COEN 250 Authentication. Between human and machine. Between machine and machine.

Dec 30, 2015

Griffin Gilbert

Transcript
Page 1: COEN 250 Authentication. Between human and machine. Between machine and machine.

COEN 250
Authentication

Page 2

Authentication

Between human and machine. Between machine and machine.

Page 3

Human Machine Authentication

Authentication protocols are based on:
- What you know. E.g. password, pass-phrase (secret key, private key).
- What you have. Physical key, smart card.
- What you are. Biometrics.
- Where you are. E.g. trusted machine, access to room, …

Page 4

Authentication

Passwords predate computers. As do some attacks (stealing, guessing).

Older cell phone technology transmits the originating number together with a password. If the password is good, the call goes through. An eavesdropper receives the phone number – password combination and can now clone the phone.

Page 5

Authentication

Password Attacks

Guessing
- On-line: Time consuming. Authentication attempts are usually logged. The attack can be detected long before it is likely to succeed, and it can be disrupted.
- Off-line: The attacker needs to steal relevant data from which password(s) can be determined. The attacker can then use an arbitrary amount of computing power.

Capturing Passwords
- Eavesdropping
- Login Trojan Horse
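The on-line case above rests on two facts: attempts are logged, and a guesser needs many attempts. The following added example (not part of the slides) shows the detection side of that in Python: it parses constructed, syslog-like authentication records, keeps a sliding window of failures per (source, account) pair, flags a pair once it crosses a threshold, and computes an exponential back-off delay that disrupts guessing without permanently locking the account. The log format, the field names, and the functions `parse_line`, `detect_guessing` and `lockout_seconds` are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records (not from any real system). The format is a
# hypothetical syslog-like line: timestamp, result, account, source address.
SAMPLE_LOG = """\
2015-12-30T10:00:01 auth: FAILED user=alice from=10.0.0.7
2015-12-30T10:00:03 auth: FAILED user=alice from=10.0.0.7
2015-12-30T10:00:04 auth: FAILED user=alice from=10.0.0.7
2015-12-30T10:00:06 auth: FAILED user=alice from=10.0.0.7
2015-12-30T10:00:07 auth: FAILED user=alice from=10.0.0.7
2015-12-30T10:00:09 auth: OK user=bob from=10.0.0.9
2015-12-30T10:05:00 auth: FAILED user=carol from=10.0.0.12
2015-12-30T10:20:00 auth: FAILED user=carol from=10.0.0.12
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|OK) user=(\S+) from=(\S+)$")


def parse_line(line):
    """Return (timestamp, succeeded, user, source) or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2) == "OK", m.group(3), m.group(4)


def detect_guessing(log_text, threshold=5, window_seconds=60):
    """Flag (source, user) pairs that accumulate `threshold` failed attempts
    inside a sliding window of `window_seconds`. Returns {pair: peak_failures}."""
    recent = defaultdict(deque)   # (source, user) -> timestamps of recent failures
    flagged = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, ok, user, src = rec
        if ok:
            continue                 # only failures count towards the threshold
        key = (src, user)
        q = recent[key]
        q.append(ts)
        # Drop failures that fell out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def lockout_seconds(failures, base=1, cap=300):
    """Exponential back-off that disrupts on-line guessing without locking the
    account forever: 1, 2, 4, ... seconds, capped at `cap`."""
    return min(cap, base * 2 ** max(0, failures - 1))


if __name__ == "__main__":
    for (src, user), n in detect_guessing(SAMPLE_LOG).items():
        print(f"{src} -> {user}: {n} failures, next delay {lockout_seconds(n)}s")
```

Two failures fifteen minutes apart (carol) never reach the threshold inside a one-minute window, while five failures within seconds (alice) are flagged at the fifth attempt, well before a dictionary run could have succeeded.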

Page 6

Authentication

Passwords are stored:
- On each server Alice uses.
- Centrally, at an Authentication Storage Node: each server retrieves the information when it wants to authenticate Alice.
- Centrally, at an Authentication Facilitator Node: each server takes Alice's data and password and goes to the AFN.

Page 7

Authentication

Passwords can be stored:
- Unencrypted. Simple. Dangerous.
- Implicitly, as hashes of the passwords. As in UNIX, VMS.
- Encrypted.
- Hashed and encrypted.

Page 8

Authentication

Example: Network Information Service (Yellow Pages)

The directory service is the authentication storage node. It stores the hashed passwords of users. Typically, the hashed password list is world readable: access it by claiming to be a server.

The NIS authentication storage node does not authenticate itself to users. This allows impersonation of the authentication service.

Page 9

Authentication

Passwords for machine – machine communication can be made difficult to guess: arbitrary length, truly random choice of characters.

Human – machine passwords: guessable, subject to dictionary attack.

Page 10

Authentication

Dictionary attack: Most passwords are natural language words, or derived from natural language words. Guess the language. Use a dictionary to try out all words in the language. Start with common passwords first. Replace a single character in a word, attach a random character, etc.

Page 11

Authentication

Brute-Force Attack: Generate all possible passwords. Sometimes make assumptions on the alphabet: only printable characters, only characters on a keyboard.

Page 12

Authentication

Salting: Protects hashed passwords against an offline attack. A brute force attack attacks all passwords in the password file simultaneously.

Page 13

Authentication

Salting: Store a salt with each password. The hash depends on salt and password. Use different salts for different passwords. Store the salt with the password.

Page 14

Authentication

Salting: A brute force attack or dictionary attack can only attack a single password at a time.
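Pages 12 to 14 make a quantitative claim: without salt one hash computation tests a candidate against every entry in the file, with salt it tests it against one entry only. The following added example (not part of the slides) makes that visible in Python. It stores records as PBKDF2-HMAC-SHA256 with a random 16-byte salt and verifies them in constant time; the slides only say "hash depends on salt and password", so the choice of PBKDF2 and the iteration count are assumptions. A second part uses plain SHA-256 purely to count hash operations an offline guesser would spend on a constructed three-entry file, unsalted versus salted. All user names, passwords and function names are constructed for this example.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 as the slow salted hash for the real store.
# The slides only require that the hash depend on salt and password; they do
# not name a function or a work factor.
ITERATIONS = 100_000


def make_record(password, salt=None):
    """Create a stored record: a random per-password salt and the salted hash."""
    if salt is None:
        salt = os.urandom(16)              # different salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest                    # the salt is stored next to the hash


def verify(password, salt, digest):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def records_collide(password):
    """Two accounts with the same password: do their stored hashes match?"""
    _, d1 = make_record(password)
    _, d2 = make_record(password)
    return d1 == d2                        # False once each record has its own salt


# --- Why an unsalted file can be attacked "all at once" ---------------------
# Plain SHA-256 is used below only to make the work comparison visible; the
# store itself should use the slow function above.

def unsalted_store(passwords):
    return {user: hashlib.sha256(pw.encode()).digest() for user, pw in passwords.items()}


def salted_store(passwords):
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.sha256(salt + pw.encode()).digest())
    return store


def offline_work(store, candidates, salted):
    """Count hash evaluations needed to test every candidate against every
    entry of a stolen file. Returns (users_recovered, hash_operations)."""
    ops, recovered = 0, set()
    if not salted:
        for cand in candidates:
            ops += 1                                   # one hash ...
            h = hashlib.sha256(cand.encode()).digest()
            recovered.update(u for u, d in store.items() if d == h)  # ... checked against all
    else:
        for user, (salt, d) in store.items():          # salt forces per-entry work
            for cand in candidates:
                ops += 1
                if hashlib.sha256(salt + cand.encode()).digest() == d:
                    recovered.add(user)
    return recovered, ops


# Constructed sample data (not real credentials).
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
CANDIDATES = ["password", "letmein", "123456"]

if __name__ == "__main__":
    print("unsalted:", offline_work(unsalted_store(USERS), CANDIDATES, salted=False))
    print("salted:  ", offline_work(salted_store(USERS), CANDIDATES, salted=True))
```

With three entries and three candidates the unsalted file costs 3 hash operations, the salted one 9: the work grows with the number of entries, which is exactly the "single password at a time" property of Page 14. Note also that alice and bob share a password but, once salted, no longer share a stored hash.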

Page 15

Authentication

Passwords are compromised:
- By obtaining the password file. Safeguard by hashing and salting, or encryption.
- By eavesdropping on an exchange. Use one-way passwords: Lamport Hash.
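The Lamport hash named above is a one-time password scheme: the server stores h^n(seed) and the client sends h^(n-1)(seed), h^(n-2)(seed), and so on, so a value captured on the wire cannot be replayed and does not reveal the next one. The following added example (not part of the slides) implements both sides in Python with SHA-256 as h and a seed derived from the password and a salt; the class and function names are assumptions made here.

```python
import hashlib
import os


def h(data):
    return hashlib.sha256(data).digest()


def h_n(seed, n):
    """Apply h n times: h^n(seed)."""
    x = seed
    for _ in range(n):
        x = h(x)
    return x


class LamportClient:
    """Alice's side: derives a seed from password and salt, never sends the seed."""

    def __init__(self, password, salt, n):
        self.seed = h(salt + password.encode())
        self.n = n                      # number of logins left in this chain

    def enroll(self):
        """What the server stores at setup: (n, h^n(seed))."""
        return self.n, h_n(self.seed, self.n)

    def next_password(self):
        """The next one-time value is h^(n-1)(seed); each login moves one step
        back along the chain, so a captured value never yields the next one."""
        if self.n < 1:
            raise RuntimeError("chain exhausted; re-enroll with a fresh salt")
        self.n -= 1
        return h_n(self.seed, self.n)


class LamportServer:
    """Bob's side: holds only the top of the chain, which reveals nothing usable."""

    def __init__(self, n, top):
        self.n = n
        self.top = top

    def verify(self, value):
        # Accept iff one more hash of the presented value equals what we stored.
        if self.n < 1 or h(value) != self.top:
            return False
        self.top = value                # the accepted value becomes the new top
        self.n -= 1
        return True


def run_session(n=5):
    """Drive a short exchange and show what an eavesdropper gains (nothing):
    returns (first_login_ok, replay_ok, second_login_ok)."""
    salt = os.urandom(8)                # constructed salt for the demo
    alice = LamportClient("correct horse battery", salt, n)
    bob = LamportServer(*alice.enroll())
    otp1 = alice.next_password()
    first = bob.verify(otp1)
    replay = bob.verify(otp1)           # captured on the wire and resent
    second = bob.verify(alice.next_password())
    return first, replay, second


if __name__ == "__main__":
    print(run_session())  # (True, False, True)
```

The replay fails because after the first login the server's stored top equals the captured value itself, and h(value) never equals value. When the counter reaches zero the chain is exhausted and the client must re-enroll with a fresh salt, which is the operational cost of the scheme.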

Page 16

Authentication

Address Based: Common in early UNIX.

Rtools: .rhosts in the user's home directory holds (Computer, Account) pairs. These pairs are allowed access to the user's account.

/etc/hosts.equiv: List of network addresses of "equivalent" machines. An account name on A is equivalent to the same account name on B. Users have to have identical account names.

Page 17

Authentication

Address based authentication is threatened by:
- Access escalation: The attacker gains access to one host. Access cascades to equivalent hosts / rhosts.
- Spoofing addresses: Very easy to spoof the source address. Harder to intercept the traffic back.

Page 18

Authentication

Ethernet network address impersonation: Easy on the same link. Hubs do not protect. Switches can be spoofed through the ARP protocol. Routers are harder to fool, but can be attacked and provided with misleading routing data.

Page 19

Authentication

Cryptographic authentication: Alice proves her identity to Bob by proving to Bob that she knows a secret. Hashes, secret key cryptography, public key cryptography.

Page 20

Human Machine Authentication

Initial password distribution to humans:
- Pre-expired, strong passwords.
- Through mail.
- Derivable from common knowledge: Student ID.

Page 21

Human Machine Authentication

Authentication Token: Possession of the token proves the right to access. Magnetic stripe as on credit cards.
- Harder to reproduce. "Impossible" to guess.
- Demand special hardware. Can be lost or stolen; add PIN or password protection.
- Are not safe against communication eavesdropping and forging.

Page 22

Human Machine Authentication

Authentication Token: Smart Card. Needs to be inserted in a smart card reader. The card authenticates to the smart card reader.

PIN protected smart cards: Stop working after a number of false PINs.

Cryptographic challenge / response cards: The card contains a cryptographic key. The authenticating computer issues a challenge. The card solves the challenge after the PIN is entered. Harder to crack than PIN protected smart cards because the key is never revealed.

Page 23

Human Machine Authentication

Authentication Token: Smart Card.

Readerless smart card (cryptographic calculator): Communicates with the owner through a mini-keyboard and display. The authenticating computer issues a challenge to Alice. Alice types the challenge into the readerless smart card. The readerless smart card solves the challenge after Alice puts in her password. Alice transfers the answer to the computer.
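Pages 19, 22 and 23 describe the same exchange: the computer issues a challenge, the token answers with something only the key holder can compute, and the key itself never crosses the wire. The following added example (not part of the slides) implements it in Python for both the reader-attached card and the readerless variant. The slides do not say how the card "solves" the challenge; HMAC-SHA256 over a random 16-byte challenge is assumed here, as are the three-try PIN lockout, the 8-digit display truncation for the readerless card, and all class and function names.

```python
import hashlib
import hmac
import os


class Card:
    """Token holding a secret key that never leaves the card. The card only
    answers after the correct PIN and locks itself after too many false PINs."""

    MAX_PIN_TRIES = 3   # assumed lockout threshold

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin
        self._failed = 0
        self.locked = False

    def respond(self, pin, challenge):
        if self.locked:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failed += 1
            if self._failed >= self.MAX_PIN_TRIES:
                self.locked = True
            raise PermissionError("wrong PIN")
        self._failed = 0
        # The response depends on the key and the challenge; the key stays inside.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def display_code(response, digits=8):
    """Readerless card: shorten the response to something Alice can read off a
    display and type into the computer (assumed truncation, not a standard)."""
    return str(int.from_bytes(response[:4], "big") % 10 ** digits).zfill(digits)


class Verifier:
    """Authenticating computer: knows each user's key, issues fresh challenges."""

    def __init__(self, keys):
        self._keys = keys   # user -> key, stored server-side

    def new_challenge(self):
        return os.urandom(16)   # fresh per attempt, so old responses are useless

    def check(self, user, challenge, response):
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def check_code(self, user, challenge, code, digits=8):
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(display_code(expected, digits), code)


def login(card, verifier, user, pin):
    """One full exchange with a reader; False on wrong PIN, locked card or wrong key."""
    challenge = verifier.new_challenge()
    try:
        response = card.respond(pin, challenge)
    except PermissionError:
        return False
    return verifier.check(user, challenge, response)


def readerless_login(card, verifier, user, pin):
    """Same exchange, but Alice relays a short code from the card's display."""
    challenge = verifier.new_challenge()
    try:
        code = display_code(card.respond(pin, challenge))
    except PermissionError:
        return False
    return verifier.check_code(user, challenge, code)


if __name__ == "__main__":
    key = os.urandom(32)                       # constructed key for the demo
    card = Card(key, pin="4711")
    bob = Verifier({"alice": key})
    print(login(card, bob, "alice", "4711"))             # True
    print(readerless_login(card, bob, "alice", "4711"))  # True
```

Because every attempt gets a new random challenge, a response recorded from one session fails against the next, which is the property Page 21 says magnetic stripe tokens lack. The 8-digit code of the readerless variant is much shorter than the full HMAC, so it trades some security for typeability; in this example that is a deliberate, labelled choice rather than anything the slides prescribe.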

Page 24

Human Machine Authentication: Biometrics

Retinal scanner, fingerprint reader, face recognition, iris scanner, handprint readers, voiceprints, keystroke timing, signatures.

Page 25

Authentication Security Policy: Defining Protection Levels, Partitioning Computing Resources

Usually necessary (by law) to have special security for sensitive areas: Human Resources, Accounting, …

The network can be repartitioned using subnets with special protection and special procedures.

Page 26

Authentication Security Policy: Defining Protection Levels, Partitioning Computing Resources

Protection by naming: Increase protection by not making certain systems visible from the outside.

[Diagram with the labels: Local LAN, Internet, external firewall, external DNS server, internal firewall, internal DNS server]

Page 27

Authentication Security Policy: Defining Protection Levels

"Human resources, accounting, and other administrative support systems shall be physically partitioned from the general network in such a manner to control the flow of information to and from those systems."

"Network name services shall be configured to provide Internet users with generic names to accessible internal systems while serving meaningful names to internal, organizational users."

"Network addresses shall be predefined for every system and network device and may be preloaded or resolved when logged in to the network."

"Network address servers and those used to resolve addresses shall be protected in accordance with best practice appropriate for that device."

Page 28

Network Access Control

Typical: One external access point. Connection to ISP.

Gateways: Points where network traffic is transferred from the organization's network to the internet: dial-in, dial-out, other external connections, Internet connections, wireless connections.

Page 29

Network Access Control

“All telephone access to the network shall be centrally protected by strong authentication controls. Modems shall be configured for dial-in or dial-out access but not both. The Network Administrator shall provide procedures to grant access to modem services. Users shall not install modems at any other location on the network without appropriate review and authorization.”

“Any gateway proposed to be installed on the company’s network that would violate policies or procedures established from these policies shall not be installed without prior approval of the Information Security Management Committee.”

“Applications that require gateway services shall be authenticated to the network. If the service itself cannot be authenticated, services carried through the gateway shall be subject to authentication policies described in this document.”

Page 30

Login Policies

User Identification. Guest accounts. Login Banners: establish a privacy expectation and work as "no-trespassing" signs. Login Controls. Login Reporting.

Page 31

User Accounts

Establishment of special privileges

Page 32

Password Policies

Policies defining the strength of passwords: length of password, composition of password, storage of passwords by users, default passwords for systems / applications (this problem is going away, but still). Password Testing.

Page 33

Telecommuting / Remote Access Policies

Preserve the security of IT assets at the organization. The employee's equipment is probably not well protected. Authentication over the internet / dial-up.

Protection of organizational data: legally / technically; in transit / stored / during processing.

Page 34

Mobile Equipment

Employees work with company equipment outside of the perimeter. Storing data on removable drives, USB drives.