Authentication (lecture slides, PDF document)




Authentication

Most technical security safeguards have authentication as a precondition.

How to authenticate:
Something you know: password, secrets
Something you have: smart card, token
Something you are: biometrics
Somewhere you are: location

The authentication process

Authentication: ask the user for credentials.
Verification: verify these credentials against something previously known.
Authorization: mark the user as authenticated; commonly the access control (AC) rights are also assigned here.

Password

Username: some name under which the user is known to the system; hardly secret.
Password: a secret (word) known by the user and the system.

Bad passwords

Because they are vulnerable to social attacks:
Linkable names (own, child's, ...)
Linkable numbers (telephone, birthdays, ...)
Related words (like the car -> Ferrari)

Because they are vulnerable to dictionary attacks:
Common words from dictionaries
Common patterns (qwerty, 123456, ...)
Fashion words

Good passwords ...
contain upper and lower case letters
contain numbers and special characters
contain more than 7 characters
are not words of natural languages
can be written fast


Entropy for passwords

Entropy represents the uncertainty of the password.
This represents how likely it is to guess the password.
The entropy is calculated from the probability of appearance p_i of each observed character; the information content of one character is log2 of its reciprocal probability, 1/p_i:

H = -Σ p_i · log2 p_i
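The formula above applied to real strings, as an added example (not code from the slides): per-character Shannon entropy from the observed character frequencies, the brute-force search space implied by length and character classes, and the "bad passwords" point that a dictionary word is weak whatever its characters look like. The alphabet sizes and the toy dictionary are assumptions.

```python
import math
from collections import Counter

# Constructed toy list standing in for a real cracking dictionary (hypothetical).
COMMON_WORDS = {"123456", "password", "qwerty", "ferrari"}


def shannon_entropy_per_char(password: str) -> float:
    """H = -sum(p_i * log2 p_i) over the characters observed in the password."""
    n = len(password)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(password).values())


def search_space_bits(password: str) -> float:
    """Bits an attacker must brute-force if only length and character classes are known.

    Alphabet sizes are assumptions: 26 lower, 26 upper, 10 digits, 33 other printable ASCII.
    """
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda ch: not ch.isalnum(), 33),
    ]
    alphabet = sum(size for test, size in classes if any(test(ch) for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def effective_bits(password: str, dictionary=COMMON_WORDS) -> float:
    """A dictionary word falls in at most |dictionary| guesses, whatever its characters look like."""
    if password.lower() in dictionary:
        return math.log2(len(dictionary))
    return search_space_bits(password)


if __name__ == "__main__":
    for pw in ("123456", "Password", "Fr#7kLp2Q"):
        print(f"{pw!r}: H/char={shannon_entropy_per_char(pw):.2f} bits, "
              f"search space={search_space_bits(pw):.1f} bits, "
              f"effective={effective_bits(pw):.1f} bits")
```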

Password verification

Compare the input with a stored value.
Passwords need to be stored:
Plain or encrypted
One-way or bi-directional
Passwords need to be transferred:
Plain or encrypted

Attacks against password systems

Test all possible passwords: brute force attack
Guess likely words: lexical attacks
Social engineering
Looking for the system's password list
Attacking the authentication mechanism
Ask the user

Ways to harden

Limited number of tries
Wrong inputs slow down the process
Challenge-response
Authorize also the system
Combining different systems
Harden the process
Require passwords with high entropy
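One-way password storage with two of the hardening measures listed above (limited number of tries, wrong inputs slow down the process), as an added example that is not from the slides. The key-derivation function (PBKDF2-HMAC-SHA256), the iteration count, the try limit and the back-off schedule are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster
MAX_TRIES = 5         # limited number of tries before the account locks
SALT_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the system keeps for a user: salt and derived value, never the plaintext."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "hash": derive(password, salt), "failures": 0, "locked": False}


def delay_for(failures: int) -> float:
    """Wrong inputs slow down the process: exponential back-off, capped at 30 s."""
    return float(min(2 ** failures, 30))


def verify(record: dict, attempt: str, sleep=time.sleep) -> bool:
    """Compare the input with the stored value; the sleep hook exists so tests need not wait."""
    if record["locked"]:
        return False  # too many tries: refuse even a correct password until an admin resets
    candidate = derive(attempt, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_TRIES:
        record["locked"] = True
    sleep(delay_for(record["failures"]))
    return False


if __name__ == "__main__":
    # Constructed demo credential; in a real system the record lives in the user database.
    rec = make_record("correct-horse-battery")
    print(verify(rec, "letmein", sleep=lambda s: None))   # False, failures -> 1
    print(verify(rec, "correct-horse-battery"))            # True, failures reset
```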

One-time passwords

A password is only valid once.
Techniques:
Transaction numbers (TAN)
Hashed with time stamp

Cryptographic techniques

Cryptography for authentication purposes.
Popular techniques:
Kerberos
Certificates (X.509)
Challenge-response systems
Problems:
Complex
Infrastructure dependent
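The two slides above ("hashed with time stamp" one-time passwords, and challenge-response systems) worked through in code, as an added example that is not from the lecture. The OTP follows the HOTP/TOTP construction of RFC 4226 and RFC 6238, which is a concrete choice on my part, and the challenge-response uses an HMAC over a server nonce; the verifier's skew window of one step is also an assumption.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per time step for the time-stamped OTP


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Time-based OTP (RFC 6238): the counter is the current time step."""
    return hotp(secret, unix_time // STEP)


class OtpVerifier:
    """Server side: accept a code for the current or an adjacent step, and never twice."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for step in (now - 1, now, now + 1):  # tolerate one step of clock skew
            if step <= self.last_step:
                continue  # "valid only once": a code for an older step is a replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


def challenge() -> bytes:
    """Challenge-response, server side: a fresh random nonce for every attempt."""
    return secrets.token_bytes(16)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def check_response(secret: bytes, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(respond(secret, nonce), response)
```

The replay check is what turns a hash of the time stamp into a one-time password: without `last_step`, a sniffed code stays valid for the whole window.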


Security token

Something you have.
Popular representatives:
Cryptographic token
Smart cards
Problems:
Costly
Technical infrastructure

Smart cards

A card with a chip.
Not necessarily for authentication, e.g. bank card, phone SIM, ...
Different types:
ROM cards
EEPROM cards
Microprocessor cards

Attacks against smart cards

Protocol attacks: the communication between the smart card and the card reader
Blocking signaling: block signals (for example erase signals)
Freeze or reset the card: make the content of the RAM readable
Physical probing: reading data directly from the hardware
Damage part of the chip: for example the address counter
Reverse engineering: reveal the chip design and gain knowledge

Biometrics

The security relies on the property of a human being.
Measuring some aspects of the human anatomy or physiology and comparing them with previously recorded values.
Problems: humans change over time.
Concepts:
Physical: DNA, face, fingerprint, iris, hand geometry
Behavioral: voice, signature verification


Conventional biometrics

Face recognition - ID cards
The oldest and probably most accepted method.
Average security (result of studies).
Handwritten signatures
Highly accepted in Europe.
Good enough security.

Fingerprints

Look at the friction ridges that cover fingertips.
Branches and end points geometry: commonly 16 characteristics.
Pores of the skin.
Easy to deploy and relatively limited resistance.
Problems:
There is a statistical probability of mismatch: the number of variations is limited.
Fingerprints are mostly "noisy".
Alteration is easy.

Iris scan

Patterns in the iris are recognized.
Iris codes provide the lowest false accept rates of any known system (US study).
Problems:
Getting people to put their eye into a scanner.
Systems might be vulnerable to simple photographs.

Problems with biometrics

Not exact enough: false positives and false negatives are common.
Technically difficult: the technology is new.
Privacy problems: sicknesses and pregnancy can be recognized.
Social problems: usage of the system.
Revelation generates problems: data leaks out incidentally; when the use becomes widespread your data will be known by a lot of people.

Single Sign-on

Only one sign-on for all applications.
Techniques:
Save password - but how?
Issue a ticket

Trends

Passport

Questions?