
UNIT III – AUTHENTICATION

Contents

• Authentication Basics
• Password
• Challenge Response
• Biometrics
Basics

• Authentication: binding of identity to subject
• Identity is that of external entity (my identity, Matt, etc.)
• Subject is computer entity (process, etc.)
• The information comes from one or more of the following
• What entity knows (e.g. password)
• What entity has (e.g. badge, smart card)
• What entity is (e.g. fingerprints, retinal characteristics)
• Where entity is (e.g. in front of a particular terminal)

An authentication process consists of obtaining authentication information, analyzing the data and determining if it is associated with that entity.
Authentication System

• (A, C, F, L, S)
• Set A: specific information that proves identity
• Set C: complementary information stored on computer and used to validate authentication information
• Set F: complementation functions; f : A → C
• Set L: authentication functions that verify identity; l : A × C → {true, false}
• Set S: selection functions enabling entity to create, alter information in A or C
Authentication Mechanisms
Password Authentication

• Widely used user authentication method
• User provides name/login and password
• System compares password with that saved for specified login
• Authenticates ID of user logging in and that the user is authorized to access the system
• Determines the user’s privileges
• Used in discretionary access control
Password vulnerabilities
• offline dictionary attack
• specific account attack (user john)
• popular password attack (against a wide range of IDs)
• password guessing against single user (w/ previous knowledge about the user)
• workstation hijacking
• exploiting user mistakes
• exploiting multiple password use
• electronic monitoring
Passwords
Password Phishing Problem

[Figure: the user sends pwdA to a Fake Site, which forwards pwdA to Bank A]

• User cannot reliably identify fake sites
• Captured password can be used at target site
Common Password Problem

[Figure: pwdA (high security site, Bank A) = pwdB (low security site, Site B)]

• Phishing attack or break-in at site B reveals pwd at A
• Server-side solutions will not keep pwd safe
• Solution: Strengthen with client-side support
Defense: Password Hashing

[Figure: hash(pwdA, Bank A) → Bank A; hash(pwdB, SiteB) → Site B; pwdA = pwdB]

• Generate a unique password per site
• HMACfido:123(banka.com) → Q7a+0ekEXb
• HMACfido:123(siteb.com) → OzX2+ICiqc
• Hashed password is not usable at any other site
• Protects against password phishing
• Protects against common password problem
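Added example (not from the original slides): per-site password hashing as sketched above, with the master password as the HMAC key and the site name as the message. The output values, the 10-character truncation and the two-label site normalization are assumptions of this example and do not reproduce the slide's sample outputs.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def normalize_site(url_or_host: str) -> str:
    """Reduce a URL to the registrable site name used as the HMAC message.

    Hashing the full URL would give a different password for every page of
    banka.com; hashing only the host keeps one password per site.
    (Two-label heuristic, an assumption; real deployments need a public-suffix list.)
    """
    if "://" not in url_or_host:
        url_or_host = "https://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master_password: str, site: str, length: int = 10) -> str:
    """Per-site password: HMAC keyed with the master password, message = site.

    The master password never leaves the client; each site only ever sees
    its own derived value, which is useless at any other site.
    """
    site = normalize_site(site)
    digest = hmac.new(master_password.encode("utf-8"), site.encode("utf-8"),
                      hashlib.sha256).digest()
    # Printable, site-friendly form; truncation limits the entropy per site
    # to roughly 6 bits per character, so keep length >= 10.
    return base64.b64encode(digest).decode("ascii")[:length]


def phishing_scenario(master_password: str) -> dict:
    """Constructed walk-through of the phishing slide: the same master
    password yields unrelated derived passwords at the bank and a fake site."""
    real = site_password(master_password, "https://www.banka.com/login")
    fake = site_password(master_password, "https://banka-login.example/login")
    other = site_password(master_password, "siteb.com")
    return {"banka.com": real, "fake": fake, "siteb.com": other,
            "captured_usable_at_bank": fake == real}


if __name__ == "__main__":
    for site, pw in phishing_scenario("fido:123").items():
        print(f"{site:>24}: {pw}")
```

The derivation only helps if it runs on the client before the password leaves the browser: a fake site that captures the master password in a plain form field, rather than the derived value, defeats it, which is why the slides call for client-side support.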
Salting

• Salt at its most fundamental level is random data. When a properly protected password system receives a new password, it creates a new random salt value, hashes the password together with that salt, and stores the salt and the hashed value in its database. This helps defend against dictionary attacks and known-hash attacks. For example, if a user uses the same password on two different systems that use the same hashing algorithm, they could end up with the same hash value. However, if even one of the systems salts its hashes, the values will be different.
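Added example (not from the original slides) that ties the salting paragraph to the (A, C, F, L, S) model from the Authentication System slide: f maps the password to a salted hash, C is the stored (salt, hash) pair, l recomputes f and compares, and S creates the record. PBKDF2-HMAC-SHA256 and the iteration count are this example's assumptions; the slides do not name a hash function.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value; tune for the deployment)


def complementation_function(password: str, salt: bytes) -> bytes:
    """f : A -> C. Maps the secret the user knows (A) to what the server stores (C).

    PBKDF2-HMAC-SHA256 with a per-user salt is the assumed choice here; the
    slide fixes only that f must be one-way and that the salt must be random.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordSystem:
    """One authentication system in the (A, C, F, L, S) model.

    C is a table login -> (salt, f(password, salt)); the password itself is
    never stored.
    """

    def __init__(self) -> None:
        self._table: Dict[str, Tuple[bytes, bytes]] = {}
        # A dummy record so failed lookups cost the same time as real ones.
        self._dummy = (bytes(16), complementation_function("", bytes(16)))

    def select(self, login: str, password: str) -> None:
        """S: create or alter the information in C for one entity."""
        salt = os.urandom(16)               # fresh random salt per password
        self._table[login] = (salt, complementation_function(password, salt))

    def authenticate(self, login: str, password: str) -> bool:
        """l : A x C -> {true, false}."""
        salt, stored = self._table.get(login, self._dummy)
        candidate = complementation_function(password, salt)
        # compare_digest avoids a timing side channel on the stored value.
        return login in self._table and hmac.compare_digest(candidate, stored)

    def stored_record(self, login: str) -> Optional[Tuple[bytes, bytes]]:
        return self._table.get(login)


def same_password_two_systems(login: str, password: str) -> Tuple[bool, bool, bool]:
    """Slide scenario: one user, one password, two independently salted systems.

    Returns (system 1 accepts, system 2 accepts, stored hashes identical).
    """
    s1, s2 = PasswordSystem(), PasswordSystem()
    s1.select(login, password)
    s2.select(login, password)
    h1 = s1.stored_record(login)[1]
    h2 = s2.stored_record(login)[1]
    return s1.authenticate(login, password), s2.authenticate(login, password), h1 == h2


if __name__ == "__main__":
    # Constructed user and password; expected (True, True, False).
    print(same_password_two_systems("atul", "correct horse"))
```

Because each system draws its own salt, a break-in at one of them yields hashes that are useless as a lookup table against the other, which is the point the paragraph makes.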
Message Digest of Password

• Original clear text password is never stored/transmitted
• Message digest of password is stored in the database, and the same is used for authentication
• Problems: replay attacks
Message Digest of Passwords
[Figure: 1 Login request (Id: Atul; the client holds MD: +{:>9mn); 2 Random Challenge (server → client); 3 Random Challenge encrypted with MD (client → server)]
Message Digest of Passwords

• Step 4: Server obtains the MD of the user’s password from the user database, encrypts the random challenge with this MD, and compares the encrypted original random challenge with the encrypted random challenge sent by the client. If both match, the server sends the appropriate message to the client.
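Added example (not from the original slides) of the four-step exchange above, with the replay check that the plain message-digest scheme lacks. "Encrypting the challenge with the MD" is modelled here as an HMAC keyed with the MD; that choice, and the user name and password used in the demo, are this example's assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def message_digest(password: str) -> bytes:
    """MD of the password: the only thing the user database holds (per the slide)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def encrypt_challenge(md: bytes, challenge: bytes) -> bytes:
    """Stand-in for 'encrypt the random challenge with the MD': an HMAC keyed
    with the MD. This is an assumption, not the slide's specific cipher."""
    return hmac.new(md, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self._users: Dict[str, bytes] = {}      # Id -> MD of password
        self._pending: Dict[str, bytes] = {}    # Id -> outstanding challenge

    def register(self, user_id: str, password: str) -> None:
        self._users[user_id] = message_digest(password)

    def login_request(self, user_id: str) -> bytes:
        """Steps 1-2: on a login request, issue a fresh random challenge."""
        challenge = os.urandom(16)
        self._pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, response: bytes) -> bool:
        """Step 4: recompute the encrypted challenge from the stored MD and compare."""
        challenge = self._pending.pop(user_id, None)   # each challenge is used once
        md = self._users.get(user_id)
        if challenge is None or md is None:
            return False
        expected = encrypt_challenge(md, challenge)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user_id: str, password: str) -> None:
        self.user_id = user_id
        self._md = message_digest(password)      # clear text never kept or sent

    def respond(self, challenge: bytes) -> bytes:
        """Step 3: return the challenge encrypted with the MD."""
        return encrypt_challenge(self._md, challenge)


def run_login(server: Server, client: Client) -> bool:
    challenge = server.login_request(client.user_id)
    return server.verify(client.user_id, client.respond(challenge))


def replay_attempt(server: Server, client: Client) -> Tuple[bool, bool]:
    """An eavesdropper records one response and sends it again later.
    Returns (genuine login result, replayed login result)."""
    challenge = server.login_request(client.user_id)
    recorded = client.respond(challenge)
    first = server.verify(client.user_id, recorded)
    server.login_request(client.user_id)         # server issues a new challenge
    second = server.verify(client.user_id, recorded)
    return first, second


if __name__ == "__main__":
    srv = Server()
    srv.register("Atul", "101")                           # constructed credentials
    print(run_login(srv, Client("Atul", "101")))          # True
    print(run_login(srv, Client("Atul", "wrong")))        # False
    print(replay_attempt(srv, Client("Atul", "101")))     # (True, False)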
Authentication token
[Figure: authentication token login. 1 Login request (Id: Atul, Password: 101) from Client to Server; 2 Server looks up the Id in the Id/seed table (Id: Atul, Seed: ?); 3 Seed found: 624 (table row: Atul 624); 4 Seed 624 and Password 101 passed to the Authentication Token Password Validation Program; 5 Password: Correct; 6 Login Successful returned to Client]
Types of Authentication Tokens

• Challenge/Response tokens:
• Same as adding randomness in password.
• Instead of Message Digest (MD), we encrypt the challenge by token.
• Time Based Tokens
Time based Token
[Figure: time-based token login. 1 Token generates Password: 101; 2 Login request (Id: Atul, Password: 101) from Client to Server; 3 Server looks up the Id in the Id/seed table (Id: Atul, Seed: ?); 4 Seed found: 624 (table row: Atul 624); 5 Seed 624 and Password 101 passed to the Password Validation Process; 6 Password: Correct; 7 Login Successful returned to Client]

• Authentication Token performs a cryptographic operation & generates a Password every 60 sec based on the seed & system time
• Password Validation Process validates the Password with the seed & system time
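Added example (not from the original slides) of a time-based token and the matching server-side validation process: both sides derive the password from the shared seed and the current 60-second time step. The HMAC-based construction, the 6-digit length (the slide shows a 3-digit value), the seed bytes and the timestamp are assumptions of this example.

```python
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 60    # the slide's "every 60 sec"
DIGITS = 6           # assumed; the slide shows a 3-digit example (101)


def token_password(seed: bytes, unix_time: float, step: int = STEP_SECONDS,
                   digits: int = DIGITS) -> str:
    """What the token does: HMAC(seed, time counter), truncated to digits.

    Dynamic truncation follows the HOTP construction (RFC 4226); the seed is
    the per-user secret shared with the server (the slide's 624 for Atul).
    """
    counter = int(unix_time // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ValidationProcess:
    """Server-side password validation process with system time."""

    def __init__(self, skew_steps: int = 1) -> None:
        self._seeds: Dict[str, bytes] = {}        # Id -> seed table
        self._last_counter: Dict[str, int] = {}   # highest counter already accepted
        self._skew = skew_steps                   # tolerate +/- one 60 s step of clock drift

    def enroll(self, user_id: str, seed: bytes) -> None:
        self._seeds[user_id] = seed

    def validate(self, user_id: str, password: str, server_time: float) -> bool:
        seed = self._seeds.get(user_id)
        if seed is None:
            return False
        now_counter = int(server_time // STEP_SECONDS)
        for delta in range(-self._skew, self._skew + 1):
            counter = now_counter + delta
            # A counter at or below the last accepted one is a replayed password.
            if counter <= self._last_counter.get(user_id, -1):
                continue
            expected = token_password(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, password):
                self._last_counter[user_id] = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-seed-for-Atul-624"   # constructed, stands in for the slide's 624
    now = 1_700_000_000                       # constructed timestamp
    server = ValidationProcess()
    server.enroll("Atul", seed)
    pw = token_password(seed, now)
    print(pw, server.validate("Atul", pw, now))   # <6 digits> True
    print(server.validate("Atul", pw, now))       # False: same password presented twice
```

The skew window is the practical caveat: the token's clock and the server's drift apart, so a server accepting only the exact current step rejects honest users, while a wide window lengthens the time a captured password stays valid. Recording the last accepted counter keeps the window from becoming a replay opportunity.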
Certificate-Based Authentication

• User’s certificate details need to be stored on the server-side
• CA distributes the certificates to the users also
• Validation between the two takes place at the time of authentication
Certificate-based Token
[Figure: certificate-based token login, steps 1–11. 1 Login request (Id: Atul) from Client to Server; Server checks the Id against the user table (Id: Atul, Valid: ?) and gets User Id valid; Random Challenge Creation: 810; Random Challenge: 810 sent to Client; the Client’s Encryption Process with its Private Key produces Encrypted Random Challenge: 999; Client sends Id: Atul, Encrypted Random Challenge: 999; Server looks up Public Key: 624 in the Id/Public key table (Atul 624); Decryption Process with the Public Key recovers Random Challenge: 810; 11 Server compares the two Random Challenges; if they match, login successful]
Biometrics

• Automated measurement of biological, behavioral features that identify a person
• Fingerprints: optical or electrical techniques
• Maps fingerprint into a graph, then compares with database
• Measurements imprecise, so approximate matching algorithms used
• Voices: speaker verification or recognition
• Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent)
• Recognition: checks content of answers (speaker independent)
Other Characteristics

• Can use several other characteristics
• Eyes: patterns in irises unique
• Measure patterns, determine if differences are random; or correlate images using statistical tests
• Faces: image, or specific characteristics like distance from nose to chin
• Lighting, view of face, other noise can hinder this
• Keystroke dynamics: believed to be unique
• Keystroke intervals, pressure, duration of stroke, where key is struck
• Statistical tests used
Two main processes involved in a biometric system
• Enrollment:
• A subject’s biometric sample is acquired
• Essential features of the sample are extracted to create a reference template
• Recognition:
• A fresh biometric sample of the person is obtained
• As in the enrollment phase, a biometric template of the person is created.
• This is then compared with the reference templates to determine the extent of a match.
Problems with Biometrics
• Biometrics are relatively new, and some people find their use intrusive.
• Biometric recognition devices are costly, although as the devices become more popular, their cost per device should go down.
• Biometric readers and comparisons can become a single point of failure.
• All biometric readers use sampling and establish a threshold for acceptance of a close match. The device has to sample the biometric, measure often hundreds of key points, and compare that set of measurements with a template.
• A false positive or false accept is a reading that is accepted when it should be rejected (that is, the authenticator does not match); a false negative or false reject is one that is rejected when it should be accepted.
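Added example (not from the original slides) of the threshold decision and the false accept / false reject trade-off described above. The feature vectors, the noise model and the use of cosine similarity as the matcher are constructed assumptions standing in for a real fingerprint or keystroke comparison.

```python
import math
import random
from typing import List, Sequence, Tuple

Feature = Sequence[float]


def match_score(sample: Feature, template: Feature) -> float:
    """Similarity between a fresh sample and the enrolled reference template.

    Cosine similarity over a feature vector stands in for the device's
    minutiae or keystroke-timing comparison (assumed, for illustration).
    """
    dot = sum(a * b for a, b in zip(sample, template))
    norm = math.sqrt(sum(a * a for a in sample)) * math.sqrt(sum(b * b for b in template))
    return dot / norm if norm else 0.0


def accept(sample: Feature, template: Feature, threshold: float) -> bool:
    """The device's decision: accept a close-enough match."""
    return match_score(sample, template) >= threshold


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """(false accept rate, false reject rate) at one threshold.

    False accept: an impostor score at or above the threshold.
    False reject: a genuine score below the threshold.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def constructed_scores(n_users: int = 20, dims: int = 16, noise: float = 0.3,
                       seed: int = 7) -> Tuple[List[float], List[float]]:
    """Constructed data: each user's template is a random vector; a fresh
    sample is the template plus measurement noise (sampling is imprecise).
    Genuine scores compare a user with their own template, impostor scores
    compare a user with everyone else's."""
    rng = random.Random(seed)
    templates = [[rng.gauss(0, 1) for _ in range(dims)] for _ in range(n_users)]
    samples = [[v + rng.gauss(0, noise) for v in t] for t in templates]
    genuine = [match_score(samples[i], templates[i]) for i in range(n_users)]
    impostor = [match_score(samples[i], templates[j])
                for i in range(n_users) for j in range(n_users) if i != j]
    return genuine, impostor


def sweep(thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR and raises FRR."""
    genuine, impostor = constructed_scores()
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in sweep([0.3, 0.5, 0.7, 0.8, 0.9, 0.95]):
        print(f"threshold {t:.2f}  FAR {far:.3f}  FRR {frr:.3f}")
```

The sweep makes the single-point-of-failure remark concrete: whoever sets the threshold chooses between letting impostors through and locking out legitimate users, and the choice has to be revisited whenever the reader, its noise, or the population changes.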
