Chapter 3
Authentication
Authentication basics, Password, Challenge response, Biometrics.
• Reference: Matt Bishop, “Introduction to Computer Security”.
• The term ‘Access Control’ refers to the issues involved in accessing system
resources. A system resource can be anything the system manages.
• The resources may be widely spread and used by many people. The primary
goal of security is to provide proper control over these resources.
• Access control means providing proper control (implementing security
mechanisms and/or using security protocols) over access to system
resources, so that no unauthorized person gains access to the system.
• Access control has two main parts: authentication and authorization.
• Authentication is the identification of the user or entity that is accessing
the resources, whereas authorization is the set of rights the system defines
for accessing those resources.
• Ronny is a normal user of Facebook. He entered his username and password
and the system authenticated him. By this concept, he can now access system
resources.
• The central question is: what exactly can Ronny do, and what can he not do?
Although Ronny is an authenticated person, he should not get access to any
of his friends’ accounts. The system has given him a limited list of rights.
This is called authorization. We can therefore summarize this discussion as:
• Authentication: Is Ronny an authenticated person?
• Authorization: Is Ronny allowed to perform a particular action?
Authentication
• To convince a machine that you are an authenticated human/entity; if not,
access is denied.
• Something you know:
It is a secret known to the claimant as well as the verifier, so that during
authentication the claimant can request access to the resources using this
secret. Example: a password.
• Something you possess:
It is a physical entity that the claimant has with him, whose uniqueness is
preserved. Example: an attendance card (swiped during office hours).
• Something inherent:
It deals with inherent characteristics of the claimant. This is a strong
authentication technique. Example: biometric devices such as an iris scanner
or a fingerprint reader.
• Authentication is a binary decision, i.e. it only checks whether the
user/entity is granted access or not.
• Authorization deals with more fine-grained restrictions and
limitations on access to the various system resources.
• Both authentication and authorization must go hand in hand.
• It is possible that a person/entity is authenticated but not
authorized. Can you give an example?
• There should be the right balance between the two.
• Definition 11–1. Authentication is the binding of an identity to a
subject.
• The external entity must provide information to enable the system to
confirm its identity. This information comes from one (or more) of the
following.
• 1. What the entity knows (such as passwords or secret information)
• 2. What the entity has (such as a badge or card)
• 3. What the entity is (such as fingerprints or retinal characteristics)
• 4. Where the entity is (such as in front of a particular terminal)
Data Origin vs. Entity Authentication
Difference 1:
• Data origin authentication (message authentication) need not happen in
real time; entity authentication does.
• Example: sending an email (message authentication).
Difference 2:
• Message authentication authenticates one message; the process must be
repeated for each new message.
• Entity authentication authenticates the claimant for the entire duration of a session.
• Example: withdrawing cash from an ATM (entity authentication).
Passwords
• Passwords are an example of an authentication mechanism based on
what people know: the user supplies a password, and the computer
validates it. If the password is the one associated with the user, that
user’s identity is authenticated. If not, the password is rejected and
the authentication fails.
• Definition 11–2. A password is information associated with an entity
that confirms the entity’s identity.
• Attacking a Password System
• A dictionary attack is the guessing of a password by repeated trial and
error.
• Password guessing requires either the set of complementation functions
and complementary information or access to the authentication
functions. In both approaches, the goal of the defenders is to maximize
the time needed to guess the password.
• Random selection of passwords: passwords selected at random may include
very short passwords. Attackers try short passwords as initial guesses,
because there are few enough of them that all can be tried.
• Pronounceable and other computer-generated passwords: a compromise
between using random, unmemorizable passwords and writing passwords
down is to use pronounceable passwords.
• User selection of passwords: rather than selecting passwords for users,
one can constrain what passwords users are allowed to select. This
technique, called proactive password selection, enables users to propose
passwords they can remember but rejects any that are deemed too easy
to guess.
• Password aging is the requirement that a password be changed after
some period of time has passed or after some event has occurred.
Fixed Password-based Authentication
• The same password is used for every access.
• Several schemes have been built on this idea.
First Approach:
• The system keeps a file of user IDs and their plaintext passwords and
compares the submitted password against this file.
Attacks on the First Approach:
• Eavesdropping: listening on the line, intercepting the message and
capturing the password.
• Stealing a password: physically stealing the password.
• Accessing the password file: breaking into the system and reading the
ID/password file.
• Guessing: the attacker tries to log into the system by guessing the
password.
Second Approach:
• A more secure approach is to store a hash of the password (instead of the
plaintext password) in the password file.
• Any user can read the contents of the file, but because of the hash
function it is infeasible to recover the password from the stored value.
Attacks on the Second Approach:
• Collision attack: two separate inputs produce the same hash value.
• The hash function should therefore be collision-resistant.
• MD5 and even SHA-1 have been shown not to be fully collision-resistant.
• Dictionary attack: the attacker is interested in finding one password regardless of the
user ID.
• For example, if passwords are 6 digits, the attacker can create the list of all 6-digit
numbers (000000 to 999999) and apply the hash function to every number, giving one
million hashes. The attacker then obtains the password file and searches the hash
column for a match.
• This can be programmed and run offline on the attacker's computer.
Third Approach: Salting the Password
• When the password is created, a random string called the salt is
concatenated to the password.
• The salted password is then hashed.
• The ID, salt and hash are stored in the file.
• When a user asks for access, the system extracts the salt, concatenates
it with the received password, hashes the result and compares it with
the hash stored in the file.
• Salting makes the dictionary attack more difficult, because the precomputed
table must be rebuilt for every distinct salt.
• Salting is very effective if the salt is a long random number.
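The second and third approaches side by side, as an added example that is not part of the original slides or of Bishop's text. The candidate list and the SHA-256 choice are assumptions; the point shown is that a table precomputed once matches an unsalted record but is useless against salted ones, while the login check still works.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the attacker's precomputed list (the slides use all
# six-digit numbers; a handful of entries is enough to show the mechanism).
CANDIDATES = ["123456", "000000", "letmein", "qwerty"]

def unsalted_record(password: str) -> str:
    """Second approach: the password file stores only H(password)."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Third approach: the file stores (salt, H(salt || password)) per user."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest

def verify_salted(record: Tuple[str, str], password: str) -> bool:
    """Login check: re-derive the hash from the stored salt, compare in constant time."""
    salt_hex, stored = record
    _, digest = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, stored)

def precomputed_table(candidates) -> Dict[str, str]:
    """Hash -> candidate, computed once offline; only useful against unsalted files."""
    return {unsalted_record(c): c for c in candidates}

def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    return table.get(stored_hash)

def demo() -> Tuple[Optional[str], Optional[str], bool, bool, bool]:
    table = precomputed_table(CANDIDATES)
    weak = "123456"
    hit_unsalted = lookup(table, unsalted_record(weak))   # table recovers it
    rec_a = salted_record(weak)
    rec_b = salted_record(weak)                            # same password, new salt
    hit_salted = lookup(table, rec_a[1])                   # table is useless here
    same_hash = rec_a[1] == rec_b[1]                       # False: salts differ
    return (hit_unsalted, hit_salted, same_hash,
            verify_salted(rec_a, weak), verify_salted(rec_a, "000000"))

if __name__ == "__main__":
    print(demo())
```

Production systems replace the plain hash with a slow, salted password hash (PBKDF2, bcrypt or Argon2) so that every guess costs more; the salt handling is the same as shown here.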
Challenge Response
• Passwords have the fundamental problem that they are reusable. If an attacker
sees a password, she can later replay the password. The system cannot
distinguish between the attacker and the legitimate user, and allows access.
• An alternative is to authenticate in such a way that the transmitted password
changes each time. Then, if an attacker replays a previously used password, the
system will reject it.
• Let user U desire to authenticate himself to system S. Let U and S have an
agreed-on secret function f. A challenge-response authentication system is one
in which S sends a random message m (the challenge) to U, and U replies with
the transformation r = f(m) (the response). S validates r by computing it
separately.
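The exchange just described, with both U and S, as an added example that is not from the slides or from Bishop. The choice of HMAC-SHA256 as the agreed-on function f and the pre-shared 32-byte key are assumptions; the same computation is what the PIN-keyed token described later under hardware support performs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

def f(key: bytes, m: bytes) -> bytes:
    """The agreed-on transformation f: HMAC-SHA256 keyed with the shared secret."""
    return hmac.new(key, m, hashlib.sha256).digest()

class System:
    """S: holds each user's shared key and issues a fresh random challenge per attempt."""
    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys                     # user -> shared secret (pre-registered)
        self._pending: Dict[str, bytes] = {}  # user -> challenge awaiting a response
        self._used: Set[bytes] = set()        # challenges that have been consumed

    def challenge(self, user: str) -> bytes:
        m = secrets.token_bytes(16)           # random challenge m, never reused
        self._pending[user] = m
        return m

    def verify(self, user: str, m: bytes, r: bytes) -> bool:
        if user not in self._keys or self._pending.get(user) != m or m in self._used:
            return False                      # unknown user, stale or replayed challenge
        self._pending.pop(user)
        self._used.add(m)
        return hmac.compare_digest(f(self._keys[user], m), r)  # S recomputes f(m)

class User:
    """U: computes the response r = f(m) with its own copy of the secret."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, m: bytes) -> bytes:
        return f(self._key, m)

def run_exchange():
    # The key is a full-length random secret: an eavesdropper who records (m, r)
    # can test key guesses offline, so a short PIN-derived key would not do.
    key = secrets.token_bytes(32)
    s = System({"alice": key})
    u = User(key)
    m = s.challenge("alice")
    fresh = s.verify("alice", m, u.respond(m))             # True: correct, first use
    replay = s.verify("alice", m, u.respond(m))            # False: same challenge again
    m2 = s.challenge("alice")
    wrong_key = s.verify("alice", m2, User(b"guess").respond(m2))  # False
    return fresh, replay, wrong_key

if __name__ == "__main__":
    print(run_exchange())
```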
Challenge Response - Pass Algorithms
1. Let there be a challenge-response authentication system in which
the function f is the secret. Then f is called a pass algorithm.
2. Under this definition, no cryptographic keys or other secret
information may be input to f. The algorithm computing f is itself the
secret.
Case Study: Haskett suggests using this scheme in combination with a
standard password scheme. After the user supplies a reusable
password, a second prompt is given (Haskett points out that this could
be the same as the system’s standard prompt, to confuse attackers). At
this point, the user must enter some string based on an algorithm.
For example, if the prompt “abcdefg” were given, the appropriate
response could be “bdf”; if the prompt were “ageksido,” the
appropriate response could be “gkio” (the algorithm is every other
letter beginning with the second). Or, to use Haskett’s example, the
pass algorithm can alter a fixed password.
Challenge Response – One Time Password
• The ultimate form of password aging occurs when a password is valid
for exactly one use.
• A one-time password is a password that is invalidated as soon as it is
used.
• A mechanism that uses one-time passwords is also a challenge-
response mechanism. The challenge is the number of the
authentication attempt; the response is the one-time password.
• The problems in any one-time password scheme are the generation of
random passwords and the synchronization of the user and the
system.
• The former problem is solved by using a cryptographic hash function
or enciphering function such as the DES, and the latter by having the
system inform the user which password it expects—for example, by
having all the user’s passwords numbered and the system providing
the number of the one-time password it expects.
TOTP
• A time-based one-time password (TOTP) is a password that works once and only
for a limited time.
• 2-Factor Authentication (Multifactor Authentication):
• Presenting two or more pieces of evidence to an authentication mechanism.
• 2FA, also called two-step verification or dual-factor authentication, is a scheme in
which the user provides two different authentication factors to verify themselves.
• Google Authenticator and similar 2FA apps implement the time-based one-time
password (TOTP) algorithm.
• TOTP generates a single-use password, known as a token, which is valid only for a
certain time period.
• HMAC-based One-Time Password (HOTP): OTPs typically remain valid until
used, with no expiration.
• HOTPs are more secure than passwords but less so than TOTPs: because an HOTP stays
valid until it is used, it is more exposed to brute-force attacks.
SSO (Single Sign On)
• Single sign-on (SSO) is an authentication method that enables users to
securely authenticate with multiple applications and websites by
using just one set of credentials.
• Single Sign On (SSO) login refers to when a user logs in to an
application with a single set of credentials and is then automatically
signed into multiple applications.
Challenge Response – Hardware Support
• Hardware support comes in two forms: a program for a general-purpose
computer and special-purpose hardware support.
• Both perform the same functions.
First Form:
The first type of hardware device, informally called a token, provides
mechanisms for hashing or enciphering information. With this type of device,
the system sends a challenge. The user enters it into the device. The device
returns the appropriate response. Some devices require the user to enter a
personal identification number or password, which is used as a cryptographic
key or is combined with the challenge to produce the response.
Second Form:
The second type of hardware device is temporally based. Every 60
seconds, it displays a different number. The numbers range from 0 to
10^n − 1, inclusive. A similar device is attached to the computer. It knows
what number the device for each registered user should display. To
authenticate, the user provides his login name. The system requests a
password. The user then enters the number shown on the hardware
device, followed by a fixed (reusable) password. The system validates
that the number is the one expected for the user at that time and that
the reusable portion of the password is correct.
Challenge-Response and Dictionary Attacks
• Whether or not a challenge-response technique is vulnerable to a dictionary
attack of type 1 depends on the nature of the challenge and the response. In
general, if the attacker knows the challenge and the response, a dictionary
attack proceeds as for a reusable password system.
• Suppose a user is authenticating herself using a challenge-response system.
The system generates a random challenge r, and the user returns the value
Ek(r) of r enciphered using the key k. Then the attacker knows both r and
Ek(r) and can try different values of k until the encipherment of r matches
Ek(r).
• Bellovin and Merritt propose a technique, called encrypted key
exchange, that defeats dictionary attacks of type 1.
• Basically, it ensures that random challenges are never sent in the
clear (plaintext). Because the challenges are random and unknown
to the attacker, the attacker cannot verify when she has correctly
deciphered them. Hence, the dictionary attack is infeasible.
Case Study:
One person’s **** bank account was hacked. The amount was Rs. 3,00,000/-
plus. His mobile number was **********.
Fact in net banking:
If someone wants to transfer money from his account to another, he first
has to add the recipient to his net banking profile as a third party. During
this step the bank sends an OTP to his registered mobile number, which he
registered with the bank and which can be changed only in person, with a
written application at the bank.
So the bank believes its net banking security is very strong and cannot be
hacked.
How the hackers succeeded:
Step 1: The hackers obtained the complainant’s username and password
somehow, possibly through a phishing page or a remote keylogger. The
complainant, however, did not admit to any phishing link or update.
Step 2: They learnt the details of the complainant’s profile, where his mobile
number was noted.
Step 3: Through their Indian agent they learnt the details of the mobile
subscriber, then reported the number as lost at a mobile service provider
store/Web World in Mumbai and had it deactivated (the number was in
another state and used by the complainant’s daughter) and re-issued to
themselves.
Step 4: They then added five accounts as third parties (beneficiaries) through
the hacked account, received the OTP on their mobile and transferred the
amount to those five accounts, from which it was withdrawn at ATM counters.
Case Study (October 2018)
Aerospace senior systems engineer Nishant was arrested. The documents
recovered included missile blueprints that investigators say made their way
to an operative of Pakistan’s intelligence agency (ISI) through Nishant’s laptop.
The next day, on 9 October, the media labelled Nishant a spy and a traitor who
had been honey-trapped by Pakistani agents.
Hitch in the story:
Investigators say Nishant was contacted through LinkedIn and enticed with a
job offer. He was allegedly convinced to download an app containing
malware, which in turn gave ISI operatives access to important documents
on his laptop.
The engineer, however, allegedly had ‘secret’ files that he should not have had
access to. While in interrogation Nishant claimed he accessed the files for
training purposes, he has been charged under sections of the Official Secrets
Act (OSA) for possessing them.
What is Biometric
• Biometrics: Science of identifying, or verifying the identity of, a
person based on physiological or behavioral characteristics.
Biometric Authentication
There are two different authentication methods in biometrics
• Verification: Is he/she the person who claims he/she is? Works
with id + biometrics. Thus it is based on a combination of
modes.
• Identification: Who is this person? Uses only the biometrics
and searches the entire database.
Types of Biometric Authentication
Overview of Biometric Systems
• Biometric Identifiers
• Biometric Subsystems
– Biometric readers (sensors)
– Feature extractors
– Feature matchers
Characteristics (Physical) of Biometric
Characteristics (Behavioral) of Biometric
Biometric Authentication Process
• Biometric authentication refers to security processes that
verify a user's identity through unique biological traits such as
retinas, irises, voices, facial characteristics, and fingerprints.
• Process:
– Acquisitions
– Comparisons
– Decision
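The acquisition, comparison and decision steps, with the verification (ID + biometric, 1:1) and identification (biometric only, 1:N search) modes distinguished earlier, as an added example that is not part of the original slides. The templates, samples, cosine-similarity matcher and threshold are all constructed stand-ins for real extracted features.

```python
import math
from typing import Dict, List, Optional

# Constructed templates: short feature vectors standing in for extracted
# fingerprint/iris features; a real system stores far larger templates.
TEMPLATES: Dict[str, List[float]] = {
    "alice": [0.9, 0.1, 0.4, 0.8],
    "bob":   [0.2, 0.7, 0.6, 0.1],
    "carol": [0.5, 0.5, 0.5, 0.5],
}
THRESHOLD = 0.95   # decision threshold on the match score (constructed value)

def acquire(raw: List[float]) -> List[float]:
    """Acquisition + feature extraction, reduced here to sensor-noise rounding."""
    return [round(x, 3) for x in raw]

def similarity(a: List[float], b: List[float]) -> float:
    """Comparison: cosine similarity between a live sample and a stored template."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def verify(claimed_id: str, raw: List[float], templates=TEMPLATES, threshold=THRESHOLD) -> bool:
    """Verification (1:1): ID + biometric; compares against the claimed user's template only."""
    template = templates.get(claimed_id)
    if template is None:
        return False   # unknown ID: reject, same outcome as a failed match
    return similarity(acquire(raw), template) >= threshold

def identify(raw: List[float], templates=TEMPLATES, threshold=THRESHOLD) -> Optional[str]:
    """Identification (1:N): biometric only; searches the whole database for the best match."""
    feats = acquire(raw)
    best_id, best_score = None, -1.0
    for uid, template in templates.items():
        score = similarity(feats, template)
        if score > best_score:
            best_id, best_score = uid, score
    return best_id if best_score >= threshold else None   # decision step

# Constructed samples: a noisy re-capture of alice, and a person who is not enrolled.
ALICE_SAMPLE = [0.88, 0.12, 0.42, 0.79]
STRANGER_SAMPLE = [0.1, 0.9, 0.1, 0.9]

if __name__ == "__main__":
    print(verify("alice", ALICE_SAMPLE), identify(ALICE_SAMPLE), identify(STRANGER_SAMPLE))
```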
• A generalized diagram of a biometric system is as follows:
Fingerprint Recognition Process
Face Recognition Process
Iris Identification Process
Vein Recognition System
Signature Verification Process
Application Areas of Biometrics
Advantages of Biometric
Disadvantages of Biometric