ch03 (User Authentication)

Uploaded by SAHITHI

Computer Security: Principles and Practice

Chapter 3: User Authentication


User Authentication
• Fundamental security building block
– basis of access control and user accountability
• The process of verifying an identity claimed by or for a system entity
• Two steps:
– identification: specify an identifier
– verification: bind the entity (person) to the identifier
• Distinct from message authentication (where communicating parties are concerned with the integrity of the exchanged messages)

2
Means of user authentication
• Four means of authenticating a user's identity
• Based on something the individual
– knows, e.g. password, PIN
– possesses, e.g. key, token, smartcard
– is (static biometrics), e.g. fingerprint, retina
– does (dynamic biometrics), e.g. voice, signature
• Can be used alone or combined
• All can provide user authentication
• All have issues

3
Password authentication
• Widely used user authentication method
– user provides name/login and password
– system compares the password with the one saved for the specified login
• Authenticates the ID of the user logging on, and
– that the user is authorized to access the system
– determines the user's privileges
– is used in discretionary access control

4
Password vulnerabilities
• offline dictionary attack
• specific account attack
• popular password attack (against a wide range of IDs)
• password guessing against a single user (with previous knowledge about the user)
• workstation hijacking
• exploiting user mistakes
• exploiting multiple password use
• electronic monitoring

5
Countermeasures
• stop unauthorized access to the password file
• intrusion detection measures
• account lockout mechanisms
• policies against using common passwords, requiring hard-to-guess passwords instead
• training and enforcement of policies
• automatic workstation logout
• encrypted network links

6
Use of hashed passwords

7
Why a salt value?
• Prevents duplicate passwords from being visible in the password file
• Increases the difficulty of offline dictionary attacks
• Makes it nearly impossible to tell whether a person used the same password on multiple systems

8
Improved implementations
• Other, stronger, hash/salt variants exist
• Many systems now use MD5
– with a 48-bit salt
– password length is unlimited
– hashed with an inner loop of 1000 iterations
– produces a 128-bit hash
• OpenBSD uses a hash algorithm based on the Blowfish block cipher, called Bcrypt
– uses a 128-bit salt to create a 192-bit hash value
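To make the hashed-password, salt and iteration slides concrete, here is an added example (not code from the textbook or the slides) of how a password-file entry is created and checked: a random 128-bit salt, an iterated hash, and a constant-time comparison. The choice of PBKDF2-HMAC-SHA256 (standing in for the MD5 inner loop and bcrypt on the slides), the 100,000-round work factor and the `salt$digest` record layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumptions for this example: PBKDF2-HMAC-SHA256 as the iterated hash, a
# 128-bit salt (the size used by bcrypt on the slide) and a 100,000-round
# inner loop standing in for the slide's 1000-round MD5 loop.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def make_record(password: str) -> str:
    """Password-file entry: salt and digest are stored side by side, the salt in the clear."""
    salt, digest = hash_password(password)
    return f"{salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-hash the offered password with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_hides_duplicates() -> bool:
    """Two users who chose the same password get different records because their salts differ."""
    a = make_record("correct horse")   # constructed sample password
    b = make_record("correct horse")
    return a != b and verify_record("correct horse", a) and verify_record("correct horse", b)
```

The salt is not secret; its job is to force an attacker to redo the whole iterated computation for every record rather than once per candidate password, which is exactly why precomputed tables stop paying off as the salt grows.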

9
Password Cracking
• Dictionary attacks
– try each word, then obvious variants, from a large dictionary against the hashes in the password file
• Rainbow table attacks
– start from a large dictionary of possible passwords
– for each password, pre-compute tables of hash values for all salts
– a mammoth table of hash values: e.g. a 1.4GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 secs
– not feasible if larger salt values are used: the entire rainbow table must be calculated for each salt value

10
Password choices/concerns
• Study at Purdue University
• users may pick short passwords
– e.g. 3% were 3 chars or less, easily guessed
– the system can reject choices that are too short
• users may pick guessable passwords
– so crackers use lists of likely passwords
– e.g. one study of 14000 encrypted passwords guessed nearly 1/4 of them
– it would take about 1 hour on the fastest systems to compute all variants

11
Another case study
• An analysis of passwords used by 25,000 students
• Over 10% recovered after 10^10 guesses

12
Using Better Passwords
• Clearly there are problems with passwords
• Goal: eliminate guessable passwords
– while keeping passwords easy for the user to remember
• Techniques
– user education
– computer-generated passwords
– reactive password checking (periodic checking)
– proactive password checking (at the time of selection)

13
Proactive Password Checking
• Rule enforcement plus user advice, e.g.
– 8+ chars, upper/lower/numeric/punctuation
– may not suffice
• Password cracker
– list of bad passwords
– time and space issues
• Markov Model
– generates guessable passwords
– hence reject any password it might generate
• Bloom Filter
– used to build a table from a dictionary using hashes
– check the desired password against this table
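An added example (not from the textbook or the slides) of the proactive checker described on this slide and the previous one: rule enforcement for length and character classes, combined with a Bloom filter built from a dictionary of bad passwords and their obvious variants, so the check costs a few hashes and a bit array instead of a full cracker run. The rule set, the constructed ten-word dictionary, the variant list and the filter sizing are assumptions of this example.

```python
import hashlib
import math
import string
from typing import Iterable, Iterator, List


class BloomFilter:
    """Compact set of dictionary words: may report false positives, never false negatives."""

    def __init__(self, capacity: int, false_positive_rate: float = 1e-4):
        # Standard sizing: m bits and k hash functions for `capacity` items at the target rate.
        self.m = math.ceil(-capacity * math.log(false_positive_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # k bit positions derived from SHA-256 of (index || item); index makes them independent.
        data = item.encode("utf-8")
        for i in range(self.k):
            h = hashlib.sha256(i.to_bytes(2, "big") + data).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Constructed stand-in for a cracker's word list; a real one has millions of entries.
BAD_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome",
                 "monkey", "dragon", "football", "iloveyou", "admin"]


def variants(word: str) -> Iterator[str]:
    """The word plus the obvious variants a cracker tries first (assumed list for this example)."""
    yield word
    yield word + "!"
    for d in "0123456789":
        yield word + d
        yield word + d + "!"


def build_filter(words: Iterable[str], capacity: int = 100_000) -> BloomFilter:
    """Insert every word and variant, lower-cased, into a filter sized for a real dictionary."""
    bf = BloomFilter(capacity)
    for w in words:
        for v in variants(w):
            bf.add(v.lower())
    return bf


def check_password(candidate: str, bad: BloomFilter, min_len: int = 8) -> List[str]:
    """Return the reasons to reject the candidate; an empty list means it is accepted."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = [any(c.isupper() for c in candidate), any(c.islower() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate)]
    if not all(classes):
        reasons.append("must mix upper, lower, digits and punctuation")
    if candidate.lower() in bad:   # case-folded, so "Dragon7!" is caught by "dragon7!"
        reasons.append("appears in the dictionary of guessable passwords")
    return reasons
```

The filter is deliberately sized for the full dictionary rather than the ten constructed words, which keeps the false-positive rate at the configured level; a false positive only costs the user a second attempt, while a false negative (impossible with a Bloom filter) would let a guessable password through.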

14
Token-based authentication
• Objects user possesses to authenticate, e.g.
– memory card (magnetic stripe)
– smartcard

15
Memory Card
• stores but does not process data
• magnetic stripe card, e.g. bank card
• electronic memory card
• used alone for physical access (e.g., hotel rooms)
• some with password/PIN (e.g., ATMs)
• Drawbacks of memory cards include:
– need a special reader
– issues when the token is lost
– user dissatisfaction (OK for ATM, not OK for computer access)

16
Smartcard
• credit-card like
• has its own processor, memory, I/O ports
– ROM, EEPROM, RAM memory
• executes a protocol to authenticate with the reader/computer
– static: similar to memory cards
– dynamic: passwords created every minute; entered manually by the user or electronically
– challenge-response: the computer creates a random number; the smart card provides its hash
• also USB dongles (YubiKey 5 NFC)
– https://www.theverge.com/2019/2/22/18235173/the-best-hardware-security-keys-yubico-titan-key-u2f

17
Biometric authentication
• Authenticate user based on one of their physical
characteristics:
– facial
– fingerprint
– hand geometry
– retina pattern
– iris
– signature
– voice

18
Operation of a biometric system

• Verification is analogous to user login via a smart card and a PIN
• Identification uses biometric information but no IDs; the system compares the sample with the stored templates

19
Biometric Accuracy
• The system generates a matching score (a number) that quantifies the similarity between the input and the stored template
• Concerns: sensor noise and detection inaccuracy
• Leads to problems of false match and false non-match
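As an added example with constructed scores (not data from the textbook), the code below shows how the decision threshold applied to the matching score trades false matches against false non-matches, and finds the threshold at which the two error rates are equal.

```python
from typing import List, Tuple

# Constructed matching scores in [0, 1]; higher means the sample looks more like the template.
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.81, 0.67, 0.95, 0.58, 0.85, 0.79, 0.90]   # same person
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.41, 0.55, 0.18, 0.27]  # different person


def error_rates(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (false match rate, false non-match rate) when scores >= threshold are accepted."""
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)   # impostors let in
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)     # genuine users turned away
    return fmr, fnmr


def equal_error_point(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold; return (threshold, FMR, FNMR)
    at the point where the two rates are closest. Raising the threshold above it buys
    fewer false matches at the price of more false non-matches, and vice versa."""
    best = None
    for t in sorted(set(genuine + impostor)):
        fmr, fnmr = error_rates(t, genuine, impostor)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, t, fmr, fnmr)
    _, t, fmr, fnmr = best
    return t, fmr, fnmr
```

With these scores a threshold of 0.5 admits two of the ten impostor samples while rejecting no genuine ones, 0.7 does the opposite, and the rates meet at 0.61. Which side of that point to sit on is a policy decision: a door lock worries about false matches, a convenience feature about false non-matches.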

20
Remote User Authentication
• Authentication over a network is more complex
– problems of eavesdropping and replay
• Generally uses challenge-response
– user sends identity
– host responds with a random number r
– user computes f(r, h(P)) and sends it back
– host compares the value from the user with its own computed value; if they match, the user is authenticated
• Protects against a number of attacks
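The four-step exchange above, with both sides' messages, as an added example that is not the textbook's own code; it also covers the challenge-response mode of the smartcard slide and the replay countermeasure discussed later. Assumptions: h is SHA-256, f(r, h(P)) is HMAC-SHA256 keyed with h(P), the nonce r is 128 bits, and the host keeps at most one outstanding challenge per user.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def h(password: str) -> bytes:
    """h(P): the host stores this verifier, never the password itself (assumed: SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def f(r: bytes, hp: bytes) -> bytes:
    """f(r, h(P)): assumed to be HMAC-SHA256 keyed with h(P) over the nonce r."""
    return hmac.new(hp, r, hashlib.sha256).digest()


class Host:
    def __init__(self) -> None:
        self.verifiers: Dict[str, bytes] = {}   # user -> h(P)
        self.pending: Dict[str, bytes] = {}     # user -> outstanding nonce r

    def enroll(self, user: str, password: str) -> None:
        self.verifiers[user] = h(password)

    def challenge(self, user: str) -> Optional[bytes]:
        """Step 2: answer the identity claim with a fresh random nonce r."""
        if user not in self.verifiers:
            return None
        r = secrets.token_bytes(16)
        self.pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        """Step 4: recompute f(r, h(P)) and compare; every nonce is consumed exactly once."""
        r = self.pending.pop(user, None)
        if r is None:
            return False   # no outstanding challenge: a replayed or out-of-order message
        return hmac.compare_digest(f(r, self.verifiers[user]), response)


class Client:
    def __init__(self, user: str, password: str) -> None:
        self.user, self.hp = user, h(password)

    def respond(self, r: bytes) -> bytes:
        """Step 3: compute f(r, h(P)) from the nonce and the password."""
        return f(r, self.hp)


def run_login(host: Host, client: Client) -> Tuple[bool, bytes]:
    """Steps 1-4 in order; returns the verdict and the response an eavesdropper would see."""
    r = host.challenge(client.user)           # step 1 is the identity claim, step 2 the nonce
    response = client.respond(r)
    return host.verify(client.user, response), response


def replay_attempt(host: Host, user: str, captured: bytes) -> bool:
    """An eavesdropper resends a captured response after the host issues a new challenge."""
    host.challenge(user)
    return host.verify(user, captured)        # fails: the new nonce differs from the old one
```

The password never crosses the wire and a captured response is tied to a nonce that is never reused, which is what defeats eavesdropping and replay. Note that the host still stores h(P), which in this scheme is enough to answer a challenge, so the host-attack countermeasure from the later slide (protecting the password database) is not made redundant by challenge-response.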

22
Protocol for password verification
• A similar approach is used for token and biometric verification

23
Authentication Security Issues
• Client attacks: attacker attempts to achieve user authentication without access to the remote host
– Masquerade as a legitimate user (e.g., guess the password or try all passwords)
– Countermeasure: strong passwords; limit the number of attempts

24
Authentication Security Issues
• Host attacks: attacker attacks the host where passwords/passcodes are stored
– Countermeasure: hashing, protect password databases

25
Authentication Security Issues
• Eavesdropping: attacker attempts to learn passwords by observing the user, finding written passwords, keylogging
– Countermeasures
• diligence in keeping passwords secret
• multifactor authentication
• administrator revokes compromised passwords

26
Authentication Security Issues
• Replay: attacker repeats a previously captured user response
– Countermeasure
• Challenge-response
• 1-time passcodes

27
Authentication Security Issues

• eavesdropping
• replay
• trojan horse

28
Authentication Security Issues
• Trojan horse: an application or physical device masquerades as an authentic application or device
– Countermeasure: authentication of the client within a trusted security environment
• Denial of service: attacker attempts to disable a user authentication service (via flooding)
– Countermeasure: multifactor authentication with a token

29
Summary
• Introduced user authentication
– using passwords
– using tokens
– using biometrics
• Remote user authentication issues
• Example application and case study

30
