Section 4.5 User Authentication

utterlypanoramicSecurity

Nov 30, 2013

Chapter 4: Protection in General-Purpose Operating Systems
Section 4.5 User Authentication

In this section:
Authentication
Passwords
Effective passwords
Breaking passwords
One-Time Systems
Biometrics


User Authentication

Most software and operating systems base their security on knowing who the user is.

Authentication is based on one of three qualities:
Something the user knows: passwords, PIN, passphrase
Something the user has: key, license, badge, username
Something the user is: physical characteristics or biometrics

Two of these forms can be combined together.

Passwords as Authenticators

Most common authentication mechanism.
Password: a word that should be unknown to other users and computers.

Problems with passwords:
Loss
Use: time consuming if required on each file or access
Disclosure: if Mallory finds out the password, it might cause problems for everyone else
Revocation: revoking one person's right might cause problems for others

Additional Authentication Information

Placing other conditions on a login can reinforce the security of a password.

Other methods:
Limiting the time of access
Limiting the location of access

Multifactor authentication is using additional forms of authentication.
More authentication factors mean more for the system and administrator to manage.

Attacks on Passwords

Ways of figuring out a password:
Try all possible passwords
Try frequently used passwords
Try passwords likely for the user
Search for the system password list
Ask the user

Loose-Lipped Systems

The authentication system leaks information about the password or username.
Provides information at inconvenient times.

Exhaustive Attack

A brute force attack is when the attacker tries all possible passwords.

Example: a 26-character (A-Z) alphabet, password of length 1 to 8 characters.
At one password per millisecond this would take about two months.
But we would not need to try every password.

Password Problems

Probable passwords
Passwords likely for a user
Weakness is in the user's choice
Weakness is in the control of the system

Look at Table 4-2 on page 225.
Figure 4-15: Users' Password Choices.

Password Selection Criteria

Use characters other than just A-Z
Choose long passwords
Avoid actual names or words
Choose an unlikely password
Change the password regularly
Don't write it down
Don't tell anyone else
Beware of social engineering

One-Time Passwords

A password that changes every time.
Also known as challenge-response systems.

F(x) = x + 1: use of a function
F(x) = r(x): seed to a random number generator
F(a b c d e f g) = b d e g f a c: transformation of a character string
F(E(x)) = E(D(E(x)) + 1): the encrypted value must be decrypted and run through a function

The Authentication Process

Slow response from the system
Limited number of attempts
Access limitations
Fixing flaws with a second level of protection
Challenge-response
Impersonation of login
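The challenge-response exchange from the one-time password slides, as an added example that is not part of the original deck: the verifier issues a fresh challenge, the user's side answers with the slide's string transformation F(a b c d e f g) = b d e g f a c, and the verifier also enforces the "limited number of attempts" and one-use-per-challenge rules from the authentication-process slide. The Verifier class, MAX_ATTEMPTS and the alphabet are assumptions made for this example.

```python
import hmac
import secrets

# Constructed example (not from the slides): the user's secret function F is the
# position permutation F(a b c d e f g) = b d e g f a c, expressed as indices.
PERMUTATION = (1, 3, 4, 6, 5, 0, 2)
MAX_ATTEMPTS = 3                      # assumed value for "limited number of attempts"
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def transform(challenge: str) -> str:
    """User side: apply the secret transformation F to a 7-character challenge."""
    if len(challenge) != len(PERMUTATION):
        raise ValueError("challenge must be exactly 7 characters")
    return "".join(challenge[i] for i in PERMUTATION)


class Verifier:
    """Server side: issues one-time challenges and checks the responses."""

    def __init__(self) -> None:
        self.outstanding = {}   # user -> challenge that has not been answered yet
        self.failures = {}      # user -> consecutive failed attempts

    def challenge(self, user: str) -> str:
        # A fresh random challenge each login, so a captured response is useless later.
        c = "".join(secrets.choice(ALPHABET) for _ in range(len(PERMUTATION)))
        self.outstanding[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return False                        # too many failures: further logins refused
        c = self.outstanding.pop(user, None)    # each challenge can be answered only once
        if c is None:
            return False                        # no challenge issued, or a replayed answer
        expected = transform(c)
        # Constant-time comparison so the check does not leak how many characters matched
        # (a "loose-lipped" system would).
        if hmac.compare_digest(expected.encode(), response.encode()):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False
```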

Biometrics

Biometrics are biological authenticators.

Problems with biometrics:
Still a relatively new concept
Can be costly
Establishing a threshold
Single point of failure
False positives
Speed can limit accuracy
Forgeries are possible