Identity Authentication

Authentication
• Basics
• Passwords
• Challenge-Response
• Biometrics
• Location
• Multiple Methods

3 Info-Sec 2023
Basics
• Authentication: binding of identity to subject
• Identity is that of external entity (my identity, Van,
etc.)
• Subject is computer entity (process, etc.)
• Note:
• message authentication is a different topic and
already mentioned in the applications of hash
functions

4 Info-Sec 2023
Establishing Identity
• One or more of the following
• What entity knows (eg. password)
• What entity has (eg. Identity card, smart card)
• What entity is (eg. fingerprints, retinal
characteristics)
• Where entity is (eg. In front of a particular terminal)

5
Authentication System
• We need a formal definition, rather abstract view,
of an AS
• A 5-tuple (A, C, F, L, S)
• A – a set: information that proves identity
• C – a set: information stored on computer and used to
validate authentication information
• F: a set of complementation functions; f : A  C
• To compute complement information from identity
information
• L: authentication functions that prove identity
• S: functions enabling entity to create, alter information in
A or C
6 Info-Sec 2023
Example
• Password system, with passwords stored on
line in clear text
• A set of strings making up passwords
• C=A
• F singleton set of identity function { I }
• L single equality test function { eq }
• S function to set/change password

7 Info-Sec 2023
Passwords
• Sequence of characters
• Examples: 10 digits, a string of letters, etc.
• Generated randomly, by user, by computer with user
input
• Sequence of words
• Examples: pass-phrases
• Algorithms
• Examples: challenge-response, one-time passwords

8 Info-Sec 2023
Storage
• Store as cleartext
• If password file compromised, all passwords revealed
• Encipher file
• Need to have decipherment, encipherment keys in
memory
• Reduces to previous problem  need something else
• Solution: Instead store one-way hash of password
• Got the file, attacker must still guess passwords or invert
the hash values

9 Info-Sec 2023
 Example: Unix
• By definition, a 5-tuple (A, C, F, L, S)
• A – a set: information that proves identity
• A = { strings of 8 chars or less }
• C – a set: information stored on computer and used to
validate authentication information
• C = {hash values of password}
• F: a set of complementation functions; f : A  C
• F = { versions of modified DES }
• L: authentication functions that prove identity
• L = { login,
login, su,
su, … }
• S: functions enabling entity to create, alter information in A
or C
• S = { passwd,
passwd, nispasswd,
nispasswd, passwd+,
passwd+, … }

10 Info-Sec 2023
 Example: Unix
• By definition, a 5-tuple (A, C, F, L, S)
• A – a set: information that proves identity
• A = { strings of 8 chars or less }
• C – a set: information stored on computer and used to
validate authentication information
• C = {hash values of password}
• F: a set of complementation functions; f : A  C
• F = { versions of modified DES }
• L: authentication functions that prove identity
• L = { login, su, … }
• S: functions enabling entity to create, alter information in A
or C
• S = { passwd, nispasswd, passwd+, … }

11 Info-Sec 2023
Attacking passwords
• Goal: find a  A such that:
• For some f  F, f(a) = c  C
• c is associated with entity
• Two ways to determine whether a meets these
requirements:
• By trying computing f(a) for a set of a values until
succeed
• By trying calling I(a) until succeed (I(a) returns true)

12 Info-Sec 2023
Preventing Attacks
• How to prevent this:
• Hide one of a, f, or c
• Prevents obvious attack from above
• Example: UNIX/Linux shadow password files
• Hides the c’s
• Block access to all l  L or result of l(a)
• Prevents attacker from knowing if guess succeeded
• Example: preventing any logins to an account from a
network
• Prevents knowing results of l (or accessing l)

13 Info-Sec 2023
Dictionary Attacks
• Trial-and-error from a list of potential
passwords
• Off-line: know f and c’s, and repeatedly try different
guesses g  A until the list is done or passwords
guessed
• Examples: crack, john-the-ripper
• On-line: have access to functions in L and try
guesses g until some l(g) succeeds
• Examples: trying to log in by guessing a password

14 Info-Sec 2023
Success probability over a time
period
Anderson’s formula:
• P probability of guessing a password in
specified period of time
• G number of guesses tested in 1 time unit
• T number of time units
• N number of possible passwords (|A|)
• Then P ≥ TG/N

15 Info-Sec 2023
Example
• Goal
• Passwords drawn from a 96-char alphabet
• Can test 104 guesses per second
• Probability of a success to be 0.5 over a 365 day period
• What is minimum password length?
• Solution
• N ≥ TG/P = (365246060)104/0.5 = 6.311011
• Choose s such that sj=0 96j ≥ N
• So s ≥ 6, meaning passwords must be at least 6 chars
long

16 Info-Sec 2023
Exercise
X = number defined by last 2 digits of your student ID; Y = X mod 4
Assume that H is a cryptographic hash function with output size (Y+2)*16
bits. Assume that Scorpion-i (i=1-9) is a specifically designed line of hardware
chips for computing H, where Scorpion-i can create 10i * 1000 hash values a
second (e.g. Scorpion-2 can do 100,000 hashes/sec). This product line is the
best, fastest and affordable, in the market, priced at ii/2 *$1000 (e.g $2000 for
i=2, $16000 for i=4).

An authentication system requires its users to pick their passwords of length

exactly 6 from an alphabet of size N=(X mod 50)+ 40. Using H, this system
maintains the hash values of the passwords of all the users. An enemy, who has
gained access to this hashed password file, aims to launch an off-line attack to
break the password of an important user. Using the Scorpion chips, how much
the enemy has to spend in order to finish within a month with success
probability (6+Y)*10%?

17
On password selection
• Random selection
• Any password from A equally likely to be selected
• Pronounceable passwords
• User selection of passwords

18 Info-Sec 2023
Pronounceable Passwords
• Generate phonemes randomly
• Phoneme is unit of sound, eg. cv, vc, cvc, vcv
• Examples: helgoret, juttelon are; przbqxdfl, zxrptglfn are not
• Problem: too few
• Solution: key crunching
• Run long key through hash function and convert to printable
sequence
• Use this sequence as password

19 Info-Sec 2023
User Selection
• Problem: people pick easy to guess passwords
• Based on account names, user names, computer names,
place names
• Dictionary words (also reversed, odd capitalizations, control
characters, “elite-speak”, conjugations or declensions, swear
words, Torah/Bible/Koran/… words)
• Too short, digits only, letters only
• License plates, acronyms, social security numbers
• Personal characteristics or foibles (pet names, nicknames, job
characteristics, etc.

20 Info-Sec 2023
Picking Good Passwords
• “LlMm*2^Ap”
• Names of members of 2 families
• “OoHeO/FSK”
• Second letter of each word of length 4 or more in third line of
third verse of Star-Spangled Banner, followed by “/”, followed
by author’s initials
• What’s good here may be bad there
• “DMC/MHmh” bad at Dartmouth (“Dartmouth Medical
Center/Mary Hitchcock memorial hospital”), ok here
• Why are these now bad passwords? 

21 Info-Sec 2023
Proactive Password Checking
• Analyze proposed password for “goodness”
• Always invoked
• Can detect, reject bad passwords for an appropriate
definition of “bad”
• Discriminate on per-user, per-site basis
• Needs to do pattern matching on words
• Needs to execute subprograms and use results
• Spell checker, for example
• Easy to set up and integrate into password selection
system

22 Info-Sec 2023
Salting
• Goal: slow dictionary attacks
• Method: perturb hash function so that:
• Parameter controls which hash function is used
• Parameter differs for each password
• So given n password hashes, and therefore n salts,
need to hash guess n

23 Info-Sec 2023
Examples
• Vanilla UNIX method
• Use DES to encipher 0 message with password as
key; iterate 25 times
• Perturb E table in DES in one of 4096 ways
• 12 bit salt flips entries 1–11 with entries 25–36
• Alternate methods
• Use salt as first part of input to hash function

24 Info-Sec 2023
Unix actually is …
• UNIX system standard hash function
• Hashes password into 11 char string using one of 4096
hash functions
• As authentication system:
• A = { strings of 8 chars or less }
• C = { 2 char hash id || 11 char hash }
• F = { 4096 versions of modified DES }
• L = { login, su, … }
• S = { passwd, nispasswd, passwd+, … }

25 Info-Sec 2023
 Exercise
Assume that H is a cryptographic hash function with output size (Y+2)*16 bits.
Assume that Scorpion-i (i=1-9) is a specifically designed line of hardware chips for
computing H, where Scorpion-i can create 10i * 1000 hash values a second, priced
at ii/2 *$1000.
1. An authentication system requires its users to pick their passwords of length
exactly 6 from an alphabet of size N=(X mod 50)+ 40. Using H, this system
maintains the hash values of the passwords of all the users. An enemy, who has
gained access to this hashed password file, aims to launch an off-line attack to break
the password of an important user. Using the Scorpion chips, how much the enemy
has to spend in order to finish within a month with success probability (6+Y)*10%?
2. The owner decides to enhance the above password system by using salt so that
the enemy will need to spend at least 10 times the above mentioned amount of
money to achieve the same goal. How many salt bits he/she need to use to achieve
this purpose ?

26
Salt with slow hash
• Hash password with salt
• Choose random salt s and compute
y = h(password, s)
and store (s,y) in the password file
• Note that the salt s is not secret
• Analogous to IV
• Still easy to verify salted password
• But lots more work for Hacker
• Why?
Part 2  Access Control

27
Password Cracking:
Do the Math – Homework
• Assumptions:
• Pwds are 8 chars, 128 choices per character
• Then 1288 = 256 possible passwords
• There is a password file with 210 pwds
• Attacker has dictionary of 220 common pwds
• Probability 1/4 that password is in dictionary
• Work is measured by number of hashes

Part 2  Access Control

28
Password Cracking: Case I
• Attack 1 specific password without using a
dictionary
• E.g., administrator’s password
• Must try 256/2 = 255 on average
• Like exhaustive key search
• Does salt help in this case?

Part 2  Access Control

29
Password Cracking: Case II
• Attack 1 specific password with dictionary
• With salt
• Expected work: 1/4 (219) + 3/4 (255) ≈ 254.6
• In practice, try all pwds in dictionary…
• …then work is at most 220 and probability of
success is 1/4
• What if no salt is used?
• One-time work to compute dictionary: 220
• Expected work is of same order as above
• But with precomputed dictionary hashes, the “in
practice” attack is essentially free…
Part 2  Access Control

30
Password Cracking: Case III
• Any of 1024 pwds in file, without dictionary
• Assume all 210 passwords are distinct
• Need 255 comparisons before expect to find pwd
• If no salt is used
• Each computed hash yields 210 comparisons
• So expected work (hashes) is 255/210 = 245
• If salt is used
• Expected work is 255
• Each comparison requires a hash computation
Part 2  Access Control

31
Password Cracking: Case IV
• Any of 1024 pwds in file, with dictionary
• Prob. one or more pwd in dict.: 1 – (3/4)1024 ≈ 1
• So, we ignore case where no pwd is in dictionary
• If salt is used, expected work less than 222
• See book, or slide notes for details
• Work ≈ size of dictionary / P(pwd in dictionary)
• What if no salt is used?
• If dictionary hashes not precomputed, work is about
219/210 = 29
Part 2  Access Control

32
Guessing Through L
• Cannot prevent these
• Otherwise, legitimate users cannot log in
• Make them slow
• Backoff
• Disconnection
• Disabling
• Be very careful with administrative accounts!
• Jailing
• Allow in, but restrict activities

33 Info-Sec 2023
Password Aging
• Force users to change passwords after some
time has expired
• How do you force users not to re-use passwords?
• Record previous passwords
• Block changes for a period of time
• Give users time to think of good passwords
• Don’t force them to change before they can log in
• Warn them of expiration days in advance

34 Info-Sec 2023
Challenge-Response

• User, system share a secret function f (in practice, f is a

known function with unknown parameters, such as a
cryptographic key)

request to authenticate
user system
random message r
user (the challenge)
system

f(r)
user (the response)
system

Info-Sec 2023 35
 Pass Algorithms
• Challenge-response with the function f itself a secret
• Challenge is a random string of characters
• Response is some function of that string
• Usually used in conjunction with fixed, reusable password

36 Info-Sec 2023
One-Time Passwords
• Password that can be used exactly once
• After use, it is immediately invalidated
• Challenge-response mechanism
• Challenge is number of authentications; response is password
for that particular number
• Problems
• Synchronization of user, system
• Generation of good random passwords
• Password distribution problem

37 Info-Sec 2023
S/Key
• One-time password scheme based on idea of
Lamport
• h one-way hash function (MD5 or SHA-1, for
example)
• User chooses initial seed k
• System calculates:
h(k) = k1, h(k1) = k2, …, h(kn–1) = kn
• Passwords are reverse order:
p1 = kn, p2 = kn–1, …, pn–1 = k2, pn = k1

38 Info-Sec 2023
S/Key Protocol
System stores maximum number of authentications n, number
of next authentication i, last correctly supplied password pi–1.
{ name }
user system
{i}
user system

{ pi }
user system

System computes h(pi) = h(kn–i+1) = kn–i+2 = pi–1. If match with

what is stored, system replaces pi–1 with pi and increments i.

Info-Sec 2023 39
Hardware Support
• Token-based
• Used to compute response to challenge
• May encipher or hash challenge
• May require PIN from user
• Temporally-based
• Every minute (or so) different number shown
• Computer knows what number to expect when
• User enters number and fixed password

40 Info-Sec 2023
C-R and Dictionary Attacks
• Same as for fixed passwords
• Attacker knows challenge r and response f(r); if f
encryption function, can try different keys
• May only need to know form of response; attacker can tell
if guess correct by looking to see if deciphered object is of
right form
• Example: Kerberos Version 4 used DES, but keys had 20
bits of randomness; Purdue attackers guessed keys
quickly because deciphered tickets had a fixed set of bits
in some locations

41 Info-Sec 2023
Encrypted Key Exchange
• Defeats off-line dictionary attacks
• Idea: random challenges enciphered, so attacker cannot verify
correct decipherment of challenge
• Assume Alice, Bob share secret password s
• In what follows, Alice needs to generate a random public key p
and a corresponding private key q
• Also, k is a randomly generated session key, and RA and RB
are random challenges

42 Info-Sec 2023
EKE Protocol
Alice || Es(p)
Alice Bob
Es(Ep(k))
Alice Bob
Now Alice, Bob share a randomly generated
secret session key k
Ek(RA)
Alice Bob
Ek(RARB)
Alice Bob
Ek(RB)
Alice Bob

Info-Sec 2023 43
Biometrics
• Automated measurement of biological, behavioral
features that identify a person
• Fingerprints: optical or electrical techniques
• Maps fingerprint into a graph, then compares with
database
• Measurements imprecise, so approximate matching
algorithms used
• Voices: speaker verification or recognition
• Verification: uses statistical techniques to test hypothesis
that speaker is who is claimed (speaker dependent)
• Recognition: checks content of answers (speaker
independent)

44 Info-Sec 2023
Other Characteristics
• Can use several other characteristics
• Eyes: patterns in irises unique
• Measure patterns, determine if differences are random; or
correlate images using statistical tests
• Faces: image, or specific characteristics like distance
from nose to chin
• Lighting, view of face, other noise can hinder this
• Keystroke dynamics: believed to be unique
• Keystroke intervals, pressure, duration of stroke, where
key is struck
• Statistical tests used

45 Info-Sec 2023
Cautions
• These can be fooled!
• Assumes biometric device accurate in the environment it
is being used in!
• Transmission of data to validator is tamperproof, correct

46 Info-Sec 2023
Location
• If you know where user is, validate identity by
seeing if person is where the user is
• Requires special-purpose hardware to locate user
• GPS (global positioning system) device gives location
signature of entity
• Host uses LSS (location signature sensor) to get
signature for entity

47 Info-Sec 2023
Multiple Methods
• Example: “where you are” also requires entity to have LSS and
GPS, so also “what you have”
• Can assign different methods to different tasks
• As users perform more and more sensitive tasks, must
authenticate in more and more ways (presumably, more
stringently) File describes authentication required
• Also includes controls on access (time of day, etc.), resources,
and requests to change passwords

• Pluggable Authentication Modules

48 Info-Sec 2023
PAM
• Idea: when program needs to authenticate, it checks central
repository for methods to use
• Library call: pam_authenticate
• Accesses file with name of program in /etc/pam_d
• Modules do authentication checking
• sufficient: succeed if module succeeds
• required: fail if module fails, but all required modules executed
before reporting failure
• requisite: like required, but don’t check all modules
• optional: invoke only if all previous modules fail

49 Info-Sec 2023
Example PAM File
auth sufficient /usr/lib/pam_ftp.so
auth required /usr/lib/pam_unix_auth.so use_first_pass
auth required /usr/lib/pam_listfile.so onerr=succeed \
item=user sense=deny
file=/etc/ftpusers

For ftp:
1. If user “anonymous”, return okay; if not, set
PAM_AUTHTOK to password, PAM_RUSER to name, and
fail
2. Now check that password in PAM_AUTHTOK belongs to
that of user in PAM_RUSER; if not, fail
3. Now see if user in PAM_RUSER named in /etc/ftpusers; if
so, fail; if error or not found, succeed

50 Info-Sec 2023
Key Points
• Authentication is not cryptography
• You have to consider system components
• Passwords are here to stay
• They provide a basis for most forms of authentication
• Protocols are important
• They can make masquerading harder
• Authentication methods can be combined
• Example: PAM

51 Info-Sec 2023
Kerberos
• A computer network authentication protocol
• which allows nodes communicating over a non-
secure network to prove their identity to one
another in a secure manner.
• Details:
• Self-study materials from Internet

52 Info-Sec 2023
http://pc.vietica.com/van.nguyen/InfoSec-
VietNhat/InfoSec.htm