Chapter 3 of CYBR 250 discusses various means of user authentication, including knowledge-based, possession-based, biometric, and behavioral methods. It highlights the risks associated with user authentication, such as eavesdropping and password vulnerabilities, and outlines password security techniques and modern approaches to enhance password strength. The chapter concludes with strategies for effective password selection to mitigate security risks.

Uploaded by

Spencer

CYBR 250 – Information Security

Chapter 3 – User Authentication

Dr. Kambiz Ghazinour
Means of authenticating a user's identity
• Something the individual knows.
  • E.g. a password, a personal identification number (PIN), etc.
• Something the individual possesses (referred to as a token).
  • E.g. keycards, smart cards, and physical keys.
• Something the individual is (static biometrics).
  • E.g. fingerprint, retina, and face.
• Something the individual does (dynamic biometrics).
  • E.g. recognition by voice pattern, handwriting characteristics, and typing rhythm.

Risk Assessment for User Authentication
• Security risk assessment in general is dealt with in Chapter 14 of your textbook.
• In brief, there are 3 separate concepts:
  • Assurance level
  • Potential impact
  • Areas of risk

Potential Impact
• Standards for Security Categorization of Federal Information and Information Systems (2004) defines three levels of potential impact on organizations or individuals if there is a security breach:
  • Low. Limited impact.
  • Moderate. Serious adverse effect.
  • High. Catastrophic adverse effect.

Password Authentication
• Common way to defend against intruders
• User provides name/login and password
• System compares password with the one stored for that specified login
• The user ID determines that the user is authorized to access the system
• The user ID determines the user’s privileges
• Is mostly used in Discretionary Access Control (DAC) which will be discussed later

Authentication Security Issues
• Eavesdropping
  • Guessing, masquerading, or otherwise finding ways to obtain the username and password
• Host attack
  • Attack the file at the host where passwords and biometric templates are stored
• Replay
  • The adversary repeats a previously captured user response
• Client attack
  • The adversary searches the client's computer for the password, or for clues to it
• Trojan horse
  • An application or hardware device that spies on the user to capture the username and password
• Denial of service
  • The attacker attempts to disable a user authentication service by flooding the server

Password Vulnerabilities
• Offline dictionary attack. The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords.
• Specific account attack. Repeatedly guess the password of a particular account.
• Popular password attack. Take a popular password and try it against a wide range of users.
• Password guessing against a single user. Use knowledge about a user to guess that user's password.
• Workstation hijacking. The attacker waits until a logged-in workstation is unattended.
• Exploiting user mistakes. For example, a user might write the password down.
• Exploiting multiple password use. A user is likely to use the same password on many accounts/devices.
• Electronic monitoring. The attacker eavesdrops if the password is sent via email or over the network.

A Password Security Technique
• The UNIX password scheme and other operating systems use this method.
• The user selects or is assigned a password. This password is combined with a fixed-length salt value (a pseudorandom or random number).
• The password and salt value are input to the slow hash algorithm.
• The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID.

Figure 3.2 of your textbook
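The salt-and-slow-hash scheme on this slide, written out as an added example (this is not code from the textbook or the course; function names are my own, and PBKDF2-HMAC-SHA256 stands in for the slide's "slow hash algorithm"). The constructed password file shows that two users with the same password get different stored hashes, which is exactly what defeats precomputed hash tables.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example of the salted slow-hash scheme described on the slide.
# Function names are assumptions; PBKDF2-HMAC-SHA256 plays the role of the
# slide's "slow hash algorithm" (bcrypt or scrypt would also fit).
SALT_LEN = 16           # fixed-length salt: 128 random bits per user
ITERATIONS = 200_000    # work factor that makes every guess expensive


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record kept in the password file: plaintext salt plus hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for each new password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed password file: two users who happen to choose the same password.
PASSWORD_FILE = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("correct horse battery"),
}


def login(user: str, password: str) -> bool:
    """Look up the user's record and check the supplied password against it."""
    record = PASSWORD_FILE.get(user)
    if record is None:
        # Hash anyway so unknown and known user IDs take similar time
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    return verify_password(password, record)


def same_password_different_hashes() -> bool:
    """Salting means identical passwords produce different stored hashes."""
    return PASSWORD_FILE["alice"]["hash"] != PASSWORD_FILE["bob"]["hash"]
```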


Password Cracking
• Dictionary attacks
  • Try each entry of a large dictionary of possible passwords against the password file
• Rainbow table attacks
  • Pre-compute tables of hash values for all salt and password values
• Password crackers exploit the fact that people choose easily guessable passwords
• John the Ripper is a good example of open-source password cracking software, developed in 1996 and still in use: https://www.openwall.com/john/
• John the Ripper uses a combination of brute-force and dictionary techniques
Modern approaches
• Complex password policies (requiring a mix of uppercase, lowercase, digits, symbols, etc.) push users to pick stronger passwords
• However, password-cracking techniques have also improved
  • The processing capacity available for password cracking has increased dramatically
  • Sophisticated algorithms are used to generate potential passwords
  • Examples and structures of actual passwords in use are studied
Password Selection Strategies
• User education
• Computer generated passwords
• Reactive password checking
• Complex password policy
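As an added example of the "complex password policy" strategy (not code from the course or textbook; the thresholds, rule names and the small popular-password blocklist are my own assumptions), a selection-time check that also rejects the popular and user-derived passwords the earlier slides warn about:

```python
import re

# Added example, not from the slides: an illustrative complex-password policy
# applied when a user picks a password. Thresholds and the blocklist are
# assumptions; a real deployment would load a large leaked-password list.
MIN_LENGTH = 12
MIN_CLASSES = 3
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password_policy(password: str, username: str) -> list:
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    present = [n for n, pat in CLASS_PATTERNS.items() if re.search(pat, password)]
    if len(present) < MIN_CLASSES:
        problems.append("too few character classes")
    # Drop digits and symbols so "Password123!" is still caught as "password",
    # the kind of structure crackers learn from real password sets.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("popular password")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    if re.search(r"(.)\1{3,}", password):  # e.g. "aaaa"
        problems.append("long repeated run")
    return problems
```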

Summary
• User authentication
• Risk assessment
• Authentication security issues
• Password vulnerabilities
• Password cracking
• Password selection strategies
