Chapter-2 Identification & Authentication

Chapter-2 Identification & Authentication. Introduction To secure a network the first step is to avoid unauthorized access to the network. This can.

Dec 29, 2015

Juliet Johns
Page 1: Chapter-2 Identification & Authentication

Page 2: Introduction

To secure a network the first step is to avoid unauthorized access to the network.

This can be achieved with any type of authentication mechanism.

When one node wants to communicate with another node in a network in a secure manner they use an authentication mechanism: the node that wants to communicate has to prove its identity in the network so that its right to access the network resources can be determined.

Page 3: Types of Authentication

Diagram: Authentication Methods

• Knowledge based authentication: usernames and passwords
• Artifact based authentication: smart cards, digital signatures, certificates, tokens
• Biometric based authentication

Page 4: Types of Authentication

All of the above can be briefly identified as:

Knowledge based Authentication is based on “What you know”, i.e. what the users know, e.g. user names, passwords, keys etc.

Artifact Based Authentication is based on “What you possess”, i.e. what the user possesses, such as certificates, tokens, smart cards etc.

Biometric based Authentication is based on “What you are”, i.e. what the user inherits, e.g. biometric techniques.

Page 5: Password Based Authentication

The popular mechanism of knowledge based authentication is passwords. In this method of authentication the user who wants to communicate with the server has to provide a username and password to the server in order to prove his identity in the network.

Password: can be defined as a character string used to authenticate an identity (of a user).

The passwords can be of one of the types:

• Plain-text password based systems
• Encrypted Passwords
• One time passwords
• Challenge and Response based systems

Page 6: Password Policy

A good password is one that is easy to remember but difficult to guess.

Passwords should not be dictionary words, proper nouns, or foreign words.

Passwords should be a mixture of upper and lowercase characters along with numbers.

Users should never disclose their passwords to anybody unless they know them to be authorized.

Systems administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords.

They should set password expiration dates on all programs being run on the organization’s systems.

Page 7: Password Based Systems

Plain-text password based systems: These systems are not secure enough as the passwords can be hacked by a man in the middle attack easily.

Encrypted Passwords: In this method various encryption algorithms can be used to encrypt the passwords traveling over the wires in the network. Therefore the password becomes unreadable and difficult for the intruder to get.

A few of the algorithms that are used for password encryption are:

• SHA, MD5, RSA
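As an added example (not from these slides), here is how a server can keep stored passwords unreadable to anyone who obtains the password file. SHA and MD5 named above are hash functions rather than encryption algorithms, and an unsalted fast hash of a weak password is still recoverable with a dictionary, so the example pairs a random per-user salt with PBKDF2, a deliberately slow hash available in Python's standard library. The record layout, iteration count and sample password are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the slides: password storage that keeps no plain
# text. Each password gets its own random salt and is run through PBKDF2
# (a deliberately slow hash), so a stolen record cannot be turned back into
# the password cheaply. The record layout is my own choice.

ITERATIONS = 200_000   # assumption: pick the highest count your login latency allows

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a shadow-style record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(record: str, attempt: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False                   # unknown format: refuse rather than guess
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def salting_separates_equal_passwords(password: str) -> bool:
    """Two users with the same password still get different records, so cracking one does not reveal the other."""
    return make_record(password) != make_record(password)

if __name__ == "__main__":
    record = make_record("Tr0ub4dor&3")    # constructed sample password
    print(record)
    print("correct password accepted:", verify_password(record, "Tr0ub4dor&3"))
    print("wrong password rejected:  ", not verify_password(record, "password"))
    print("equal passwords differ:   ", salting_separates_equal_passwords("Tr0ub4dor&3"))
```

The record carries everything needed to re-check a login (algorithm, iteration count, salt, hash) but not the password itself, which is what a shadow password file is meant to achieve.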

Page 8: One Time Passwords

Even encrypted passwords, if decrypted once by the intruder, can be used for hacking critical data. One idea is to use a new password every time the user logs in.

One time password systems can be of two types:

• Challenge Response, e.g. RSA SecurID system
• Codebook, e.g. S/Key

Page 9: One Time Passwords

Challenge Response authentication:

When a new session is being established by the server it issues a challenge string to the client, which is different every time.

After receiving this challenge string the user types in his or her pass phrase for the session.

Then the secure hash is calculated for the pass phrase using one of the MD4, MD5, or SHA1 hashing algorithms.

Page 10: One Time Passwords

The variables that are required for calculating the secure hash are hidden in the challenge string issued by the server.

When the server receives the hash value sent by the client it matches it with the password (hash value) it has calculated using the same hashing algorithm.

If there is a match, the user is authenticated.
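The exchange described on the last two slides, as an added example that is not part of the original deck: the server issues a fresh random challenge, the client hashes its pass phrase together with that challenge, and the server recomputes the same hash and compares. SHA-256, the 16-byte challenge and the sample user are my assumptions (the slides name MD4, MD5 and SHA1), and the server here keeps the pass phrase itself for simplicity. The last function shows why the challenge must change every session: a response captured from one session is useless in the next.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: one-time password by challenge/response.
# The server sends a random challenge, the client hashes pass phrase + challenge,
# the server recomputes the hash with the same algorithm and compares.
# SHA-256 and the sample user are my own choices.

def response_for(passphrase: str, challenge: bytes) -> str:
    """Client side: hash the pass phrase together with the challenge."""
    return hashlib.sha256(challenge + passphrase.encode()).hexdigest()

class ChallengeServer:
    def __init__(self, users: dict):
        self.users = users        # username -> pass phrase (constructed sample data)
        self.pending = {}         # username -> challenge for the session being set up

    def issue_challenge(self, username: str) -> bytes:
        """Start a session with a fresh random challenge, different every time."""
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        return challenge

    def check_response(self, username: str, response: str) -> bool:
        """Recompute the expected hash and compare; each challenge is usable once."""
        challenge = self.pending.pop(username, None)
        if challenge is None or username not in self.users:
            return False
        expected = response_for(self.users[username], challenge)
        return hmac.compare_digest(expected, response)

def login(server: ChallengeServer, username: str, passphrase: str) -> bool:
    """One complete exchange: server -> challenge, client -> hash, server -> verdict."""
    challenge = server.issue_challenge(username)
    return server.check_response(username, response_for(passphrase, challenge))

def replay_is_rejected(server: ChallengeServer, username: str, passphrase: str) -> bool:
    """A response captured from one session does not open the next one: the challenge changed."""
    challenge = server.issue_challenge(username)
    captured = response_for(passphrase, challenge)
    first = server.check_response(username, captured)   # the legitimate session succeeds
    server.issue_challenge(username)                      # next session, new challenge
    return first and not server.check_response(username, captured)

if __name__ == "__main__":
    srv = ChallengeServer({"alice": "correct horse battery staple"})   # constructed sample user
    print("good login:     ", login(srv, "alice", "correct horse battery staple"))
    print("bad login:      ", login(srv, "alice", "wrong phrase"))
    print("replay rejected:", replay_is_rejected(srv, "alice", "correct horse battery staple"))
```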

Page 11: One Time Passwords

Code Book Scheme: A codebook is a list of passwords that are used, one at a time, and then never reused.

With this system each user is given a mathematical algorithm, which is used to generate a sequence of passwords.

The user can either run this algorithm on a portable computer when needed, or can print out a listing of generated passwords as a paper codebook.

Page 12: Code Book Scheme

When a user wants to login to a system, the user either looks up the next password in the codebook, or generates the next password in the virtual codebook.

This password is then used as the password to give to the system.

The user may also need to specify a fixed password along with the codebook entry.

Page 13: Code Book Scheme

Diagram: the client’s code book and the server’s code book hold the same list of one-time passwords.

Server: Send me new password for authentication.
Client: User sends next password from code book.
Server: The password matches with my code book entry. You are authenticated.
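An added example (not from the slides) of a codebook produced by an algorithm, in the style of S/Key, the codebook system the slides name: the user's fixed password and a seed are hashed repeatedly to form a chain, the paper codebook lists the chain in reverse order, and the server stores only the final link. Each login hands over the previous link, which the server checks by hashing it once; a password that has already been used, or one presented out of order, is rejected. Chain length, seed, user name and function names are constructed for the illustration.

```python
import hashlib

# Added example, not from the slides: an S/Key-style hash chain codebook.
# chain() computes H^1..H^n of the secret; the codebook is H^(n-1) ... H^1;
# the server enrols with H^n only and never sees the secret.
# Seed, fixed password and chain length are constructed sample values.

def chain(secret: bytes, n: int) -> list:
    """Return [H^1(secret), H^2(secret), ..., H^n(secret)] using SHA-256."""
    out, x = [], secret
    for _ in range(n):
        x = hashlib.sha256(x).digest()
        out.append(x)
    return out

def make_codebook(fixed_password: str, seed: bytes, n: int) -> list:
    """The user's codebook, in the order the passwords will be used: H^(n-1) first, H^1 last."""
    links = chain(fixed_password.encode() + seed, n)
    return [link.hex() for link in reversed(links[:-1])]

class OtpServer:
    def __init__(self, fixed_password: str, seed: bytes, n: int):
        # Enrolment: keep only the last link of the chain.
        self.last = chain(fixed_password.encode() + seed, n)[-1]

    def login(self, otp_hex: str) -> bool:
        """Accept x only if H(x) equals the stored link, then store x so it can never be reused."""
        candidate = bytes.fromhex(otp_hex)
        if hashlib.sha256(candidate).digest() != self.last:
            return False
        self.last = candidate
        return True

def demo() -> dict:
    seed = b"constructed-seed"                    # constructed, not a real seed
    book = make_codebook("fixed-pass-1", seed, 5) # [H^4, H^3, H^2, H^1]
    srv = OtpServer("fixed-pass-1", seed, 5)      # stores H^5
    return {
        "first_use":  srv.login(book[0]),   # H^4: accepted, server now holds H^4
        "reuse":      srv.login(book[0]),   # H^4 again: rejected, already spent
        "second_use": srv.login(book[1]),   # H^3: accepted
        "skip_ahead": srv.login(book[3]),   # H^1 while H^2 is expected: rejected
        "third_use":  srv.login(book[2]),   # H^2: accepted
    }

if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:11}: {'authenticated' if ok else 'rejected'}")
```

Because hashing runs only forward, someone who observes a used password (H^4) cannot derive the next one (H^3), which is what makes a printed codebook safe to use over an untrusted link.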

Page 14: Weak versus Strong Passwords

Weak Passwords may be of one of the types:

User’s personal information like name, vehicle number, phone number.

A dictionary word.

An easy to remember sequence of characters or alphanumeric characters like qwerty, abc123.

Page 15: Weak versus Strong Passwords

If supplied in plain text, weak passwords are easy to hack or crack by nature using any of these methods:

Brute-force attack

Dictionary attack etc.

Page 16: Weak versus Strong Passwords

Strong Passwords: As weak passwords are easy to guess, it is recommended to use a password which:

is of at least 8 characters length.

contains at least one numeric character.

contains at least one special character.

doesn't contain any dictionary word.

They should also be easy to remember, otherwise this may result in users writing a difficult to remember password down near their desk.

Page 17: Password selection strategies

Password selection strategies:

• User Education
• Computer generated passwords
• Reactive password checking
• Proactive password checking

The most secure method of good and strong password selection is the proactive password checking method, in which the user selects his own password and, at the time of selection, the system checks to see if the password is allowable or not.
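As an added example (not from the slides), a proactive password checker that applies the rules given on the previous slides at the moment the user chooses a password: minimum length 8, a digit, a special character, mixed case, no dictionary word, no personal information such as name, phone or vehicle number, and no keyboard sequence like qwerty or abc123. The small word list, sequence list and sample user profile are constructed stand-ins; a deployment would load a real dictionary.

```python
import re

# Added example, not from the slides: a proactive password checker that tests
# a candidate against the slides' rules when the user picks it. DICTIONARY and
# SEQUENCES are tiny constructed stand-ins for a real word list; the personal
# information fields come from the user's profile.

DICTIONARY = ("password", "welcome", "summer", "dragon", "monkey", "letmein")
SEQUENCES = ("qwerty", "asdfgh", "abc123", "123456", "abcdef")

def check_password(password: str, personal: dict) -> list:
    """Return every rule the password breaks; an empty list means it is allowable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not a mix of upper and lower case")
    lowered = password.lower()
    for word in DICTIONARY:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for seq in SEQUENCES:
        if seq in lowered:
            problems.append(f"contains easy sequence '{seq}'")
    for field, value in personal.items():            # name, phone, vehicle number ...
        needle = str(value).lower().replace(" ", "")
        if len(needle) >= 3 and needle in lowered.replace(" ", ""):
            problems.append(f"contains personal information ({field})")
    return problems

def is_allowable(password: str, personal: dict) -> bool:
    return not check_password(password, personal)

if __name__ == "__main__":
    user = {"name": "Rahul", "phone": "9876543210", "vehicle": "MH12AB1234"}   # constructed profile
    for candidate in ("rahul123", "Qwerty#2015", "Dragon!99", "9876543210$Aa", "T9&vLq2!mZ"):
        print(f"{candidate:15} -> {check_password(candidate, user) or 'allowable'}")
```

Returning the full list of violations rather than a bare yes/no is what lets the system tell the user why a choice was refused, which is the point of checking proactively rather than reactively.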

Page 18: Password vulnerabilities & attacks

Possible vulnerabilities of passwords are:

• Guessing, cracking & spoofing
• Testing the password files
• Proactive password checkers
• Shadow password files

Password related attacks:

• Password cracking
• Brute force attack
• Dictionary attack

Page 19: Artifact Based Authentication

This method deals with the possession of an artifact, i.e. an item held by the user, display of which enables the user to be authenticated. Popular examples of this method are smart cards, digital signatures, certificates etc.

Page 20: Digital Signatures

Digital signatures are based on Public Key Cryptography.

Digital signatures are used to verify whether a document sent by a person is really sent by him and has not been changed in the route through which it came.

We try to show with an example how digital signatures work.

A digital signature user must have a key pair:

• Public Key: Known to all (made public).
• Private key: Only known to the key pair owner.

Page 21: Smart Cards

Smart cards are hardware devices that provide much more secure authentication for storing and transferring important information.

They are of the size of a credit card, containing a small chip which stores the private key and a copy of the certificate.

A PIN (Personal Identification Number) is used in association with the smart card, to provide more secure authentication.

Page 22: Smart Cards

A smart card looks like: (figure: smart card and card reader)

Card readers are used to read the information from a smart card.

Page 23: Working of smart cards

The authentication method used in smart cards is the Challenge Response type of authentication.

When the user inserts his smart card in a card reader, the program that is stored in the client system asks the user for his unique PIN.

The user enters the PIN and if the PIN is correct the communication between the client application and the smart card starts.

Page 24: Working of smart cards

A challenge response procedure takes place between the client and the server.

The private key on the card is used to encrypt the data and the encrypted data is then transferred to the server.

The public key stored on the server is used to decrypt the data.

If the data gets successfully decrypted, the user is authenticated.
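An added example, not from the slides, that covers both the digital signature key pair on page 20 and the smart card challenge/response on pages 23 and 24. RSA is built from first principles here with 512-bit keys and no padding so that "encrypt with the private key, decrypt with the public key" is visible as arithmetic; production systems use 2048-bit or larger keys, PSS or PKCS#1 padding and a certificate that binds the public key to the user. The smart card object releases a signature only after the correct PIN and blocks itself after a limited number of wrong entries, as page 25 describes. Key size, PIN, retry limit, class names and sample data are my own choices.

```python
import hashlib
import secrets

# Added example, not from the slides: a toy RSA key pair used first to sign a
# document and then inside a smart card that answers a server challenge with
# its private key. 512-bit keys, no padding, PIN and retry limit are my own
# choices for illustration; production code uses a vetted library.

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full width, odd
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message: bytes) -> int:
    n, d = private
    return pow(digest(message, n), d, n)                  # "encrypt" the hash with the private key

def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(message, n)     # "decrypt" with the public key and compare

class SmartCard:
    """Keeps the private key on the card; signs a challenge only after the right PIN, blocks after too many wrong ones."""
    def __init__(self, private, pin: str, max_tries: int = 3):
        self._private, self._pin, self._max = private, pin, max_tries
        self.tries_left = max_tries

    def respond(self, pin: str, challenge: bytes):
        if self.tries_left == 0 or pin != self._pin:
            self.tries_left = max(0, self.tries_left - 1)
            return None                                   # wrong PIN or blocked card: nothing leaves the card
        self.tries_left = self._max
        return sign(self._private, challenge)

class CardServer:
    """Holds each user's public key; issues a fresh random challenge per login and checks the answer against that key."""
    def __init__(self, public_keys: dict):
        self.public_keys, self.pending = public_keys, {}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def check(self, user: str, response) -> bool:
        challenge = self.pending.pop(user, None)
        return (response is not None and challenge is not None
                and verify(self.public_keys[user], challenge, response))

if __name__ == "__main__":
    public, private = generate_keypair()
    doc = b"Pay 100 to Bob"                                # constructed document
    sig = sign(private, doc)
    print("signature verifies:", verify(public, doc, sig))
    print("altered document:  ", verify(public, b"Pay 1000 to Bob", sig))
    card, srv = SmartCard(private, "4321"), CardServer({"alice": public})
    print("wrong PIN login:", srv.check("alice", card.respond("0000", srv.challenge("alice"))))
    print("right PIN login:", srv.check("alice", card.respond("4321", srv.challenge("alice"))))
```

The server never holds the private key and never sees the PIN: it only learns that whoever answered the challenge controls the key matching the stored public key, which is the two-factor property (PIN plus card) the next slide lists as the advantage.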

Page 25: Advantages of Smart Cards

This is a very secure authentication mechanism because:

the process works on a two-factor authentication - what you know (PIN) and what you have (smart card or private key).

Brute force attacks and Dictionary attacks don’t work here as only a limited number of PIN entries are allowed for the smart card holder.

Page 26: Applications of Smart Cards

Although smart cards are new in India, in many other countries they are used extensively for applications like:

• Electronic toll collection
• Financial Services
• Healthcare services
• Cellular phones
• Set-top boxes
• Secure network access

Page 27: Biometric Techniques

Biometrics comprise the techniques for measuring human beings and the statistical methods of processing these measurements. In the field of identification, biometrics uses computers to identify or authenticate the identity of a person based on the measurement of at least one physical characteristic, e.g. fingerprint, retinal image, DNA etc.

Biometric Identification: consists in finding one person out of a number of people based on the analysis of a physical characteristic such as a fingerprint or an image of the iris. The characteristic is collected by a sensor, analyzed and compared by software to previously collected personal data.

Working of biometric techniques: It basically works in three steps:

• Capturing a biometric sample from an individual
• Storing the captured sample as a reference sample
• Matching the current captured sample with the stored reference sample

Biometrics can be classified into two categories: Physiological biometric techniques such as fingerprints, hand geometry, palm recognition, iris recognition, DNA analysis etc.

Page 28: Types of Biometric techniques

Biometrics can be classified into two categories:

Physiological biometric techniques such as fingerprints, hand geometry, palm recognition, iris recognition, DNA analysis etc.

Behavioral techniques which depend on the behaviour of a person such as signature dynamics, keystroke dynamics etc.

Signature Dynamics: is a technique that is based on the dynamics of making a signature rather than a direct comparison of a written signature with a stored one.

Factors that are measured for signature dynamics are acceleration rates, directions, pressure, stroke length etc.

Page 29: Effectiveness of biometric techniques

Biometric techniques are evaluated on three basic criteria:

i) False Rejection Rate: this is the percentage of authorized users that are denied access due to failure of the biometric device.

ii) False Acceptance Rate: the percentage of unauthorized users allowed access.

iii) Cross over error rate: is the point at which the number of false rejections equals the false acceptances. It is also known as the equal error rate.
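An added example (not from the slides) that computes the three criteria from matcher scores: a list of genuine-user scores and a list of impostor scores are constructed, a decision threshold is swept across the score range, FRR is the share of genuine scores below the threshold, FAR the share of impostor scores at or above it, and the crossover (equal error) rate is the threshold where the two meet. The score values and the 0..100 scale are invented for the illustration.

```python
# Added example, not from the slides: FRR, FAR and the crossover error rate
# computed from constructed matcher scores (0..100, higher = better match).
# GENUINE holds scores from enrolled users, IMPOSTOR from other people.

GENUINE = [92, 88, 85, 81, 78, 74, 70, 66, 60, 55]    # constructed sample scores
IMPOSTOR = [12, 20, 28, 35, 41, 48, 55, 60, 66, 72]   # constructed sample scores

def false_rejection_rate(genuine, threshold) -> float:
    """Percentage of authorized users denied: genuine scores that fall below the threshold."""
    return 100.0 * sum(score < threshold for score in genuine) / len(genuine)

def false_acceptance_rate(impostor, threshold) -> float:
    """Percentage of unauthorized users admitted: impostor scores at or above the threshold."""
    return 100.0 * sum(score >= threshold for score in impostor) / len(impostor)

def crossover_error_rate(genuine, impostor):
    """Sweep the threshold and return (threshold, rate) where FRR and FAR are closest to equal."""
    best = None
    for threshold in range(0, 101):
        frr = false_rejection_rate(genuine, threshold)
        far = false_acceptance_rate(impostor, threshold)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, threshold, (frr + far) / 2)
    return best[1], best[2]

if __name__ == "__main__":
    for t in (50, 60, 65, 70, 80):
        print(f"threshold {t:3}: FRR = {false_rejection_rate(GENUINE, t):5.1f}%  "
              f"FAR = {false_acceptance_rate(IMPOSTOR, t):5.1f}%")
    t, eer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: equal error rate {eer:.1f}%")
```

Raising the threshold lowers FAR and raises FRR, so a deployment picks the threshold by which error it can tolerate; the crossover rate is the usual single number for comparing two devices.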