Authentication ppt

Posted on 14-Jan-2015


Transcript of Authentication ppt

Authentication

Lecture 4, Prof. S.M.Chaware

Authentication

• Authentication is the binding of an identity to a principal.

• Network-based authentication mechanisms require a principal to authenticate to a single system, either local or remote.

• The external entity must provide information to enable the system to confirm its identity.

Basics continue…

• The authentication process consists of obtaining the information from an entity, analyzing the data and determining if it is associated with that entity.

• Authentication system components are –
  Set A – authentication information
  Set C – complementary information
  Set F – complementation functions
  Set L – authentication functions
  Set S – selection functions

Passwords

• A password is an example of an authentication mechanism based on what people know.

• The user supplies the password, and the computer validates it.

• Password space

• Verification => one-way hash function.

Authentication system for password

• Set A – characters (alphabets + digits + special characters) – 8 characters.

• Set C – one-way hash function to store the password in a file (UNIX – 13 characters), /etc/passwd.

• Set F – based on permutations of the DES; contains 4096 functions. – login, su.

• Set L – the system supplies the proper element of C.

• Set S – passwd, nispasswd.

Protecting passwords

• Hide enough information so that one of a, c or f cannot be found.

• Prevent access to the authentication functions L.

Attacking password system

• Dictionary attack
  – Type 1: compute f(g) for each f ∈ F; if f(g) is the complementary information for entity E, then g authenticates E under f.
  – Type 2: for l ∈ L, if l(g) returns true, then g is the correct password.

Countering password guessing

• P >= TG/N, where
  P – probability of guessing the password
  T – no. of time units
  G – no. of guesses / unit time
  N – no. of possible passwords
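The bound P >= TG/N is most useful turned around: given how long an attacker can guess (T) and how fast (G), it tells the defender how large the password space N must be, and therefore how long a password must be over a given alphabet. The following is an added worked example, not part of the lecture; the attacker figures (one year at 10,000 guesses per second, success probability capped at 50%) are constructed assumptions, and the 128-symbol, 8-character space from the password cracking slide is reused as a sanity check.

```python
"""Worked use of the guessing bound P >= T*G/N (added example; constructed inputs)."""


def guess_probability(time_units, guesses_per_unit, password_space):
    """Lower bound on the attacker's success probability P = T*G/N, capped at 1
    once the attacker has had time to try every password."""
    return min(1.0, time_units * guesses_per_unit / password_space)


def password_space(charset_size, length):
    """N for passwords of exactly `length` symbols drawn from an alphabet of `charset_size`."""
    return charset_size ** length


def required_space(time_units, guesses_per_unit, max_probability):
    """Smallest N that keeps the attacker's success probability at or below max_probability
    (rearrangement of the slide's inequality: N >= T*G/P)."""
    return time_units * guesses_per_unit / max_probability


def min_length(charset_size, time_units, guesses_per_unit, max_probability):
    """Smallest password length over the alphabet whose space reaches required_space.
    Uses an integer loop rather than logarithms to avoid floating-point rounding."""
    target = required_space(time_units, guesses_per_unit, max_probability)
    length, space = 0, 1
    while space < target:
        space *= charset_size
        length += 1
    return length


if __name__ == "__main__":
    # Constructed attacker model (assumption, not from the slides): one year of
    # online guessing at 10,000 guesses per second, kept below a 50% chance of success.
    T = 365 * 24 * 3600
    G = 10_000
    P_MAX = 0.5
    print("slide's 128^8 space equals 2^56:", password_space(128, 8) == 2 ** 56)
    for name, size in (("lowercase letters", 26), ("printable ASCII", 95)):
        print(f"{name}: minimum length {min_length(size, T, G, P_MAX)}")
```

With these inputs a lowercase-only password needs 9 characters while a full printable-ASCII password needs 6, which is the quantitative form of the later slide's advice to use characters other than just A–Z.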

User Authentication

• In-person identification

• Must be based on some knowledge shared only by the computing system and the user

• Three qualities to confirm the user’s identity
  1. something the user knows
  2. something the user has
  3. something the user is (biometrics)
  4. where the entity is (in front of)

• Two or more forms can be combined

Use of Passwords

• Password – a ‘word’ known to computer and user; agreed-upon codeword; length and format vary.

• Humans:
  – Short, memorable key (8 characters, 48 bits), directly or as key for a longer key

• Computers:
  – (Long) high-quality secret
  – Hidden key (encrypted by password), directly (e.g., hash of the password)

• Key versus passwords.

• Additional Authentication Information

Attacks on Passwords….

1. Try all possible passwords
2. Try many probable passwords
3. Try passwords likely for the user
4. Search for the system list of passwords
5. Ask the user

1. Exhaustive Attack – brute force attack: 5 * 10^12 passwords for 26 alphabets

2. Probable Passwords – think of a word
   Length 3 – 18.278 sec.
   Length 4 – 8 min.
   Length 5 – 3.5 hours
   Dictionary

3. Attacking systems via passwords – outsider, normal user, administrator.

Passwords Likely for a user

Count   Share   Password
15      0.5%    Were a single ASCII character
72      2%      Were two ASCII characters
464     14%     Were three ASCII characters
477     14%     Were four alphabetic letters
706     21%     Were five same-case alphabets
605     18%     Were six lowercase alphabets
492     15%     Words in dictionaries or lists of names
2831    86%     Total of all above categories

Password – something meaningful

Password guessing steps

– On-line: limit tries, alarm
– Off-line: dictionary attack

• No password
• The same as the user ID
• Is, or is derived from, the user’s name
• Common word list plus common names and patterns
• Short college dictionary
• Common non-English language dictionaries
• Short dictionary with capitalizations and substitutions (PaSsWorD)
• Complete English with capitalizations and substitutions
• Common non-English with capitalizations and substitutions
• Brute force, lowercase alphabets
• Brute force, full character set

Protecting password list file

• Problems:
  • OS is not divided, so all its modules have access to all privileged information
  • An intruder can dump memory at a convenient time to access it
  • File system can be relocated from a backup
  • Password file is a copy of a file stored on a disk

Encrypted Password File

• Password list is hidden by conventional encryption or one-way ciphers

• One-way encryption

• Salt – E(pw + saltB), and saltB is stored

• Indiscreet users – writing down or telling the password

Password Selection Criteria

• Use characters other than just A–Z – 6-letter word, one case – 100 hours; upper and lower – 2 years

• Choose long passwords

• Avoid actual names or words

• Choose an unlikely password – 2Brn2B or I10veu

• Change the password regularly

• Don’t write it down

• Don’t tell anyone else

Password Selection Criteria…..

• Some systems provide meaningful but pronounceable passwords (“bliptab” as “blaptib” or “blabtip”)

• Some systems ask the user to change the password. Why is the reminder process not good?

• Group A: 6 characters with at least one non-letter – 30% are easy to crack.
• Group B: based on passphrases – 10%.
• Group C: 8 randomly selected characters – 10%.

One-Time Password

• A one-time password is one that changes every time it is used

• System assigns a static mathematical function

• Also called challenge-response systems

• f(x) = x + 1
• f(x) = r(x)
• f(a1a2a3a4a5a6) = a3a1a1a4
• f(E(x)) = E(D(E(x)) + 1)
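The slide's functions such as f(x) = x + 1 illustrate the idea but are guessable from one observed exchange, so the server has to depend on a fresh challenge and a function an eavesdropper cannot evaluate. The exchange below is an added example, not code from the lecture: the "static mathematical function" is instantiated as HMAC-SHA256 over a shared secret (an assumption; the slide's own examples use a cipher E/D), and the class and method names are invented for illustration. It shows both sides of the protocol and the property that makes the password one-time: a captured (challenge, response) pair is rejected if replayed.

```python
"""Challenge-response one-time authentication (added example; constructed secrets)."""
import hashlib
import hmac
import secrets


def f(secret: bytes, x: bytes) -> bytes:
    """The slide's 'static mathematical function', here keyed: f(x) = HMAC-SHA256(secret, x).
    Without the secret an observer cannot compute f on a new challenge (assumption: HMAC stands in
    for the slide's E(D(E(x)) + 1) construction)."""
    return hmac.new(secret, x, hashlib.sha256).digest()


class Server:
    """Holds the shared secret, issues fresh random challenges and checks responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()        # challenges issued but not yet answered

    def challenge(self) -> bytes:
        x = secrets.token_bytes(16)      # fresh x per login attempt, never reused
        self._outstanding.add(x)
        return x

    def verify(self, x: bytes, response: bytes) -> bool:
        # A challenge answers exactly one login; an unknown or already-used x is a replay.
        if x not in self._outstanding:
            return False
        self._outstanding.discard(x)
        return hmac.compare_digest(f(self._secret, x), response)


class Client:
    """Knows the same secret and answers whatever challenge it is shown."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, x: bytes) -> bytes:
        return f(self._secret, x)


def run_login(server: Server, client: Client):
    """One complete exchange: server -> x, client -> f(x), server decides."""
    x = server.challenge()
    r = client.respond(x)
    return x, r, server.verify(x, r)


if __name__ == "__main__":
    key = b"constructed-shared-secret"      # constructed sample secret
    srv = Server(key)
    x, r, ok = run_login(srv, Client(key))
    print("genuine client accepted:", ok)
    print("replayed response accepted:", srv.verify(x, r))
    print("client with wrong secret accepted:", run_login(srv, Client(b"wrong"))[2])
```

Because verification consumes the challenge, the response is worthless to anyone who recorded it, which is exactly the difference between this scheme and a reusable password sent over the same channel.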

Password verification

• Store passwords in a file.
• Store hashed passwords in a file.

• Storing passwords
  – Per-node: /etc/passwd
  – Server: authentication storage server, retrieved by node (yp/NIS)
  – Facilitator: server says yes/no

• Salt – E(pw + saltB), and saltB is stored.
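The sets A, C, F, L and S from the "Authentication system for password" slide, the salt rule E(pw + saltB) from the "Encrypted Password File" slide, and the per-node password store on this slide all describe one mechanism. The following added example (not the lecture's code) puts them together: the stored complement c is (saltB, f(pw, saltB)), the selection function picks the salt and therefore the member of F, and the authentication function recomputes f and compares. PBKDF2-HMAC-SHA256 stands in for the slide's salted DES as the complementation function, which is an assumption, and the class and method names are invented.

```python
"""Sets A, C, F, L, S of the password-authentication model with a salted one-way function
(added example; the function choice and all names are assumptions)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Complement:
    """An element of C as kept in the password file: the salt and f(password, salt)."""
    salt: bytes
    digest: bytes


# Set F: the family of complementation functions, one member per salt value. The slides
# describe 4096 DES-based variants; PBKDF2-HMAC-SHA256 stands in here (assumption).
def f(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


class PasswordFile:
    """The per-node store (the slide's /etc/passwd). It holds elements of C only;
    the authentication information a in A is never written down."""

    def __init__(self):
        self._entries = {}            # user -> Complement

    # Set S: selection function (the slide's passwd) - enrols or changes a password.
    def select(self, user: str, password: str) -> None:
        salt = os.urandom(16)         # chooses which member of F protects this user
        self._entries[user] = Complement(salt, f(password, salt))

    # Set L: authentication function (login, su) - checks a against the stored c.
    def authenticate(self, user: str, password: str) -> bool:
        c = self._entries.get(user)
        if c is None:
            # Spend the same effort for an unknown account so timing does not reveal
            # which user names exist.
            f(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(f(password, c.salt), c.digest)

    def stored_digest(self, user: str) -> bytes:
        return self._entries[user].digest


if __name__ == "__main__":
    pf = PasswordFile()
    pf.select("alice", "correct horse battery")    # constructed sample credential
    pf.select("bob", "correct horse battery")      # same password, different salt
    print("alice logs in:", pf.authenticate("alice", "correct horse battery"))
    print("wrong password:", pf.authenticate("alice", "staple"))
    print("same password, different c:", pf.stored_digest("alice") != pf.stored_digest("bob"))
```

The last line of the demonstration is the point of the salt on the slide: two users with the same password get different complementary information, so a single precomputed table cannot be checked against the whole file at once, and the "protecting passwords" rule of hiding one of a, c or f is met by never storing a at all.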

Password cracking

• 128 choices.

• 8 characters => 128^8 = 2^56 possible passwords.

• 4 cases of success of password crackers:
  – Without using a dictionary of likely passwords.
  – Using a dictionary.
  – Without using a dictionary, from the hashed file.
  – Using a dictionary.

Other password issues

• Reuse of passwords.
• Social engineering.
• Keystroke logging software, spyware.
• Password cracking tools.

• Solution: use of biometrics.

Fixing flaws in the Authentication Process

• Challenge-Response systems

• Impersonation of Login

• Authentication other than Passwords – handprint detectors, voice recognizers, identifiers of patterns in the retina

Biometrics

• Efforts to find physical characteristics that uniquely identify people include the Bertillon cranial maps, fingerprints and DNA sampling.

• Biometrics is the automated measurement of biological or behavioral features that identify a person.

• Common features are fingerprints, voices, face and keystroke dynamics.

User selection of passwords

• Proactive password selection

• Passwords based on account names
  – Account name followed by a number
  – Account name surrounded by delimiters

• Passwords based on user names
  – Initials repeated 0 or more times
  – All letters lower- or uppercase
  – Name reversed
  – First initial followed by last name reversed.

Continue…

• Passwords based on computer names
• Dictionary words
• Reversed dictionary words
• Dictionary words with some or all letters capitalized.
• Patterns from the keyboard.
• Only digits
• Acronyms
• Dictionary words with all vowels deleted.
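A proactive password checker turns the rejection patterns on these two slides, plus the length and character-class advice from the "Password Selection Criteria" slide, into a test that runs at the moment the user picks a password, before the system ever stores it. The code below is an added example, not the lecture's; the word list, name list and keyboard rows are tiny constructed stand-ins for the dictionaries a real checker would load, and the function names are invented. It goes slightly beyond the slides by reporting every matched reason rather than only the first, which is what a user-facing checker needs.

```python
"""Proactive password checker for the patterns listed on the lecture's 'user selection of
passwords' slides (added example; word lists are constructed stand-ins)."""
import re

# Constructed stand-ins for the dictionary and name lists a real checker would load.
WORDS = {"password", "secret", "welcome", "dragon", "monkey", "letmein", "alice", "bob"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
VOWELS = "aeiou"
VOWELLESS_WORDS = {"".join(ch for ch in w if ch not in VOWELS) for w in WORDS}


def _keyboard_pattern(pw: str) -> bool:
    """True if the password is a run of four or more keys along one keyboard row,
    in either direction."""
    return len(pw) >= 4 and any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str, account: str, first_name: str, last_name: str) -> list:
    """Return the reasons the candidate is rejected; an empty list means acceptable.
    Assumes non-empty first and last names."""
    pw = password.lower()            # catches 'some or all letters capitalized'
    acct = account.lower()
    first, last = first_name.lower(), last_name.lower()
    initials = first[0] + last[0]
    reasons = []

    # Based on the account name: followed by digits, or surrounded by delimiters.
    if re.fullmatch(re.escape(acct) + r"\d*", pw) or \
       re.fullmatch(r"\W*" + re.escape(acct) + r"\W*", pw):
        reasons.append("based on account name")

    # Based on the user's name: name or reversed name, initial + reversed last name,
    # or the initials repeated.
    name_forms = (first, last, first[::-1], last[::-1], first[0] + last[::-1])
    if pw in name_forms or (len(pw) >= 2 and pw == initials * (len(pw) // len(initials))):
        reasons.append("based on user name")

    # Dictionary-derived: plain, reversed, capitalized (already lowercased), trailing
    # digits stripped, or with the vowels deleted.
    core = pw.strip("0123456789")
    if core in WORDS or core[::-1] in WORDS:
        reasons.append("dictionary word (possibly reversed or capitalized)")
    elif core in VOWELLESS_WORDS:
        reasons.append("dictionary word with vowels deleted")

    if pw.isdigit():
        reasons.append("only digits")
    if _keyboard_pattern(pw):
        reasons.append("keyboard pattern")

    # Selection criteria: length, and characters other than just letters of one case.
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"[^A-Za-z]", password)):
        reasons.append("needs mixed case and a non-letter")
    return reasons


if __name__ == "__main__":
    for candidate in ("alice42", "drowssaP1", "psswrd", "qwertyui", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "alice", "Alice", "Smith") or "ok")
```

Running the demonstration shows the account-name, reversed-dictionary, vowel-deleted and keyboard cases each rejected for the listed reason, and only the last candidate accepted.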

Guessing through authentication functions

• Solution: Backoff techniques
  – Exponential backoff
  – Disconnection
  – Disabling
  – Jailing

Backoff techniques

• x – parameter selected by the system administrator.

• Waits for x^0 = 1 sec before reprompting for name and authentication data.

• If authentication fails again, waits for x^1 = x sec.

• After n failures, waits for x^(n-1) sec.

Other techniques

• Disconnection – after some number of failed authentication attempts, the connection is broken.

• Disabling – the account is disabled until a security manager can re-enable it.

• Jailing – the unauthenticated user is given access to a limited part of the system and is gulled into believing that he/she has full access. The jail records the attacker’s actions.
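The three slides on backoff, disconnection and disabling describe one server-side policy for slowing down guessing through the authentication functions. The following added example (not the lecture's code) implements that policy as a login guard: the delay before the n-th reprompt is x^(n-1) with the administrator-chosen x, every `disconnect_after` consecutive failures the connection is dropped, and after `disable_after` failures the account is disabled until `reenable` is called by an administrator. The class, the thresholds and the per-account log are assumptions; the guard returns the action to take rather than sleeping, so it can be driven by a test or by a real login loop.

```python
"""Exponential backoff, disconnection and disabling for failed logins
(added example; class names and thresholds are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0                 # consecutive failures, survives disconnection
    disabled: bool = False
    log: list = field(default_factory=list)


class LoginGuard:
    def __init__(self, x: float = 2.0, disconnect_after: int = 3, disable_after: int = 10):
        self.x = x                              # backoff base chosen by the administrator
        self.disconnect_after = disconnect_after
        self.disable_after = disable_after
        self._accounts = {}                     # user -> AccountState

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def backoff_delay(self, failures: int) -> float:
        """Seconds to wait before the next prompt: x^0 = 1 after the first failure,
        x after the second, ..., x^(n-1) after n failures."""
        return self.x ** (failures - 1) if failures > 0 else 0.0

    def attempt(self, user: str, ok: bool) -> dict:
        """Record one authentication attempt and return the server's action:
        allow, reprompt (with delay), disconnect (with delay), disable, or disabled."""
        st = self._state(user)
        if st.disabled:
            return {"action": "disabled", "delay": 0.0}
        if ok:
            st.failures = 0
            return {"action": "allow", "delay": 0.0}
        st.failures += 1
        st.log.append(f"failed attempt {st.failures} for {user}")
        if st.failures >= self.disable_after:
            st.disabled = True                  # stays disabled until a security manager acts
            return {"action": "disable", "delay": 0.0}
        action = "disconnect" if st.failures % self.disconnect_after == 0 else "reprompt"
        return {"action": action, "delay": self.backoff_delay(st.failures)}

    def reenable(self, user: str) -> None:
        """Security manager clears the disabled flag and the failure count."""
        st = self._state(user)
        st.disabled = False
        st.failures = 0

    def failure_log(self, user: str) -> list:
        return list(self._state(user).log)


if __name__ == "__main__":
    guard = LoginGuard(x=2.0, disconnect_after=3, disable_after=5)
    for _ in range(5):                          # constructed run of wrong passwords
        print(guard.attempt("carol", False))
    print(guard.attempt("carol", True))         # still disabled
    guard.reenable("carol")
    print(guard.attempt("carol", True))         # allowed again
```

With x = 2 the delays grow 1, 2, 4, 8 seconds, the third failure drops the connection, and the fifth disables the account; counting failures across connections is what stops an attacker from resetting the backoff simply by reconnecting.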

Summary

• Memory protection – fence, base-bound register, tagged architecture, paging, segmentation

• File protection – three- or four-level format, user-group-all

• Access control in general – access control matrix, per-object or per-user basis

• User authentication – password protection

Qu. On OS Security

1. Explain different methods for memory and address protection (183)
2. Compare Segmentation with Paging (193)
3. Explain different methods to be used to protect objects (196)
4. Explain various schemes for file protection (205)
5. Explain ways to determine a user’s password (212)

Qu. On OS Security

6. Explain how a fence register is used for relocating a user's program. [MAY-05/IT/5M]
7. Explain why asynchronous I/O activity is a problem with many memory protection schemes, including base/bounds and paging. Suggest a solution to the problem. [MAY-05/IT/7M]
8. Discuss several guidelines for password selection (218)

Qu. On OS Security

9. Authentication means proving identities between entities, which happens in different layers of the network protocol stack for different reasons. Identify these entities and state them.
10. How does the OS protect files in main memory and on a secondary device?
11. Discuss any two techniques of memory and address protection.
12. Explain the use of temporal separation and physical separation for security in a computing environment.

Qu. On OS Security

13. (a) Why is user authentication required?
    (b) What techniques are used for authentication?
    (c) What are the flaws in the user authentication process?
    (d) Suggest controls over them.

14. Consider a program to accept and tabulate votes in an election. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm?