ISE 331 Fundamentals of Computer Security: Authentication and Attacks (PowerPoint PPT Presentation)
Agenda

- User Authentication
  - Authentication process
  - Means of authentication
- Passwords
  - Vulnerabilities of passwords
  - Password Cracking
  - Dictionary Attacks
  - Thwarting dictionary attacks
User Authentication
Authentication is the process of verifying an identity. The authentication process has two steps:

1. Identification – the user provides a claimed identity to the system.
2. Verification – the system establishes the validity of the claim.
Authentication Process
E.g. Alice is a user of system X and has the username Alice123. Alice's password is a secret between Alice and the system.
- Identification – Alice provides Alice123 and her password to log on to the system.
- Verification – The combination of Alice123 and the password enables the system to verify that the user is indeed Alice.
Means of Authentication
There are four general means of authenticating users to the system. These can be used alone or in combination.
- Something the individual knows: password, PIN, answers to prearranged questions
- Something the individual possesses (token): memory card, physical key
- Something the individual is (static biometrics): fingerprints, facial characteristics, retinal and iris patterns
- Something the individual does (dynamic biometrics): voice, signature, typing rhythm
Passwords
Passwords are the most widely used authentication mechanism in computers. However, they are prone to many vulnerabilities:
- Offline Dictionary Attacks
- Specific Account Attack
- Workstation Hijacking
- Exploiting User mistakes
An attack is the act of exploiting a vulnerability with malicious intent.
Vulnerabilities of Passwords
Dictionary Attacks
- Users have a tendency to use passwords that are easy to remember.
- A dictionary is a collection of commonly used passwords.
Example dictionary passwords: 12345678, qwerty, football, 1234, baseball, welcome
Vulnerabilities of Passwords
Specific Account Attack
The attacker attempts to gain knowledge of a specific user and tries to guess that user's password. Countermeasures:
- Prohibiting the use of well-known user identifiers such as the user's name
- Using a combination of character sets (special characters, numbers, letters)
- Regularly changing passwords
Vulnerabilities of Passwords
Workstation Hijacking
The attacker waits until a logged-in workstation is left unattended. Countermeasures:
- Log out after use
- Automatically log out after a certain period
Vulnerabilities of Passwords
Exploiting user mistakes
- Users may write their passwords down somewhere.
- Users may sometimes share their password with someone to allow one-time access.
Countermeasures: 2-step verification
- E.g. when logging in from a new device, Google sends a verification code to your cellphone.
Vulnerabilities of Passwords
We discussed the following password vulnerabilities:
- Offline Dictionary Attacks
- Specific Account Attack
- Workstation Hijacking
- Exploiting User mistakes
Despite these vulnerabilities, passwords remain the most widely used authentication mechanism.
Password Cracking
Password cracking experiment
An attempt was made to crack a password file from a Unix system containing 14,000 encrypted passwords.
Initial dictionary:
- Combined words from various dictionaries (60,000 words)
- Transformations on the words:
  - Permutations of words from the dictionaries
  - Making some letters uppercase, reversing the word, changing o to zero
The final dictionary contained 3 million words. 25% of the passwords were cracked. Even one is enough to gain access to the system!
John the Ripper
- John the Ripper is a free password cracking software tool developed in 1996.
- It can be run against various encrypted password formats.
- Such tools are used to check the strength of passwords.
- Also, attackers can use them to crack passwords!
Cracking passwords is only getting easier
Increased processing capability: a PC running a single AMD Radeon HD7920 GPU can try on average 8.2 × 10^9 (on the order of billions of) password combinations each second!
Cracking passwords is only getting easier
- The graph shows the percentage of passwords that have been recovered as a function of the number of guesses. As can be seen, over 10% of the passwords are recovered after only 10^10 guesses. After 10^13 guesses, almost 40% of the passwords are recovered.
Password Cracking
- The key to password cracking:
  - A large dictionary file
  - High processing power
- How to form a dictionary file?
  - Combine leaked password files
Vulnerabilities of Passwords
Dictionary Attacks
- Users' tendency is to use passwords that are easy to remember.
- A dictionary is a collection of commonly used passwords.
Example dictionary passwords: 12345678, qwerty, football, 1234, baseball, welcome
Hash values are used to store passwords
- The actual password is never stored.
- Passwords stored in the system are hashed using some hashing algorithm (MD5, SHA-1).
- These are prone to dictionary attacks: the attacker can easily calculate the hash values for the whole dictionary and compare them with the stored hashes.
Thwarting Dictionary Attack
- To reduce the possibility of dictionary attacks, a widely used password security technique is the use of a hashed password together with a salt value.
- The user selects a password. This is combined with a fixed-length salt value (e.g. a timestamp or a pseudorandom number).
- The combination of password and salt serves as the input to the hash function.
- The hashed password is then stored in the password file, together with the plaintext salt and the corresponding user ID.
Thwarting Dictionary Attack
Dictionary of hash values (unsalted; hash values truncated as on the slide):

  Password    Hash value
  123456      e10adc
  qwerty      d8578e
  football    37b4e2
  1234        81dc9
  welcome     40be4

Salted password file:

  Password (not stored)   Salt (stored)   Hash value (stored)
  qwerty                  1               6dbd0
  football                2               80acd
  1234                    3               1c104
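The two tables above and the cracking-experiment transformations as runnable code, an added example that is not part of the slides: it expands the slides' example dictionary with the transformations described in the experiment (uppercase, reversal, o to zero), shows that a single precomputed hash table matches any unsalted MD5 entry, and shows that a per-user salt makes that table useless so the dictionary must be rehashed for every salt. Function names are my own; MD5 is used only because the slides use it.

```python
import hashlib
import secrets

# Constructed example dictionary built from the words on the slides.
BASE_WORDS = ["12345678", "qwerty", "football", "1234", "baseball", "welcome"]


def expand_dictionary(words):
    """Apply the transformations from the cracking experiment:
    uppercase variants, the reversed word, and 'o' replaced by zero."""
    expanded = set()
    for w in words:
        expanded.update({w, w.capitalize(), w.upper(), w[::-1], w.replace("o", "0")})
    return expanded


def md5_hex(text):
    # MD5 as on the slides; it is far too fast for real password storage.
    return hashlib.md5(text.encode()).hexdigest()


def in_dictionary(candidate, dictionary):
    """Policy check at password-change time: refuse anything in the expanded dictionary."""
    return candidate in dictionary


def precompute_table(dictionary):
    """Unsalted storage: one hash -> password table serves every user on every system."""
    return {md5_hex(w): w for w in dictionary}


def lookup_unsalted(stored_hash, table):
    return table.get(stored_hash)


def store_salted(password, salt=None):
    """Salted storage: a random per-user salt is kept in the clear beside the hash."""
    if salt is None:
        salt = secrets.token_hex(8)
    return salt, md5_hex(salt + password)


def verify_salted(password, salt, stored_hash):
    # Verification recomputes hash(salt + password); the attacker must do the same
    # once per salt, so the precomputed table no longer applies.
    return md5_hex(salt + password) == stored_hash


if __name__ == "__main__":
    words = expand_dictionary(BASE_WORDS)
    table = precompute_table(words)
    print("reject 'f00tball' at password change:", in_dictionary("f00tball", words))
    print("unsalted hash recovered from table:", lookup_unsalted(md5_hex("qwerty"), table))
    salt, h = store_salted("qwerty")
    print("same table against salted hash:", lookup_unsalted(h, table))
    print("verify with stored salt:", verify_salted("qwerty", salt, h))
```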