Chapter 3
User Authentication
© 2016 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
3.1 - System Access Concepts
• System access is the capability that restricts access to business
applications, mobile devices, systems, and networks to authorized
individuals for specific business purposes
• System access comprises three distinct functions:
o Authentication
• Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to
resources in an information system
• This function is often referred to as user authentication
o Authorization
• The granting of access or other rights to a user, program, or process to access system resources
• Defines what an individual or program can do after successful authentication
o Access control
• The process of granting or denying specific requests for accessing and using information and
related information processing services and for entering specific physical facilities
• Ensures that access to assets is authorized and restricted based on business and security
requirements
User Authentication
• RFC 4949 defines user authentication as: “The process of verifying an
identity claimed by or for a system entity.”
• NIST SP 800-63-3 (Digital Authentication Guideline, October 2016)
defines digital user authentication as: “The process of establishing
confidence in user identities that are presented electronically to an
information system.”
• User authentication is one of the most complex and challenging security
functions
• There are a wide variety of methods of authentication
• Three general authentication factors are:
• Password
• Hardware token
• Biometric
Authentication Process
• Fundamental building block and primary line of defense
• Basis for access control and user accountability
• Identification step
o Presenting an identifier to the security system
• Verification step
o Presenting or generating authentication information that corroborates the binding between the entity and the identifier
The four means of authenticating user identity are based on:
• Something the individual knows
o Password, PIN, answers to prearranged questions
• Something the individual possesses (token)
o Smartcard, electronic keycard, physical key
• Something the individual is (static biometrics)
o Fingerprint, retina, face
• Something the individual does (dynamic biometrics)
o Voice pattern, handwriting, typing rhythm
Table 10.1
Authentication Factors
Risk Assessment for User Authentication
• There are three separate concepts:
o Assurance Level
o Potential impact
o Areas of risk
Assurance Level
• Describes an organization’s degree of certainty that a user has presented a credential that refers to his or her identity
• More specifically is defined as:
o The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
o The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
• Four levels of assurance
o Level 1: Little or no confidence in the asserted identity’s validity
o Level 2: Some confidence in the asserted identity’s validity
o Level 3: High confidence in the asserted identity’s validity
o Level 4: Very high confidence in the asserted identity’s validity
Potential Impact
• FIPS 199 defines three levels of potential impact on
organizations or individuals should there be a breach
of security:
o Low
• An authentication error could be expected to have a limited adverse
effect on organizational operations, organizational assets, or
individuals
o Moderate
• An authentication error could be expected to have a serious adverse
effect
o High
• An authentication error could be expected to have a severe or
catastrophic adverse effect
Table 3.2
Maximum Potential Impacts for Each Assurance Level
3.2 - Password Authentication
• Widely used line of defense against intruders
o User provides name/login and password
o System compares password with the one stored for that specified login
• The user ID:
o Determines that the user is authorized to access the system
o Determines the user’s privileges
o Is used in discretionary access control
Password Vulnerabilities
• Offline dictionary attack
• Specific account attack
• Popular password attack
• Password guessing against single user
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use
• Electronic monitoring
THE VULNERABILITY OF PASSWORDS
• Attack strategies and countermeasures:
• Offline dictionary attack
• Although strong access controls are used to protect a system’s password file, determined hackers frequently
bypass such controls and gain access to password files. An attacker who obtains a system password file compares
the password hashes against hashes of commonly used passwords and if a match is found, the attacker gains
access by using that ID/password combination
• Countermeasures include controls to prevent unauthorized access to the password file, intrusion detection
measures to identify a compromise, and rapid reissuance of passwords in the event that the password file is
compromised
• Specific account attack
• In this type of attack, an attacker targets a specific account and submits password guesses until the correct
password is discovered
• The standard countermeasure is an account lockout mechanism, which locks out access to the account after a number of failed login
attempts
• Popular password attack
• A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs. A
user’s tendency is to choose a password that is easily remembered; this unfortunately makes the password easy
to guess
• Countermeasures include policies to inhibit the selection by users of common passwords and scanning the IP
addresses of authentication requests and client cookies for submission patterns
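The two countermeasures on this slide, an account lockout after repeated failures and a look at submission patterns per source address, are easy to get wrong in small ways (no lock expiry, counters never reset, no per-source view). The following is an added example, not code from the textbook or the slides, of a minimal login throttle that does both. The class and constant names, the thresholds, and the sample traffic are all constructed for this illustration.

```python
import time
from collections import defaultdict

# Added example (not from the slides): a login throttle implementing
# (a) an account lockout after MAX_FAILURES consecutive failed attempts and
# (b) a per-source-IP count of distinct accounts tried, which is the
# "one popular password against many user IDs" submission pattern.
# All policy values below are assumptions chosen for the example.
MAX_FAILURES = 5          # failed attempts before an account is locked
LOCKOUT_SECONDS = 900     # how long a lock lasts
IP_SPRAY_THRESHOLD = 10   # distinct accounts tried from one IP before flagging


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable so tests can advance time
        self.failures = defaultdict(int)         # user_id -> consecutive failures
        self.locked_until = {}                   # user_id -> unix time the lock expires
        self.ip_accounts = defaultdict(set)      # source_ip -> set of user_ids tried

    def is_locked(self, user_id):
        until = self.locked_until.get(user_id)
        if until is None:
            return False
        if self.clock() >= until:
            # lock expired: clear it and reset the failure counter
            del self.locked_until[user_id]
            self.failures[user_id] = 0
            return False
        return True

    def record_attempt(self, user_id, source_ip, success):
        """Update counters for one login attempt and return its status."""
        self.ip_accounts[source_ip].add(user_id)
        if self.is_locked(user_id):
            return "locked"
        if success:
            self.failures[user_id] = 0            # success resets the counter
            return "ok"
        self.failures[user_id] += 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.locked_until[user_id] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"

    def spraying_sources(self):
        """Source IPs that have tried more than IP_SPRAY_THRESHOLD distinct accounts."""
        return sorted(ip for ip, accounts in self.ip_accounts.items()
                      if len(accounts) > IP_SPRAY_THRESHOLD)


def demo():
    # Constructed sample traffic: one address repeatedly failing on a single
    # account, another trying one guess each against many accounts.
    now = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    statuses = [throttle.record_attempt("alice", "203.0.113.5", False) for _ in range(6)]
    for i in range(12):
        throttle.record_attempt(f"user{i}", "198.51.100.7", False)
    now[0] += LOCKOUT_SECONDS + 1                 # advance the clock past the lock
    after_expiry = throttle.record_attempt("alice", "203.0.113.5", True)
    return statuses, throttle.spraying_sources(), after_expiry


if __name__ == "__main__":
    print(demo())
```

The clock is injected rather than read directly so the expiry path can be exercised deterministically; in a real service the per-IP set would also need to age out, otherwise a long-lived proxy address eventually trips the threshold on its own.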
THE VULNERABILITY OF PASSWORDS
• Password guessing against a single user
• An attacker may attempt to gain knowledge about an account holder and system password policies and
uses that knowledge to guess the user’s password
• Countermeasures include training in and enforcement of password policies that make passwords
difficult to guess. Such policies address the secrecy, minimum length of the password, character set,
prohibition against using well-known user identifiers, and length of time before the password must be
changed
• Workstation hijacking
• In this type of attack, an attacker waits until a logged-in workstation is physically unattended
• The standard countermeasure is automatically logging out the workstation after a period of inactivity.
Intrusion detection schemes are used to detect changes in user behavior
• Exploiting user mistakes
• If the system assigns a password, then the user is more likely to write it down because it is difficult to
remember. This situation creates the potential for an adversary to read the written password. A user may
intentionally share a password to enable a colleague to share files, for example. Also, attackers are
frequently successful in obtaining passwords by using social engineering tactics that trick the user or an
account manager into revealing a password. Many computer systems are shipped with preconfigured
passwords for system administrators. Unless these preconfigured passwords are changed, they are easily
guessed
• Countermeasures include user training, intrusion detection, and simpler passwords combined with
another authentication mechanism
THE VULNERABILITY OF PASSWORDS
• Exploiting multiple password use
• Attacks become much more effective or damaging if different network devices
share the same or a similar password for a given user
• Countermeasures include a policy that forbids using the same or similar
password on particular network devices
• Electronic monitoring
• If a password is communicated across a network to log on to a remote system, it
is vulnerable to eavesdropping. Simple encryption does not fix this problem
because the encrypted password is, in effect, the password and can be observed
and reused by an adversary
Password Cracking
Dictionary attacks
• Develop a large dictionary of possible passwords and try each against the password file
• Each password must be hashed using each salt value and then compared to stored hash values
Rainbow table attacks
• Pre-compute tables of hash values for all salts
• A mammoth table of hash values
• Can be countered by using a sufficiently large salt value and a sufficiently large hash length
Password crackers exploit the fact that people choose easily guessable passwords
• Shorter password lengths are also easier to crack
John the Ripper
• Open-source password cracker first developed in 1996
• Uses a combination of brute-force and dictionary techniques
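The defence the slide names against both dictionary and rainbow-table attacks is a per-password random salt combined with a hash that is deliberately expensive to compute. The following is an added example, not code from the textbook or the slides, showing the storage and verification side with the standard library's PBKDF2-HMAC-SHA256; the record format, salt length and iteration count are this example's own choices. The `dictionary_cost` helper makes the slide's point concrete: with distinct salts, every candidate word has to be rehashed once per salt.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): salted, iterated password hashing.
# ITERATIONS and SALT_BYTES are values chosen for this example.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2$<iterations>$<salt-hex>$<hash-hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # a fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash under the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False                       # malformed or unknown record format
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_record(password):
    """True if two users who pick the same password get identical stored records.
    With per-user random salts this is False, which is what defeats a
    precomputed (rainbow) table built for a single, shared salt."""
    return hash_password(password) == hash_password(password)


def dictionary_cost(stored_records, wordlist):
    """Number of hash computations an offline dictionary attack needs against
    these records: each candidate word must be rehashed under every distinct salt."""
    salts = {record.split("$")[2] for record in stored_records}
    return len(wordlist) * len(salts)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(same_password_same_record("hunter2"))
```

The iteration count is the knob that makes each guess expensive for the attacker as well as for the legitimate login; it should be stored with the record (as here) so it can be raised later without invalidating existing entries.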
Password File Access Control
Can block offline guessing attacks by denying access to encrypted passwords
• Make available only to privileged users
• Shadow password file
Vulnerabilities
• Weakness in the OS that allows access to the file
• Accident with permissions making it readable
• Users with same password on other systems
• Access from backup media
• Sniff passwords in network traffic
Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords
• However password-cracking techniques have also
improved
o The processing capacity available for password cracking has increased
dramatically
o The use of sophisticated algorithms to generate potential passwords
o Studying examples and structures of actual passwords in use
Password Selection Strategies
User education
Users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords
Computer generated passwords
Users have trouble remembering them
Reactive password checking
System periodically runs its own password cracker to find guessable passwords
Complex password policy
User is allowed to select their own password, however the system checks to see if the password is allowable, and if not, rejects it
Goal is to eliminate guessable passwords while allowing the user to select a password that is memorable
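The "complex password policy" strategy is a proactive checker: the user proposes a password and the system rejects it if it breaks policy. The following is an added example, not code from the textbook or the slides, that implements the kinds of rules the earlier slide lists (minimum length, character set, no well-known identifiers, no common passwords). The thresholds and the short common-password list are constructed for the example, not taken from any standard.

```python
import string

# Added example (not from the slides): a proactive password checker.
# MIN_LENGTH, the class requirement and COMMON_PASSWORDS are assumptions
# chosen for illustration; a real deployment would load a large list.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def check_password(password, user_id, personal_words=()):
    """Return the list of policy violations; an empty list means 'allowable'."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    # catch the common password itself and the usual "add a digit or !" variants
    stripped = lowered.rstrip("0123456789!")
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user identifier")
    for word in personal_words:                # e.g. name, birthday, pet
        if len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains personal information ({word})")
    if len(set(password)) <= 3:
        problems.append("too few distinct characters")
    return problems


def is_allowable(password, user_id, personal_words=()):
    return not check_password(password, user_id, personal_words)


if __name__ == "__main__":
    # constructed sample submissions
    for candidate in ["Password1!", "aliceSmith2024!", "Tr0ub4dor&3-plinth"]:
        print(candidate, check_password(candidate, "alice", ["Smith"]))
```

Returning the list of violations rather than a bare boolean lets the login UI explain the rejection, which is what keeps users from simply trying minor variations until one slips through.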
POPULARITY OF PASSWORD
Despite many security vulnerabilities, passwords remain the most commonly used user authentication technique
Reasons for the persistent popularity of passwords are:
• Techniques that utilize client-side hardware, such as fingerprint scanners and smart card readers, require the implementation of the appropriate user authentication software to exploit this hardware on both the client and server systems
• Physical tokens, such as smart cards, are expensive and/or inconvenient to carry around, especially if multiple tokens are needed
• Schemes that rely on a single sign-on to multiple services create a single point of security risk
• Automated password managers that relieve users of the burden of knowing and entering passwords have poor support for roaming and synchronization across multiple client platforms, and their usability had not been adequately researched
3.3 – Possession-Based Authentication
Embossed Cards
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined with a
password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction
Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• Interface:
o Manual interfaces include a keypad and display for interaction
o Electronic interfaces communicate with a compatible reader/writer
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols
• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports
• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed
Electronic Identity Cards (eID)
• Use of a smart card as a national identity card for citizens
• Can serve the same purposes as other national ID cards, and similar cards such as a driver’s license, for access to government and commercial services
• Can provide stronger proof of identity and can be used in a wider variety of applications
• In effect, is a smart card that has been verified by the national government as valid and authentic
• Most advanced deployment is the German card neuer Personalausweis
• Has human-readable data printed on its surface
o Personal data
o Document number
o Card access number (CAN)
o Machine readable zone (MRZ)
Threats to Possession-Based Authentication
• Hardware tokens are vulnerable to a variety of
threats, including:
o Theft
o Duplication
o Eavesdropping/replaying
o Replay
o Denial of service
o Host attack
3.4 - Biometric Authentication
• Attempts to authenticate an individual based on unique
physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when compared to
passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Physical Characteristics Used in Biometric Applications
• A number of different types of physical characteristics are either in use or under study
for user authentication. The most common are:
o Facial characteristics
• The most common means of human-to-human identification
• The most common approach is to define characteristics based on relative location and shape of key facial
features, such as eyes, eyebrows, nose, lips, and chin shape
• An alternative approach is to use an infrared camera to produce a face thermogram that correlates with the
underlying vascular system in the human face
o Fingerprints
• A fingerprint is the pattern of ridges and furrows on the surface of the fingertip
• In practice, automated fingerprint recognition and matching systems extract a number of features from the
fingerprint for storage as a numerical surrogate for the full fingerprint pattern
o Hand geometry
• Hand geometry systems identify features of the hand, including shapes, lengths, and widths of fingers
o Retinal pattern
• The pattern formed by veins beneath the retinal surface is unique and therefore suitable for identification
• A retinal biometric system obtains a digital image of the retinal pattern by projecting a low-intensity beam of
visual or infrared light into the eye
Physical Characteristics Used in Biometric Applications
o Iris
• Another unique physical characteristic is the detailed structure of the iris
• There has been a lot of research in this area, with significant gains in recent years in both
capture devices and recognition algorithms
• Newer cameras have much lower failure-to-capture rates and transaction times, and some have
the ability to collect iris images at a distance and in motion
• Recent research indicates that iris patterns change as the eye ages, so the need to retake iris
patterns after a long period may be necessary
o Signature
• Each individual has a unique style of handwriting and this is reflected especially in the
signature
• However, multiple signature samples from a single individual are not identical
• This complicates the task of developing a computer representation of the signature to be
matched to future samples
o Voice
• Voice patterns are closely tied to the physical and anatomical characteristics of the speaker
• Nevertheless, there is still a variation from sample to sample over time from the same speaker,
complicating the biometric recognition task
Biometric Accuracy Measurement
False match rate (FMR)
• The frequency with which biometric samples from different sources are erroneously assessed to be from the same source
False nonmatch rate (FNMR)
• The frequency with which samples from the same source are erroneously assessed to be from different sources
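A matcher normally outputs a similarity score and the system accepts when the score clears a threshold, so FMR and FNMR are both functions of that threshold and move in opposite directions. The following is an added example, not code from the textbook or the slides, that computes both rates from two constructed score lists (genuine comparisons and impostor comparisons) and sweeps the threshold to find where they cross; the scores and threshold grid are invented for the illustration.

```python
# Added example (not from the slides): FMR / FNMR as a function of the
# decision threshold. GENUINE_SCORES are constructed same-source comparison
# scores, IMPOSTOR_SCORES constructed different-source comparison scores.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.85, 0.60, 0.93, 0.82, 0.74, 0.89]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.22, 0.68, 0.30, 0.55, 0.18, 0.27, 0.45]


def false_match_rate(impostor_scores, threshold):
    """Fraction of different-source comparisons wrongly accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_nonmatch_rate(genuine_scores, threshold):
    """Fraction of same-source comparisons wrongly rejected (score < threshold)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_tradeoff(genuine, impostor, thresholds):
    """(threshold, FMR, FNMR) for each candidate threshold: raising the
    threshold lowers FMR and raises FNMR."""
    return [(t, false_match_rate(impostor, t), false_nonmatch_rate(genuine, t))
            for t in thresholds]


def crossover_threshold(genuine, impostor, thresholds):
    """Threshold at which |FMR - FNMR| is smallest, i.e. the equal-error point."""
    return min(thresholds,
               key=lambda t: abs(false_match_rate(impostor, t)
                                 - false_nonmatch_rate(genuine, t)))


if __name__ == "__main__":
    grid = [0.4, 0.5, 0.6, 0.7, 0.8]
    for t, fmr, fnmr in error_tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, grid):
        print(f"threshold {t:.1f}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("crossover near", crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, grid))
```

Which side of the crossover a deployment sits on is a policy choice: a door to a server room is tuned for a low FMR and tolerates re-tries, a convenience login is tuned for a low FNMR.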
An Iris Biometric System
3.5 - Remote User Authentication
• Authentication over a network, the Internet, or a
communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a password, replaying an authentication
sequence that has been observed
• Generally rely on some form of a challenge-response protocol
to counter threats
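The reason a challenge-response protocol counters eavesdropping and replay is that what crosses the link is a one-time response to a fresh challenge, never the secret itself, and the host only accepts a response for a challenge it has issued and not yet used. The following is an added example, not code from the textbook or the slides, with both sides of such an exchange; it also serves as an illustration of the challenge-response category of smart-token protocol from the earlier slide. The protocol details (a 16-byte random nonce, HMAC-SHA256 over the nonce with a shared secret) and all names are this example's own.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): nonce-based challenge-response between
# a host and a client that share a secret. The host remembers each outstanding
# nonce and discards it on first use, so a captured response cannot be replayed.


class Host:
    def __init__(self, secrets):
        self.secrets = secrets            # user_id -> shared secret (bytes)
        self.pending = {}                 # user_id -> nonce awaiting a response

    def challenge(self, user_id):
        """Issue a fresh random challenge for this user."""
        nonce = os.urandom(16)
        self.pending[user_id] = nonce
        return nonce

    def verify(self, user_id, nonce, response):
        """Accept only a correct response to the currently outstanding nonce."""
        expected_nonce = self.pending.pop(user_id, None)   # single use
        secret = self.secrets.get(user_id)
        if expected_nonce is None or secret is None:
            return False                  # no challenge outstanding, or unknown user
        if not hmac.compare_digest(expected_nonce, nonce):
            return False                  # stale or already-consumed challenge
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user_id, secret):
        self.user_id = user_id
        self.secret = secret

    def respond(self, nonce):
        """Prove knowledge of the secret without transmitting it."""
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


def run_exchange():
    """Legitimate login, a replay of the captured pair, and a wrong-secret attempt."""
    secret = os.urandom(32)                       # constructed shared secret
    host = Host({"alice": secret})
    client = Client("alice", secret)

    nonce = host.challenge("alice")
    response = client.respond(nonce)              # only nonce and response cross the link
    first = host.verify("alice", nonce, response)

    replayed = host.verify("alice", nonce, response)   # same pair presented again

    nonce2 = host.challenge("alice")
    wrong = host.verify("alice", nonce2, Client("alice", b"not the secret").respond(nonce2))
    return first, replayed, wrong


if __name__ == "__main__":
    print(run_exchange())          # (True, False, False)
```

What makes the replay fail is not the cryptography but the host's bookkeeping: once a nonce has been consumed it is gone, so even a perfectly captured response has nothing to match against. In practice the pending table also needs an expiry so abandoned challenges do not accumulate.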
AUTHENTICATION SECURITY ISSUES
• Client attacks
o Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
• Host attacks
o Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
• Eavesdropping
o Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
• Replay
o Adversary repeats a previously captured response
• Trojan horse
o An application or physical device masquerades as an authentic user application or device for the purpose of capturing a user password, passcode, or biometric
• Denial-of-service
o Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Table 3.4
Some Potential Attacks, Susceptible Authenticators, and Typical Defenses
Summary
• Electronic user authentication principles
o A model for electronic user authentication
o Means of authentication
o Risk assessment for user authentication
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
o Password selection strategies
• Token-based authentication
o Memory cards
o Smart cards
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
o Biometric accuracy
• Remote user authentication
o Password protocol
o Token protocol
o Static biometric protocol
o Dynamic biometric protocol
• Security issues for user authentication