Authentication

nauseatingcynical, Security

22 Feb 2014


Authentication
Chapter 2
Security of System Resources

Three-step process (AAA)

Authentication

Positive identification of person/system seeking
access to secured information/services

Authorization

Predetermined level of access to resources

Accounting

Logging use of each asset
Authentication

Process used to identify an agent
requesting the use of resources

Based on something you:

Know – password or PIN

Are – biometric data

Have – tokens
Authentication Techniques

Usernames and passwords

Kerberos

Challenge Handshake Authentication Protocol
(CHAP)

Mutual authentication

Digital certificates

Tokens

Biometrics

Multifactor authentication
Basic Rules for Password Protection

1. Memorize passwords; do not write them down
2. Use different passwords for different functions
3. Use at least 6 (8) characters
4. Use a mixture of uppercase and lowercase letters, numbers, and other characters
5. Change periodically
6. Should not consist of dictionary words
7. Should never contain the user id
8. Shouldn’t contain anything that is easily identified with the user.
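The rules above that can be judged from a single string (length, character mix, dictionary words, the user id, personal data) are easy to turn into a checker. The following is an added example written for these notes, not code from the original slides; the word list, the 8-character minimum and the number-for-letter substitution table are assumptions chosen for illustration.

```python
import re
from typing import List, Sequence

# Constructed mini word list standing in for a real dictionary (assumption:
# a deployment would load a full word list, the same kind cracking tools use).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}

# The slide allows 6 and gives 8 in parentheses; this checker enforces the stricter 8.
MIN_LENGTH = 8

# Undo the obvious letter-for-number substitutions (the "don't use pa55w0rd" rule)
# so a disguised dictionary word is still caught.
_UNLEET = str.maketrans("0134$5@", "oleassa")


def check_password(password: str, user_id: str, personal: Sequence[str] = ()) -> List[str]:
    """Return the list of rules the password violates (empty list = acceptable).

    Covers rules 3, 4, 6, 7 and 8 of the slide. Rules 1, 2 and 5 (memorize,
    one password per function, change periodically) are process rules that
    cannot be judged from a single string. `personal` holds strings easily
    identified with the user (surname, birth year) for rule 8; the caller supplies them.
    """
    problems = []
    lowered = password.lower()

    # Rule 3: minimum length
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 4: mixture of uppercase, lowercase, digits and other characters
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(pattern, password) for pattern in classes):
        problems.append("must mix uppercase, lowercase, digits and other characters")

    # Rule 6: no dictionary words, with or without obvious number substitutions
    if lowered in DICTIONARY_WORDS or lowered.translate(_UNLEET) in DICTIONARY_WORDS:
        problems.append("is a dictionary word (possibly with number substitutions)")

    # Rule 7: must never contain the user id
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user id")

    # Rule 8: nothing easily identified with the user
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")

    return problems


if __name__ == "__main__":
    # Constructed candidates, including the slide's own examples
    for candidate in ("pa55w0rd", "Jsmith2014!", "Asb4M?", "Asb4M?7x!"):
        result = check_password(candidate, "jsmith", ("Smith", "1990"))
        print(candidate, "->", result or "OK")
```

Note that the slide's own sample "Asb4M?" passes every rule except the 8-character minimum, which is why the checker reports exactly that one violation for it.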
Strong Password Creation Techniques

Easy to remember; difficult to recognize

Examples:

First letters of each word of a simple phrase (passphrase); add a number and punctuation

Asb4M?

Combine dissimilar words and place a number between them

Bad to the Bone – Bad2theB1

Substitute numbers for letters (not obvious numbers)

Don’t use pa55w0rd – these are obviously
Techniques to Use Multiple Passwords

Group Web sites or applications by appropriate level of security

Use a different password for each group – i.e. newsgroups

Different passwords for each critical group such as financial

Another method – cycle more complex passwords down the groups, from most sensitive to least
Password Auditing / Cracking

Dictionary (word lists) – relies on speed and guile

Brute force – relies purely on power and repetition, but slow

Hybrid – combination of both

L0phtCrack – Windows, hybrid

John the Ripper – Unix

Linux NT Password Recovery (linnt)

Single-user mode
Password Problems

“Legacy” Protocols Are Clear Text

FTP, Telnet, POP, etc.

Password Length Totally Ineffective

Most Mail Credentials = LAN Credentials

“Sniffing” LAN Traffic is Trivial

Any Encryption Can be Cracked (if one has enough time – more on this later)
Authentication – Kerberos

Developed by MIT Project Athena – a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Prevent Passwords from Traversing Net

Allow Mutual Authentication

Decrease Access Time

Scale to the Enterprise

Uses Symmetric Key Cryptography
Kerberos

Think about a driver’s license. You present the license to prove who you are. Other entities trust the state the license was issued in and accept it as proof of identity. The state is analogous to the Kerberos authentication service.

http://web.mit.edu/is/help/kerberos/
Kerberos Assumptions

Password guessing and DOS attacks are not
solved by Kerberos.

Assume network devices are physically secure.

Must keep password secret.

Internal clocks of authenticating devices must be “loosely” synchronized.

The authentication server (AS) must be secure.
Kerberos in a Simple Environment

Session key (2 copies)

Secret key used during logon session
between client and a service

Ticket

Set of electronic information used to
authenticate identity of a principal to a
service

Authenticator

Device (eg, PPP network server) that
requires authentication from a peer
and specifies authentication protocol
used in the configure request during
link establishment phase
continued…
Kerberos in a Simple Environment

Checksum

Small, fixed-length numerical value

Computed as a function of an arbitrary number
of bits in a message

Used to verify authenticity of sender, from
client to server containing service
Kerberos in a More Complex Environment

Ticket-granting ticket (TGT)

Data structure that acts as an authenticating proxy to the principal’s master key for a set period of time

Ticket-granting server (TGS)

Server that grants ticket-granting tickets to a principal
Kerberos Components

Kerberos Realm – Administrative Domain

Key Distribution Center – Trusted 3rd Party

Authentication Server – Issues Ticket Granting Tickets (TGT)

Ticket Granting Server – Grants Session Tickets based on TGT to Access Resources

Session Ticket Used for Limited
Time

Time Synchronization is Critical
Kerberos in Very Large Network Systems

Cross-realm authentication

1. Local client must prove identity to AS in foreign realm.

2. Local client uses TGT to request a ticket from remote AS.

3. Remote AS looks up cross-realm key, verifies TGT & issues ticket & session key. Name of realm and client are embedded in ticket.

http://www.faqs.org/rfcs/rfc1510.html
Security Weaknesses of Kerberos

Does not solve password-guessing attacks

Must keep password secret

Does not prevent denial-of-service attacks

Internal clocks of authenticating devices
must be loosely synchronized

Authenticating device identifiers must not
be recycled on a short-term basis
Hashing

Function that takes plain text of any length and creates a unique fixed-length output (message digest).

Special mathematical function that performs one-way encryption: once the algorithm has run, the original plaintext can’t be retrieved.

Common uses are storing passwords and ensuring message integrity.

2 popular hashing algorithms are SHA and MD.

Essential principle of a cryptographically sound hash is that if the input were changed by a single bit, the message digest would be different.
Message Digest – SHA

Message Digest is a generic name for one of three algorithms, all designed to create a message digest or hash from data input.

MD2 – produces a hash of 128 bits, optimized for 8-bit machines

MD4 – optimized for 32-bit machines, fast but not secure

MD5 – created to fix security problems of MD4 and is slower – still has major flaws

SHA – algorithm modeled on MD4. Accepts an input of up to 2^64 bits and compresses it down to a 160-bit message digest. Most secure.
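The two properties the hashing slides rely on (a fixed digest size per algorithm, and a one-bit input change scrambling the digest) can be observed directly with Python's standard library, and the same library covers the "storing passwords" use. The block below is an added example for these notes, not code from the original slides. It uses MD5 and SHA-1 only to show the 128-bit and 160-bit digest sizes the slides quote; for the password-storage part it uses salted PBKDF2-HMAC-SHA256, which is what a practitioner would use today rather than a bare MD5 or SHA-1 call, and the sample message and password are constructed.

```python
import hashlib
import hmac
import os


def digest_bits(algorithm: str) -> int:
    """Size in bits of the message digest the named algorithm produces (128 for MD5, 160 for SHA-1)."""
    return hashlib.new(algorithm).digest_size * 8


def flip_one_bit(data: bytes, bit_index: int = 0) -> bytes:
    """Return a copy of `data` with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions at which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, message: bytes) -> int:
    """Hash `message` and a one-bit-different copy; return how many digest bits changed.

    For a sound hash roughly half the digest bits change, so the two digests look
    unrelated even though the inputs differ in a single bit (the slide's "essential principle")."""
    h1 = hashlib.new(algorithm, message).digest()
    h2 = hashlib.new(algorithm, flip_one_bit(message)).digest()
    return differing_bits(h1, h2)


def store_password(password: str, iterations: int = 100_000):
    """Create the record kept for a password: a random salt and a slow, salted digest.

    The plaintext is never stored. PBKDF2-HMAC-SHA256 is used rather than a single
    MD5/SHA-1 call so that every guess costs `iterations` hash operations and two
    users with the same password get different digests (because of the salt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    """Recompute the digest from the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"  # constructed sample message
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg}: {digest_bits(alg)}-bit digest, "
              f"{avalanche(alg, msg)} digest bits change after a 1-bit input change")
    salt, record = store_password("Asb4M?")  # the slide's sample password
    print("correct password verifies:", verify_password("Asb4M?", salt, record))
    print("wrong password verifies:  ", verify_password("asb4m?", salt, record))
```

Because only the salt and digest are kept, a stolen password table yields no plaintext; the one-way property is exactly what makes verification by recomputation possible while keeping the original secret.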
Challenge Handshake Authentication Protocol

Used for PPP (Dial-up) Authentication

Replaced PAP (Cleartext)

Uses MD5 Hash Algorithm

Link Control Protocol Authenticates User Before Establishing Connection

Periodic Challenge-Response Ensures Session is Not Hijacked
Challenge Handshake Authentication Protocol (CHAP)

Used to provide authentication across a point-to-point link using PPP.

Designed to provide authentication periodically through the use of a challenge/response system (3-way handshake).
CHAP Security Benefits

Multiple authentication sequences
throughout Network layer protocol session

Limit time of exposure to any single attack

Variable challenge values and changing
identifiers

Provide protection against playback attacks
CHAP Security Issues

Passwords should not be the same in both
directions

Not all implementations of CHAP
terminate the link when authentication
process fails, but instead limit traffic to a
subset of Network layer protocols

Possible for users to update passwords

Are susceptible to collision attacks.
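The CHAP slides above describe the three-way handshake, the periodic re-challenge, the protection against playback, and the advice that the two directions of a mutual exchange must not share a secret. The block below is an added example for these notes, not code from the original slides or from any PPP implementation: it computes the response the way RFC 1994 specifies (MD5 over the one-octet Identifier, the shared secret and the challenge), models both sides of the link in memory instead of on a serial line, and checks that a recorded response is useless against any later challenge. Peer names, secrets and the 16-byte challenge length are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-octet Identifier, the shared secret and the challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (on a PPP link, typically the access server)."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets                     # peer name -> shared secret for this direction
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}    # identifier -> challenge still awaiting a response

    def challenge(self) -> Tuple[int, bytes]:
        """Emit a fresh random challenge under a new identifier (both change every round)."""
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Succeed only if the response matches the still-outstanding challenge for this identifier.

        The challenge is consumed on first use, so a captured response cannot be
        played back later, and a response to one challenge never fits another."""
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, challenge))


class Peer:
    """The side proving its identity; the secret itself never crosses the link."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_periodic(auth: Authenticator, peer: Peer, rounds: int) -> bool:
    """Run `rounds` challenge/response exchanges, as CHAP repeats them during a session."""
    for _ in range(rounds):
        identifier, challenge = auth.challenge()
        name, response = peer.respond(identifier, challenge)
        if not auth.verify(identifier, name, response):
            return False
    return True


def mutual_session(server_secret: bytes, client_secret: bytes, rounds: int = 2) -> bool:
    """Authenticate in both directions with a distinct secret per direction, as the slides advise."""
    server_auth = Authenticator({"client": client_secret})   # server checks the client
    client_auth = Authenticator({"server": server_secret})   # client checks the server
    client_peer = Peer("client", client_secret)
    server_peer = Peer("server", server_secret)
    return run_periodic(server_auth, client_peer, rounds) and run_periodic(client_auth, server_peer, rounds)


if __name__ == "__main__":
    auth = Authenticator({"alice": b"correct-horse"})        # constructed shared secret
    print("3 rounds, right secret:", run_periodic(auth, Peer("alice", b"correct-horse"), 3))
    print("1 round, wrong secret: ", run_periodic(auth, Peer("alice", b"guess"), 1))
    print("mutual, distinct secrets:", mutual_session(b"srv-secret", b"cli-secret"))
```

The `verify` method is where the "variable challenge values and changing identifiers" benefit becomes concrete: the server only ever compares against a challenge it issued and has not yet seen answered, which is what makes a captured response worthless for playback.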
Mutual Authentication

Mutual authentication – process by which each party in an electronic communication verifies the identity of the other party

Nonrepudiation

Practice of using a trusted, third-party entity to
verify the authenticity of a party who sends a
message
Digital Authentication

Certificate Authority (CA) – third-party entity that verifies an identity and provides a digital certificate.

Digital Certificate – issued by a CA and signed with the CA’s private key. Like a passport.

Digital Signature – created using an algorithm to create a message digest, which is encrypted using a private key.
Digital Certificate

An attachment to an electronic message used for security purposes. An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA).

The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.

The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.
Electronic Encryption and Decryption Concepts

Encryption

Converts plain text message into secret message

Decryption

Converts secret message into plain text message

Symmetric cipher

Uses only one key

More efficient but less secure

Asymmetric cipher

Uses a key pair (private key and public key)
continued…
How Much Trust Should One Place in a CA?

Reputable CAs have several levels of authentication that they issue based on the amount of data collected from applicants

Example: VeriSign

Windows 2000 provides a CA service
Security Tokens
Something you have

Authentication devices assigned to specific
user

Small, credit card-sized physical devices

Incorporate two-factor authentication
methods

Utilize base keys that are much stronger
than short, simple passwords a person can
remember
Types of Security Tokens

Passive

Act as a storage device for the base key

Do not emit, or otherwise share, base tokens

Active

Actively create another form of a base key or
encrypted form of a base key that is not
subject to attack by sniffing and replay

Can provide variable outputs in various
circumstances
One-Time Passwords

Used only once for limited period of time; then is
no longer valid

Uses shared keys and challenge-and-response
systems, which do not require that the secret be
transmitted or revealed

Strategies for generating one-time passwords

Counter-based tokens – combines the secret password with a counter in the server

Clock-based tokens – combines the secret password with the server clock
Biometrics

Biometric authentication

Uses measurements of physical or behavioral
characteristics of an individual

Generally considered most accurate of all
authentication methods

Traditionally used in highly secure areas

Expensive
How Biometric Authentication Works

1. Biometric is scanned after identity is verified
2. Biometric information is analyzed and put into an electronic template
3. Template is stored in a repository
4. To gain access, biometric is scanned again
5. Computer analyzes biometric data and compares it to data in template
6. If data from scan matches data in template, person is allowed access
7. Keep a record, following AAA model
False Positives and False Negatives

False positive

Occurrence of an unauthorized person being
authenticated by a biometric authentication
process

False negative

Occurrence of an authorized person not being
authenticated by a biometric authentication
process when they are who they claim to be
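Biometric matching is never an exact comparison: step 6 above is really "the match score is at or above a threshold", and where that threshold sits decides how often each of the two errors on this slide occurs. The block below is an added example for these notes, not code from the original slides or from any biometric product. It walks through the seven steps with a deliberately simple bit-string template (the scoring function and all templates, scores and user names are constructed for illustration) and computes the false positive and false negative rates of a threshold from sample genuine and impostor scores.

```python
from typing import Dict, List, Sequence, Tuple


def match_score(template: bytes, sample: bytes) -> float:
    """Similarity in [0, 1]: 1 minus the fraction of differing bits.

    Constructed scoring function (iris-code-style bit comparison) for illustration;
    real matchers are considerably more involved."""
    if len(template) != len(sample):
        raise ValueError("template and sample must have the same length")
    differing = sum(bin(a ^ b).count("1") for a, b in zip(template, sample))
    return 1.0 - differing / (8 * len(template))


class BiometricSystem:
    """Enrolment and verification following the slide's seven steps, with an AAA-style record."""

    def __init__(self, threshold: float):
        self.threshold = threshold
        self.templates: Dict[str, bytes] = {}             # step 3: template repository
        self.log: List[Tuple[str, float, bool]] = []      # step 7: record of every attempt

    def enrol(self, user: str, scan: bytes) -> None:
        # Steps 1-3: identity verified out of band, scan reduced to a template and stored.
        self.templates[user] = bytes(scan)

    def authenticate(self, user: str, scan: bytes) -> bool:
        # Steps 4-6: rescan, compare with the stored template, decide against the threshold.
        template = self.templates.get(user)
        score = match_score(template, scan) if template is not None else 0.0
        granted = template is not None and score >= self.threshold
        self.log.append((user, score, granted))
        return granted


def error_rates(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> Tuple[float, float]:
    """(false positive rate, false negative rate) at a given threshold.

    False positive: an impostor score at or above the threshold is accepted.
    False negative: a genuine user's score below the threshold is rejected."""
    fp = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fn = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fp, fn


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          candidates: Sequence[float]) -> float:
    """Candidate threshold at which the two error rates are closest (the equal-error point)."""
    def gap(t: float) -> float:
        fp, fn = error_rates(genuine, impostor, t)
        return abs(fp - fn)
    return min(candidates, key=gap)


# Constructed match scores from a hypothetical pilot: genuine users vs impostors
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.66, 0.90, 0.79, 0.85, 0.93]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.58, 0.22, 0.49, 0.73, 0.30, 0.15, 0.44]

if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        print(f"threshold {t}: (false positive rate, false negative rate) = "
              f"{error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)}")
    system = BiometricSystem(threshold=0.9)
    system.enrol("alice", bytes([0b10101010] * 4))                       # constructed template
    rescan = bytes([0b10101011, 0b10101000, 0b10101010, 0b10101010])      # 2 of 32 bits differ
    print("alice rescan accepted:", system.authenticate("alice", rescan))
    print("impostor accepted:", system.authenticate("alice", bytes([0b01010101] * 4)))
    print("log:", system.log)
```

Raising the threshold trades false positives for false negatives: at 0.8 the sample impostors are all rejected but three genuine users are turned away, while at 0.5 every genuine user gets in and two impostors with it. The threshold a site picks depends on which error is costlier there, which is why the slides note that false negatives are a matter of "when they are who they claim to be" rather than a system fault.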
Different Kinds of Biometrics

Physical characteristics

Fingerprints – most mature and most widely deployed

Hand geometry – easy to use and integrate

Retinal scanning – highly accurate, difficult to spoof, and measures a stable physiological trait.

Iris scanning – template matching rates are high

Facial scanning – use any image from a still or motion camera

Behavioral characteristics

Handwritten signatures

Voiceprint (not voice recognition)
Fingerprint Biometrics
Hand Geometry Authentication
Retinal Scanning
Iris Scanning
Signature Verification
General Trends in Biometrics

Generally too expensive for everyday use

Authenticating large numbers of people
over a short period of time (eg, smart
cards)

Gaining remote access to controlled areas
Multifactor Authentication

Identity of individual is verified using at
least two of the three factors of
authentication

Something you know (eg, password)

Something you have (eg, smart card)

Something about you (eg, biometrics)
Chapter Summary

Authentication techniques

Usernames and passwords

Kerberos

CHAP

Mutual authentication

Digital certificates

Tokens

Biometrics

Multifactor authentication