
Information Privacy and Security

Identification and Authentication


Control Access
• One of the foundation principles of computer security is controlled
access
• Controlled access: Someone (a person or a system) is authorized to perform
one or more actions on a digital asset
• The success or failure of controlled access hinges on knowing exactly
who a person or system really is
• The controlled access paradigm fails whenever an attacker’s efforts at
impersonation are successful
• Impersonation: The act of pretending to be another person (or entity) for the
purpose of entertainment or fraud
Impersonation/Failed Authentication Attack
• Computer systems rely on data in order to recognize users
• An impersonation or failed authentication attack is successful when a
computer system is unable to distinguish between a legitimate user
and an imposter
• We say that authentication has failed because the purpose of authentication
is to prove that a user is who she says she is
• From the perspective of someone wanting to be recognized by a system:
• Identification is the action or process of asserting one’s identity
• Authentication is the act of establishing or confirming that one actually is who
he or she claims to be
In general terms…
• Identification is the process of verifying that someone or something is
who they say they are.
• Authentication is the process by which we verify that something is
real, genuine, or authentic.
Identification vs. Authentication
• Markers of a person’s identity are often public, well-known, and
unprotected (or easy to guess)
• e.g., a person’s name, email address, phone numbers, user IDs, etc.
• These markers are known as identifiers
• Many people could easily obtain this information and claim to be you simply
by using one of your identifiers
• Authentication seeks to confirm that an entity is who he/she/it claims
to be
• The method of authentication should be reliable
• Data used for identification is often public – data used for authentication
purposes should be kept private
Authentication Failures
• Authentication failures can be classified into two categories:
1. False negatives
• A false negative occurs when a system refuses to authenticate a valid identity
2. False positives
• A false positive occurs when a system authenticates an invalid identity
• The rates at which false negatives and false positives occur are often linked
• Decreasing the rate at which one problem occurs often increases the rate at which the
other problem occurs, and vice versa
Passwords
• A password is an agreed-upon word, phrase, or set of characters that
is presumed to be known only by the user and system.
• Problems with passwords:
1. they can be lost or forgotten
• by either the user or the system
2. they can be inconvenient to use
• e.g., by requiring users to constantly enter or re-enter passwords
3. they can be shared with or disclosed to another entity
• by either the user or the system
4. they can be revoked
• Revoking a password can have cascading effects throughout a system
Attacking Passwords
• Passwords can be cracked in many ways (the slide orders the list along an arrow labelled “Level of Difficulty”):
• Try all possible passwords (brute-force attack)
• Try common passwords (dictionary attack)
• Try passwords likely for this user
• Search through the system password file
• Just ask the user for their password!
Loose-Lipped Systems
• Poorly designed authentication systems can provide attackers with
more information than they should possess:
• e.g., if a username/password pair is required for access, a poorly designed
system may tell the user whether a username is valid

• There is also a danger in making organizational password standards
public
• e.g., “A password must be 8 characters long, must contain at least one letter
and one number, and cannot contain any special characters”
• If this information is available to an attacker, it vastly reduces the password search space!
• e.g., there is no need to search for 7-character or 9-character passwords
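As an added illustration (not from the slides), here is a loose-lipped login routine beside a hardened one in Python: the hardened version returns one message for every failure and does the same password-hashing work for unknown usernames, so neither the reply nor the response time tells the caller whether a username exists. The `USERS` store and its credentials are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; identical on every path so timing does not leak

def make_record(password):
    """Salted PBKDF2-SHA256 record for the constructed credential store below."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(salt, expected, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

# Constructed sample store (username -> (salt, hash)); not real credentials.
USERS = {"alice": make_record("correct horse battery staple")}

# Decoy record hashed for unknown usernames, so the hardened path does the
# same work (and takes about the same time) whether or not the user exists.
DECOY = make_record(os.urandom(16).hex())

def leaky_login(username, password):
    """Loose-lipped: the reply says which half of the credential pair was wrong."""
    record = USERS.get(username)
    if record is None:
        return "unknown username"   # reveals that this username does not exist
    if not verify(record[0], record[1], password):
        return "wrong password"     # confirms that this username does exist
    return "ok"

def hardened_login(username, password):
    """Uniform reply and uniform work on every failure path."""
    salt, expected = USERS.get(username, DECOY)
    matched = verify(salt, expected, password)   # always runs, even against the decoy
    if matched and username in USERS:
        return "ok"
    return "invalid username or password"
```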
Dictionary attacks
• Most passwords are not random sequences of characters and
numbers, but instead are combinations of “normal” words, proper
names, acronyms, etc.
• e.g., “Betty23” or “ChocolateFrog”
• Because of this situation, cracking a password does not necessarily
require a brute-force attack
• Instead, a dictionary attack can be used
• In a dictionary attack, a list of possible passwords is used in order to
break into an account
• The list might contain common words, names, acronyms, common passwords,
etc.
• This vastly reduces the search space!
Passwords likely for a Specific User
• Each unique person has characteristics that can be exploited by savvy
attackers seeking to crack their passwords
• By learning about a person, it is much easier to guess their password
• Is your password related to your life, interests, or personal preferences?
• Examples of personal details useful for password cracking:
• Family members’ names, birthdays, etc.
• Pets’ names, favorite TV shows, food, numbers, colors, cars, hobbies, etc.
• As with a dictionary attack, this information can help to reduce the search
space for a password cracker
• Note that much of this personal information is now voluntarily
disclosed on people’s social networking pages!
Distribution of Passwords
(pie chart on the slide; the categories and their shares are recovered from its labels)
• one character: 0%
• two characters: 2%
• three characters: 14%
• four characters, all letters: 14%
• five letters, all same case: 22%
• six letters, lower case: 19%
• words in dictionaries or lists of names: 15%
• other good passwords: 14%
Brute-Force Attacks
• A brute-force attack (exhaustive attack) involves trying every possible
combination of characters until the correct password is found
• The time required to crack a password depends upon the length of
the password
• e.g., if a password is between 1 and 8 characters long, and is composed of
upper- or lowercase letters (26*2=52 possibilities), numbers (10 possibilities),
or special characters (32 possibilities on an English keyboard), then there are
94^1 + 94^2 + 94^3 + 94^4 + 94^5 + 94^6 + 94^7 + 94^8 ≈ 10^15 possible passwords
• On average, the password will be cracked after trying half of these possibilities
• Note that if the attacker knows that the password is exactly 8
characters long, then over 3.5 trillion of these possibilities can be
immediately discarded from the search space
• Making password standards public can be a security risk!
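The arithmetic on this slide, worked through in Python as an added example (not part of the original deck): it computes the size of the search space for a length range over the 94-symbol alphabet, how much of that space a published exact-length rule lets an attacker skip, and the average time to try half of it at a given guess rate. The guess rates in the demo are assumed values, not figures from the slides.

```python
import math

# Alphabet from the slide: 26 upper + 26 lower letters, 10 digits,
# 32 specials on an English keyboard = 94 symbols per position.
ALPHABET_SIZE = 26 * 2 + 10 + 32

def search_space(min_len, max_len, alphabet=ALPHABET_SIZE):
    """Distinct passwords of length min_len..max_len (inclusive) over the alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def discarded_if_length_known(length, max_len, alphabet=ALPHABET_SIZE):
    """Candidates an attacker can skip once a published policy fixes the exact length."""
    return search_space(1, max_len, alphabet) - search_space(length, length, alphabet)

def expected_seconds(candidates, attempts_per_second):
    """Average time to find the password: on average half the space is tried."""
    return (candidates / 2) / attempts_per_second

def policy_report(min_len, max_len, attempts_per_second, alphabet=ALPHABET_SIZE):
    """Summarise a length policy: space size, its order of magnitude, and crack time."""
    space = search_space(min_len, max_len, alphabet)
    secs = expected_seconds(space, attempts_per_second)
    return {
        "candidates": space,
        "log10": round(math.log10(space), 1),
        "expected_years": secs / (365 * 24 * 3600),
    }

if __name__ == "__main__":
    # The slide's scenario (1..8 characters) at two assumed guess rates:
    # an offline guesser at a billion hashes per second, and an online
    # guesser throttled to 12 attempts per minute by a 5-second delay.
    print(policy_report(1, 8, attempts_per_second=1e9))
    print(policy_report(1, 8, attempts_per_second=12 / 60))
    print("skipped if length known to be 8:", discarded_if_length_known(8, 8))
```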
Enhancing Password-Based Security
• Password-based security can be enhanced through the authentication
process itself
• Example
• After providing an incorrect password three times in a row, the system locks
the user’s account, requiring the system administrator to manually reset the
password
• Each failed login attempt has a delay – this prevents automated/brute-force
attacks
• e.g., if each failed login attempt takes 5 seconds, only 12 attempts can be made per
minute. Testing trillions of possible combinations thus becomes infeasible
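An added example (not from the slides) of the two controls described above, in Python: a lockout after three consecutive failures and a fixed five-second delay after each failure. The clock is injectable, so `ManualClock` lets the behaviour be checked without actually waiting; the account data in the tests is constructed.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 3      # lock the account after three wrong passwords in a row
FAILURE_DELAY = 5.0   # seconds before another attempt is accepted after a failure

@dataclass
class Account:
    password: str            # plaintext only for this illustration; store a salted hash in practice
    failures: int = 0        # consecutive failed attempts
    locked: bool = False     # set after MAX_FAILURES; cleared only by admin_reset
    not_before: float = 0.0  # earliest clock value at which the next attempt is evaluated

class ManualClock:
    """Clock that only advances when told to, so the delay can be tested without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class ThrottledAuthenticator:
    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = accounts   # username -> Account
        self.clock = clock

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"       # same answer as a wrong password: no username leak
        if acct.locked:
            return "locked"        # administrator must reset the password
        if self.clock() < acct.not_before:
            return "too_early"     # still inside the delay window; guess is not evaluated
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        acct.not_before = self.clock() + FAILURE_DELAY
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "invalid"

    def admin_reset(self, username, new_password):
        acct = self.accounts[username]
        acct.password, acct.failures, acct.locked, acct.not_before = new_password, 0, False, 0.0

def max_guesses_per_minute(delay_seconds=FAILURE_DELAY):
    """Upper bound on online guesses per minute imposed by the delay (60 / 5 = 12)."""
    return int(60 // delay_seconds)
```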
Strong Authentication
• Authentication mechanisms utilize one or more of the following to
establish a user’s identity
• Something the user knows
• e.g., password, PIN, mother’s maiden name, etc.
• Something the user has
• e.g., a physical key, ID badge, driver’s license, security token, etc.
• Something the user is
• e.g., voice recognition, biometrics
• Combining two or more of these authentication mechanisms
strengthens the authentication process
Biometrics
• Biometrics involve the use of a physical or biological characteristic of a
human body to authenticate a user
• Based upon the assumption that the characteristic being measured is unique
to each person
• Examples include fingerprints, voice recognition, retinal scans, face
recognition, hand recognition, DNA, etc.
Problems with Biometrics
• Psychological issues
• Certain people fear using biometric measurement devices
• Fear of physical harm (e.g., from a retinal laser scanner)
• Fear of loss of privacy (e.g., “big brother” is watching…)
• Tangible issues
• Biometric measurement devices are expensive
• Biometric devices are not 100% accurate, and have an in-built tolerance for
inaccuracies. This can produce false positives and false negatives
• Equipment can fail, potentially bringing an organization to a grinding halt
• Forgeries are possible
• In order for biometric authentication to become widespread, the equipment must be
commercially available
• This means that attackers can buy the equipment, study it, and learn how to circumvent
it
Multifactor Authentication
• Security can be enhanced by combining a password with other
authentication information
• Temporal access limitations
• System access is limited to specific days/times
• Geographic access limitations
• System access is limited to a specific building, department, workstation, range of IP
addresses, etc.
• Adding additional authentication mechanisms may improve security,
but doing so also increases inconvenience and managerial overhead
