information system security wk5-2-authentication

IT346 Information System Security, Week 5-2: Authentication. Faculty of Information Technology. พงษ์ศักดิ ไผ่แดง

Upload: bee-lalita

Post on 29-Nov-2014


DESCRIPTION

If you have a question, message me!

TRANSCRIPT

  • 1. IT346 Information System Security, Week 5-2: Authentication.
  • 2. Hashed Passwords: passwords are not stored in the clear but as hashed passwords combined with a salt value. In the UNIX scheme the password is combined with a salt, a random number, before hashing.
  • 3. Hashed Passwords: the password and the salt are input to a hash function (crypt(3) in UNIX); the resulting hash, the plaintext salt and the user ID are stored in the password file.
  • 4. Hashed Passwords, role of the salt: a salt of b bits multiplies the number of possible hashed passwords by 2^b, which makes offline dictionary attacks against a stolen password file much more expensive; two users who choose the same password get different hashes because their salts differ.
  • 5. Hashed Passwords, UNIX log-in: the user supplies a user ID and a password; the operating system uses the user ID to find the entry in the password file, which holds the plaintext salt and the hash of password+salt; it hashes the supplied password with the stored salt and compares the result with the stored hash, authenticating the user only if the two hashes match.
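The salted password file and log-in check of slides 2 to 5, as an added example (not code from the course slides). Assumptions: PBKDF2-HMAC-SHA256 stands in for crypt(3), the salt is 16 random bytes, and the file is modelled as a dictionary of user ID to (salt, hash) records.

```python
import hashlib
import hmac
import os

# Added example: a minimal salted password file in the style described on the
# slides (user ID, plaintext salt, hash of password+salt). PBKDF2-HMAC-SHA256
# replaces crypt(3); the record layout is an assumption, not UNIX's format.

ITERATIONS = 100_000   # slow hash so each offline guess costs real work
SALT_BYTES = 16        # 128-bit salt: 2^128 possible hashes per password


def hash_password(password: str, salt: bytes) -> bytes:
    """h(password, salt): the stored value is derived from both inputs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(password_file: dict, user_id: str, password: str, salt=None) -> None:
    """Store user ID, plaintext salt and hash; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    password_file[user_id] = {"salt": salt, "hash": hash_password(password, salt)}


def login(password_file: dict, user_id: str, password: str) -> bool:
    """UNIX-style check: look up the salt by user ID, rehash, compare hashes."""
    entry = password_file.get(user_id)
    if entry is None:
        # Do the same work for unknown users so timing does not reveal valid IDs.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, entry["salt"])
    return hmac.compare_digest(entry["hash"], candidate)   # constant-time compare


def same_password_distinct_hashes(password: str) -> bool:
    """Slide 4: two users with the same password get different stored hashes."""
    pf = {}
    add_user(pf, "alice", password)
    add_user(pf, "bob", password)
    return pf["alice"]["hash"] != pf["bob"]["hash"]
```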
  • 6. UNIX Implementation: the password is up to 8 characters of 7-bit ASCII, giving a 56-bit input; the hash function crypt(3) is based on DES with a 12-bit salt. The salt modifies DES so that off-the-shelf DES hardware cannot be used to speed up guessing, and crypt(3) is implemented in software, but a dictionary attack is still feasible with a supercomputer; account management software therefore also restricts password choices.
  • 7. Improved hash/salt implementations for UNIX: a crypt(3) variant using MD5 with a 48-bit salt and a 128-bit password hash; OpenBSD's bcrypt, based on the Blowfish block cipher, which takes passwords of up to 55 characters and uses a 128-bit salt to produce a 192-bit hash.
  • 8. Password Cracking, dictionary attacks: the attacker builds a large dictionary of likely passwords and tests each one against the stolen password file, hashing the candidate with the salt from the file entry and comparing the result with the stored hash; a match reveals that user's password.
  • 9. Password Cracking, rainbow table attacks: the hashes of a whole dictionary of passwords are precomputed and stored in a table, so a stolen hash can be looked up directly. Salts defeat this, because a separate table would be needed for every possible salt value.
  • 10. Observed Password Lengths: password crackers exploit the tendency of users to choose short passwords; the slide shows the length distribution from a Purdue University study on 54 systems and 7000 users.
  • 11. Guessing Passwords: results of a password-cracking study on a set of 13,797 accounts, broken down by the dictionary used.
  • 12. Password File Access Control: offline guessing attacks are blocked by denying access to the encrypted passwords, which only a privileged user can read; a shadow password file, separate from the file of user IDs, holds the hashed passwords. Remaining vulnerabilities: OS flaws or wrong file permissions that expose the file, users who reuse the same password on other systems, access to backup media, and passwords sniffed from network traffic.
  • 13. Password selection strategies: for example reactive password checking, in which the system periodically runs its own password cracker to find and cancel guessable passwords.
  • 14. Proactive password checking: the user chooses the password and the system rejects weak ones. Approaches: rule enforcement (e.g. at least 8 characters, with at least 1 character from each of several classes); a proactive password checker such as http://www.openwall.com/passwdqc/; a password cracker run against a dictionary of bad passwords; a Bloom filter built with hash functions over the dictionary so that bad passwords can be rejected without storing the dictionary itself.
  • 15. Token Authentication: objects a user possesses, such as embossed cards, magnetic stripe cards, memory cards and smartcards.
  • 16. Card Token types (table: card type, defining feature, example; partly garbled in the transcript): embossed; magnetic stripe; memory; smart card with electrical contacts (contains a processor); contactless (radio antenna embedded in the card). Examples that survive in the transcript: ATM card, pre-paid card, biometric ID card.
  • 17. Memory Cards: store data but do not process it, e.g. a magnetic stripe card or a card with electronic memory holding a security code; combined with a password or PIN for ATM access; the slide also discusses memory cards as authentication tokens.
  • 18. Smart Tokens, three classifications. Physical characteristics: smart tokens contain an embedded microprocessor; a smart card is a smart token with the form of a card. Interface: a manual interface has a keypad and display, an electronic interface communicates through a reader/writer.
  • 19. Smart Tokens, authentication protocol. Static: the user authenticates to the token, then the token authenticates to the system. Dynamic password generator: the token generates a new password periodically, which is entered manually or passed electronically; the token and the system must be synchronized so the host knows the current password.
  • 20. Smart Tokens, authentication protocol, continued. Challenge-response: the system issues a challenge and the smart token computes a response to it, using a symmetric key or an asymmetric key.
  • 21. Smart Card: has an electronic interface and contains a complete microprocessor system with processor, memory and I/O ports; some also have a co-processor for cryptographic encoding/decoding and digital signatures. The card's I/O ports connect to the reader through electrical contacts on the card.
  • 22. Smart Card dimensions are defined by ISO 7816-2.
  • 23. Smart Card memory: Read-Only Memory (ROM); Electrically Erasable Programmable ROM (EEPROM), which holds application data and programs such as protocols and data that change over the card's lifetime; Random Access Memory (RAM) for working data.
  • 24. Smart Card Reader Communication (figure: initialization between a smart card and a reader).
  • 25. Smart Card Communication: the card is inserted into the reader; the reader sends a reset signal and supplies a clock; the card replies with an answer-to-reset (ATR) message; the terminal reads the ATR and may send a protocol type selection (PTS) command; the card answers with a PTS response; the card and terminal then exchange data.
  • 26. Biometric Authentication: authenticates a user by unique physical characteristics, static or dynamic: facial characteristics, fingerprints, hand geometry, retinal pattern, iris, signature, voiceprint. It relies on pattern recognition and is more complex and costly than passwords and tokens.
  • 27. Biometric Authentication, facial characteristics: the relative location and shape of facial features; an alternative uses an infrared camera to capture a facial thermogram.
  • 28. Biometric Authentication. Fingerprints: the fingerprint is matched on its feature pattern. Hand geometry: features of the hand such as shape and lengths.
  • 29. Biometric Authentication. Retinal pattern: the retinal biometric system captures the pattern of the retina using visual or infrared light. Iris: the detailed structure of the iris.
  • 30. Biometric Authentication. Signature: the signature is matched against a stored sample. Voice: the voice pattern of the speaker.
  • 32. Biometric System, enrollment: the user presents an identifier (as with a password or PIN) and the system captures the biometric features and stores them as the user's template.
  • 33. Biometric System, verification and identification. Verification: the user presents a PIN or other identifier and the biometric sensor captures the features, which are compared with that user's stored template to authenticate. Identification: the sensor captures the features and the system searches all stored templates for a matching template.
  • 34. Biometric (figure).
  • 35. Biometric accuracy: a system has a false match rate and a false non-match rate; the matching threshold sets the trade-off between them. A high-security application wants a low false match rate, whereas a forensic application wants a low false non-match rate.
  • 36. Biometric Measurement (figure).
  • 37. Remote User Authentication: authentication over a network, the Internet or another communications link faces additional threats: eavesdropping on the password and replay of a captured authentication exchange; these are countered with challenge-response protocols.
  • 38. Password Protocol: the user sends an identity to the remote host; the host returns a random number r (a nonce) together with identifiers of a hash function h() and a function f() as the challenge {r, h(), f()}; the user returns f(r', h(P')), where r' is the received nonce and P' the typed password. The host stores only the hashed password h(P user@server), as Kerberos does, not the password itself; it computes f(r, h(P user@server)) and authenticates the user if f(r, h(P user@server)) = f(r', h(P')). Because r is fresh for each exchange, an attacker who captured an earlier response cannot replay it.
  • 39. Token Protocol: the same exchange {r, h(), f()}, but the user enters password P only to activate the token, which supplies a passcode W; the response is f(r', h(W')). The token may hold a static passcode or generate a random one-time passcode, and the password itself is never sent to the remote host. Static passcode: the host stores h(W user@server) and checks f(r, h(W user@server)) = f(r', h(W')). Dynamic passcode: the host computes the same one-time passcode as the synchronized token and checks f(r, h(W one-time@server)) = f(r', h(W')).
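The challenge-response exchange of slides 38 and 39 with both sides' messages, as an added example (not the course's code); the static-passcode token protocol is the same computation with W in place of P. Assumptions: h() is SHA-256, f(r, k) is HMAC-SHA256 keyed with k over r, and the nonce is 16 random bytes.

```python
import hashlib
import hmac
import os

# Added example of the password / static-passcode challenge-response protocol.
# Assumed choices: h() = SHA-256, f(r, k) = HMAC-SHA256(key=k, msg=r), 16-byte nonce.


def h(secret: str) -> bytes:
    """h(): one-way hash of the password or passcode; the host stores only this."""
    return hashlib.sha256(secret.encode()).digest()


def f(nonce: bytes, hashed_secret: bytes) -> bytes:
    """f(r, h(P)): binds the hashed secret to this nonce, so a response is single-use."""
    return hmac.new(hashed_secret, nonce, hashlib.sha256).digest()


class Host:
    def __init__(self):
        self.store = {}    # user -> h(P user@server); never P itself
        self.pending = {}  # user -> outstanding nonce r

    def register(self, user: str, secret: str) -> None:
        self.store[user] = h(secret)

    def challenge(self, user: str) -> bytes:
        r = os.urandom(16)           # fresh nonce for every exchange
        self.pending[user] = r
        return r                     # sent as {r, h(), f()}; h, f are fixed here

    def verify(self, user: str, response: bytes) -> bool:
        r = self.pending.pop(user, None)   # a nonce is consumed on first use
        if r is None or user not in self.store:
            return False
        return hmac.compare_digest(f(r, self.store[user]), response)


def client_response(nonce: bytes, secret: str) -> bytes:
    """User side: f(r', h(P')) from the received nonce and typed password/passcode."""
    return f(nonce, h(secret))


def run_login(host: Host, user: str, secret: str) -> bool:
    return host.verify(user, client_response(host.challenge(user), secret))


def replay_is_rejected(host: Host, user: str, secret: str) -> bool:
    """Slide 37: a response captured by an eavesdropper fails against a new nonce."""
    captured = client_response(host.challenge(user), secret)
    if not host.verify(user, captured):  # the legitimate use succeeds
        return False
    host.challenge(user)                 # fresh nonce r2 for the next login
    return not host.verify(user, captured)
```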
  • 40. Static Biometric Protocol: the user sends an identity to the remote host; the host returns a nonce r and the identifier of an encryption function E(). The client device, with device ID D, captures the biometric B and derives a biometric template BT; it sends E(r', D', BT'). The host decrypts the message to recover r', D' and BT', checks the nonce and the device ID D against its records, and compares BT' with the stored template BT; the user is authenticated if the matching score reaches the threshold.
  • 41. Dynamic Biometric Protocol: as in the static protocol, but the host's challenge also contains a random sequence x (for example something the user must speak or write) in addition to the random number r. The user produces the biometric signal BS'(x') for that sequence and the client sends E(r', BS'(x')). The host decrypts the message and compares BS'(x') with the template for that sequence, BT(x), so a recording of an earlier signal cannot be replayed.