ch03 Auth


Chapter 03: Authentication & Access Control
Information Security
Nguyễn Đăng Quang

Goals
• Understand the importance of authentication,
• Learn how authentication can be implemented,
• Understand threats to the authentication.
What is Authentication?

Authentication: “Who are you? Prove it” ➔ You are who you say you are
Authorization: “Does this person have permission to access the requested resource?” ➔ You have permission to access these resources
Computer Resources
What is Authentication?

• Authentication helps us to answer the question: on whose behalf the requesting process runs?
• Includes claims about an identity and verification of the claimed identity of the user who wants to gain access to system and resource.
Authentication goals
• User/principal associated with an identity
should be able to successfully authenticate
itself
• Availability
• No false negatives
• User/principal not associated with an identity
should not be able to authenticate itself
• Authenticity
• No false positives
Three types of Authentication

• Knowledge-based:
Something a user knows

• Possession-based:
Something a user has

• Inheritance-based:
Something a user is
Authentication factors

• Single-factor authentication

• Two-factor authentication

The Importance of a Trusted Path
• The path connecting you and the TCB
• Trusted path is provided by the OS, or the combination of hardware and OS
• Example: Ctrl-Alt-Del
  Keyboard + Display + OS ➔ Trusted path
Password authentication
Something you know

What is password authentication?
• Password authentication is a process that involves a user inputting a unique ID and key that are then checked against stored credentials.
• Why is “something you know” more popular than “something you have” and “something you are”?
• Cost: passwords are free
• Convenience: easier for system administrator to reset password than to issue a new thumb
Trouble with Passwords?

“Passwords are one of the biggest practical problems facing security engineers today.”

“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations”
Keys vs Passwords

Crypto keys
• Key is 64 bits
• Then 2^64 keys
• Choose key at random…
• …then attacker must try about 2^63 keys

Passwords
• Passwords are 8 characters, and 256 different characters
• Then 256^8 = 2^64 pwds
• Users do not select passwords at random
• Attacker has far less than 2^63 pwds to try (dictionary attack)
Password Experiment

Three groups of users, each group advised to select passwords as follows
• Group A: At least 6 chars, 1 non-letter
• Group B: Password based on passphrase
• Group C: 8 random characters

Results
• Group A: About 30% of passwords easy to crack
• Group B: About 10% cracked, passwords easy to remember
• Group C: About 10% cracked, passwords hard to remember
Best Advice

• Choose passwords based on passphrase
• Use password cracking tools to test for weak passwords
What are password alternatives
• Any sort of authentication protocol that doesn’t utilize a typical ID and key to grant users access
• Often fall into possession or inheritance-based methods
Implementing Password Authentication

Method 1: Password-based Authentication
• Store a list of passwords, one for each user in a system file.
• The file is readable only by root/admin account.
Disadvantages
• If the permissions are set incorrectly, another person can read it.
• If the security is breached, the passwords are exposed to the attacker.
Method 2: Password-based Authentication
• Do not store passwords but store something derived from them.
Implementation
• Use one-way hash function and store the result.
• The password file is only readable to root/admin
Cryptographic Hash function

Password ➔ H(password) ➔ A string of fixed length

Features of hash function
• Pre-Image resistance: Its inverse should be very hard to compute.
• Collision Resistance (Collision Free): It should be hard to find two different inputs of any length that result in the same hash.
How hashes are cracked
Dictionary & Brute Force
How hashes are cracked
Lookup table
An extremely effective method for cracking many hashes of the same type very quickly.

The general idea is to pre-compute the hashes of the passwords in a password dictionary and store them, and their corresponding password, in a lookup table data structure. A good implementation of a lookup table can process hundreds of hash lookups per second, even when they contain many billions of hashes
Brute Force Guessing of Passwords

A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 2^18 time (128-bit hash value). This attack runs in less than a second on a regular computer.

For a password of 6 random uppercase letters, lowercase letters, and digits, there are 62^6 possible passwords, and it can be guessed in about 10 minutes.

A password with 8 random characters will require about six days to guess.
Salt

Hash password with salt
Choose random salt s and compute y = h(password, s) and store (s,y) in the password file

Uname   Password
user1   password123
user2   password123

Uname   Salt Value         Hashed Value = SHA256 (Password + Salt Value)
user1   E1F53135E559C253   72ae25495a7981c40622d49f9a52e4f1565c90f048f59027bd9c8c8900d5c3d8
user2   84B03D034B409D4E   b4b6603abc670967e99c7e7f1389e40cd16e78ad38eb1468ec2aa1e62b8bed3a
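
The effect of the salt on the lookup-table method described earlier can be checked directly. The following is an added example, not part of the original slides: it follows the slide's y = h(password, s) with SHA-256, and the function names, the three-word dictionary and the two accounts are constructed for illustration.

```python
import hashlib
import hmac
import os

def h(password: str, salt: bytes = b"") -> str:
    """y = h(password, s): SHA-256 over the password followed by the salt."""
    return hashlib.sha256(password.encode() + salt).hexdigest()

def enroll(password: str) -> tuple[bytes, str]:
    """Pick a fresh random salt s and return the (s, y) record to store."""
    salt = os.urandom(8)  # 8 bytes = 16 hex digits, the salt size shown on the slide
    return salt, h(password, salt)

def verify(password: str, record: tuple[bytes, str]) -> bool:
    """Recompute y with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(h(password, salt), stored)

def build_lookup_table(dictionary: list[str]) -> dict[str, str]:
    """Precompute hash -> password once; it applies to every unsalted hash."""
    return {h(word): word for word in dictionary}

def audit(table: dict[str, str], hashes: dict[str, str]) -> dict[str, str]:
    """Return the accounts whose stored hash appears in the precomputed table."""
    return {user: table[y] for user, y in hashes.items() if y in table}

# Constructed sample data: two users who chose the same password.
DICTIONARY = ["letmein", "password123", "qwerty"]
USERS = {"user1": "password123", "user2": "password123"}

unsalted_file = {u: h(p) for u, p in USERS.items()}   # hashes only, no salt
salted_file = {u: enroll(p) for u, p in USERS.items()}  # (s, y) per user
table = build_lookup_table(DICTIONARY)

def demo() -> dict:
    salted_hashes = {u: y for u, (_, y) in salted_file.items()}
    return {
        "unsalted_hits": audit(table, unsalted_file),
        "salted_hits": audit(table, salted_hashes),
        "same_unsalted_hash": unsalted_file["user1"] == unsalted_file["user2"],
        "same_salted_hash": salted_hashes["user1"] == salted_hashes["user2"],
    }

if __name__ == "__main__":
    print(demo())
```

Without a salt, one precomputed table matches both accounts and the identical hashes reveal that the two users share a password; with per-user salts the same table matches nothing, so each record has to be guessed separately.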
Password vulnerabilities

Offline dictionary attack

Specific account attack (user john)

Popular password attack (against a wide range of IDs)

Password guessing against single user (w/ previous knowledge about the user)
Workstation hijacking

Exploiting user mistakes

Exploiting multiple password use

Electronic monitoring (eavesdropping)


Password vulnerabilities

Stop unauthorized access to password file

Intrusion detection measures

Account lockout mechanisms

Policies against using common passwords, requiring hard-to-guess passwords instead
Training & enforcement of policies

Automatic workstation logout

Encrypted network links


Other password issues

Too many passwords to remember: results in password reuse
Failure to change default passwords
Social engineering
Error logs may contain “almost” passwords
Bugs, keystroke logging, spyware, etc.
Passwords

The bottom line…

• Password attacks are too easy


• Often, one weak password will
break security
• Users choose bad passwords
• Social engineering attacks, etc.
• Passwords are a BIG security
problem
• And will continue to be a problem
Password Cracking Tools
• Popular password cracking tools
• Password Crackers
• Password Portal
• L0phtCrack and LC4 (Windows)
• John the Ripper (Unix)
• Admins should use these tools to test for weak
passwords since attackers will
• Good articles on password cracking
• Passwords - Cornerstone of Computer Security
• Passwords revealed by sweet deal
Biometrics
Something You Are
• Biometric
– “You are your key” (Schneier)

Examples
o Fingerprint
o Handwritten signature
o Facial recognition
o Speech recognition
o Gait (walking) recognition
o ...
Enrollment vs Recognition

Enrollment phase
• Subject’s biometric info put into database
• Must carefully measure the required info
• OK if slow and repeated measurement needed
• Must be very precise
• May be a weak point in real-world use

Recognition phase
• Biometric detection, when used in practice
• Must be quick and simple
• But must be reasonably accurate
Performance

• False accept rate (FAR), or fraud rate: what percentage of times an invalid user is accepted by the system (false accept): e.g. Trudy mis-authenticated as Alice
• False rejection rate (FRR) or insult rate: the percentage of times a valid user is rejected by the system (false reject): e.g. Alice not authenticated as Alice
• Failure to enroll rate (FTE or FER).

Problems with Biometrics

• Private, but not secret: biometric passports, fingerprints and DNA on objects…
• Even random-looking biometrics may not be sufficiently unique for authentication: birthday paradox!
• Potentially forgeable

Forging Handwriting
[Ballard, Monrose, Lopresti]

Generated by computer algorithm trained on handwriting samples

Biometrics

Face recognition (by a computer algorithm)
• Error rates up to 20%, given reasonable variations in lighting, viewpoint and expression

Fingerprints
• Traditional method for identification
• 1911: first US conviction on fingerprint evidence
• U.K. traditionally requires 16-point match
• Probability of a false match is 1 in 10 billion
• No successful challenges until 2000

Biometrics

Iris scanning
• Irises are very random, but stable through life
• Different between the two eyes of the same individual
• 256-byte iris code based on concentric rings between the pupil and the outside of the iris
• Equal error rate better than 1 in a million

Voice, ear shape, vein pattern, face temperature

Biometrics
• Identifies wearer
• By his/her unique heartbeat pattern

Biometrics

“Forget Fingerprints: Car Seat IDs Driver’s Rear End”
[Advanced Institute of Industrial Technology, Japan]

“All you need to do is sit”
• 360 disc-shaped sensors identify a unique “buttprint” with 98% accuracy
• ¥70,000

Risks of Biometrics

Surgical Change

Stealing Biometrics

Involuntary Cloning

Clone a biometric without victim’s knowledge or assistance
• “my voice is my password”
• cloned retina
• Fingerprints from beer bottles
• Eye laser scan
Bad news: it works!

Cloning Process (Involuntary)

Molding (Involuntary)
Making a Mold (Voluntary)
Making a Finger (Voluntary)
Iris Patterns

• Iris pattern development is “chaotic”


• Little or no genetic influence
• Even for identical twins, uncorrelated
• Pattern is stable through lifetime
Iris Scan
• Scanner locates iris
• Take b/w photo
• Use polar coordinates…
• 2-D wavelet transform
• Get 256 byte iris code
Measuring Iris Similarity
• Based on Hamming distance
• Define d(x,y) to be
– # of non-match bits / # of bits compared
– d(0010,0101) = 3/4 and d(101111,101001) = 1/3
• Compute d(x,y) on 2048-bit iris code
– Perfect match is d(x,y) = 0
– For same iris, expected distance is 0.08
– At random, expect distance of 0.50
– Accept iris scan as match if distance < 0.32
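
The distance measure and accept threshold above, as an added example that is not part of the original slides. The iris codes are constructed random bit strings, and the re-scan of the same iris is modelled by flipping exactly 8% of the bits, an assumption chosen to match the expected same-iris distance of 0.08.

```python
import random

THRESHOLD = 0.32  # accept as a match if distance < 0.32 (value from the slide)
CODE_BITS = 2048  # 256-byte iris code

def d(x: str, y: str) -> float:
    """Normalized Hamming distance: # of non-match bits / # of bits compared."""
    if len(x) != len(y) or not x:
        raise ValueError("codes must be non-empty and of equal length")
    return sum(a != b for a, b in zip(x, y)) / len(x)

def is_match(enrolled: str, scan: str) -> bool:
    """Recognition decision: accept only below the threshold distance."""
    return d(enrolled, scan) < THRESHOLD

def random_code(rng: random.Random) -> str:
    """Constructed stand-in for an iris code: CODE_BITS independent random bits."""
    return "".join(rng.choice("01") for _ in range(CODE_BITS))

def noisy_rescan(code: str, flip_fraction: float, rng: random.Random) -> str:
    """Flip exactly flip_fraction of the bits to model measurement noise."""
    flips = set(rng.sample(range(len(code)), round(flip_fraction * len(code))))
    return "".join(
        ("1" if bit == "0" else "0") if i in flips else bit
        for i, bit in enumerate(code)
    )

rng = random.Random(2048)  # fixed seed so the constructed sample is reproducible
alice = random_code(rng)                       # enrollment-phase code
alice_rescan = noisy_rescan(alice, 0.08, rng)  # same iris, recognition phase
poor_rescan = noisy_rescan(alice, 0.33, rng)   # same iris, badly measured
other = random_code(rng)                       # unrelated iris

if __name__ == "__main__":
    print(d("0010", "0101"), d("101111", "101001"))  # the slide's two examples
    for name, scan in [("rescan", alice_rescan), ("poor", poor_rescan), ("other", other)]:
        print(name, round(d(alice, scan), 3), is_match(alice, scan))
```

The badly measured scan of the right iris is rejected (an insult, in the slides' terms), which is why the measurement quality of both phases matters as much as the threshold.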
Iris Scan Error Rate

distance   Fraud rate
0.29       1 in 1.3 × 10^10
0.30       1 in 1.5 × 10^9
0.31       1 in 1.8 × 10^8
0.32       1 in 2.6 × 10^7
0.33       1 in 4.0 × 10^6
0.34       1 in 6.9 × 10^5
0.35       1 in 1.3 × 10^5

[Figure; axis: distance; legend: == equal error rate]
Attack on Iris Scan

• Good photo of eye can be scanned
– Attacker could use photo of eye
❑ Afghan woman was authenticated by iris scan of old photo
o Story can be found here
❑ To prevent attack, scanner could use light to be sure it is a “live” iris
Equal Error Rate Comparison
• Equal error rate (EER): fraud == insult rate
• Fingerprint biometrics used in practice have EER ranging from about 10^-3 to as high as 5%
• Hand geometry has EER of about 10^-3
• In theory, iris scan has EER of about 10^-6
– Enrollment phase may be critical to accuracy

• Most biometrics much worse than fingerprint!


Biometrics: The Bottom Line
• Biometrics are hard to forge
• But attacker could
– Steal Alice’s thumb
– Photocopy Bob’s fingerprint, eye, etc.
– Subvert software, database, “trusted path” …
• And how to revoke a “broken” biometric?
• Biometrics are not foolproof
• Biometric use is relatively limited today
• That should change in the (near?) future
