User Authentication

The document summarizes user authentication methods discussed in Chapter 3 of the textbook "Computer Security: Principles and Practice". It defines digital authentication as establishing confidence in electronic user identities. The four means of authenticating users are something the individual knows (e.g. passwords), possesses (e.g. smartcards), is (static biometrics), and does (dynamic biometrics). It also discusses password-based authentication methods, vulnerabilities, and improved implementations to increase security.

Computer Security:

Principles and Practice


Fourth Edition, Global Edition

By: William Stallings and Lawrie Brown


Chapter 3
User Authentication
NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines digital user authentication as:

“The process of establishing confidence in user identities that are presented electronically to an information system.”

(Table can be found on page 65 in the textbook)
The four means of authenticating user identity are based on:
• Something the individual knows
o Password, PIN, answers to prearranged questions
• Something the individual possesses (token)
o Smartcard, electronic keycard, physical key
• Something the individual is (static biometrics)
o Fingerprint, retina, face
• Something the individual does (dynamic biometrics)
o Voice pattern, handwriting, typing rhythm
Risk Assessment for User Authentication
• There are three separate concepts:
o Assurance level
o Potential impact
o Areas of risk

Assurance Level
• Describes an organization’s degree of certainty that a user has presented a credential that refers to his or her identity
• More specifically is defined as:
o The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
o The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
• Four levels of assurance
o Level 1: Little or no confidence in the asserted identity’s validity
o Level 2: Some confidence in the asserted identity’s validity
o Level 3: High confidence in the asserted identity’s validity
o Level 4: Very high confidence in the asserted identity’s validity
Potential Impact
• FIPS 199 defines three levels of potential
impact on organizations or individuals should
there be a breach of security:
o Low
• An authentication error could be expected to have a
limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate
• An authentication error could be expected to have a
serious adverse effect
o High
• An authentication error could be expected to have a
severe or catastrophic adverse effect
Table 3.2 Maximum Potential Impacts for Each Assurance Level
Password-Based Authentication
• Widely used line of defense against
intruders
o User provides name/login and password
o System compares password with the one stored for that
specified login
• The user ID:
o Determines that the user is authorized to access the system
o Determines the user’s privileges
o Is used in discretionary access control
Password Vulnerabilities
• Offline dictionary attack
• Specific account attack
• Popular password attack
• Password guessing against single user
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use
• Electronic monitoring
UNIX Implementation

•Original scheme
•Up to eight printable characters in length
•12-bit salt used to modify DES encryption into a one-way hash function
•Zero value repeatedly encrypted 25 times
•Output translated to 11 character sequence
•Now regarded as inadequate
•Still often required for compatibility with existing account management
software or multivendor environments
Improved Implementations
• Much stronger hash/salt schemes available for Unix
• Recommended hash function is based on MD5
o Salt of up to 48 bits
o Password length is unlimited
o Produces 128-bit hash
o Uses an inner loop with 1000 iterations to achieve slowdown
• OpenBSD uses Blowfish block cipher based hash algorithm called Bcrypt
o Most secure version of Unix hash/salt scheme
o Uses 128-bit salt to create 192-bit hash value
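The hash/salt schemes above share one design: a random per-password salt stored beside the hash, and a deliberately slow inner loop. The following is an added example (not code from the textbook or from any Unix implementation) that shows the same design using PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the 128-bit salt length and the `scheme$iterations$salt$hash` record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the textbook: a salted and iterated password
# hash in the style of the improved Unix schemes. The iteration count, salt
# length and record layout are illustrative assumptions.
ITERATIONS = 100_000   # inner loop for slowdown (the MD5 scheme uses 1000)
SALT_BYTES = 16        # 128-bit salt, the width bcrypt uses


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so the comparison itself leaks no timing information."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False   # malformed record: never treat it as a match


def salts_separate_equal_passwords(password: str) -> bool:
    """Two accounts with the same password get different stored records, so
    the file does not reveal shared passwords and a single precomputed table
    cannot serve every account."""
    return hash_password(password) != hash_password(password)


def distinct_salt_values(salt_bits: int) -> int:
    """How many distinct salts a salt of the given width allows. The original
    12-bit scheme gives only 4096, one reason it is now regarded as inadequate."""
    return 2 ** salt_bits


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record))  # True
    print(verify_password("wrong guess", record))            # False
```

The record carries its own scheme name and iteration count, so the cost parameter can be raised for new passwords while old records still verify; that is how the slowdown keeps pace with cheaper hardware.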
Password Cracking
• Dictionary attacks
o Develop a large dictionary of possible passwords and try each against the password file
o Each password must be hashed using each salt value and then compared to stored hash values
• Rainbow table attacks
o Pre-compute tables of hash values for all salts
o A mammoth table of hash values
o Can be countered by using a sufficiently large salt value and a sufficiently large hash length
• Password crackers exploit the fact that people choose easily guessable passwords
o Shorter password lengths are also easier to crack
• John the Ripper
o Open-source password cracker first developed in 1996
o Uses a combination of brute-force and dictionary techniques
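The two bullets above make opposite claims about the same table of hash values: a precomputed table pays off because one hash per word serves every stored hash, and a per-account salt removes exactly that saving. The following added example (not from the textbook; the word list and accounts are constructed) makes the point concrete with plain SHA-256, comparing a table built without salts against unsalted and salted records and counting the work each case requires.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Added example, not code from the textbook. WORDLIST and the accounts in
# demo() are constructed for illustration. The table here is the simplest form
# of precomputation (one hash per word, no rainbow-chain compression).
WORDLIST: List[str] = ["password", "123456", "qwerty", "letmein", "dragon"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def salted_record(password: str) -> Tuple[bytes, str]:
    salt = os.urandom(16)                # fresh salt per account
    return salt, salted_hash(password, salt)


def precompute_table(words: List[str]) -> Dict[str, str]:
    """Hash every word once. The table can be reused against any number of
    unsalted stored hashes, which is the attacker's whole saving."""
    return {unsalted_hash(w): w for w in words}


def recovered_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Accounts whose unsalted stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def recovered_salted(stored: Dict[str, Tuple[bytes, str]], table: Dict[str, str]) -> Dict[str, str]:
    """Same lookup against salted records. The stored value depends on the
    salt, so a table built without the salt matches nothing."""
    return {user: table[h] for user, (_, h) in stored.items() if h in table}


def work_factor(num_accounts: int, num_words: int, salted: bool) -> int:
    """Hash computations needed to test every word against every account.
    Unsalted: one table serves all accounts. Salted: each word must be
    rehashed under each account's salt, as the dictionary-attack bullet says."""
    return num_accounts * num_words if salted else num_words


def demo() -> Tuple[int, int]:
    """Returns (accounts recovered from unsalted records, from salted records)."""
    plaintexts = {"alice": "dragon", "bob": "Tr0ub4dor&3", "carol": "qwerty"}  # constructed
    unsalted = {u: unsalted_hash(p) for u, p in plaintexts.items()}
    salted = {u: salted_record(p) for u, p in plaintexts.items()}
    table = precompute_table(WORDLIST)
    return len(recovered_unsalted(unsalted, table)), len(recovered_salted(salted, table))


if __name__ == "__main__":
    print(demo())                                   # (2, 0)
    print(work_factor(1000, 50_000, salted=False))  # 50000
    print(work_factor(1000, 50_000, salted=True))   # 50000000
```

The salt does not make any single guess harder; it multiplies the number of guesses by the number of accounts and makes the table useless across systems. Combining it with the slow, iterated hash of the previous section is what raises the per-guess cost as well.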
Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords
• However, password-cracking techniques have also improved
o The processing capacity available for password cracking has increased dramatically
o The use of sophisticated algorithms to generate potential passwords
o Studying examples and structures of actual passwords in use
Password File Access Control
• Can block offline guessing attacks by denying access to encrypted passwords
o Make available only to privileged users
o Shadow password file
• Vulnerabilities
o Weakness in the OS that allows access to the file
o Accident with permissions making it readable
o Users with same password on other systems
o Access from backup media
o Sniff passwords in network traffic
Password Selection Strategies

Proactive Password Checking
• Rule enforcement
o Specific rules that passwords must adhere to

• Password checker
o Compile a large dictionary of passwords not to use

• Bloom filter
o Used to build a table based on hash values
o Check desired password against this table
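The three strategies above fit together in one checker: rules are applied first, and the dictionary of passwords not to use is consulted through a Bloom filter, a fixed-size bit array that answers "definitely not in the dictionary" or "probably in the dictionary". The following is an added example, not code from the textbook; the forbidden word list is constructed, and the sizing formulas and the double-hashing trick for deriving k indices from one SHA-256 digest are standard Bloom-filter choices, not anything the slides specify.

```python
import hashlib
import math
from typing import Iterable, List

# Added example, not code from the textbook: a Bloom filter used as a proactive
# password checker. FORBIDDEN is a constructed list; a deployment would load a
# large dictionary into the filter once and keep only the bit array.


class BloomFilter:
    def __init__(self, expected_items: int, false_positive_rate: float = 0.01):
        # Size the bit array (m) and the hash count (k) for the target rate.
        n = max(1, expected_items)
        self.m = max(1, math.ceil(-n * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, item: str) -> List[int]:
        # Derive k indices from one SHA-256 digest (double hashing).
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big")
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, item: str) -> bool:
        # No false negatives: every word added is always reported present.
        # False positives are possible, which only rejects a password that was
        # in fact acceptable, the safe direction of error for a checker.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def estimated_false_positive_rate(self) -> float:
        # Standard estimate (1 - e^(-kn/m))^k for the items added so far.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


FORBIDDEN = ["password", "123456", "qwerty", "letmein", "iloveyou"]  # constructed list


def build_checker(words: Iterable[str], false_positive_rate: float = 0.01) -> BloomFilter:
    words = list(words)
    bf = BloomFilter(len(words), false_positive_rate)
    for w in words:
        bf.add(w.lower())   # normalise so case variants of a banned word are caught
    return bf


def is_acceptable(candidate: str, checker: BloomFilter, min_length: int = 8) -> bool:
    """Rule enforcement (minimum length) followed by the dictionary check."""
    if len(candidate) < min_length:
        return False
    return candidate.lower() not in checker


if __name__ == "__main__":
    checker = build_checker(FORBIDDEN)
    print(checker.m, checker.k)                     # bit-array size and hash count
    print(is_acceptable("QWERTY", checker))         # False: in the dictionary
    print(is_acceptable("short", checker))          # False: fails the length rule
```

The filter never stores the words themselves, so the password-checking host holds a compact bit array rather than a readable copy of the dictionary, and lookups cost k hash evaluations regardless of dictionary size.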
Table 3.3 Types of Cards Used as Tokens
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display for human/token interaction
• Electronic interface:
o A smart card or other token requires an electronic interface to communicate with a compatible reader/writer
o Contact and contactless interfaces
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols

• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports

• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed
Electronic Identity Cards (eID)
• Use of a smart card as a national identity card for citizens
• Can serve the same purposes as other national ID cards, and similar cards such as a driver’s license, for access to government and commercial services
• Can provide stronger proof of identity and can be used in a wider variety of applications
• In effect, is a smart card that has been verified by the national government
• Most advanced deployment is the German card neuer Personalausweis
• Has human-readable data printed on its surface:
o Personal data
o Document number
o Card access number (CAN)
o Machine readable zone (MRZ)
Table 3.4 Electronic Functions and Data for eID Cards

CAN = card access number
MRZ = machine readable zone
PACE = password authenticated connection establishment
PIN = personal identification number
Password Authenticated Connection Establishment (PACE)
• Ensures that the contactless RF chip in the eID card cannot be read without explicit access control
• For online applications, access is established by the user entering the 6-digit PIN (which should only be known to the holder of the card)
• For offline applications, either the MRZ printed on the back of the card or the six-digit card access number (CAN) printed on the front is used
Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when
compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Remote User Authentication
• Authentication over a network, the Internet,
or a communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a password,
replaying an authentication sequence that has
been observed

• Generally rely on some form of a challenge-response protocol to counter threats
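The threats listed above, capturing a password and replaying an observed authentication sequence, are what a challenge-response protocol is designed to defeat: the server sends a fresh random value, and the client proves knowledge of the shared secret by computing a keyed hash over it, so neither the secret nor a reusable response ever crosses the link. The following added example (not from the textbook, which describes the protocol in the abstract) runs both sides of such an exchange in one process and then shows a captured response being rejected on replay; the HMAC construction, nonce size and per-user shared secret are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

# Added example, not code from the textbook: a minimal challenge-response
# exchange between a client and a server that share a per-user secret. The
# message layout, HMAC-SHA256 construction and 128-bit nonce are assumptions.


def expected_response(secret: bytes, user: str, nonce: bytes) -> bytes:
    """Keyed hash over the user name and the challenge. The secret itself is
    never transmitted; only this value crosses the link."""
    return hmac.new(secret, user.encode("utf-8") + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets                  # per-user shared secrets
        self.pending: Dict[str, bytes] = {}     # one outstanding challenge per user
        self.used_nonces: Set[bytes] = set()    # every challenge already consumed

    def challenge(self, user: str) -> bytes:
        """Issue a fresh random nonce; the response must be computed over it."""
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        expected = self.pending.get(user)
        # Reject if no challenge is outstanding, the nonce is not the one we
        # issued, or it was already consumed (the replay case).
        if expected is None or not hmac.compare_digest(expected, nonce) \
                or nonce in self.used_nonces:
            return False
        del self.pending[user]           # one attempt per challenge
        self.used_nonces.add(nonce)
        secret = self.secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(expected_response(secret, user, nonce), response)


class Client:
    def __init__(self, user: str, secret: bytes):
        self.user = user
        self.secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return expected_response(self.secret, self.user, nonce)


def run_protocol(server: Server, client: Client) -> Tuple[bool, bytes, bytes]:
    """One full exchange. Returns the outcome plus the two messages an
    eavesdropper on the link would have observed."""
    nonce = server.challenge(client.user)
    response = client.respond(nonce)
    return server.verify(client.user, nonce, response), nonce, response


def replay(server: Server, user: str, nonce: bytes, response: bytes) -> bool:
    """An eavesdropper re-sends a captured (nonce, response) pair. The server
    rejects it: that nonce is no longer pending and is marked as used."""
    return server.verify(user, nonce, response)


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    server = Server({"alice": shared})
    ok, nonce, response = run_protocol(server, Client("alice", shared))
    print(ok)                                            # True
    print(replay(server, "alice", nonce, response))      # False
```

Because the response is bound to the server's nonce, the captured pair is worthless once that challenge has been answered, and eavesdropping yields neither the secret nor anything that can be presented again; a failed response also consumes the challenge, so an adversary gets a single guess per nonce.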
Table 3.5 Some Potential Attacks, Susceptible Authenticators, and Typical Defenses

(Table is on page 96 in the textbook)


AUTHENTICATION SECURITY ISSUES
• Eavesdropping
o Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
• Host Attacks
o Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
• Replay
o Adversary repeats a previously captured user response
• Client Attacks
o Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
• Trojan Horse
o An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
• Denial-of-Service
o Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Case Study: ATM Security Problems
Summary
• Digital user authentication principles
o A model for digital user authentication
o Means of authentication
o Risk assessment for user authentication
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
o Password selection strategies
• Token-based authentication
o Memory cards
o Smart cards
o Electronic identity cards
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
o Biometric accuracy
• Remote user authentication
o Password protocol
o Token protocol
o Static biometric protocol
o Dynamic biometric protocol
• Security issues for user authentication
