Identity Authentication
-
Upload
shradha-chougule -
Category
Documents
-
view
232 -
download
0
Transcript of Identity Authentication
-
8/2/2019 Identity Authentication
1/64
Identity Authentication
Dr. Ron Rymon
Efi Arazi School of Computer ScienceComputer Security Course, 2010/11
Pre-requisites: Basic Cryptography
-
8/2/2019 Identity Authentication
2/64
Overview
Identity Authentication Principles
Passwords
Challenge-ResponseZero Knowledge Identification Protocols
Authentication Using Physical Devices
Biometrics
-
8/2/2019 Identity Authentication
3/64
Identity Authentication
Principles
Main Source: Menezes et al
-
8/2/2019 Identity Authentication
4/64
Main Objectives
If Alice and Bob are both honest, then Aliceshould be able to successfully authenticate herselfto Bob, and vice versa (correctness)
Charles cannot present himself as Alice to Bob(impersonation)
Bob cannot utilize an identification exchange withAlice to impersonate Alice to a third party Charles(transferability)
-
8/2/2019 Identity Authentication
5/64
Stronger Requirements We require also that all three requirements (correctness,
impersonation prevention, and protection againsttransferability) hold even if Charles was exposed to a large number of previous
authentication exchanges between Alice and Bob
even if Charles has participated in a large number of authenticationexchanges with either or both Alice and Bob
even if Charles is allowed to run a large number of concurrentauthentication attempts
Zero Knowledge protocols require further that even manyexecutions of an authentication protocol provide NOINFORMATION to adversarial impersonator
-
8/2/2019 Identity Authentication
6/64
Basis of Identification (Factors) Something you know
Passwords, PINs, Secret or key
Something you possess Physical devices: magnetic cards, smart cards, tokens, bluetooth,
password generators, cellphones
Something you are Biometrics (fingerprints, iris recognition, voice, handwriting),
keyboarding characteristics
Others Someplace you are (e.g. GPS location) Some way you behave
Ideally, more than one factor (Two-factor authentication)
In some applications real-time identification is required
-
8/2/2019 Identity Authentication
7/64
Properties of ID Methods & Protocols
Reciprocity of authentication
Complexity Computational efficiency
Communication efficiency Cost
Use of third party Whether a third party is needed
Whether a third party is needed in real-time Nature of trust required from third party
What security guarantees are made False positive and false negative
How and where secrets and keys are kept
-
8/2/2019 Identity Authentication
8/64
Passwords
(weak authentication)
Main source: Menezes et al
-
8/2/2019 Identity Authentication
9/64
Passwords
String of 6-8 characters that allows identification
Fixed password/PINs, one-time passwords
something you know
Properties No reciprocityonly unilateral identification
Low complexityvery efficient, both computationally
and communication-wise
Usually, no third party is used (exception: SSO)
Key is usually kept by user in memory, and by system
in a password file
-
8/2/2019 Identity Authentication
10/64
Fixed Passwords Attacks
Replay attacks Observe typing, find written or in another system, key loggers
Eavesdropping on a cleartext or hashed communication channel
Exhaustive search Randomly or systematically trying passwords against online
verifier Offline search against password fileenough that one user chose
a weak password
Password guessing or Dictionary attack Assumes that not all passwords are equally likely
Attack password distribution Some systems come with fixed out-of-the-box passwords
Many tools for password cracking/auditing http://www.password-crackers.com
Wireless key logger
-
8/2/2019 Identity Authentication
11/64
Example: Focused Dictionaries
Use variations on related words
-
8/2/2019 Identity Authentication
12/64
Password Space
Entropy
(log 2)
Time
To Search
(5000/sec)
n 26
lowcase
36
alphanum
62
mixed case
95
keyboard
5 23.5 25.9 29.8 32.9
6 28.2 31.0 35.7 39.4
7 32.9 36.2 41.7 46.08 37.6 41.4 47.6 52.6
n 26
lowcase
36
alphanum
62
mixed case
95
keyboard
5 0.67hr 3.4hr 51hr 430hr
6 17hr 120hr 130dy 4.7yr
7 19dy 180dy 22yr 440yr
8 1.3yr 18yr 1400yr 42000yr
-
8/2/2019 Identity Authentication
13/64
Password Space Conclusions
Short, letters-only, passwords are easily breakable Adding to the alphabet is important
Adding to password length is important
Easier password spaces A password from a lower-entropy space (dictionary) reduces the
(expected) size of the search space
Simpler password comparison functions allow more trials persecond
In a simultaneous password file attack, it is enough thatone password is weak
Choose longer random passwords !
-
8/2/2019 Identity Authentication
14/64
Fixed Passwords Security
Many systems enforce password rules Goal: high-entropy passwords
Usually, syntactic and procedural rules
Password must have at least 8 characters
Password must include digits and special characters Password should not have a meaning (generators of pronounceablebut long and not meaningful passwords)
Must change password every 30 days
Cannot repeat same password in multiple systems
Encrypted password files Goal: avoid making the pwd file itself a target, e.g., to internal staff
Usually, password is not encrypted using symmetric key, but ratherusing a one-way hash function
e.g., Alices password is stored as h(Alice,pwd)
-
8/2/2019 Identity Authentication
15/64
Fixed Passwords Security (cont.)
Slow down password mapping Goal is to limit the use of exhaustive search programs, and
hardware implementations
Usually achieved by recursively applying a simple hash function
Must be acceptable to legitimate users, e.g., one second
Salting Goal: limit use of simultaneous dictionary attack
Add a few bits to the password before hashing
Usually, a time stamp or something based on the user id Unix takes timestamp-based salt, Novells Netware takes server-
assigned user ID
Salt is kept in cleartext in password file
-
8/2/2019 Identity Authentication
16/64
Example: Unix Passwords
Unix keeps all passwords in a password file, /etc/passwd
The user password serves as key to encrypt 64 zero bits,and the ciphertext is kept
First 8 characters are used, padded with 0s if needed, andonly first 7 bits of each taken to a create a 56-bit DES key
modified
DES0000ciphertext
truncated/padded
user password
-
8/2/2019 Identity Authentication
17/64
Example: Unix Password (cont.)
Cryptographically, note that the algorithm isknown and the plaintext is known
DES is repeated 25 times, to slow down breaker
Password is salted 12 randomly chosen bits from system clock are used to
salt the password. They are used in the DES expansionfunction
Thus, 212=4096 variations need checked in anysimultaneous dictionary attack
Because of the internal change to DES, one cannot useoff-the-shelf DES hardware
-
8/2/2019 Identity Authentication
18/64
Case Study: Password Cracking (Wu)
Tried to crack passwords of 25,000 corporate Kerberos users
In two weeks, using 8 Sun machines, broke 2,045 passwords
Only 4% used at least one non-alphanumeric character
86% did not require using the shift key
Some accounts used dates, telephone numbers
Some passwords were common to more than one account 24% were combinations of two words
25% resulted from simple transformations of single words, e.g.,capitalizing, reversing, or doubling of a word
Lowercasing a word was the most common transformation
1 was the most common suffix/prefix
Length 2 3 4 5 6 7 8 9 10 >10
Percent 0.1 0.6 3.8 7 11 8 54 8 4.5 3
-
8/2/2019 Identity Authentication
19/64
-
8/2/2019 Identity Authentication
20/64
Personal ID Number (PIN)
Usually used as a something you know in conjunctionwith a something you possess Most often, a credit card or ATM card
Typically short (4 digits), so that can be memorized
To prevent exhaustive search, account is locked and/orcard is confiscated after 3-4 unsuccessful trials
To enable use of offline machines, the PIN may be stored
on the card, sometimes encrypted by a master key
This is a form of two-stage authentication, where thesecond high-entropy key is stored on the card
-
8/2/2019 Identity Authentication
21/64
Passphrases and Passkeys
Passphrasecan serve as a long password E.g., this will let me to the dark side of the moon
Pros: long;
Cons: usually simple words and phrases, so effective search spaceis notvery large
Or, a passphrase/sentence can be mapped to a pseudo-random key (passkey) The passkey can then be used as a regular symmetric key, e.g., to
encrypt communication
A userid-based salt may also be added
A running counter may be added to the password to obtain a time-variant passkey
Example: WPA Passphrase is concatenated with SSID and then hashed 4096 times
to create a symmetric key
-
8/2/2019 Identity Authentication
22/64
One-time Passwords
A solution against eavesdropping and replayattack
Option 1: shared list of one-time passwords
Use password i+k after password i (k can be randomlyagreed in real-time)
Or, Sequentially updated one-time passwords
New password i+1 is agreed after first authenticatingwith password i
E.g., use a one-way hash function to create a sequence Lamport: Pi= H(Pi+1), where H is a OWF
Note 1: authentication requires a counter
Note 2: it would not be secure if sequence was going forward
-
8/2/2019 Identity Authentication
23/64
Graphical Passwords
Select certain points in a picture
Image can be user-specific
Password=points and click order
To protect from shoulder surfing
Do not select points themselves
Rather, select triangles that contain them
Icons are reordered between selections
-
8/2/2019 Identity Authentication
24/64
Knowledge of Personal History
Example: In which of the following addresses did you live in the past (or
none of the above)
Which of these places have you visited in the past
What is last transaction made on your credit card
Requires knowledge of a persons history, normally within acertain area
Can serve for a first time authentication (assuming access tohistory data)
Used by service providers in the credit card industry, e.g., creditbureaus, or new credit grantors
Security is reasonable but not substantial, as adversary mayknow or collect information about target
-
8/2/2019 Identity Authentication
25/64
Challenge-Response
Identification
(strong authentication)
Main source: Menezes et al
-
8/2/2019 Identity Authentication
26/64
Challenge-Response
(The Bad Version) In enterprise and web applications, it is common to ask
users to provide one or more pairs of questions andanswers E.g., Q: Name of my dog, A: Saddam
When the user forgets her password, she canauthenticate herself to the system using these questions(and reset her password)
This is a variation on passwords and is considered veryweak authentication Questions are often trivial, with a small set of possible answers,
and the answer may be known to someone who knows the person
-
8/2/2019 Identity Authentication
27/64
Cryptographic Challenge-Response
Protocols
Structure: Alice wishes to authenticate to Bob Bob sends Alice a challenge
Alice responds to the challenge
Bob verifies the answer
Parties may use time-variant parameters (confounders) forfreshness Confounders are good against replay attacks, chosen-text attacks
Examples: timestamps, random numbers, sequence numbers, other
one-time numbers (nonces), Generated by one party, and then the other party cryptographically
bindsresponse to this number to ensure freshness
-
8/2/2019 Identity Authentication
28/64
Challenge-Response with
Symmetric Keys Parties may have agreed apriori on a key, or a key may be
provided by trusted server e.g., KDC protocols like Kerberos, Needham-Schroeder
Example 1: one way authentication using a time-stamp Alice authenticates herself to Bob by sending an encryption of her
own time-stamp, using the shared key, EK(tA)
Better yet, Bob sends Alice a challenge tB and she responds EK(tB)
Problem: Eve can get Alice to encrypt a chosen text
So Alice may add a random number and/or her own identifier, e.g.,EK(tB, rA,Alice4Bob).
Example 2: using random numbers First, Bob sends to Alice a random number rB
Then, Alice sends to Bob EK(Alice4Bob, rB)
-
8/2/2019 Identity Authentication
29/64
Mutual Authentication with
Symmetric Keys
Mutual authentication requires one more step (can be donewith either timestamps or random numbers)
Challenge: rB
A Response: EK (rA , rB ,AlBo)
B Response: EK (rB , rA)
A variation on this authentication could also work withHMAC instead of encryption E.g., when encryption is not available (e.g., export restriction)
-
8/2/2019 Identity Authentication
30/64
Challenge Response with
Public Keys To authenticate herself, Alice must show knowledge of her private key
Can decrypt a challenge that was encrypted using Alices public key
Or, sign digitally the challenge
Potential issues with digitally signing a challenge
Bob may ask Alice to sign a fraudulent message (pay Bob) Cannot use fixed certificate for risk of replay attack
Solution: use a nonce to foil chosen-text attack in authentication, and a
timestamp to limit lifespan of possible attack
Challenge: H(rB),Bob,EPubA(rB,tB,Bob)
Response: rB
Or, have Alice sign same using her private key
-
8/2/2019 Identity Authentication
31/64
X.509 Mutual Authentication
Use private/public keys to encrypt/prove and vice versa Use random nonces, time stamps, and public data (certificates)
Alice,EPrivA(rA,tA,Bob,XA,EPubB(YA))
Bob,EPrivB(rB,tB,Alice,rA,XB,EPubA(YB))
EPrivA(rB))
Public data (Xs) can be a certificate that contains the public keyof the user, and are themselves signed by a CA
The Ys correspond to secret information, which may be keys
(Kab and Kba) or key exponents for a key exchange
The third step is required if it is difficult to synchronize clocks,and with it timestamps need not be checked
-
8/2/2019 Identity Authentication
32/64
Defenses Against Attacks on
Challenge-Response
Replay attack
Use nonces, embed target identity in response
Interleaving attack
Chaining protocol messages
Man-in-the-middle attack
Mutual authentication to foil adversary impersonating system
Reflection attack
Embed target identity, use uni-directional keys
Chosen text attack
Use confounder in each message
Use Zero-knowledge protocols
-
8/2/2019 Identity Authentication
33/64
Zero-Knowledge
Identification Protocols
Main source: Menezes et al
-
8/2/2019 Identity Authentication
34/64
Overview
Passwords may reveal Alices secret to Bob, who may thenimpersonate her
With challenge-response protocols, Alice only revealsknowledge of the secret But, a strategic adversary may choose challenges that would reveal
some aspects of this secret (or may choose from availableinteractions)
ZK protocols allow Alice to prove knowledge of the secret
without fearing that she may be providing anyone (Bobincluded) with any information about it
Note: RSA is also ZK, but most ZK protocols are moreefficient than RSA
On the other hand, they cannot be used for encryption/signature
-
8/2/2019 Identity Authentication
35/64
ZK Properties and General Structure
Required ZK properties Completeness: all legitimate parties succeed Soundness: non-legitimate parties cannot succeed
(actually: chances to succeed are arbitrarily small)
ZK: the exchange does not reveal the secret
A typical ZK protocol consists ofn iterations Alice presents Bob a witness of her secret (commitment)
Bob presents a challenge to Alice
Alice responds to the challenge Bob checks that the answer is correct
Probability of Alice cheating in each iteration < 1
After n iterations, to get arbitrarily small probability
-
8/2/2019 Identity Authentication
36/64
Example: Isomorphic Graphs
G1 is isomorphic to G2 iff there is a vertex mapping Really, G2 is just a permutation of the names of G1 nodes
No known polynomial algorithm to reverse engineer
Proposed ZK Protocol
Alice chooses G1, and creates G2 that is isomorphic (using P1) The graphs G1,G2 are public key, P1 is secret
Witness: Alice generates G3 that is isomorphic to G1 (using P2)
Bob chooses Gi randomly and requires Alice to show mapping
Alice responds
If G1, then the mapping is the generating permutation (P2)
If G2, then the mapping requires applying both permutations (P1oP2)
Note: Someone who didnt know P1 could have cheated in half the cases
When run n times chances of cheating is exponentially low
-
8/2/2019 Identity Authentication
37/64
The Fiat-Shamir ZK Protocol
Setup Trusted server chooses n=pq, primes
Alice selects a secret s
-
8/2/2019 Identity Authentication
38/64
Properties of ZK Protocols
No degradation of the protocol with usage
No information is revealed in polynomial runs
Compared with Symmetric keys or HMAC Resist chosen-text attacks
Compared to Public-Key
Lower computation costs Usually higher communication costs (# of iterations)
Relies on same unproven math assumptions
-
8/2/2019 Identity Authentication
39/64
Authentication Using
Physical Devices
-
8/2/2019 Identity Authentication
40/64
Using Physical Devices
A something you possess identification
Physical keys
Regular keys
Tokens
Credit cards Sometimes with PIN (something you know)
Sometimes with picture ID (for people)
Smartcards and passcode generators
Protected memory Sometimes with CPUchallenge response
Using a computer physical MAC
Combined with passwords
Use computer fingerprint
-
8/2/2019 Identity Authentication
41/64
Attack on ATM Cards (2003)
Cards must also work in offline mode A Master key is used by ATM and bank
Account number is encrypted using DES
Last 4 digits (decimalized) are PIN
PIN is verified by tamper-proof hardware
Bond (student in Cambridge) has shown that PIN can bediscovered with high likelihood within 15 trials (on avg) Assumes access to a PIN verifier (e.g., corrupt insider)
Manipulates the decimalization table to learn more from each trial Use table with all 0s except i-th place to check if i-th digit is present
Check all remaining possibilities
Worst case is 10+36; average case is 24
Can be improved through adaptation
-
8/2/2019 Identity Authentication
42/64
Illustration
Encryption
Decimalization
ComparisonKeyedNumber
Scanned Magnetic Stripe
OK/Not
0123456789012345
Encryption
Decimalization
Comparison
Scanned Magnetic Stripe
OK/Not
0000100000000000
0000
-
8/2/2019 Identity Authentication
43/64
Smartcards and Passcode Generators
Calculators: Devices that store key(s) and can compute a time-variant response to a challenge
Used in physical access and VPN apps, e.g., private banking
Smartcards: used to store identity authentication information, keys,and other crypto applications
Many National ID projects around the world (Israel Mimshal Zamin)
Applications: border control, healthcare system, anti-fraud, and otherauthentication apps
Dual-factor: something you possess and something you know
RFID in Physical Access Control Systems (PACS), as well as toresist counterfeiting of high-ticket items (e.g., luxury watches)
Passcode Generator Smartcard Smartcard Reader
-
8/2/2019 Identity Authentication
44/64
Biometrics
-
8/2/2019 Identity Authentication
45/64
Biometrics
Biometrics measure innate characteristics something you are, hence hard to impersonate
Can be Physiological: Fingerprints
Retinal or Iris scanning Face recognition
Hand geometry recognition
Or behavioral
Voice recognition (both physiological and behavioral) Handwriting/signature recognition
Typing dynamics
-
8/2/2019 Identity Authentication
46/64
Biometrics-based Authentication
Usually uses a pattern recognition approach A profile is constructed for the true person
A matching score is computed in each authentication attempt
Processes
-
8/2/2019 Identity Authentication
47/64
Threshold-based Decision
Real-time matching score is thresholded (T)
Error types (A) False alarms (False Positive, Type 2 error)
(B) Misidentification (False Negative, Type 1 Error)
-
8/2/2019 Identity Authentication
48/64
Two Generic Applications
Easier: Verification One-to-One: given a real-time authentication attempt,
try to match to a specific profile
Requires a second form of identification, e.g., login,token.
Harder: Identification Many-to-One: given a real-time authentication attempt,
try to match to one of several profiles in a database
Difficulty stems from birthday paradox unless a highseparation can be attained between candidates
Usually not attempted except in applications wheretwo-factor authentication is not feasible
-
8/2/2019 Identity Authentication
49/64
Fingerprints Analysis
Shapes:
LOOPWHORLARCH
END BIFURCATION ISLAND LAKEDOT
unique arrangement of
minutiae for different
people
Non-intrusive, Reliable, Inexpensive
Semiconductor or Optical
Useful mostly for verification and less for identification
US stores experimented with payment by fingerprint
Minutiae:
-
8/2/2019 Identity Authentication
50/64
Hand Geometry
One of the first practically implemented techniques
physical access control: airports, secured corporate areas, etc.
time and attendance monitoring
Reader uses CCD camera and a number of mirrors to
measure the shape of the hand perimeter, in
-
8/2/2019 Identity Authentication
51/64
Palm Vein Authentication
Vein patterns are unique to an individual (even twins) Scanned with infrared rays, using reflective photography
False rejection rate
-
8/2/2019 Identity Authentication
52/64
Iris Scanning
Human eye encodes 3.4bits/sqmm Extremely accurate: chance of duplication (including twins) < 1072
Fast comparison: Identification takes 2sec per 100,000 people in DB
Sub-$1000 systems are available, but expensive to enroll many
Considered a little intrusive / dangerous by some people
Growing in market share vs. other solutions (patents expired)
-
8/2/2019 Identity Authentication
53/64
Retinal Scanning
Works by identifying patterns in retinal blood vessels
Uses light source to take 400 measurements, which are
then reduced to a signature of 96 bytes
Preceded Iris scanning, but is less prevalent
considered more intrusive
requires precise positioning of the eye
requires removal of glasses
-
8/2/2019 Identity Authentication
54/64
Face Recognition
Controlled sceneaccess control Frontal view, similar distance, reasonable lighting
Compare live image to an original, captured in similar environment
Usually for verification purposes, with another ID
Algorithms extract features, and compare relative positions of eyes,nose, and mouth, nose width, and other factors
Relatively user-friendly
Not very accurate, and requires frequent updates
Very difficult in a random scenestreet, airports
Much more difficult
Law enforcement applications
Privacy issues: a bill that makes this unlawful was shelved in March 2002
-
8/2/2019 Identity Authentication
55/64
Voice Verification
Principle: speech dynamics are affected by physical
structure of mouth, vocal chords, sinus, etc.
A voice signature can typically be formed from speech
features, with relatively high accuracy
Each syllable typically has few dominant frequencies (formants)
More accurate when user repeats a previously recorded sentence
Weaknesses: taped replay, environmental noise, illness,
richness of spoken language
Applications: access control, call centers
Example: www.verivoice.com
User is requested to spell a random string of digits
http://www.verivoice.com/http://www.verivoice.com/ -
8/2/2019 Identity Authentication
56/64
Signature Verification
Static verification
Dynamic verification
Curvature, changes in x-y sign, acceleration, pen up time
-
8/2/2019 Identity Authentication
57/64
Weaknesses of Biometrics
Possibility of false positives, and sometimes
unacceptable FP rate
In identification applications: misidentification
Replay attack, e.g., tape replay, cut finger
Health concerns
Privacy concerns
-
8/2/2019 Identity Authentication
58/64
Biometric Market
Intl Biometric Group
-
8/2/2019 Identity Authentication
59/64
The 5th Factor: How you behave
Idea: a users behavior may help identify, or at least authenticate her For example
What time of the day you access a certain application?
At what frequency do you perform a certain operation
What type of access to which information you require?
Did you login from home or work? Premise for authentication: a users behavioral pattern changes only
slowly over time.
Advantage: relatively cheap (software)
Typically shall be used in conjunction with another factor
e.g., use behavior profiling to supplement password authentication
I believe that acceptance to this new form will grow, especially inareas like intrusion detection and access control
It also plays into the general trend of combining physical security and
IT security
-
8/2/2019 Identity Authentication
60/64
Choosing the Right
Authentication Method
-
8/2/2019 Identity Authentication
61/64
Choice of Authentication Methods
-
8/2/2019 Identity Authentication
62/64
CAPTCHA
-
8/2/2019 Identity Authentication
63/64
CAPTCHAs
Problem: robotic form filling can be used to
Guess passwords
Abuse free services, primarily for spamming and phishing
Goal: Distinguish between a human user and a robot
Method: Completely Automated Public Turing test to tell
Computers and Humans Apart (CAPTCHA)
Usually, asking the user to interpret letters and digits from
an image
-
8/2/2019 Identity Authentication
64/64
Counter-Captcha Methods
Guessing, e.g., if space is small, e.g., 4 digits
Use OCR to recognize
And the prize goes to a man-in-the-middle
attack, asking a real person to authenticate.