Lecture 05- Understanding User Authentication

This document discusses user authentication, a critical security process for verifying user identities through various credentials. It outlines the importance of authentication in preventing unauthorized access to sensitive information and details different methods of authentication, including knowledge factors, possession factors, and biometric authentication. Additionally, it highlights security issues related to user authentication and explores wireless authentication prospects.


Computer Security

SEHS4515
Lesson Five

Understanding User Authentication


Dr. Umair Mujtaba Qureshi
Note: Most of the teaching material has been taken from the lectures of Dr. Adam Wong
User Authentication

What is authentication? What is user authentication?
• Authentication is a security process of verifying an entity based on the entity's credentials, i.e., the information it presents.
• User authentication is the same process applied to a human user: the user is verified through the credentials (given information) they present.
• User authentication is important for every human-computer interaction.
User Authentication: Email account
• When a user registers for an account, they must create a unique ID and key that will allow them to access millions of applications and services.
• Generally, a username and password are used as the ID and key, but the credentials can include other forms of keys as well. Such as?
User Authentication
• Authentication occurs when an entity presents credentials, and the credentials are verified as valid.
• For example, when a user logs on with a username and password, the system checks to ensure that the username and password are valid and, if so, authenticates the user.
• Essentially, the user authentication process gives users access to their own accounts (in the case of email) while attempting to block any unauthenticated users from gaining access.
• This means that User A can log in to their own account, while User B would be denied access. Conversely, User B could access their own account, while User A would be unable to.

Note: There is a difference between authentication and authorization. Just because a user can prove their identity by logging on doesn't necessarily mean they have the authority to access resources on a system. However, authentication is the first step in the process.
Four Means of User Authentication
• To authenticate a user, the user must provide a piece of information that can be used to verify the user's identity.
• The four means of authenticating user identity are based on:
  • Something the individual knows
    • e.g., password*, Personal Identification Number (PIN)*, answers to pre-arranged questions
  • Something the individual has (token)
    • e.g., smartcard, electronic keycard, physical key
  • Something the individual is (static biometrics)
    • e.g., fingerprint, retina, face
  • Something the individual does (dynamic biometrics)
    • e.g., voice pattern, handwriting, typing rhythm, gesture recognition and geo-trapping

* Difference between password and PIN: a PIN is by definition a number; a password may be a word or a number.
User Authentication Significance
• User authentication is a key step in many processes (such as the transmission and reception of data, accessing applications and services, and much more) that keeps unauthorized users from gaining access to sensitive information.
• A strengthened authentication process ensures that User A only has access to the information they need and can't see the sensitive information of User B.
• When your user authentication isn't secure, however, cybercriminals can break into the system and gain access, taking whatever information the compromised user is authorized to access.
  • Yahoo, Equifax, and Adobe have fallen victim to data breaches in the past and are prime examples of what happens when organizations fail to secure their websites.
Authentication Factors
• To confirm their identity, the user must provide evidence that only the legitimate user should be able to produce. This evidence is called an authentication factor, and there are three types:
  • Knowledge factors. Something the user must know in order to log in, such as a username, password, or PIN. The weakness of these factors is that they can be shared, guessed, or phished.
  • Possession factors. Something the user must have in order to log in. One-time codes and login links sent to a device (e.g., a Magic Link™), key fobs, ID cards, and physical tokens are all possession factors.
  • Inherence factors (often misspelled "inheritance"). Something the user is: a biological characteristic. Any biometric authentication process, such as fingerprint scanning or facial recognition, falls into this category.
Something the individual knows

Password Authentication
• Password authentication is widely used as a primary line of defense against intruders.
  • The user provides a name/login and password.
  • The system compares the password with the one stored for that login.
• Password selection strategies
  • User education
    • Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.
  • Computer-generated passwords
    • Users have trouble remembering them.
  • Reactive password checking
    • The system periodically runs its own password cracker to find guessable passwords and has those users change them.
  • Complex password policy (proactive password checking)
    • The user is allowed to select their own password; however, the system checks whether the password is allowable and, if not, rejects it.
    • The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable.
How Is the Password Stored?
• Hash function h: strings → strings
  • Given h(password), it is hard to find password.
  • No known algorithm is better than trial and error (guess a password, hash it, compare).
• The user's password is stored as h(password), never in the clear.

How Does the System Check the Password?
• When the user enters a password, the system computes h(password) and compares it with the entry in the password file.
Password Attacks
• Types of password attacks
  • Brute-force attack
  • Dictionary attack
  • Rainbow table attack
  • Replay attack
  • Phishing attack
  • Keyloggers
Strong Passwords
• Creating a strong password from a phrase
  • Start with a phrase that includes at least 14 characters.
  • Remove the spaces, and change the first letter in each word to uppercase.
  • Convert each letter "e" to the number 3.
  • Convert each letter "i" to an exclamation mark (!).
  • Examples:
    • "I love technology" → !Lov3T3chnology
    • "I will be certified" → !W!llB3C3rt!f!3d
• Caveat: these substitutions are well known and are standard mangling rules in password-cracking tools, so they add little against an attacker who can guess the underlying phrase. The length and unpredictability of the phrase matter far more than the character swaps.
Brute Force Attack
• The first way to attack a password system is the brute-force approach.
• A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
• Brute force aims at trying all possible combinations in the password space.
• Conditions for success (offline attack)
  • Direct access to the password file (the stored hashes)
  • A lot of computing power
• Online brute force against a live login is far slower and is usually stopped by rate limiting or account lockout.
Dictionary Attack
• The second way to attack is to use a typical password dictionary.
• A dictionary attack uses a restricted subset of the key space to defeat an authentication mechanism, trying thousands or millions of likely passwords or phrases, often obtained from lists leaked in past security breaches.
• Example: 1,000,000 entries of common passwords
  • People's names, common pet names, and ordinary words
  • Suppose you generate and test 10 guesses per second
    • This may be reasonable for an online attack against a website; offline, against stolen hashes, it is much faster
  • The dictionary attack completes in at most 1,000,000 / 10 = 100,000 seconds ≈ 28 hours, or 14 hours on average
• If passwords were random
  • Assume a 6-character password
  • Upper- and lowercase letters, digits, and 32 punctuation characters: 26 + 26 + 10 + 32 = 94 symbols
  • 94^6 = 689,869,781,056 password combinations
  • Exhaustive search at 10 guesses per second requires 1,093 years on average
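The attack described above, run against a constructed password file of unsalted hashes (the plain h(password) storage from the earlier slide). This is an added example, not code from the lecture; the wordlist, the users and their passwords are all constructed. It also applies the Strong Passwords recipe literally as one of its mangling rules, which is why the slide's own "strong" example falls in the first pass while a random password is never reached:

```python
"""Offline dictionary attack against unsalted password hashes (added example)."""
import hashlib


def h(password: str) -> str:
    """The slide's h(): the system stores h(password) and compares h(guess).
    Unsalted SHA-256 stands in for whatever hash the system uses."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle_phrase(phrase: str) -> str:
    """The Strong Passwords recipe, applied literally: drop spaces, capitalise
    each word, e/E -> 3, i/I -> !. Crackers ship equivalent 'leet' rules."""
    joined = "".join(w[:1].upper() + w[1:] for w in phrase.split())
    return (joined.replace("e", "3").replace("E", "3")
                  .replace("i", "!").replace("I", "!"))


def candidates(words):
    """Expand a base wordlist with cheap rules. Each rule multiplies the number
    of guesses by a small constant, so the attack stays far cheaper than
    exhaustive search over the full 94-symbol character space."""
    suffixes = ("", "1", "!", "123")
    for w in words:
        bases = {w, w.lower(), w.capitalize(), mangle_phrase(w)}
        for base in bases:
            for suffix in suffixes:
                yield base + suffix


def dictionary_attack(password_file: dict, words) -> dict:
    """Return {user: recovered_password} for every stored hash matched by a
    candidate. With unsalted hashes, one hash computation per guess is
    compared against every user at once."""
    users_by_hash = {}
    for user, digest in password_file.items():
        users_by_hash.setdefault(digest, []).append(user)
    recovered = {}
    for guess in candidates(words):
        for user in users_by_hash.get(h(guess), ()):
            recovered.setdefault(user, guess)
    return recovered


# Constructed password file: unsalted hashes, as stored on the earlier slide.
PASSWORD_FILE = {
    "alice": h("Password1"),        # dictionary word, capitalised, plus a digit
    "bob":   h("!Lov3T3chnology"),  # the slide's own 'strong password' example
    "carol": h("fluffy123"),        # pet name plus digits
    "dave":  h("7q$Kz!p9Rm#2Lw"),   # random: not derivable from any wordlist
}

# Constructed wordlist: common passwords, names, pet names, and phrases the
# attacker expects people to run through the well-known recipe.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon",
            "alice", "fluffy", "I love technology", "I will be certified"]

if __name__ == "__main__":
    recovered = dictionary_attack(PASSWORD_FILE, WORDLIST)
    for user, pw in recovered.items():
        print(f"{user}: {pw}")
    print("not recovered:", sorted(set(PASSWORD_FILE) - set(recovered)))
```

Nine base words expand to a few dozen guesses, and three of the four accounts fall; dave's random password is outside every rule's reach, which is the slide's point about randomness. Because the hashes are unsalted, each guess is hashed once and checked against all users, the property the salting slide below removes.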
Rainbow Table Attack
• In a dictionary attack, we need to spend time either sending each guess to the real system or running it through the hashing algorithm offline.
• Given a slow hashing or encryption algorithm, this wastes time. Also, the work being done cannot be reused against other targets.
• So we have a third way of attack, using a rainbow table.
• A rainbow table is a precomputed listing: the attacker runs every possible input through the algorithm once, stores the outputs (in practice compressed into chains of hashes), and then cracks any captured hash by lookup instead of recomputation.
• This only works when the same password always hashes to the same value, which is why salting (below) defeats it.
Video Tutorial

https://www.youtube.com/watch?v=SaAwW-6wV_Q&t=15s
Protect Against Attacks
• From the slide about dictionary attacks, we can see that a password would be more secure if it were random.
• However, a random password is difficult to memorize.
• So, what can the system do on its side? Use salt.
• Salt is random data that is used as additional input to the one-way function that hashes a password.
• The salt is stored alongside the hash so that it can be hashed together with the user's password at check time.
• Typically, the salt is tacked on right next to the hash, usually with some delimiter.
• Example (Unix crypt format):
  • $1$oaagVya9$NMvf1IyubxEYvrZTRSLgk0
  • 3 sections separated by $
  • 1 means "algorithm number 1", i.e., md5-crypt
  • oaagVya9 is our salt
  • NMvf1IyubxEYvrZTRSLgk0 is the resulting hash, encoded in crypt's own base64 alphabet (not a plain MD5 sum: md5-crypt iterates MD5 1000 times over the password and salt)
• What salt does and does not do:
  • It does not make a guessable password strong; a dictionary attack against one user still works.
  • It does defeat precomputed (rainbow) tables and stops an attacker from cracking every user who shares a password with a single hash computation.
  • md5-crypt is obsolete; modern systems use a deliberately slow, salted construction such as bcrypt, scrypt, Argon2, or PBKDF2.
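Salted storage in working form, as an added example that is not part of the lecture. It uses PBKDF2-HMAC-SHA256 from the Python standard library instead of the slide's md5-crypt, and writes records as $pbkdf2-sha256$<iterations>$<salt>$<hash>, a layout that mimics the $1$salt$hash example above but is this example's own convention, not a registered crypt identifier. The users and wordlist are constructed. The demo builds the attacker's precomputed lookup table once and shows it cracking every unsalted record while missing every salted one:

```python
"""Salted, slow password hashing versus a precomputed lookup table (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2-sha256"
ITERATIONS = 100_000  # deliberately slow: tune so one check costs tens of ms on the server
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Create the stored record. A fresh random salt per user means two users
    with the same password get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${ALGO}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count taken from the record and
    compare in constant time, so timing does not leak how many bytes matched."""
    _, algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported algorithm {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             _unb64(salt_b64), int(iterations))
    return hmac.compare_digest(dk, _unb64(hash_b64))


def unsalted(password: str) -> str:
    """The slide's plain h(password) storage, for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precompute_table(words, hash_fn) -> dict:
    """The attacker's one-off work: hash -> plaintext for a wordlist. A rainbow
    table is a compressed form of exactly this idea."""
    return {hash_fn(w): w for w in words}


def table_hits(table: dict, stored_values) -> list:
    """Plaintexts the table recovers from the stored values by lookup alone."""
    return [table[v] for v in stored_values if v in table]


# Constructed wordlist and users for the demonstration.
WORDLIST = ["password", "fluffy123", "letmein", "Password1", "qwerty"]
USERS = {"alice": "fluffy123", "bob": "fluffy123", "carol": "Password1"}


def demo() -> dict:
    """Precomputed table against unsalted storage (cracks everyone) and against
    salted storage (cracks nobody: the attacker must redo the slow KDF per salt,
    i.e. per user), plus a normal login check against the salted record."""
    table = precompute_table(WORDLIST, unsalted)
    unsalted_store = {u: unsalted(p) for u, p in USERS.items()}
    salted_store = {u: hash_password(p) for u, p in USERS.items()}
    salted_hash_part = [rec.split("$")[-1] for rec in salted_store.values()]
    return {
        "unsalted_cracked": sorted(table_hits(table, unsalted_store.values())),
        "salted_cracked": table_hits(table, salted_hash_part),
        "alice_bob_same_unsalted": unsalted_store["alice"] == unsalted_store["bob"],
        "alice_bob_same_salted": salted_store["alice"] == salted_store["bob"],
        "alice_login_ok": verify_password("fluffy123", salted_store["alice"]),
        "alice_wrong_pw": verify_password("fluffy124", salted_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the iteration count is stored in the record, so it can be raised later and old records re-hashed at next login, and verification uses hmac.compare_digest rather than == so that a byte-by-byte comparison does not leak timing information.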
Password File Access Control
• The password file should be protected from unauthorized access.
  • It should only be readable by privileged users (the shadow password file approach).
• Possible vulnerabilities
  • A weakness in the OS that allows access to the file
  • An accident with permissions making it readable
  • Users reusing the same password on other, weaker systems
  • Access from backup media
  • Sniffing passwords in network traffic
Something the individual has

Token

Card type              Defining feature                                  Example
Embossed cards         Raised characters only, on front                 Old credit card
Magnetic stripe cards  Magnetic bar on back, characters on front        Bank card
Memory cards           Electronic memory inside                         Prepaid phone card
Smart cards            Electronic memory and processor inside           Biometric ID card
  • Contact            Electrical contacts exposed on surface
  • Contactless        Radio antenna embedded inside
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
  • Can include an internal electronic memory
• Can be used alone for physical access, e.g., a hotel room key card
• Provides significantly greater security when combined with a password or PIN, e.g., an ATM card
• Drawbacks of memory cards include:
  • Requires a special reader
  • Loss of token
  • User dissatisfaction
Smart Tokens
• Physical characteristics
  • Include an embedded microprocessor
  • A smart token that looks like a bank card is a smart card
  • Can also look like calculators, keys, or other small portable objects
• Interface
  • Manual interfaces include a keypad and display for interaction
  • Electronic interfaces communicate with a compatible reader/writer
• Authentication protocol
  • Static
    • The user authenticates himself/herself to the token (e.g., with a PIN), and then the token authenticates the user to the computer
  • Dynamic password generator
    • The token generates a unique password periodically, e.g., every minute. This password is then entered into the computer system for authentication, either manually by the user or electronically via the token
  • Challenge-response
    • The computer system generates a challenge, such as a random string of numbers. The smart token generates a response based on the challenge. For example, public-key cryptography could be used: the token signs the challenge with its private key (loosely, "encrypts it with the private key"), and the system verifies the response with the token's public key. Because each challenge is fresh, a captured response cannot be replayed.
Something the individual is / does

Biometric Authentication
• Attempts to authenticate an individual based on unique physical characteristics
• Based on pattern recognition
• It is technically complex and expensive when compared to passwords and tokens
• Biometric technologies
  • Facial characteristics (static biometric)
  • Fingerprints (static biometric)
  • Hand geometry (static biometric)
  • Retinal pattern (static biometric)
  • Iris (static biometric)
  • Signature (dynamic biometric)
  • Voice (dynamic biometric)
• See also: https://github.com/google/mediapipe
Comparison of Biometric Technologies
Something the individual is/does

Requirement                       Fingerprints         Hand geometry      Retina       Iris        Face                          Signature            Voice
Ease of use                       High                 High               Low          Medium      Medium                        High                 High
Factors increasing error          Dryness, dirt, age   Hand injury, age   Glasses      Lighting    Lighting, age, glasses, hair  Changing signatures  Noise, colds
  incidence
Accuracy                          High                 High               Very high    Very high   High                          High                 High
User acceptance                   Medium               Medium             Medium       Medium      Medium                        High                 High
Long-term stability               High                 Medium             High         High        Medium                        Medium               Medium
Two-factor Authentication
• Two-factor authentication combines two authentication factors of different types (two passwords are still a single factor)
• Example: bank card
  • Something the user has – the card
  • Something the user knows – a PIN
Security Issues for User Authentication
• Eavesdropping
• Adversary attempts to learn the password by some sort of attack that involves the physical
proximity of user and adversary
• Host attacks
• Directed at the user file at the host where passwords, token, passcodes, or biometric
templates are stored
• Replay
• Adversary repeats a previously captured user response
• Trojan Horse
• An application or physical device masquerades as an authentic application or device for the
purpose of capturing a user password, passcode, or biometric
• Denial-of-Service
• Attempts to disable a user authentication service by flooding the service with numerous
authentication attempts
Wireless Authentication Prospects
• Authentication is an important step before two entities share information
• Authenticating proximity is even more challenging
• Harsh environments make wireless authentication even more problematic

[Figure: Human – Device Authentication and Device – Device Authentication, each relying on proximity.]

Wireless Authentication Prospects: Secure Localization
[Figure: secure localization across ROOM 1 and ROOM 2. An access point AP1 and reference points RP1, RP2, RP3 with their RF fingerprints FP and distances d, under line-of-sight (LOS) and non-line-of-sight (NLOS) conditions. Legend: Access Point (AP), IoT Device, Adversary device.]
Read if interested:
1. https://scholar.google.com.pk/citations?view_op=view_citation&hl=en&user=iZhnPyUAAAAJ&sortby=pubdate&citation_for_view=iZhnPyUAAAAJ:PELIpwtuRlgC
Wireless Authentication Types
• There are many different possibilities for wireless proximity-based authentication mechanisms
• Interest in secure localisation/authenticating proximity
  • Wire-based authentication mechanisms
  • Radio-based authentication mechanisms
  • Sound-based authentication mechanisms
  • Light-based authentication mechanisms
  • Image-based authentication mechanisms
  • Gesture- and biometrics-based authentication mechanisms
Read if interested:
1. https://ieeexplore.ieee.org/abstract/document/8057145?casa_token=Pi7lN8wdXhAAAAAA:kWFc377zm5WFPfiDufLxIOik2f9xRQfR8vMdVgklHueCZrzQZZag1oX78j15VYhA_6UPk-7r
2. https://ieeexplore.ieee.org/abstract/document/7945214?casa_token=qkah-b_LhncAAAAA:TK-yAOoCPOkEvUI35g070g35uahVLAuqBOOwkXPWeTMLY6HKFPQclX1049iieQNaPxR4WXLu
Participation Exercise 02 – Multifactor Authentication
• What is multifactor authentication? Explain multifactor authentication with the help of an example scenario. Make sure that the example scenario you develop uses more than 2 factors for authentication.
• Deadline: Next Thursday 17-03-22, 9:00pm. To be submitted on Moodle
• You are allowed to search online or use any resource for your example scenario
• What is expected?
  • About 2 pages; more is fine, but 2 pages is more than enough
  • Explain in your own words with a suitable example, adding figures
  • Advice: write simply and directly, so that anyone who reads your answer can afterwards explain multifactor authentication to others. You can try it out on your parents or siblings at home: if they understand, so will I.
