
– Preventing reuse of old passwords
– System-generated random passwords
– Password aging i.e. mandatory periodic password
changes (typically every three months)
Password entropy
Entropy = the amount of information the attacker is missing about the password
Entropy ≤ log
2(number of possible passwords)
Examples:
– Random 8-character 7-bit passwords have 56 bits of entropy
– 8-character alphanumeric passwords have at most 8 × log
2(26+26+10) ≈ 48 bits
– 4-digit PIN codes have about 13 bits of entropy
Passwords rely on human memory entropy
cannot grow over time any system that relies
on high password entropy to beat brute-force
attacks will eventually fail
Password database storage
Safer to assume that the database is public
– Unix /etc/password is traditionally world readable
– Attacks on web servers often manage to dump any file or database on the server; e.g. SQL injection
How to store passwords in a public file?
– Store a hash (i.e. one-way function) of the password – When user enters a password, hash and compare
– Use a slow hash (many iterations of a hash function) to make brute-force cracking more difficult
– Include random account-specific “salt”:
show_hash( password | salt)
to prevent simultaneous brute-force cracking of many passwords, precomputation attacks and equality
comparison between passwords
Password hashing
Password-based key derivation function PBKDF2 [PKCS#5,RF
– Good practical guide; uses any standard hash function, at least 64-bit salt, any number of iterations
Unix crypt(3) [Morris and Thompson
– Historical function for storing passwords in /etc/passwd
aura:lW90gEpaf4wuk:19057:100:Tuomas Aura:/home/aura:/bin/zsh
– Eight 7-bit characters = 56-bit DES key, e.g. ½=(
– Encrypt a zero block 25 times with modified DES – 12-bit salt used to make slight modifications to DES – Stored value includes the salt and encryption result
– Very slowly replaced with more modern hash functions
Online and offline guessing attacks
In an online attack, target system can limit the number of guesses
– Login prompt at the console – PIN code on a phone
– Network login to an authenticated server over SSH or SSL – Firewall to block client IP address after some failed attempts
In an offline attack, the attacker can perform an exhaustive brute-force search
– Attacker who has the hash values from the password database – Older challenge-response network authentication, e.g. MS-
CHAPv2 or HTTP digest authentication without SSL
Big difference in the required password entropy:
– Online attack success probability ≈ number of allowed guesses / number of possible passwords
– Offline attack requires cryptographic password strength, e.g.
Botnets and online guessing
10 banks, each with 10
6customer accounts
– 4-digit PIN or one-time code required to log in
– Client IP address blocked after 3 failed login attempts
Attacker has a botnet of 10
5computers
– Each bot makes one login attempt to one account in each bank every day 10
6login attempts in a day
~100 successful break-ins in a day
Countermeasures:
– Make user IDs hard to guess; long, different from account numbers, and not assigned sequentially – Ask a “salt” question, e.g. memorable word, in
addition to user ID and PIN
increased entropy reduces attacker success rate
One-time passwords
Use each password only once to thwart password sniffers and key loggers
Lamport hash chain:
H1 = hash (secret seed); Hi+1= hash (Hi)
– Server stores initially H100 and requires user to enter H99. Next stores H99 and requires H98, and so on.
Unix S/KEY or OTP [RFC1938]
1: HOLM BONG VARY TIP JUT ROSY 2: LAIR MEMO BERG DARN ROWE RIG 3: FLEA BOP HAUL CLAD DARK ITS 4: MITT HUM FADE CREW SLOG HAST
Hash-based one-time passwords HOTP [RFC4226]
HOTP(K,C) = HMAC-SHA-1(K,C) mod 10D
– Produces a one-time PIN code of D decimal digits
Time-based one-time passwords
– E.g. RSA SecurID: one of many commercial products
Which attacks are prevented by one-time passwords and which are
Spoofing attacks
Attacker could spoof the login dialog; how do you
know when it is safe to type in the password?
│
Trusted path
Attacker could spoof the login dialog; how do you know when it is safe to type in the password?
Trusted path is a mechanism that ensures direct and secure communication between the user and a specific part of the system
– Crtl+Alt+Del in Windows takes to a security screen that cannot be spoofed
– Web browser window shows the URL in the address bar in a way that cannot be spoofed by the web server
With malware and virtualization, it is increasingly
hard to know what is real
Other threats
No system is perfectly secure:
system designers have a specific threat model in mind, but the attacker can break these rules
– “The attacker does not agree with the threat model.” (Bruce Christinson)
Examples of unexpected attacks:
– Phishing and social engineering – Heat camera can detect recently
pressed keys
– Acoustic emanations from the keyboard
PHYSICAL SECURITY TOKENS AND
TWO-METHOD AUTHENTICATION
Physical security tokens
Smart card is a typical physical security token
– Holds cryptographic keys to prove its identity – Tamperproof: secret keys will stay inside
Used for door keys, computer login, ATM
PIN entry is often also required two- method authentication
– Attacker needs to both steal the card and learn the PIN clear qualitative increase in security
Other form factors: button, USB stick, mobile
phone
Issues with security tokens
Physical tokes require distribution and recovery process when tokens are lost
Computers (or doors etc.) must have readers
Some systems and protocols not compatible with cryptographic tokens
– E.g. applications that depend on a cached password
Process needed for recovering from the loss of tokens
Are smart card+PIN really two factors?
One alternative is two-channel authentication:
– Confirmation via telephone: callback
– Sending a second secret to a known address: text message, email, post
BIOMETRICS
Biometric authentication
Biometric authentication means verifying some physical feature of the user
– Physiological characteristic: photo, signature, face geometry, fingerprint, iris scan, DNA
– Behavioral characteristic: voice, typing, gait
Biometrics are not 100% reliable:
– False acceptance rate FAR – False rejection rate FRR
FAR FRR
50%
EER
Issues with biometrics
Biometrics require enrollment and readers
Unsupervised vs. supervised readers have a big difference in security
– E.g. fingerprints, face recognition
Suitability for security architectures:
– Are biometric characteristics secrets?
– Can they be copied?
– How to revoke biometrics?
What if enrollment fails?
– Some people have no fingerprints, or no fingers
Reading material
Dieter Gollmann: Computer Security, 2nd ed., chapter 3
Matt Bishop: Introduction to computer security, chapter 11
Ross Anderson: Security Engineering, 2nd ed., chapters 2, 15
Edward Amoroso: Fundamentals of Computer
Security Technology, chapters 18-19
Exercises
Why do you need both the username and password? Wouldn’t just one secret identifier (password) be sufficient for logging in?
What effect do strict guidelines for password format (e.g. eight
characters, use at least two capitals, at least two digits, at least one special symbol) have on the password entropy?
What is the success probability of guessing a 4-digit PIN code on a phone that locks up after three failed login attempts?
Why may mandatory password changes increase security? What is the optimal interval?
How to limit the number of login attempts without creating a DoS vulnerability?
Learn about graphical passwords and compare their entropy to different length passwords and PIN codes.
In a social network, could authentication be based on who you know (or who knows you), or where you are?
What advantages and disadvantages might a fingerprint reader have in a car lock?