Feb 22, 2014


Chapter 2
Security of System Resources

Three-step process (AAA)

Authentication – positive identification of the person or system seeking
access to secured information or services

Authorization – predetermined level of access to resources

Accounting – logging the use of each asset

Authentication

Process used to identify an agent requesting the use of resources

Based on something you:

Know – password or PIN

Are – biometric data

Have – tokens
Authentication Techniques

Usernames and passwords

Kerberos

Challenge Handshake Authentication Protocol (CHAP)

Mutual authentication

Digital certificates

Security tokens and one-time passwords

Biometrics

Multifactor authentication
Basic Rules for Password Protection
1. Memorize passwords; do not write them down
2. Use different passwords for different functions
3. Use at least 8 characters (longer is better)
4. Use a mixture of uppercase and lowercase letters, numbers, and other characters
5. Change periodically, and immediately if compromise is suspected
6. Should not consist of dictionary words
7. Should never contain the user id
8. Should not contain anything easily identified with the user (names, birthdays, pets, phone numbers)
Strong Password Creation

Easy to remember; difficult to guess

First letters of each word of a simple phrase (passphrase); add a number and punctuation

Combine dissimilar words and place a number between them

Bad to the Bone – Bad2theB1

Substitute numbers for letters (not the obvious substitutions)

Don’t use pa55w0rd – these are obviously
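The rules from the two slides above as a policy checker, written for this page as an added example (it is not code from the original slides). The word list is a constructed stand-in for a real dictionary file, and the substitution table is an assumption about which "obvious" replacements to undo; the rule numbers in the comments refer to the Basic Rules list.

```python
"""Password-policy check implementing the rules above (added example, not
from the original slides). WORDLIST is a tiny constructed stand-in for a real
dictionary file, which would hold tens of thousands of entries."""
import re
import string

MIN_LENGTH = 8
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein", "summer"}

# Undo the common letter->digit/symbol substitutions so that "pa55w0rd" is
# still recognised as the dictionary word "password" (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def check_password(pw, user_id, personal_info=()):
    """Return the list of rule violations; an empty list means the password
    passes. personal_info holds strings easily tied to the user (name, birth
    year, pet, phone number ...)."""
    problems = []
    if len(pw) < MIN_LENGTH:                                   # rule 3
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:                                       # rule 4
        problems.append("needs at least three of: lowercase, uppercase, digits, other characters")

    lowered = pw.lower()
    if user_id and user_id.lower() in lowered:                 # rule 7
        problems.append("contains the user id")
    for item in personal_info:                                 # rule 8
        if item and item.lower() in lowered:
            problems.append(f"contains something easily tied to the user ({item!r})")

    # Rule 6: strip digits and punctuation (with and without undoing
    # substitutions); if what is left is a single dictionary word, the
    # password is that word in disguise ("Welcome2024!", "pa55w0rd").
    cores = {re.sub(r"[^a-z]", "", s) for s in (lowered, lowered.translate(LEET))}
    for word in sorted(cores & WORDLIST):
        problems.append(f"is the dictionary word {word!r} with trivial decoration")
    return problems
```

Combined words with a number between them ("Bad2theB1") pass because no single dictionary word survives the stripping, while the decorated single words that cracking tools try first are rejected.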
Techniques to Use Multiple Passwords

Group Web sites or applications by the appropriate level of security

Use a different password for each group – ie

Different passwords for each critical group, such as financial

Another method – cycle more complex passwords down the groups, from most sensitive to least
Password Auditing / Cracking

Dictionary (word lists) – relies on speed and

Brute force – relies purely on power and repetition – but slow

Hybrid – combination of both

– Windows – Hybrid

John the Ripper

Linux NT Password Recovery

Single User Mode
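The three attack styles above, run against unsalted MD5 hashes so the difference in cost and reach is visible. This is an added example written for this page, not output from John the Ripper or any tool the slides name; the hashes, the word list and the mangling rules are all constructed here.

```python
"""Dictionary, brute-force and hybrid attacks against unsalted MD5 hashes
(added example, not from the original slides). Word list, mangling rules and
target hashes are constructed; an audit would take them from a password file."""
import hashlib
import itertools
import string

WORDLIST = ["password", "welcome", "dragon", "summer", "letmein"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}   # assumed rule set


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def dictionary_candidates(words):
    """Plain word-list attack: each word as is and capitalised."""
    for w in words:
        yield w
        yield w.capitalize()


def brute_force_candidates(alphabet, max_len):
    """Exhaustive search, shortest first; cost grows as len(alphabet)**n."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def hybrid_candidates(words):
    """Word list plus mangling rules: appended digits and years, leet
    substitutions, trailing punctuation. This is what reaches 'Summer2014!'."""
    suffixes = [""] + [str(d) for d in range(100)] + [str(y) for y in range(1990, 2015)]
    for base in dictionary_candidates(words):
        leet = "".join(LEET.get(c.lower(), c) for c in base)
        for w in (base, leet):
            for suffix in suffixes:
                for punct in ("", "!", "?"):
                    yield w + suffix + punct


def crack(targets, candidates, limit=5_000_000):
    """Return {hash: plaintext} for every target hit within `limit` guesses."""
    found, remaining = {}, set(targets)
    for guesses, cand in enumerate(candidates, 1):
        h = md5(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
            if not remaining:
                break
        if guesses >= limit:
            break
    return found
```

The hybrid generator produces only a few thousand guesses from five words, which is why a decorated dictionary word falls immediately while the combined-word password from the slides ("Bad2theB1") is not reached at all; unsalted MD5 also lets one table of guesses be checked against every captured hash at once.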
Password Problems

“Legacy” Protocols Are Clear Text

FTP, Telnet, POP, etc.

Password Length Is Totally Ineffective When the Password Crosses the Wire in Clear Text

Most Mail Credentials = LAN Credentials

“Sniffing” LAN Traffic Is Trivial

Any Encryption Can Be Cracked Given Enough Time and Computing Power (more on this later)
Authentication – Kerberos

Developed by MIT Project Athena – a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Prevent Passwords from Traversing the Network

Allow Mutual Authentication

Decrease Access Time (one logon yields tickets for many services)

Scale to the Enterprise

Uses Symmetric Key Cryptography

Think about a driver’s license. You present the license to prove who you are. Other entities trust the state that issued the license and accept it as proof of identity. The state is analogous to the Kerberos authentication service.
Kerberos Assumptions

Password guessing and DoS attacks are not solved by Kerberos.

Assumes network devices are physically secure.

Must keep passwords secret.

Internal clocks of authenticating devices must be loosely synchronized.

The authentication server (AS) must be secure.
Kerberos in a Simple Environment

Session key (2 copies)

Secret key used during a logon session between a client and a service

Ticket

Set of electronic information used to authenticate the identity of a principal to a service

Authenticator (as the term is defined for PPP; in Kerberos, the authenticator is the client’s encrypted timestamp proving it holds the session key)

Device (eg, PPP network server) that requires authentication from a peer and specifies the authentication protocol used in the configure request during the link establishment phase

Kerberos in a Simple Environment

Checksum

Small, fixed-length numerical value computed as a function of an arbitrary number of bits in a message

Used to verify the authenticity of the sender; sent from the client to the server containing the service
Kerberos in a More Complex Environment

Ticket-granting ticket

Data structure that acts as an authenticating proxy for the principal’s master key for a set period of time

Ticket-granting server

Server that grants service tickets to a client that presents a valid ticket-granting ticket
Kerberos Components

Kerberos Realm – Administrative Domain

Key Distribution Center – Trusted Third Party

Authentication Server – Issues Ticket Granting Tickets (TGT)

Ticket Granting Server – Grants Session Tickets based on a TGT to Access Resources

Session Ticket Used for a Limited Time

Time Synchronization is Critical
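The single-realm flow that the Kerberos slides describe (AS issues a TGT, TGS issues a service ticket, the service checks an authenticator and answers so the client can check it back), with ticket lifetimes, the clock-skew check and a replay cache. This is an added example written for this page, not MIT's Kerberos code: the seal()/unseal() pair is a stand-in for Kerberos' real encryption types (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), the PBKDF2 string-to-key is a simplification of the real one, and the realm, principal names, passwords and lifetimes are constructed for the demonstration.

```python
"""Toy single-realm Kerberos exchange (AS -> TGS -> service) with mutual
authentication, ticket lifetimes and a replay cache. Added example, not MIT's
Kerberos code: seal()/unseal() stand in for Kerberos' AES encryption types
(HMAC-SHA256 keystream, encrypt-then-MAC); realm, principals, passwords and
lifetimes are constructed for the demonstration."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"
SKEW = 300            # tolerated clock skew, seconds (Kerberos default is 5 minutes)
LIFETIME = 8 * 3600   # ticket lifetime, seconds

def string2key(password, principal):
    # Both ends derive the long-term key locally; the password never crosses the network.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{REALM}{principal}".encode(), 50_000)

def _subkeys(key):   # separate keys for keystream and tag
    return hmac.new(key, b"enc", hashlib.sha256).digest(), hmac.new(key, b"mac", hashlib.sha256).digest()

def _keystream(ek, nonce, length):
    return b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a symmetric key."""
    ek, mk = _subkeys(key)
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct)))))

def check_authenticator(session_key, authenticator, ticket_client, replay_cache):
    """Used by TGS and service alike: the authenticator proves the client holds the
    session key carried in the ticket; skew and replay checks stop captured copies."""
    auth = unseal(session_key, authenticator)
    if auth["client"] != ticket_client:
        raise PermissionError("authenticator does not match ticket")
    if abs(time.time() - auth["ts"]) > SKEW:
        raise PermissionError("clock skew too large: time synchronization is critical")
    fingerprint = hashlib.sha256(authenticator).digest()
    if fingerprint in replay_cache:
        raise PermissionError("replayed authenticator")
    replay_cache.add(fingerprint)
    return auth

class KDC:
    """Authentication Server and Ticket Granting Server sharing one key database."""
    def __init__(self, keys):
        self.keys, self.replay_cache = keys, set()

    def as_exchange(self, client):
        """AS-REQ/AS-REP: TGT (sealed under the TGS key) plus the client's copy of
        the session key, both sealed under the client's long-term key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": time.time() + LIFETIME})
        return seal(self.keys[client], {"key": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if t["expires"] < time.time():
            raise PermissionError("TGT expired")
        tsk = bytes.fromhex(t["key"])
        check_authenticator(tsk, authenticator, t["client"], self.replay_cache)
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk, "expires": time.time() + LIFETIME})
        return seal(tsk, {"key": sk, "ticket": ticket.hex()})

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket, authenticator):
        """AP-REQ/AP-REP: validate ticket and authenticator, then echo the client's
        timestamp under the session key so the client can verify the service too
        (mutual authentication). Returns (authenticated client name, AP-REP)."""
        t = unseal(self.key, ticket)
        if t["expires"] < time.time():
            raise PermissionError("service ticket expired")
        sk = bytes.fromhex(t["key"])
        auth = check_authenticator(sk, authenticator, t["client"], self.replay_cache)
        return t["client"], seal(sk, {"ts": auth["ts"]})

def client_login(kdc, service, user, password):
    """Client side end to end: logon, obtain a service ticket, authenticate to the service."""
    key = string2key(password, user)
    rep = unseal(key, kdc.as_exchange(user))          # wrong password -> ValueError here
    tsk, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    rep = unseal(tsk, kdc.tgs_exchange(tgt, seal(tsk, {"client": user, "ts": time.time()}), service.name))
    ssk, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    ts = time.time()
    who, ap_rep = service.ap_exchange(ticket, seal(ssk, {"client": user, "ts": ts}))
    if unseal(ssk, ap_rep)["ts"] != ts:
        raise PermissionError("service failed mutual authentication")
    return who

def demo_realm():
    """Constructed realm: one user (password-derived key), one service, the KDC's krbtgt key."""
    keys = {"alice": string2key("correct horse", "alice"),
            "host/fileserver": os.urandom(32), "krbtgt": os.urandom(32)}
    return KDC(keys), Service("host/fileserver", keys["host/fileserver"])
```

Note where the slides' assumptions show up in the code: the client's password is only ever used to derive a key locally, the TGT is opaque to the client because it is sealed under the krbtgt key, every check depends on the clocks agreeing within SKEW, and a captured authenticator is useless twice because both the KDC and the service keep a replay cache.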
Kerberos in Very Large Network Systems

1. Local client must prove its identity to the AS in the foreign realm.

2. Local client uses its TGT to request a ticket from the remote realm.

3. Remote AS looks up the cross-realm key, verifies the TGT and issues a ticket and session key. The names of the realm and the client are embedded in the ticket.
Security Weaknesses of Kerberos

Does not solve password-guessing attacks

Must keep passwords secret

Does not prevent denial-of-service attacks

Internal clocks of authenticating devices must be loosely synchronized

Authenticating device identifiers must not be recycled on a short-term basis

Hash Functions

Function that takes input of any length and creates a fixed-length output (message digest); for a sound hash, two different inputs practically never produce the same digest.

Special mathematical function that is one-way: once the algorithm has run, the original plaintext cannot be recovered from the digest. (Hashing is not encryption: there is no key and nothing to decrypt.)

Common uses are storing passwords and ensuring message integrity.

Two popular families of hashing algorithms are SHA and MD.

Essential principle of a cryptographically sound hash: if the input were changed by a single bit, the message digest would be completely different (the avalanche effect).
Message Digest – SHA

Message Digest (MD) is the generic name for a series of three algorithms, all designed to create a message digest, or hash, from data input.

MD2 – produces a hash of 128 bits, optimized for 8-bit

MD4 – optimized for 32-bit machines, fast but not

MD5 – created to fix the security problems of MD4 and is slower – still has major flaws (practical collision attacks exist)

SHA – algorithm modeled on MD4. SHA-1 accepts an input of up to 2^64 bits and compresses it down to a 160-bit message digest. The most secure of the algorithms listed here when these slides were written; SHA-1 collisions have since been demonstrated, so new designs use the SHA-2 family (SHA-256, SHA-512).
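The properties and the two uses named above, made concrete: the avalanche effect measured on real digests, a keyed digest for message integrity, and password storage done the weak way (one unsalted MD5) beside the sound way (per-user salt plus an iterated hash). This is an added example written for this page, not from the original slides; the sample messages and passwords are constructed.

```python
"""Message-digest properties and uses from the section above (added example,
not from the original slides): avalanche effect, keyed integrity check, and
password storage done badly (unsalted MD5) versus properly (salted, iterated
PBKDF2). All sample inputs are constructed."""
import hashlib
import hmac
import os


def bit_difference(a: bytes, b: bytes, algo="sha256"):
    """Fraction of digest bits that differ between hash(a) and hash(b). For a
    sound hash a one-character input change flips about half the output bits."""
    da, db = hashlib.new(algo, a).digest(), hashlib.new(algo, b).digest()
    differing = sum(bin(x ^ y).count("1") for x, y in zip(da, db))
    return differing / (8 * len(da))


def integrity_tag(message: bytes, key: bytes):
    """Keyed digest (HMAC). An unkeyed hash sent alongside a message proves
    nothing: whoever altered the message can recompute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_integrity(message: bytes, key: bytes, tag: str):
    return hmac.compare_digest(integrity_tag(message, key), tag)


def store_password_badly(password: str):
    """Unsalted single MD5: equal passwords give equal hashes, and one
    precomputed table of guesses cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, iterations=200_000):
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256; the stored
    string carries everything needed to verify later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str):
    algo, iterations, salt, dk = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt), int(iterations))
    return hmac.compare_digest(candidate.hex(), dk)
```

The salt removes the shared-table shortcut (two users with the same password get different stored values) and the iteration count makes each guess cost the attacker as much as it costs the server, which is the property a plain digest lacks.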
Challenge Handshake Authentication

Used for PPP (Dialup) Authentication

Replaced PAP (Cleartext)

Uses the MD5 Hash Algorithm

Authentication Takes Place After the Link Control Protocol Has Established the Link and Before Network Layer Protocols Are Negotiated

Periodic Challenge-Response Limits the Window in Which a Hijacked Session Can Be Used

Challenge Handshake Authentication Protocol (CHAP)

Used to provide authentication across a point-to-point link using PPP

Designed to provide authentication periodically through the use of a challenge/response system (3-way handshake)
CHAP Security Benefits

Multiple authentication sequences throughout the Network layer protocol session

Limit the time of exposure to any single attack

Variable challenge values and changing identifiers

Provide protection against playback attacks

CHAP Security Issues

Secrets should not be the same in both directions

Not all implementations of CHAP terminate the link when the authentication process fails, but instead limit traffic to a subset of Network layer protocols

Possible for users to update passwords

The secret must be available in clear (or reversibly encrypted) form on both peers, and a captured challenge/response pair can be attacked offline with a dictionary; MD5 itself is susceptible to collision attacks.
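The three-way exchange from the CHAP slides (challenge, MD5 response, verification with a fresh identifier each time) and, right after it, the offline dictionary attack that an eavesdropper can run on one captured pair, which is the issue the last bullet describes. Added example written for this page, not from the slides or from any PPP implementation; peer names, the shared secret and the word list are constructed.

```python
"""RFC 1994 CHAP challenge/response with MD5 (added example, not from the
original slides), followed by the offline dictionary attack possible on a
captured challenge/response pair. Names, secret and word list are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge), RFC 1994 algorithm 5."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The PPP peer demanding authentication (e.g. the access server)."""
    def __init__(self, secrets):
        self.secrets = secrets        # name -> shared secret, never sent over the link
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self):
        # Fresh random challenge and a new identifier every time; may be sent
        # again at any point in the session (periodic re-authentication).
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)   # each challenge answers once
        if chal is None or name not in self.secrets:
            return False
        return hmac.compare_digest(response, chap_response(identifier, self.secrets[name], chal))


class Peer:
    """The dial-in side: proves knowledge of the secret without sending it."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_session(auth, peer):
    """One challenge/response round. Returns (accepted, the three values that
    crossed the link and that a sniffer would therefore capture)."""
    ident, chal = auth.challenge()
    name, resp = peer.answer(ident, chal)
    return auth.verify(ident, name, resp), (ident, chal, resp)


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """What an eavesdropper does with one captured round: the secret never
    crossed the link, but MD5 is fast and everything else in the hash is known."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None
```

Replaying a captured response fails because the authenticator discards each challenge after one use, which is the protection against playback the benefits slide claims; the dictionary attack succeeds anyway whenever the shared secret is a guessable password, which is why the secret's strength, not the protocol, bounds CHAP's security.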
Mutual Authentication

Mutual authentication – process by which each party in an electronic communication verifies the identity of the other party

Digital authentication – practice of using a trusted, third-party entity to verify the authenticity of a party who sends a

Digital Authentication

Certificate Authority (CA) – third-party entity that verifies an identity and provides a digital certificate

Digital Certificate – issued by a CA and signed with the CA’s private key. Like a passport.

Digital Signature – created by running the message through a hash algorithm to produce a message digest, which is then encrypted with the signer’s private key; anyone holding the matching public key can decrypt the digest and compare it with their own hash of the message.
Digital Certificate

A data structure, often sent as an attachment to an electronic message, used for security purposes. An individual wishing to send a signed or encrypted message applies for a digital certificate from a Certificate Authority (CA).

The CA issues a digitally signed certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available, through print publicity or on the Internet (today, by shipping it with operating systems and browsers).

The recipient of a signed message uses the CA's public key to verify the signature on the digital certificate attached to the message, confirms it was issued by the CA, and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can check the sender's signature and send an encrypted reply.
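The chain of trust the two slides above describe, in code: a CA signs a binding of name to public key, a sender signs a message digest with a private key, and the recipient verifies the certificate under the CA's public key before trusting the sender's signature. Added example written for this page, not from the slides and not a real PKI library: it uses textbook RSA generated on the spot with small 256-bit primes and no padding scheme, purely to show the digest-then-sign mechanics (production code uses RSA-PSS or ECDSA from a vetted library), and the CA and subject names are constructed.

```python
"""Digest-then-sign and a minimal certificate chain (added example, not from
the original slides). Textbook RSA with 256-bit primes and no padding, to show
the mechanics only; the identities below are constructed."""
import hashlib
import json
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits=512):
    """Return (public, private) dicts; e = 65537, n has `bits` bits."""
    e, half = 65537, bits // 2
    while True:
        p = secrets.randbits(half) | (1 << (half - 1)) | 1   # top bit set, odd
        q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p != q and is_probable_prime(p) and is_probable_prime(q) and (p - 1) * (q - 1) % e:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    """Hash first, then apply the private key to the digest (never to the message)."""
    return pow(digest(data), private["d"], private["n"])


def verify(public, data: bytes, signature: int) -> bool:
    return pow(signature, public["e"], public["n"]) == digest(data)


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def issue_certificate(ca_private, ca_name, subject, subject_public):
    """The CA binds a subject name to a public key and signs the binding ('like a passport')."""
    body = {"subject": subject, "issuer": ca_name, "public_key": subject_public}
    return {"body": body, "signature": sign(ca_private, canonical(body))}


def verify_certificate(cert, trusted_cas) -> bool:
    """Recipient: the issuer must be a CA we trust, and its signature must check out."""
    issuer_key = trusted_cas.get(cert["body"]["issuer"])
    return issuer_key is not None and verify(issuer_key, canonical(cert["body"]), cert["signature"])


def verify_signed_message(message: bytes, signature: int, cert, trusted_cas) -> bool:
    """Full path: trust the CA -> trust the certificate -> trust the sender's signature."""
    return verify_certificate(cert, trusted_cas) and verify(cert["body"]["public_key"], message, signature)
```

The only key the recipient has to obtain out of band is the CA's; every other public key arrives inside a certificate and is trusted exactly as far as the CA's signature on it, which is the point of the "how much trust should one place in a CA" question that follows.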
Electronic Encryption and Decryption Concepts

Encryption

Converts a plain text message into a secret message

Decryption

Converts the secret message back into the plain text message

Symmetric cipher

Uses only one key, shared by sender and receiver

More efficient; the difficulty is distributing the shared key securely

Asymmetric cipher

Uses a key pair (private key and public key)
How Much Trust Should One Place in a CA?

Reputable CAs have several levels of authentication that they issue, based on the amount of data collected from applicants

Example: VeriSign

Windows 2000 provides a CA service (Certificate Services)
Security Tokens
Something you have

Authentication devices assigned to specific users

Small, credit card-sized physical devices (or key fobs)

Incorporate two-factor authentication (the token plus a PIN or password)

Utilize base keys that are much stronger than the short, simple passwords a person can remember
Types of Security Tokens

Passive (storage) tokens

Act as a storage device for the base key

Do not emit, or otherwise share, the base key

Active tokens

Actively create another form of the base key, or an encrypted form of the base key, that is not subject to attack by sniffing and replay

Can provide variable outputs in various
One-Time Passwords

Used only once, for a limited period of time; then no longer valid

Uses shared keys and challenge-and-response systems, which do not require that the secret be transmitted or revealed

Strategies for generating one-time passwords

Counter-based tokens – combine the shared secret with a counter kept in step on the token and on the server

Clock-based tokens – combine the shared secret with the current time, so the token and the server must keep their clocks in step
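Both strategies above as they are standardised today: counter-based HOTP (RFC 4226) and clock-based TOTP (RFC 6238), each with the server-side logic that keeps the token and server in step and refuses a code that has already been used. Added example written for this page, not from the slides; the shared secret is the one published as the RFC test vector, the look-ahead window and skew tolerance are assumptions.

```python
"""Counter-based (HOTP, RFC 4226) and clock-based (TOTP, RFC 6238) one-time
passwords in standard-library Python (added example, not from the original
slides). The secret below is the RFCs' published test key; a real token's
secret is provisioned once and never transmitted again."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits=6) -> str:
    """HOTP(K, C) = dynamic truncation of HMAC-SHA1(K, C), mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step=30, digits=6) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class CounterTokenServer:
    """Server side of a counter-based token. Accepts codes within a look-ahead
    window (assumed 5) so a few unused button presses do not lock the user
    out, then moves its counter past the accepted value so no code works twice."""
    def __init__(self, secret: bytes, window=5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


class ClockTokenServer:
    """Server side of a clock-based token: accepts the current step and one
    step either side to absorb clock drift, and remembers the last step
    accepted so a captured code cannot be replayed within its window."""
    def __init__(self, secret: bytes, step=30):
        self.secret, self.step, self.last_step = secret, step, -1

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for s in (current - 1, current, current + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False
```

The counter-based server never needs a clock but must tolerate the token running ahead; the clock-based server needs no stored counter but depends on time synchronisation, and in both cases the "used once" property comes from the server refusing to go backwards, not from the code itself.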

Biometric authentication

Uses measurements of physical or behavioral characteristics of an individual

Generally considered the most accurate of all authentication methods

Traditionally used in highly secure areas

How Biometric Authentication Works
1. Biometric is scanned after identity is verified (enrollment)
2. Biometric information is analyzed and put into an electronic template
3. Template is stored in a repository
4. To gain access, the biometric is scanned again
5. Computer analyzes the biometric data and compares it to the data in the template
6. If the scan matches the template closely enough (within a threshold), the person is allowed access
7. Keep a record, following the AAA model
False Positives and False Negatives

False positive (false acceptance)

Occurrence of an unauthorized person being authenticated by a biometric authentication process

False negative (false rejection)

Occurrence of an authorized person not being authenticated by a biometric authentication process when they are who they claim to be

Lowering the match threshold reduces false negatives but raises false positives; the two rates trade off against each other.
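The seven-step procedure and the two error types above as a template-matching simulation: enrollment averages several scans into a template, verification compares a fresh scan against the claimed identity's template within a threshold and logs the outcome (the AAA record), and a small simulation shows how the threshold trades false acceptances against false rejections. Added example written for this page, not from the slides; the "biometrics" are constructed random feature vectors with Gaussian scan noise, a stand-in for real minutiae or iris codes, so the numbers illustrate the trade-off only.

```python
"""Biometric enrollment/verification as template matching, with the false
acceptance / false rejection trade-off measured (added example, not from the
original slides). Feature vectors and scan noise are constructed."""
import math
import random


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class BiometricRepository:
    def __init__(self, threshold):
        self.threshold, self.templates, self.log = threshold, {}, []

    def enroll(self, user, samples):
        # Steps 1-3: after identity is verified, average several scans into one
        # template and store it.
        dims = len(samples[0])
        self.templates[user] = [sum(s[i] for s in samples) / len(samples) for i in range(dims)]

    def verify(self, claimed_user, scan):
        # Steps 4-7: rescan, compare with the claimed identity's template within
        # the threshold, and record the outcome.
        template = self.templates.get(claimed_user)
        ok = template is not None and distance(template, scan) <= self.threshold
        self.log.append((claimed_user, ok))
        return ok


def noisy(features, sigma, rng):
    """A scan: the true features plus sensor noise (constructed model)."""
    return [v + rng.gauss(0, sigma) for v in features]


def error_rates(threshold, trials=300, seed=1):
    """Simulate genuine and impostor attempts; return (false acceptance rate,
    false rejection rate) for the given threshold."""
    rng = random.Random(seed)
    repo = BiometricRepository(threshold)
    truth = {u: [rng.uniform(0, 10) for _ in range(8)] for u in ("alice", "bob", "carol")}
    for user, features in truth.items():
        repo.enroll(user, [noisy(features, 0.5, rng) for _ in range(3)])
    users, false_accepts, false_rejects = list(truth), 0, 0
    for _ in range(trials):
        genuine = rng.choice(users)
        scan = noisy(truth[genuine], 0.5, rng)
        if not repo.verify(genuine, scan):
            false_rejects += 1
        # Impostor: presents their own biometric but claims someone else's identity.
        target = rng.choice([u for u in users if u != genuine])
        if repo.verify(target, scan):
            false_accepts += 1
    return false_accepts / trials, false_rejects / trials
```

Sweeping the threshold in error_rates is how a deployment picks its operating point: a tight threshold sends the false acceptance rate to zero at the cost of rejecting legitimate users, a loose one does the reverse, and the point where the two curves cross is the equal error rate usually quoted for a biometric product.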
Different Kinds of Biometrics

Physical characteristics

Fingerprints – most mature and most widely deployed

Hand geometry – easy to use and integrate

Retinal scanning – highly accurate, difficult to spoof, and measures a stable physiological trait

Iris scanning – template matching rates are high

Facial scanning – can use any image from a still or motion camera

Behavioral characteristics

Handwritten signatures

Voice print, not voice recognition
Fingerprint Biometrics
Hand Geometry Authentication
Retinal Scanning
Iris Scanning
Signature Verification
General Trends in Biometrics

Generally too expensive for everyday use

Authenticating large numbers of people
over a short period of time (eg, smart

Gaining remote access to controlled areas
Multifactor Authentication

Identity of an individual is verified using at least two of the three factors of authentication:

Something you know (eg, password)

Something you have (eg, smart card)

Something you are (eg, biometrics)
Chapter Summary

Authentication techniques

Usernames and passwords

Kerberos

Challenge Handshake Authentication Protocol (CHAP)

Mutual authentication

Digital certificates

Security tokens and one-time passwords

Biometrics

Multifactor authentication