Lecture 3 A Authentication

Uploaded by Kedir Mohammed

Chapter 3: Verifying User and Host Identity

Contents
- Verifying User and Host Identity
- Assessing traditional static password schemes
- Authentication
- Creating a good quality password policy
- The impact of password sniffing
- Protecting against social engineering attacks
- Evaluating strong authentication methods
  - Biometrics
- Authenticating hosts
- Address-spoofing
- Solutions for wireless networks

Authentication
Authentication is the process of reliably verifying the identity of someone (or something).
There are many examples of authentication in human interaction:
- We recognize each other's faces when we meet.
- We recognize each other's voices on the telephone.
- We are authenticated by the customs official who checks us against the picture on our passport.
- A guard might authenticate you by comparing you with the picture on your badge.
- A mail order company might accept as authentication the fact that you know the expiration date on your credit card.


Creating a good quality password policy
The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on a system, passwords are vulnerable to compromise because:
- A password must be initially assigned to a user when enrolled on the system.
- A user's password must be changed periodically.
- The system must maintain a "password database".
- Users must remember their passwords.
- Users must enter their passwords into the system at authentication time.
- Employees may not disclose their passwords to anyone. This includes administrators and IT managers.
Creating a good quality password policy

Password policies can be set depending on the needs of the organization. For example, it is possible to specify a minimum password length, no blank passwords, and maximum and minimum password ages. It is also possible to prevent users from reusing passwords and to require specific characters in their passwords, making passwords more difficult to crack.
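The policy settings listed above (minimum length, no blank passwords, minimum and maximum age, reuse history, required character classes) as a checker. This is an added example, not code from the lecture; the thresholds in POLICY are constructed sample values.

```python
import re
from datetime import date, timedelta

# Added example (not from the lecture): a checker for the settings the slide
# lists. The thresholds are constructed sample values, not any real policy.
POLICY = {
    "min_length": 12,       # minimum password length
    "min_age_days": 1,      # minimum password age before another change
    "max_age_days": 90,     # maximum password age before a change is forced
    "history": 5,           # how many previous passwords may not be reused
    "classes_required": 3,  # of: lowercase, uppercase, digit, other
}
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def check_new_password(candidate, previous, last_changed, today, policy=POLICY):
    """Return the list of violations for a proposed password change (empty list:
    allowed). previous: most-recent-first list of the user's old passwords, in
    plaintext only for illustration (a real system compares against hashes).
    Dates are ISO strings such as "2024-03-01"."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    problems = []
    if not candidate:
        problems.append("blank password not allowed")
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    classes = sum(bool(re.search(c, candidate)) for c in CLASSES)
    if classes < policy["classes_required"]:
        problems.append(f"fewer than {policy['classes_required']} character classes")
    if candidate in previous[:policy["history"]]:
        problems.append(f"reuses one of the last {policy['history']} passwords")
    if age < timedelta(days=policy["min_age_days"]):
        problems.append("minimum password age not reached")
    return problems

def must_change(last_changed, today, policy=POLICY):
    """Maximum password age: True once the current password is older than max_age_days."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy["max_age_days"])
```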
Authentication
Identification
- Convince the system of your identity before it can act on your behalf.
- Sometimes the computer is also required to verify its identity to the user.
Identification is based on three methods:
- what you know (e.g., passwords)
- what you have (e.g., keycards)
- what you are (e.g., biometric information)

Verification
Validation of the information supplied against a table of possible values, based on the user's claimed identity.


Authentication of People
What you Know
Passwords or Pass-phrases
- Prompt the user for a login name and password.
- Verify identity by checking that the password is correct.
- On some (older) systems, the password was stored in the clear.
- Takes a fixed-size input (e.g., 8 chars).
- It is important that passwords are selected with care to reduce the risk of exhaustive search.
Authentication of People
Weakness
The traditional password scheme is vulnerable to eavesdropping over an insecure network.

Solutions?
One-time password (OTP)
- These are passwords used once only.
- Future values cannot be predicted from older values.

Password generation
- Either generate a printed list, and keep a matching list on the system to be accessed,
- or use an algorithm based on a one-way function f.
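The one-way-function variant above, in the Lamport (S/KEY-style) form, as an added example that is not the lecture's code. f is SHA-256; the seed and the chain length are constructed sample values. The user holds the chain (the "printed list"); the server stores only the top value and walks down the chain one login at a time, so a value an eavesdropper captures has already been consumed and cannot be turned into the next one without inverting f.

```python
import hashlib

# Added example (not from the lecture): a Lamport-style one-time password scheme
# built on the one-way function f = SHA-256. Seed and chain length are constructed.
def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [seed, f(seed), f(f(seed)), ..., f^n(seed)]: the user's list."""
    chain = [seed]
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain

class OtpServer:
    """Stores only the top of the chain, f^n(seed), never the seed itself."""
    def __init__(self, top: bytes):
        self.current = top

    def login(self, otp: bytes) -> bool:
        # Accept iff one application of f yields the stored value; then store
        # the value just used, so it can never be accepted again.
        if f(otp) != self.current:
            return False
        self.current = otp
        return True

def demo():
    """Walk through four logins against a chain of length 4 (constructed seed)."""
    chain = make_chain(b"constructed-seed", 4)   # chain[4] = f^4(seed) is enrolled
    server = OtpServer(chain[4])
    return [
        server.login(chain[3]),  # f^3(seed): f of it equals the stored value, accepted
        server.login(chain[3]),  # the same value replayed by an eavesdropper: rejected
        server.login(chain[2]),  # next value down the chain: accepted (needs f inverted
                                 # to derive it from chain[3], which the eavesdropper cannot do)
        server.login(chain[0]),  # wrong position in the chain: rejected
    ]
```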
Authentication of People
What you Have
Magnetic Card, Magnetic Key
- Possess an item with the required code value encoded.

Smart Card or Calculator
- May interact with the system.
- May require information from the user.
- Could be used to actively calculate:
  - a time-dependent password.
  - a one-shot password.
  - a challenge-response verification.
Authentication of People
What you Are
Verify identity based on your physical characteristics, known as biometrics. Characteristics used include:
- Signature
- Fingerprint, hand geometry
- Face or body profile
- Speech, retina pattern

How authentication is done depends on the capabilities of the entity being authenticated. The two most important capabilities:
- Ability to store a high-quality key.
- Ability to perform cryptographic operations.
Authentication of People
High Quality Secret
- Chosen from a large space.
- Computationally infeasible to guess.
Computer vs. Person
- A computer has both capabilities.
- A person has neither.
Authentication of People
Who is Being Authenticated?
Humans:
- Short, memorable key.
Computers:
- (Long) high-quality secret.
- Hidden key (encrypted by password).
Types of Authentication
1. Password-based authentication
- Authenticating oneself by showing a secret password to the remote peer (and to the network).
- Always vulnerable to eavesdropping attack.
- Usual protection: limit the frequency of incorrect password entries.

2. Address-based authentication
- Authenticating oneself by using a physically-secured terminal/computer.
- Conceptually similar to password-based authentication.

3. Cryptography-based authentication
- Authenticating oneself by showing evidence of a secret key to the remote peer (and to the network) but without exposing the secret to the peer (or to the network).
- Note: the secret key can be derived from a password.
Password Based Authentication
Passwords
- An old idea.
- Military uses.
- Everybody knows the password of the day.
In password-based authentication we have a secret quantity; you have to state it to prove you know it. This has a number of problems.
Problems with Passwords
- Eavesdropping
- On-line guessing of password
- Off-line cracking
  - Security of password file
Problems with Passwords
1. Eavesdropping
- Passwords must be uttered to be used.
- Most people don't watch, but they are not the people you are worried about.
- Wiretapping is a more sophisticated problem: if the password is sent across a network then eavesdropping is possible.
- For example, a traditional telnet connection is unsecured (no cryptography), so an attacker who can eavesdrop, e.g. on the port in use, simply gets to see the password.
Problems with Passwords
2. Trojan Horses
- A trojan horse is a useful, or apparently useful, program which also performs unwanted/harmful functions.
- If a user can be induced to run a trojan horse which mimics the login program, then the trojan can capture the user's password.
- The password can then be sent to the author of the trojan.
Problems with Passwords
3. On-Line Guessing
- I can impersonate you if I can guess your password.
- Some systems enforce easily guessable passwords (not really a good idea, but some do it; it would be better to disallow them).
- Some people use easily guessable passwords.
- With enough guesses even obscure passwords can be guessed.
- Executing users who get their password wrong would probably be unacceptable.
- Can make sure that guesses have to be typed.
Problems with Passwords
4. Locking Accounts
- Can lock accounts after too many failed attempts, but then it is easy for someone to deny access.
- Can cut off the connection after a number of failed attempts and require it to be re-established.
- Can have the system response be very slow.
Problems with Passwords
5. Off-Line Password Guessing
- Passwords are more vulnerable if off-line guessing is possible.
- Off-line attack: an intruder captures a quantity that is derived from the password.
- The attacker then takes their time trying to compute the password.

Problems
- Humans usually are not willing to remember 64 bits.
Problems with Passwords
Memorable Passwords
- If the password was pronounceable, rather than fully random, enough randomness can be had in 16 characters.
- Humans won't remember those either.
User Chosen
- Humans choose poor passwords.
- To be proof against off-line attacks, passwords need to be ~32 characters long.
- Humans certainly won't remember those.
Conclusion
- Passwords will be vulnerable to off-line guessing.
Password Based Authentication
Alternatives
- One-time passwords, but then a new list is occasionally needed.
- A set of passwords: use only some at each login, on a challenge-response basis, so an eavesdropper has to listen many times.
Password Files
- If the password file is disclosed, all passwords are vulnerable.
- An attacker usually wants any password, not a particular one.
- Can use a dictionary to attempt to crack some passwords.
- Password files must be at least as well protected as anything else.
Password Based Authentication
Other Problems with Passwords
- Users will give passwords to others.
- Will write them down.
- Put them in programs.
- Will forget them.

Multiple Uses
- Users may have multiple accounts.
- May use the same password for all: easier to remember.
- Break one, break into all.
Password Based Authentication
In Person
- Turn up at the administrator's terminal.
- Authenticate using documents.
- Type in password.
- Inconvenient.
- Gives access to a sensitive terminal.
Administrator Chosen
- Administrator chooses a good password.
- Gives it to the user.
- Instructs them to change it immediately.
Pre-Expired
- As before, but the password is already expired.
- Must be changed immediately.
Password Based Authentication
Storing User Passwords
How does a server know Alice's password?
- Alice's authentication information is individually configured into every server.
- One location stores Alice's information and servers retrieve it when needed.
- One location stores Alice's information, and servers which want to authenticate Alice send Alice's information to that location, which replies yes or no.
For the last two, the server must be certain of the identity of the node which stores the authentication information.
Authentication Database
- Such a database must be secure.
- Can encrypt passwords, or store hashes of the passwords.
- If the key for that node is broken, the whole database will be vulnerable.
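The hashed form of the authentication database above, which also addresses the earlier off-line guessing and password-file slides: an added example, not the lecture's code. Each record carries a per-user random salt and an iteration count (PBKDF2-HMAC-SHA256), so a disclosed file still costs the attacker one full derivation per guess per user; the iteration count and the sample users are constructed values.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the lecture): an authentication database that keeps
# salted, iterated hashes (PBKDF2-HMAC-SHA256) rather than the passwords
# themselves. The iteration count and the sample users are constructed values.
ITERATIONS = 100_000   # every off-line guess must repeat this much work

def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class PasswordDatabase:
    def __init__(self):
        self.records = {}   # username -> "iterations$salt_b64$hash_b64"

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)   # fresh random salt per user
        digest = hash_password(password, salt)
        self.records[username] = "$".join([
            str(ITERATIONS),
            base64.b64encode(salt).decode(),
            base64.b64encode(digest).decode(),
        ])

    def verify(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return False
        iterations, salt_b64, digest_b64 = record.split("$")
        candidate = hash_password(password, base64.b64decode(salt_b64), int(iterations))
        # constant-time comparison so the check itself leaks nothing
        return hmac.compare_digest(candidate, base64.b64decode(digest_b64))

def same_password_different_records(db: PasswordDatabase, user_a: str, user_b: str) -> bool:
    """With per-user salts, two users who chose the same password still get
    different records: a guess must be redone per user, and a precomputed
    dictionary of hashes is useless against the file."""
    return db.records[user_a] != db.records[user_b]
```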
Authentication
Why Use Passwords?
Given that cryptographic authentication is more secure, why use password-based authentication at all?
- Having dumb terminals.
- Using a protocol designed without cryptography.
- Perhaps the protocol would be too expensive if cryptography were used.
Password Based Authentication
Example
- Early cellular phones transmitted the telephone number of the phone and a password when making a call.
- If the password corresponded to the telephone number, the call was allowed.
- Very easy to eavesdrop and clone a phone.
- A challenge-response protocol would have been better.
Address-Based Authentication
- Does not rely on sending passwords.
- Assumes the identity of the source can be determined from the network address at which packets originate.
- Each node notes which accounts on other nodes should have access to its resources.
Implementation
- Node B holds a list of network addresses of equivalent machines. If node A is listed, then any account on A is equivalent to the same account name on B; or
- Node B might instead have a list of (address, remote account name, local account name) entries. A request from the remote account on the remote machine is equivalent to the same request coming from the local account.
Security Considerations
- If someone subverts a node, they can access resources on other machines open to accounts on the subverted node.
- Of course, the attacker needs to know what possibilities exist. However, access is usually complementary, so they only need to examine the database on the subverted node.
- An attacker may be able to forge messages so that they appear to be from other nodes, and can then access resources reserved for users from those nodes.
Authentication Tokens
What you have.
- Subject to theft.
- Generally used either with passwords or biometric checks.
Examples
- Keys (car, house).
- Credit cards.
Magnetic Strips
- Hold information.
- Not trivial to counterfeit.
Biometric
Disadvantages
- Requires custom hardware.
- Can be lost, stolen, damaged or destroyed.
- Requires an override when the card is misplaced.
- As vulnerable as a password to eavesdropping.
Smart Card
- Same size as a credit card.
- Embedded CPU and memory.
- Insert in a smart card reader.
- Reader and card carry on a conversation, whereas a magnetic strip simply dumps its information.
Biometric
PIN Protected Memory Card
- Information in the memory of the card.
- Only read after PIN input.
- Card locks after some number of wrong guesses.
- More secure than a magnetic strip.
Cryptographic Challenge/Response Card
- Cryptographic key held in card memory.
- Card will encrypt or decrypt using the key.
- Will not reveal the key, even after the PIN is entered.
Challenge/Response
- A computer that knows the key can authenticate the card.
- Picks a random value and challenges the card to encrypt or decrypt it.
- Cards are unreadable for most practical purposes.
- Offers protection against eavesdropping.
Biometric
Problems
- Need special devices.
- Cards can be lost or stolen.
Cryptographic Calculator
- Also called a readerless smart card.
- Performs cryptographic calculations using a key it will not disclose.
- Needs no reader: it has a display and keyboard, so all interaction is through the user.
- Popular for remote access to networks.
Biometric
Physical Access
- Provide authentication via human guards.
- System authentication distinguishes legitimate users, e.g., bank tellers.
- Location can be part of the authentication process: rights granted depend on location.

Biometrics
- What you are.
- Measure physical characteristics.
- Hard to loan or steal.
Biometric
Examples
- Retinal scanner
- Fingerprint scanner
- Handprint reader
- Voiceprints
- Keystroke timing
- Signatures
Problems
- Hard to keep biometric quantities secret.
- Reader needs a tamper-resistant secret.
Cryptographic Authentication
Cryptographic Authentication Protocols
- Can be much more secure than password- or address-based authentication.
- Alice proves her identity to Bob by performing a cryptographic operation on a quantity Bob supplies.
- The cryptographic operation is based on Alice's secret.
Who is Being Authenticated?
- A user, e.g., when wanting to access the files at a server.
- A node, e.g., duplicate file servers authenticating each other.
- A user and a node, e.g., a bank teller at their assigned terminal.
Cryptographic Authentication
The Difference
- A computer can store a high-quality secret and do cryptographic operations.
- A computer can do these on behalf of a user.
- But the system has to be designed so that all the user has to remember is a password.
Password to Key
- Use the password to decrypt a higher-quality key, such as an RSA private key.
Cryptographic Authentication
Passwords as Cryptographic Keys
- Public key cryptographic keys are specially chosen very large numbers.
- Most users cannot remember something like this, but they can remember a password.
- It is much harder to convert a password into an RSA key.
Authentication Protocol
Alice -> Bob : I'm Alice
Bob -> Alice : random R
Alice -> Bob : R signed with Alice's private key
Bob checks using Alice's public key.
Attacks
- Public key technology makes it easy to do authentication.
- Secure from both eavesdropping and server database reading.
- Accessing Bob's database only gives Alice's public key, which everybody knows anyway.
Cryptographic Authentication
If the protocol is
Alice -> Bob : I'm Alice
Bob -> Alice : random R
Alice -> Bob : X
where X is a cryptographic function of Alice's secret and R, for example [R]KAB.

Attacks
- An eavesdropper learns nothing.
- But Bob must store Alice's secret to check X.
- So an intruder who reads Bob's database gets Alice's secret.
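Both exchanges above, the signature-based protocol and the [R]KAB variant, as an added example that is not the lecture's code. The public-key half uses textbook RSA over two small, well-known primes purely as a toy (far too small for real use); the secret-key half computes [R]KAB as HMAC-SHA256 under a constructed shared key. The contrast is in what Bob's database must hold: a public key in the first case, Alice's secret itself in the second.

```python
import hashlib
import hmac
import secrets

# Added example (not from the lecture): both challenge-response exchanges from
# the slides. Textbook RSA over two small well-known primes is a toy, not a real
# key; the secret-key variant uses HMAC-SHA256 as the function [R]KAB.

# --- Alice's toy RSA key pair (constructed; the 10000th and 100000th primes) ---
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
ALICE_PUBLIC = (N, E)     # all Bob's database needs to hold
ALICE_PRIVATE = (N, D)    # never leaves Alice

def h(R: bytes) -> int:
    """Reduce the challenge to an integer below N so it can be signed."""
    return int.from_bytes(hashlib.sha256(R).digest(), "big") % N

def sign(R: bytes, private) -> int:
    n, d = private
    return pow(h(R), d, n)

def verify(R: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == h(R)

def public_key_login(alice_private, bob_db, R=None) -> bool:
    """Alice -> Bob: 'I'm Alice'; Bob -> Alice: random R; Alice -> Bob: R signed.
    Bob checks with the public key; reading his database yields only that key."""
    R = R if R is not None else secrets.token_bytes(16)   # Bob's fresh challenge
    X = sign(R, alice_private)                             # Alice's response
    return verify(R, X, bob_db["Alice"])

def shared_key_login(alice_key: bytes, bob_db, R=None) -> bool:
    """Same exchange with X = [R]KAB. An eavesdropper seeing R and X learns
    nothing, but Bob must store KAB itself to recompute X, so whoever reads
    Bob's database gets Alice's secret."""
    R = R if R is not None else secrets.token_bytes(16)
    X = hmac.new(alice_key, R, hashlib.sha256).digest()
    expected = hmac.new(bob_db["Alice"], R, hashlib.sha256).digest()
    return hmac.compare_digest(X, expected)
```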
The Impact of Password Sniffing
If a hacker can't guess your password, there are other ways he/she can try to get it. One way which has become very popular is called "password sniffing".
A password sniffer is a software application that scans for and records passwords that are used or broadcast on a computer or network interface. It listens to all incoming and outgoing network traffic and records any instance of a data packet that contains a password.
A password sniffer is installed on a host machine and scans all incoming and outgoing network traffic. A password sniffer may be applied to most network protocols, including HTTP, Internet Message Access Protocol (IMAP), File Transfer Protocol (FTP), POP3, Telnet (TN) and related protocols that carry passwords in some format. In addition, a password sniffer that is installed on a gateway or proxy server can listen to and retrieve all passwords that flow within a network.
A password sniffer is primarily used as a network security tool for storing and restoring passwords. However, hackers and crackers use such utilities to sniff out passwords for illegal and malicious purposes.
