Authentication Systems: Passwords, Challenge-Response, Biometrics, and Security - Prof. Da, Study notes of Electrical and Electronics Engineering

An overview of authentication systems, focusing on passwords, challenge-response mechanisms, and biometrics. It covers various aspects such as password storage, selection, and breaking, as well as the use of one-time passwords and biometric authentication. The document also discusses the importance of complementation functions, authentication functions, and update functions in an authentication system.

Typology: Study notes

Pre 2010

Uploaded on 02/24/2010

koofers-user-m2k-2

Authentication

CS461/ECE422

Reading

  • Chapter 4.5 from Security in Computing
  • Chapter 10 from Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/about/chap10.pdf

Ivanhoe, Sir Walter Scott

  • Paraphrased (Wamba gains entry to the castle dressed as a friar): Wamba: Take my disguise and escape; I will stay and die in your place. Cedric: I can’t possibly impersonate a friar, I only speak English. Wamba: If anyone says anything to you, just say “Pax vobiscum.” Cedric: What does that mean? Wamba: I don’t know, but it works like a charm!

Basics

  • Authentication: binding of identity to subject
    • Identity is that of external entity (my identity, the Illini Union Bookstore, etc.)
    • Subject is computer entity (process, network connection, etc.)

Authentication System

  • ( A , C , F , L , S )
    • A : information that proves identity
    • C : information stored on computer and used to validate authentication information
    • F : set of complementation functions that generates C ; f : A → C
    • L : set of authentication functions that verify identity; l : A × C → { true , false }
    • S : functions enabling entity to create, alter information in A or C

Authentication System

Diagram: A (identity-proving info) enters the computer, where F (complementation) produces C (identity-validating info); L (authentication) checks A against C and outputs true or false; S (update) changes A or C.

Storage

  • Store as cleartext
    • If password file compromised, all passwords revealed
  • Encipher file
    • Need to have decipherment, encipherment keys in memory
    • Reduces to previous problem
  • Store one-way hash of password
    • If file read, attacker must still guess passwords or invert the hash

Example

  • Original UNIX system standard hash function
    • Hashes password into 11 char string using one of 4096 hash functions
  • As authentication system:
    • A = { strings of 8 chars or less }
    • C = { 2 char hash id || 11 char hash }
    • F = { 4096 versions of modified DES }
    • L = { login , su , … }
    • S = { passwd , nispasswd , passwd+ , … }
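The (A, C, F, L, S) model and the hashed-storage slide, as an added example that is not from the slides or from any UNIX implementation: salted PBKDF2-SHA256 stands in for the 4096 variants of modified DES, and C keeps the UNIX layout of a salt prefix that selects the complementation function followed by the hash. The "shadow" split and the constant-time comparison are assumptions added for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of the (A, C, F, L, S) authentication system from the slides.
# F: salted PBKDF2-SHA256 (assumption) instead of the 4096-variant modified DES.
# C: "<salt hex>$<hash hex>", so the salt plays the role of the 2-char hash id.
SALT_BYTES = 16
ITERATIONS = 100_000


def complement(a: str, salt: Optional[bytes] = None) -> str:
    """F: map authentication information a (the password) to its element of C."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", a.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def authenticate(a: str, c: str) -> bool:
    """L: l(a, c) -> {true, false}; recompute f(a) with c's salt and compare."""
    salt_hex, stored = c.split("$", 1)
    recomputed = complement(a, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(recomputed, stored)  # constant-time compare


class Store:
    """Holds C. Keeping C in a separate 'shadow' map hides it from ordinary readers."""

    def __init__(self) -> None:
        self._shadow: dict = {}

    def set_password(self, user: str, a: str) -> None:
        """S: replace the user's element of C from new authentication information."""
        self._shadow[user] = complement(a)

    def login(self, user: str, a: str) -> bool:
        c = self._shadow.get(user)
        if c is None:
            complement(a)  # burn a hash so unknown user and wrong password cost the same
            return False
        return authenticate(a, c)

    def public_view(self) -> dict:
        """What the world-readable password file shows once C lives in the shadow file."""
        return {user: "x" for user in self._shadow}
```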

Preventing Attacks

  • How to prevent this:
    • Hide information so that either A , F , or C cannot be found
      • Prevents obvious attack from above
      • Example: UNIX/Linux shadow password files – hides C
    • Block access to all l ∈ L or result of l ( a,c )
      • Prevents attacker from knowing if guess succeeded
      • Example: preventing any logins to an account from a network
        • Prevents knowing results of l (or accessing l )

Using Time

Anderson’s formula:

  • P : probability of guessing a password in a specified period of time
  • G : number of guesses tested in 1 time unit
  • T : number of time units
  • N : number of possible passwords (| A |)
  • Then, if passwords are chosen randomly, how many characters r are required to make a brute-force attack fail with probability at least 1 − P, given an n-character alphabet?
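The formula itself did not survive in this extract; as an added worked derivation (not part of the slides), Anderson's formula as given in Bishop's Computer Security text relates the four quantities above as P ≥ TG/N, and the sizing question follows from it:

  P ≥ TG / N
  With random r-character passwords over an n-character alphabet, N = n^r, so
  n^r ≥ TG / P
  r ≥ log_n (TG / P)

Constructed numbers (assumptions, not from the slides): G = 10^4 guesses per second, T = one year ≈ 3.15 × 10^7 seconds, P = 10^-3, n = 96:

  n^r ≥ (3.15 × 10^7)(10^4) / 10^-3 = 3.15 × 10^14
  r ≥ log_96 (3.15 × 10^14) ≈ 14.50 / 1.98 ≈ 7.3, so r = 8 characters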

Approaches: Password Selection

  • Random selection
    • Any password from A equally likely to be selected
    • See previous example
    • Make sure it’s random! (e.g. period of 2^32 is not enough for (26+10)^8 passwords)
  • Key crunching (e.g. hashing) a long key to a sequence of shorter keys

  • Pronounceable passwords
  • User selection of passwords

Pronounceable Passwords

  • Generate phonemes randomly
    • Phoneme is unit of sound, e.g. cv, vc, cvc, vcv
    • Examples: helgoret, juttelon are; przbqxdfl, zxrptglfn are not
  • ~440^6 possible keys with 6 phonemes (12 characters long), about the same as 96^8
  • Used by GNU Mailman mailing list software (?)

Picking Good Passwords

  • Examples from textbook
    • “LlMm*2^Ap”
      • Names of members of 2 families
    • “OoHeO/FSK”
      • Second letter of each word of length 4 or more in third line of third verse of Star-Spangled Banner, followed by “/”, followed by author’s initials
  • What’s good here may be bad there
    • “DMC/MHmh” bad at Dartmouth (“Dartmouth Medical Center/Mary Hitchcock memorial hospital”), ok here
  • Why are these now bad passwords? 

Proactive Password Checking

  • Analyze proposed password for “goodness”
    • Always invoked
    • Can detect, reject bad passwords for an appropriate definition of “bad”
    • Discriminate on per-user, per-site basis
    • Needs to do pattern matching on words
    • Needs to execute subprograms and use results
      • Spell checker, for example
    • Easy to set up and integrate into password selection system
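A proactive checker with the properties listed above, as an added example that is not from the slides: it matches patterns, consults a dictionary (a constructed set standing in for a spell-checker subprogram), and applies per-user and per-site definitions of "bad", so that the slides' "DMC/MHmh" is rejected under a Dartmouth policy and accepted elsewhere. The policy contents, the word lists and the rule set are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SitePolicy:
    """Per-site definition of 'bad' (constructed; a real site would load these)."""
    min_length: int = 8
    dictionary: set = field(default_factory=set)   # general wordlist
    local_terms: set = field(default_factory=set)  # acronyms that are bad *here*


# Constructed sample data, not real site wordlists.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon"}
DARTMOUTH = SitePolicy(dictionary=COMMON_WORDS, local_terms={"dmc", "mhmh", "hitchcock"})
HERE = SitePolicy(dictionary=COMMON_WORDS, local_terms={"illini", "uiuc"})

# Undo common substitutions so "P@ssw0rd" is still caught as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})


def check(pw: str, user: str, policy: SitePolicy) -> list:
    """Return the reasons the proposal is rejected; an empty list means accepted."""
    reasons = []
    norm = pw.lower().translate(LEET)
    if len(pw) < policy.min_length:
        reasons.append("shorter than %d characters" % policy.min_length)
    if len(user) >= 3 and user.lower() in norm:
        reasons.append("contains the user name")  # per-user rule
    for word in sorted(policy.dictionary | policy.local_terms):
        if word in norm or word[::-1] in norm:
            reasons.append("contains '%s' or its reverse" % word)  # per-site rule
    if re.fullmatch(r"[a-z]+", pw.lower()) or pw.isdigit():
        reasons.append("only one character class")
    if re.search(r"(.)\1\1", pw):
        reasons.append("run of three identical characters")
    return reasons
```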