1 Authentication. 2 Strong passwords Kerberos CHAP Digital Certificates Biometrics.

1

Authentication

2

Authentication

• Strong passwords

• Kerberos

• CHAP

• Digital Certificates

• Biometrics

3

Strong Passwords

• Minimum 6 to 8 characters in password

• At least one letter and one digit

• Case sensitive

• Avoid well-known substitutions

– 0 for letter ‘O’

– 2 for ‘to’

– 4 for ‘for’

– 5 for ‘S’

• Set expiration date for password
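As an added illustration (not part of the slides), a Python checker that applies the rules above: length, letter plus digit, and a dictionary check that first undoes the well-known substitutions. The word list and the choice of 8 as the minimum are assumptions made for the example.

```python
import string

# Constructed word list standing in for a real dictionary; a deployment would
# load a much larger one (assumption, not from the slides).
COMMON_WORDS = {"password", "secret", "welcome", "letmein", "football"}

# The substitutions the slide warns about, mapped back to what they replace.
# "2" and "4" stand for whole words ("to", "for"), the others for one letter.
LETTER_SUBS = {"0": "o", "5": "s"}
WORD_SUBS = {"2": "to", "4": "for"}

def normalize(password: str) -> str:
    """Undo the well-known substitutions so 'passw0rd' is judged as 'password'."""
    out = []
    for ch in password.lower():
        out.append(WORD_SUBS.get(ch) or LETTER_SUBS.get(ch, ch))
    return "".join(out)

def check_password(password: str, min_len: int = 8) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    Uses the stricter end (8) of the slide's 6-to-8 minimum."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    # Check both the whole string and the part before any trailing digits, so
    # 'passw0rd' and '5ecret2024' are both judged as dictionary words.
    if any(normalize(s) in COMMON_WORDS for s in (lowered, stripped)):
        problems.append("dictionary word once substitutions are undone")
    return problems

if __name__ == "__main__":
    for candidate in ["passw0rd", "5ecret2024", "abc", "Tr4vel-bike-91"]:
        print(candidate, "->", check_password(candidate) or "OK")
```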

4

Kerberos

• Developed at MIT in 1983

• Meant for internal networks

• Passwords are sent in cleartext

• Developed for authenticating users in a single or multi-server environment

• Current version # is 5

• Freeware (http://web.mit.edu/is/help/kerberos)

• Sets up a key for every specified service for the authenticated user

5

Kerberos

• How does authentication work?

– User logs in with userid and password

– User wants access to use a service (e.g. FTP)

– Request goes to an Authentication Server (AS) in encrypted form using the password of user

– AS verifies the user using the password associated with the userid

– AS sends two data items back to the user. One is encrypted with the user’s password and is called the Ticket. The other is encrypted with the requested service’s master key and is called the Session key.

6

Kerberos

• The user decrypts the ticket with their password to verify that the response came from the AS. Then the user creates an authenticator using their userid and a timestamp. Finally, the user encrypts the authenticator with the session key and sends it to the service. The service decrypts the information with its master key and identifies the authenticator. The user is then allowed to use the service.

7

Kerberos – Single service diagram

[Diagram: the Key Distribution Center, containing the Authentication Server (AS), the User, and the Service, with the four numbered message steps (1–4) of the exchange described on the previous slides.]

8

Kerberos

• The previous description is suited for a single-server single-service environment. For multi-server multi-service environment a different authentication process is used.

• Upon initial login, the user is automatically authenticated and a Ticket-Granting Ticket (TGT) is created. The user sends the TGT for any service needed to the Ticket Granting Server (TGS) and obtains the necessary key to access the service.

9

Kerberos

• Assumptions made by Kerberos systems:

– User has the correct password. Does not prevent a dictionary attack to guess the password

– Assumes physical security of all devices on the network

– Does not prevent denial of service attacks

– All authenticating devices must have their clocks synchronized in order for time stamps to match
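An added example, not from the slides, showing why the clock-synchronization assumption matters: the checks a service would make on the authenticator (userid plus timestamp) after decrypting it. The five-minute tolerance and the replay cache are assumptions of the example; the slides only state that clocks must match.

```python
# Assumption: a five-minute tolerance, a value commonly configured in Kerberos
# deployments; the slide only says that clocks must be synchronized.
MAX_CLOCK_SKEW = 300  # seconds

def validate_authenticator(auth: dict, ticket_user: str, now: float,
                           seen: dict) -> str:
    """Checks a service should make on a decrypted authenticator
    {"userid": ..., "timestamp": ...} before admitting the client.

    ticket_user is the userid carried in the ticket; `seen` maps
    (userid, timestamp) -> time first presented and acts as a replay cache.
    Returns "ok" or the reason for rejection.
    """
    if auth.get("userid") != ticket_user:
        return "userid does not match the ticket"
    ts = auth.get("timestamp")
    if not isinstance(ts, (int, float)):
        return "missing timestamp"
    # Clock-skew check: timestamps too far in the past or future are refused,
    # which is why every participating host must keep its clock in sync.
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return "timestamp outside allowed clock skew"
    # Forget cache entries whose timestamp has aged out of the window; the
    # skew check above would reject them anyway, so they cannot be replayed.
    for key in [k for k in seen if now - k[1] > MAX_CLOCK_SKEW]:
        del seen[key]
    key = (auth["userid"], ts)
    if key in seen:
        return "replayed authenticator"
    seen[key] = now
    return "ok"

if __name__ == "__main__":
    cache = {}
    fresh = {"userid": "alice", "timestamp": 1_000.0}
    print(validate_authenticator(fresh, "alice", 1_010.0, cache))  # ok
    print(validate_authenticator(fresh, "alice", 1_020.0, cache))  # replayed authenticator
```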

10

Challenge Handshake Authentication Protocol

• CHAP is a point-to-point protocol

• Used where hosts are connected to routers using switched circuits or dial-up lines

• Host asks the AS for permission to use CHAP

• AS responds with permission to use CHAP

• AS sends a challenge message to the host

11

Challenge Handshake Authentication Protocol

• The host selects a one-way hash function and hashes the message from the AS. The hashed value is sent to the AS, which calculates the same hash value using the same hash function. If the values match, the connection is maintained; otherwise it is terminated.

• Under CHAP, the AS periodically sends challenge sequences to verify the authenticity of the host
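An added example, not from the slides: the challenge/response round in Python, with the server issuing a fresh random challenge each time and refusing a reused response. The hash over identifier, secret and challenge follows the layout of PPP CHAP (RFC 1994), which specifies MD5; SHA-256 is substituted here as an assumption, and the shared secret is constructed.

```python
import hashlib
import hmac
import os

# Constructed shared secret; in CHAP it is configured on both the host and the
# authentication server and is never sent over the link.
SECRET = b"correct-horse-battery"

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Host side: one-way hash over identifier || secret || challenge, the
    layout of RFC 1994 (which uses MD5; SHA-256 here is an assumption)."""
    return hashlib.sha256(bytes([ident]) + secret + challenge).digest()

class ChapServer:
    """Authentication server that issues a fresh random challenge each round,
    so a captured response is useless for any later challenge."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.ident = 0
        self.pending = None  # challenge currently outstanding, if any

    def challenge(self) -> tuple:
        self.ident = (self.ident + 1) % 256
        self.pending = os.urandom(16)  # unpredictable and never reused
        return self.ident, self.pending

    def verify(self, ident: int, response: bytes) -> bool:
        if self.pending is None or ident != self.ident:
            return False
        expected = chap_response(ident, self.secret, self.pending)
        self.pending = None  # exactly one response accepted per challenge
        return hmac.compare_digest(expected, response)

def run_round(server: ChapServer, host_secret: bytes) -> bool:
    """One periodic re-authentication round as seen from the server."""
    ident, chal = server.challenge()
    return server.verify(ident, chap_response(ident, host_secret, chal))

if __name__ == "__main__":
    srv = ChapServer(SECRET)
    print("genuine host:", run_round(srv, SECRET))   # True
    print("wrong secret:", run_round(srv, b"wrong"))  # False
```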

12

Digital Certificates

• Issued by trusted third parties known as Certificate Authorities (CAs)

• Verisign is a trusted third party

• Used to authenticate an individual or an organization

• Digital Certificates are usually given for a period of one year

• They can be revoked

• They are issued at various security levels. The higher the security level, the more thoroughly the CA verifies the authenticity of the certificate seeker.

13

Digital Certificates

• Digital Certificates can be issued by anyone as long as there are people willing to believe them

• Major CAs are:

– Verisign

– GeoTrust

– BeTrusted

– Thawte

14

Digital Certificates

• Digital Certificates are part of the authentication mechanism. The other part is Digital Signature.

• When a user uses a digital signature, the user starts with their private key, encrypts the message and sends it. The receiver decrypts the message with the sender’s public key

• In traditional encryption, the sender encrypts the message with the receiver’s public key and sends it, and the receiver decrypts the message with their private key

15

Digital Certificates

• Additional authentication means used by CAs are:

– Security token

– Passive token

– Active token

– One time password

16

Digital Certificates

• Security token is usually a hardware device such as a Smart Card

• If the security token is a software token, it is usually associated with a particular workstation

• Security tokens use two-factor authentication using a password and a device (or an appropriate hardware identifier)

17

Digital Certificates

• A passive token is a storage device that holds multiple keys. The appropriate key is transmitted using the transmission device in use.

• Inexpensive to manufacture

• Sometimes an extra PIN is required to use the passive token

• Examples:

– Garage door opener

– ATM card

18

Digital Certificates

• An Active token does not transmit any data, unlike a passive token

• Active tokens create another form of the base key (such as one-time password) or an encrypted form of the base key

• Smart cards are commonly used for active tokens

19

Digital Certificates

• A one-time password is valid for a limited duration and for a single use

• Generated using a counter-based token or a clock-based token

• Counter-based token is an active token that generates a one-time password based on a counter in the server and the secret key of the user

• Clock-based token is an active token that generates one-time passwords based on the server clock
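As an added example (not from the slides), both token types in Python: the counter-based form as HOTP (RFC 4226, HMAC-SHA1 over the counter) and the clock-based form as the same computation over the current 30-second time step, plus the server-side counter handling that lets a token that was pressed unseen resync while burning already-used codes. The secret is the RFC 4226 test-vector key, used only so the outputs can be checked; the look-ahead window size is an assumption.

```python
import hashlib
import hmac
import struct
import time

# Constructed 20-byte secret shared by token and server (the RFC 4226
# test-vector key, chosen only so the results below are checkable).
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (HOTP, RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Clock-based one-time password: HOTP over the current time step, so the
    server's clock (not a shared counter) drives the value."""
    return hotp(secret, int(now // step), digits)

class CounterServer:
    """Server-side state for a counter-based token. The token may be pressed
    without the server seeing it, so a small look-ahead window is searched;
    the counter only moves forward, which invalidates every earlier code."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync and burn this and earlier codes
                return True
        return False

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))        # 755224
    print("TOTP now:", totp(SECRET, time.time()))   # changes every 30 s
```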

20

Biometrics

• Biometric authentication involves unique physical or behavioral characteristics of individuals

– Example: fingerprint, retinal scan, facial recognition

– Fingerprint authentication has matured as a reliable technology

– Retinal scan and facial recognition have yet to reach that level of reliability

21

Biometrics

• How does biometric authentication work?

– Take the example of the fingerprint. To authenticate a user, the biometric is used as a secondary validation tool.

– First, a database of fingerprints of valid users is built

– When access is needed to a facility or system, the user provides the fingerprint

– The fingerprint matching system uses numeric values of measurement based on ridges and valleys in the fingerprint. The user has to set an acceptable level of matching. Matching returns a percentage of successful mapping. Based on the level set, the fingerprint is considered matched or not. The system does not report the level of matching; rather, it provides a YES or NO answer for the match

– Authenticated user information is kept for audit trail

22

Biometrics

• Potential problems with Biometrics:

– False positives

• Means that an unauthorized person is granted access

• This can happen when the level of match expected is set low in the program

– False negatives

• Means that an authorized person is not granted access

• One possible reason is that the biometric might have changed since the data was input, such as surgery on a finger
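An added example (not from the slides) that makes the trade-off on the last two slides concrete: a yes/no decision at a match threshold, and the false-accept and false-reject rates that threshold produces over a set of constructed match scores. The scores are illustrative numbers, not measurements from any device.

```python
# Constructed match scores (percent of the fingerprint successfully mapped)
# for a handful of attempts; illustrative values, not real measurements.
GENUINE_SCORES = [92, 88, 75, 81, 69, 95]   # enrolled users presenting their own finger
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 35]  # other people's fingers

def decide(score: float, threshold: float) -> bool:
    """The YES/NO answer the slide describes; the caller never sees the score."""
    return score >= threshold

def error_rates(threshold: float, genuine: list, impostor: list) -> tuple:
    """False-accept rate (unauthorized person admitted: the slide's false
    positive) and false-reject rate (authorized person refused: false
    negative) at the given threshold."""
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr

def pick_threshold(genuine: list, impostor: list, max_far: float) -> int:
    """Lowest whole-percent threshold whose false-accept rate stays within
    max_far; lower thresholds admit impostors, higher ones reject more
    legitimate users, so this is the operator's tuning decision."""
    for t in range(0, 101):
        far, _ = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t
    return 100

if __name__ == "__main__":
    for t in (50, 72, 80):
        far, frr = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t}: false accept {far:.2f}, false reject {frr:.2f}")
    print("threshold with no false accepts:",
          pick_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))  # 72
```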

23

Biometrics

• Other forms of biometrics in use:

– Palm scan. This method uses the ridges and valleys in the entire palm in a manner similar to fingerprint.

– Retinal scan. This method uses an analysis of the blood vessels located at the back of the eye. Fairly reliable but time consuming.

– Iris scan. This method uses an analysis of the colored part surrounding the pupil in the eye. Not easy to use, especially with many people having contact lenses of various colors.

24

Biometrics

– Facial scan. This method uses an analysis of the contours of the face. Technically, a grown person’s facial contours do not change in spite of appearances such as a beard or aging. The skin is just a cover over the bones, so this scan uses the underlying bone structure. Reliability is not high.

– Signature verification. This method uses pattern recognition in matching a signature. Very reliable and easy to use but not secure, since signature forgery is hard to detect.

– Voice authentication. This method uses pattern recognition based on conversion of spoken words into digital signals based on speech characteristics. Fairly reliable but not widely used as it is difficult to control background noise for a highly reliable authentication.

25

Biometrics

• Advantages

– Second tier authentication tool

– Reliability can be enhanced in authentication

• Disadvantages

– Costly

– Time consuming at the point-of-use

– Bulky equipment may be needed at point-of-use

26

Security Scenarios to Solve

1. Biometric technology is constantly improving. Your manager has asked you to examine two different biometric technologies as authentication tools to access confidential data. Develop a report that identifies the equipment, suppliers, reliability, cost, ease of use (at data gathering time and at point-of-use). The report should be in a tabular form so that the manager can easily compare your research and make a decision.