1 Identification Who are you? How do I know you are who you say you are?

1

Identification

Who are you?

How do I know you are who you say you are?

2

Process of Identification

There are typically two stages:

1. Username for identification

2. Password for verification of identification (authentication)

3

Threats

There are various ways in which a username/password identification system can be abused:

• Password guessing

• Password spoofing

• Reading the password file

4

Password Guessing

This term refers to exhaustive and intelligent searches to try and determine the password of a user.

How can these attacks be prevented:

- by the user?

- by the system?

5

Spoofing Attacks

The system verifies that the user is who they say they are. BUT does the user verify the system?

A typical spoof attack is to create a program which pretends to be the system inviting the user to enter their username and password.

6

Reading the Password File

• The password file, where the system stores the data for verifying passwords, is very sensitive to attacks.

• In an insecure system the password file will be a list of passwords indexed by username. An attacker with access to this file has potential knowledge of every password.

7

Protecting the Password File

There are essentially two ways to secure the file:

1. Cryptographic protection

2. Access control over the file which is imposed by the operating system.

8

Cryptographic Protection

This makes use of a one-way function which is defined as follows:

A one-way function is a function f: X → Y such that

• given x in X it is “easy” to compute y = f(x) in Y

BUT

• given y in Y it is “difficult” to find an x in X such that y = f(x).

9

The password file is protected using a one-way function as follows:

1. The system receives the username and password (x) from the user.

2. It uses the one-way function on the password to transform it into a set of characters y = f(x).

3. The system does not store the password but instead stores y indexed by the username.

4. To verify a user, the system asks for the username and password (x’) and computes y’=f(x’).

5. If the value of y indexed by the username is the same as y’ then the user is authenticated.

10

Which function to use?

• The security of such a system relies on the one-way function used.

• In general the function should not be too efficient!

11

Password Salting

• This process overcomes certain problems associated with a large user base, where it is possible that two users may have the same password.

• Before the password is (encrypted and) stored, the system adds some “salt” such as appending the username. Now all passwords should be unique.
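The five verification steps and the salting idea above, worked through in code. This is an added example, not part of the slides: it uses PBKDF2-HMAC-SHA256 as the deliberately slow one-way function f, and a random per-user salt (an assumed choice, in place of the username the slide suggests) so that two users with the same password still get different stored values. The in-memory dictionary stands in for the password file.

```python
import hashlib
import hmac
import os

# Parameters for the one-way function. PBKDF2-HMAC-SHA256 with many iterations
# is deliberately slow, matching the point that f "should not be too efficient".
# The iteration count is an assumed value, not one from the slides.
ITERATIONS = 200_000
SALT_BYTES = 16

# The "password file": username -> (salt, y) where y = f(salt, password).
# Constructed in-memory stand-in for the real file; the password x is never stored.
password_file: dict[str, tuple[bytes, bytes]] = {}


def one_way(password: str, salt: bytes) -> bytes:
    """y = f(x): easy to compute forward, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Steps 1-3: receive x, add salt, compute y = f(x), store y indexed by username."""
    salt = os.urandom(SALT_BYTES)  # random per-user salt (assumed choice)
    password_file[username] = (salt, one_way(password, salt))


def verify(username: str, candidate: str) -> bool:
    """Steps 4-5: recompute y' = f(x') and compare with the stored y."""
    entry = password_file.get(username)
    if entry is None:
        # Unknown user: still run f so response time does not reveal
        # whether the username exists.
        one_way(candidate, b"\x00" * SALT_BYTES)
        return False
    salt, stored = entry
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(stored, one_way(candidate, salt))


def stored_values_differ(user_a: str, user_b: str) -> bool:
    """Salting check: same password for two users gives two different stored y values."""
    return password_file[user_a][1] != password_file[user_b][1]
```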

12

Alternative methods for authentication

There are many alternatives used. Some are for situations where risk is low and others where security is paramount.

• Something only you are likely to know, such as your mother’s maiden name, date of birth or postcode.

• Something you have, such as a credit card.

• Fingerprints, retina patterns, palmprints…

• Where you are - access may only be available in a secured area.

13

Authentication Failure

The system can fail in two ways:

1. It can accept an unauthorised user

2. It can reject an authorised user

14

Summary

By now you should be familiar with:

• The process of identification and authentication

• Threats such as password guessing and password spoofing and ways the user and the system can protect themselves against these threats

• Protection of the password file using a one-way function