AuthenticationWho’s There?

Nicholas A. DavisInformation Systems 365

University of Wisconsin-Madison

Today’s Chocolate Bar• Baby Ruth• Created in 1920 by the Curtiss

Candy Company, in Chicago, now made by Nestle

• Originally named Kandy Kake• Named after President Grover

Cleveland’s daughter, Ruth Cleveland, not after baseball player, Babe Ruth

Passwords – Reading Discussion

• Define the root of a password?• Define the appendage of a

password• ! % & $ _zipcode have gotten too

easy for password crackers• Mix upper and lower case in the

middle of password• Put the appendage in the middle of

your root

University Networks -- Reading

• Centralized vs. decentralized

• Faculty and Staff demand freedom

• Central data handling policies are weak

• What should universities do to make their network more secure?

Overview• Authentication defined• Different types of electronic authentication factors• Username and Password• Dialog Spoofing Authentication Attacks• One Time Password devices (OTP), how they work and don’t work• Biometrics• Digital Certificates• Existing devices which can be used for authentication, Blackberry, Mobile Phone• Shared Secret/Ticket based authentication systems• Knowledge Based Authenticaition• The Initial Credentialing Challenge• Review of Key Concepts• Who is to Blame For This Authentication Mess?• SSO Authentication, the realities• Federated Authentication• Wireless Authentication issues• Remaining Issues With Authentication• What Does the Future Hold?

Authentication Defined“Electronic authentication provides a level

of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authenticationplays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.”

Authentication Factors

• Three types of electronic authentication

• Something you know – username/password

• Something you have – One time password device

• Something you are – Voiceprint or retinal scan

Single Factor vs. Multifactor vs Dual Factor

• Single Factor – Using one method to authenticate.

• Dual Factor – Using two different types of authentication mechanism to authenticate

• Multifactor – Using multiple forms of the same factor. (Password + identifying an image)

• Some people claim multi factor is just a way around industry regulations. Good test is to ask, could I memorize both of these?

Username and Password - Benefits

• Most widely used electronic authentication mechanism in the world

• Low fixed cost to implement and virtually no variable cost

• Fairly good for low assurance applications

• No physical device required

Username and Password - Drawbacks

• Can be easily shared on purpose

• Can be easily stolen via Shoulder Surfing, Keyboard Logger Packet Sniffer

• Can be guessed• Can be hard to

remember• Password code is

easy to hack• Video 3

If You Choose to Use Passwords..

• Be as long as possible (never shorter than 6 characters).

• Include mixed-case letters, if possible. • Include digits and punctuation marks, if possible. • Not be based on any personal information. • Not be based on any dictionary word, in any

language. • Expire on a regular basis and may not be reused• May not contain any portion of your name,

birthday, address or other publicly available information

Dialog Spoofing Authentication Attacks

• The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester”

• Dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use

One Time Password Devices Demystified

• Have an assigned serial number which relates to user-id. For example, ndavis = serial QB43

• Device generates a new password every 30 seconds

• Server on other end knows what to expect from serial QB43 at any point in time

One Time Password Devices

• Time based• Event based• Sold by RSA,

Vasco, Verisign, Aladdin, Entrust and others

• How can event based OTPs be defeated?

Entrust Identity Guard Can Be Beaten With a Photocopier!

One Time Passwords - Benefits

• Provides true Dual Factor authentication, making it very difficult to share

• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed

• Coolness factor!

One Time Passwords - Drawbacks

• Cost!• Rank very low on

the washability index

• Uncomfortable• Expiration• Battery Life• Can be forgotten

at home• Video 1

Biometrics

• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint

Biometrics Benefits

• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like and OTP device

• Absolute uniqueness of authentication factor

• Coolness factor

Biometrics Drawbacks

• Cost• Complexity of

Administration• Highly invasive• Not always

reliable – false negatives

• Not foolproof• The Gummi Bear

thief!

Other Biometric Methods and Associated Issues

• comparing the face with that on a passport photograph

• fingerprints • DNA fingerprinting • Iris scan • Retina scan • other biometrics • signature • Birthmarks - May be duplicated cosmetically • Dentition - Identity may be mistaken by lack of or

falsification of dental X-ray records

Today’s Agenda

• Collect homework!

• Look at a few password cracking tools, demonstrating why username and password is weak!

• Finish lecture on Authentication!

• Class Discussion!

• Maybe Start Lecture on Cryptography!

Today’s Chocolate Bar! - Twix• Made by Mars• Called “Raider” in Europe until 1991• First produced in the UK in 1967• Introduced to the US in 1979• Twix, Peanut Butter Twix, Cookies –

n- Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc –n- Orange Twix

• Not suitable for strict vegetarians!

Digital Certificates

• A digital passport, either contained on a secure device, or on a hard disk

• Secured with a password, making them truly a dual factor solution

• Can be used to authenticate machines as well as humans

Digital Certificate Benefits

• True Dual Factor Authentication

• Low variable cost to produce

• Can contain authorization data as well as authentication data

Digital Certificate Drawbacks

• High fixed cost to build initial infrastructure

• Can be copied and shared if not properly stored

• Expiration

• Often require access to an interface such as a card reader of USB port, not always available at kiosks

Taking Advantage of Existing Technology

• Your mobile phone can serve as a powerful dual factor authentication device

Shared Secret Based Authentication Mechanisms

• Kerberos • Needham-Schroeder protocol • Secure Shell • Encrypted key exchange (EKE) • Secure remote password protocol (SRP) • Closed-loop authentication • RADIUS • Diameter (protocol) • HMAC • EAP • Authentication OSID • CAPTCHA • Java Authentication and Authorization Service • Chip Authentication Program

Knowledge Based Authentication

• Authenticates the user via verification of life events, usually financial in nature, such as:

• Looks great at first!• However, most of this is

public information and that which isn’t public can be easily stolen

• The credit reports on which this knowledge based authentication is based are often contain factual errors

• Cost!

Initial Credentialing• The verification of an individual’s or

machine’s identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application)

• An authentication credential is only as trustworthy as the underlying credentialing process

• SSN# often serves as base identifier• What do you think about that?• Can you think of a more secure base

identifier than SSN#? When would It have to be assigned and by whom?

Key Concepts

• Current online authentication techniques are weak at best: Most rely on multiple single factors

• Credentials are easily stolen from consumers and rarely change

• Lack of consistency in authentication processes confuse consumers

Who Is to Blame For the State of Digital Authentication?• No individual contributor is at fault• This is really a failure of multiple parties• OS Providers• Browser Providers• Financial & Commerce • Software Providers• Security Vendors• The Financial and Commerce Institutions

It All Starts With a Better OS

• OS Must have security/auth services baked-in

• Must not rely on 3rd party applications to enforce security/auth processes

• Best position within the consumer access stack to enforce consistency

Unified Browser and Web Design Standards Needed

• The Internet access browser must contain consistent security/auth processes and indicators for consumers

• Must not try and re-invent the security wheel continuously

• This is usually why users pick weak passwords – to preserve their sanity and avoid “token necklace” or “fat wallet syndrome”

Single Sign On (SSO), More like RSO

• Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to enter the same id and password to logon to multiple applications within an enterprise.

• True SSO is rare, but Reduced Sign On is quite workable

Single Sign On Benefits

• Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise

• End to end user audit sessions to improve security reporting and auditing

• Removes application developers from having to understand and implement identity security in their applications

• Usually results in significant password help desk cost savings

Document Authentication

• Humans and machines are easy to authenticate, but what about documents?

• Digital certificates to the rescue• A digital signature, generated by a

private key can prove who authored the document and can verify that the contents have not been altered from their original form

Authentication Federation

• The average user today interacts with all sorts of social, business, financial and government agencies digitally.

• Each of these requires their own id and password as user authentication.

• As a result, the user is increasingly frustrated with:

• Having to remember multiple user id and passwords

• Providing more identity information than they would otherwise chose to each entity

Authentication Federation

• Allows transitional trust among institutional membership

• For example, If Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc.

• Hard to enforce credentialing standards• Relies a LOT on trusting that the other

institution did the right thing

Wireless Authentication

• Wiring actually provides an additional layer of protection, requiring physical access

• Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access

• Authenticate with username/password + MAC address, for example.

• Put the wireless network on a firewalled subnet• WPA is better than WEP, but not the answer to

everything.• “Opportunity to Authenticate” is the principle to

keep in mind here as the most serious threat…

Securing Wireless Network Authentication

• All wireless LAN devices need to be secured, MAC address, static IP address, secure subnet, etc.

• All users of the wireless network need to be educated in wireless network security

• All wireless networks need to be actively monitored for weaknesses and breaches

Wireless is Still Too New to Be Trusted

• Too many competing protocols, each of which can have its own set of security risks

• WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI…The list goes on!

Remaining Issues With Authentication

• Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue

• Currently, when we send email, we simply trust that george.bush@whitehouse.gov really is the President…This isn’t sufficient

• We need a method to lookup people in a trustworthy manner

• Trusted and centralized LDAP to the rescue!• Sadly, inter-organizational trusted LDAP access

isn’t used.

The Best Solution is a Hybrid Solution• No, not that kind of

hybrid! Way overused term

• Passwords can be guessed or hacked

• Physical devices can be stolen

• Biometrics are costly and unreliable

• Use a mix of the above technologies to achieve the best authentication security

• Audit, Audit, Audit!!!

What Does the Future Hold?

• Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”?

• Benefits of a federal digital identity system?

• Drawbacks of a federal digital identity system?

• How do you feel about the current state of electronic authentication systems?