User authentication
Download as PPTX, PDF10 likes8,157 views
USER AUTHENTICATION MEANS OF USER AUTHENTICATION PASSWORD AUTHENTICATION PASSWORD VULNERABILITIES USE OF HASHED PASSWORDS – IN UNIX PASSWORD CRACKING TECHNIQUES USING BETTER PASSWORDS TOKEN AUTHENTICATION BIO-METRIC AUTHENTICATION
Ad
More Related Content
What's hot (20)
Similar to User authentication (20)
Ad
More from CAS (20)
Ad
Recently uploaded (20)
User authentication
- 1. COMPUTER SECURITY USERAUTHENTICATION Mr. RAJASEKAR RAMALINGAM Faculty - Department of IT College of Applied Sciences – Sur, Sultanate of Oman. [email protected]
- 2. CONTENT • USER AUTHENTICATION • MEANS OF USER AUTHENTICATION • PASSWORD AUTHENTICATION • PASSWORD VULNERABILITIES • USE OF HASHED PASSWORDS – IN UNIX • PASSWORD CRACKING TECHNIQUES • USING BETTER PASSWORDS • TOKEN AUTHENTICATION • BIOMETRIC AUTHENTICATION USER AUTHENTICATION 2
- 3. 3 1. USER AUTHENTICATION • RFC 2828 defines user authentication as: • “The process of verifying an identity claimed by or for a system entity. • Fundamental security building block • Basis of most types of access control & for user accountability. • User authentication is distinct from message authentication. • User authentication process consists of two steps: 1. Identification: Presenting an identifier to the security system. 2. Verification: Binding entity (person) and identifier USER AUTHENTICATION
- 4. 4 2. MEANS OF USER AUTHENTICATION • Four general means of authenticating a user's identity are • Individual knows: Includes a password, a personal identification number (PIN), or answers to a prearranged set of questions. • Individual possesses: Includes electronic keycards, smart cards, and physical keys. Also known as a token. • Individual is (static biometrics): Includes recognition by fingerprint, retina, and face. • Individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm. • can use alone or combined • all can provide user authentication & have issues. USER AUTHENTICATION
- 5. 5 3. PASSWORD AUTHENTICATION • Widely used user authentication method – User provides name/login and password – System compares password with that saved for specified login • Authenticates ID of user logging and – That the user is authorized to access system – Determines the user’s privileges – Is used in Discretionary Access Control USER AUTHENTICATION
- 6. 4. PASSWORD VULNERABILITIES Offline dictionary attack Specific account attack Popular password attack Password guessing against single user Workstation hijacking Exploiting user mistakes Exploiting multiple password use Eectronic monitoring USER AUTHENTICATION 6
- 7. 7 Following are the attack strategies: 1. Offline dictionary attack: • A hacker gain access to the system password file. • Compares the password hashes against hashes of commonly used passwords. 2. Specific account attack: • Attacker targets a specific account &submits password guesses until the correct password is discovered. 3. Popular password attack / Against single user: • The attacker chooses a popular password and tries it. • Attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. USER AUTHENTICATION
- 8. 8 4. Workstation hijacking: • The attacker waits until a logged-in workstation is unattended. 5. Exploiting user mistakes: • User is more likely to write it down passwords, because it is difficult to remember. 6. Exploiting multiple password use. • Similar password for a many applications 7. Electronic monitoring: • If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. USER AUTHENTICATION
- 9. 9 5. USE OF HASHED PASSWORDS – IN UNIX USER AUTHENTICATION
- 10. • A widely used password security technique. • Use of hashed passwords and a salt value. • Found on all UNIX and other operating systems. 1. Loading a new password: • The user selects or is assigned a password. • Password combined with a fixed-length salt value. • Salt is a pseudorandom or random number. • PW & salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. • Hashed password then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. 2. Verifying a password: • When a user attempts to log on to a system, the user provides an ID and a password. • OS uses the ID to retrieve the plaintext salt and the encrypted password. • The salt and user-supplied password are used as input to the encryption routine. • If the result matches the stored value, the password is accepted. 10USER AUTHENTICATION
- 11. 6. PASSWORD CRACKING TECHNIQUES Dictionary attacks • Develop a large dictionary of possible passwords and try each against the password file • Each password must be hashed using each salt value and then compared to stored hash values Rainbow table attacks • Pre-compute tables of hash values for all salts • A mammoth table of hash values • Can be countered by using a sufficiently large salt value and a sufficiently large hash length USER AUTHENTICATION 11
- 12. 12 7. USING BETTER PASSWORDS • Clearly have problems with passwords • Goal to eliminate guessable passwords • At the same time, easy for user to remember • Four basic techniques: 1. User education 2. Computer-generated passwords 3. Reactive password checking 4. Proactive password checking 1. User education: • Users can be told the importance of using hard-to-guess passwords. • Provide users with guidelines for selecting strong passwords. • Can be problematic when have a large user population. • Because many users will simply ignore the guidelines. USER AUTHENTICATION
- 13. 2. Computer-generated passwords: • Poor acceptance by users. • Random in nature, users will not remember. 3. Reactive password checking: • System periodically runs its own password cracker to find guessable passwords. • The system cancels any passwords that are guessed and notifies the user. • Can be costly in resources to implement. 4. Proactive password checking: • User selects own password which the system then checks to see if it is allowable and, if not, rejects it. 13USER AUTHENTICATION
- 14. 14 8. TOKEN AUTHENTICATION • Objects that a user possesses for the purpose of user authentication are called tokens. • Token are of different forms, they are: 1. Embossed: Raised characters only, on front, e.g. Old credit card. 2. Magnetic stripe: Magnetic bar on back, characters on front, e.g. Bank card. 3. Memory: Has Electronic memory inside, e.g. Prepaid phone card. 4. Smartcard: Has Electronic memory and processor inside, e.g. Biometric ID card USER AUTHENTICATION
- 15. 15 8.1 MEMORY CARD / MAGNETIC STRIPS • Store but do not process data • Magnetic stripe card, e.g. bank card • Electronic memory card • Used alone for physical access • With password/PIN for computer use • Drawbacks of memory cards include: – Need special reader – Loss of token issues – User dissatisfaction USER AUTHENTICATION
- 16. 16 8.2 SMARTCARD / EMBOSED • Credit-Card like • Has own processor, memory, I/O ports – Wired or wireless access by reader – May have crypto co-processor – ROM, EEPROM, RAM memory • Executes protocol to authenticate with reader/computer • Also have USB dongles USER AUTHENTICATION
- 17. 17 9. BIOMETRIC AUTHENTICATION • Authenticate user based on one of their physical characteristics • Biometric authentication system authenticates an individual based on unique • Physical characteristics like Fingerprints, hand geometry, facial characteristics, and retinal and iris patterns. • Dynamic characteristics like voiceprint and signature. USER AUTHENTICATION
- 18. 1. Facial characteristics: Characteristics based on location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. 2. Fingerprints: The pattern of ridges and furrows on the surface of the fingertip. 3. Hand geometry: Identify features of hand,: e.g. shape, lengths & widths of fingers. 4. Retinal pattern: Formed by veins beneath the retinal surface is unique. Uses digital image of the retinal pattern by projecting a low- intensity beam of visual or infrared light into the eye. 5. Signature: Each individual has a unique style of handwriting, especially in signature. 18USER AUTHENTICATION
- 19. 19 9.1 OPERATION OF A BIOMETRIC SYSTEM USER AUTHENTICATION
- 20. Operation of a biometric system. • Each users must first be enrolled in the system. • For biometric system, the user presents a name and a password or PIN. • System senses some biometric characteristic of this user (e.g. fingerprint of right index finger). • The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers. • This set of numbers is referred to as the user’s template. • User authentication on a biometric system involves either verification or identification. • Verification is similar to a user logging on to a system by using a memory card or smart card coupled with a password or PIN. • In Identification process, the individual uses the biometric sensor but presents no additional information. • The system then compares the presented template with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected. 20USER AUTHENTICATION