Authentication

Posted: 20-Dec-2015 (Documents)

Transcript of Authentication

Page 1: Authentication

Page 2: Definitions

Identification - a claim about identity
– Who or what I am (global or local)

Authentication - confirming that claims are true
– I am who I say I am
– I have a valid credential

Authorization - granting permission based on a valid claim
– Now that I have been validated, I am allowed to access certain resources or take certain actions

Access control system - a system that authenticates users and gives them access to resources based on their authorizations
– Includes or relies upon an authentication mechanism
– May include the ability to grant coarse- or fine-grained authorizations, revoke or delegate authorizations

Slides modified from Lorrie Cranor, CMU

Page 3: Building blocks of authentication

Factors
– Something you know (or recognize)
– Something you have
– Something you are

Mechanisms
– Text-based passwords
– Graphical passwords
– Hardware tokens
– Public key crypto protocols
– Biometrics

Page 4: Two factor systems

Two factors are better than one
– Especially two factors from different categories

Question: What are some examples of two-factor authentication?
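One concrete answer to the question above, worked through as an added example that is not part of the slides: a password (something you know) combined with a counter-based one-time code from a hardware token (something you have), verified with the HOTP algorithm of RFC 4226. The user record, the PBKDF2 parameters and the look-ahead window are illustrative assumptions; the token secret is the one RFC 4226 uses for its published test vectors. A password plus a challenge question, by contrast, is two things you know, so it is not two factors in the slide's sense.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserRecord:
    """Hypothetical server-side record: the salted password hash (something
    you know) and the token's shared secret and counter (something you have)."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server will accept


def verify_login(user: UserRecord, password: str, code: str,
                 look_ahead: int = 3) -> bool:
    """Accept only if BOTH factors verify. The password is always checked so a
    wrong code and a wrong password cost the attacker the same; the counter
    only moves forward, so a captured code cannot be replayed."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)

    # Resynchronisation window: the token may have been pressed a few times
    # without the server ever seeing those codes.
    matched = None
    for c in range(user.counter, user.counter + look_ahead + 1):
        if hmac.compare_digest(hotp(user.token_secret, c), code.strip()):
            matched = c
            break

    if not pw_ok or matched is None:
        return False
    user.counter = matched + 1
    return True


if __name__ == "__main__":
    # RFC 4226 test secret; a real deployment provisions a random per-token secret.
    secret = b"12345678901234567890"
    alice = UserRecord("correct horse battery", secret)
    print(hotp(secret, 0))                                                # 755224
    print(verify_login(alice, "correct horse battery", hotp(secret, 0)))  # True
    print(verify_login(alice, "correct horse battery", hotp(secret, 0)))  # False (replay)
```

The two checks are deliberately independent of each other's outcome: the password hash is computed even when the code is wrong, and the token counter is only advanced after both succeed, so an attacker who has stolen one factor learns nothing about the other from the server's timing or state.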

Page 5: Evaluation

Accessibility
Memorability
– Depth of processing, retrieval, meaningfulness
Security
– Predictability, abundance, disclosure, crackability, confidentiality
Cost
Environmental considerations
– Range of users, frequency of use, type of access, etc.

Page 6: Typical password advice

Page 7: Typical password advice

Pick a hard to guess password
Don’t use it anywhere else
Change it often
Don’t write it down
– Do you? Bank = b3aYZ, Amazon = aa66x!, Phonebill = p$2$ta1

Page 8: Problems with Passwords

Selection
– Difficult to think of a good password
– Passwords people think of first are easy to guess
Memorability
– Easy to forget passwords that aren’t frequently used
– Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters
Reuse
– Too many passwords to remember
– A previously used password is memorable
Sharing
– Often unintentional through reuse
– Systems aren’t designed to support the way people work together and share information

Page 9: How long does it take to crack a password?

Brute force attack
Assuming 100,000 encryption operations per second
FIPS Password Usage
– 3.3.1 Passwords shall have maximum lifetime of 1 year

http://geodsoft.com/howto/password/cracking_passwords.htm#howlong

Character sets: 26 = lower case letters; 36 = lower case letters and digits; 52 = mixed case letters; 68 = single case letters with digits, symbols and punctuation; 94 = all displayable ASCII characters including mixed case letters

Password length | 26 characters   | 36 characters    | 52 characters     | 68 characters      | 94 characters
3               | 0.18 seconds    | 0.47 seconds     | 1.41 seconds      | 3.14 seconds       | 8.3 seconds
4               | 4.57 seconds    | 16.8 seconds     | 1.22 minutes      | 3.56 minutes       | 13.0 minutes
5               | 1.98 minutes    | 10.1 minutes     | 1.06 hours        | 4.04 hours         | 20.4 hours
6               | 51.5 minutes    | 6.05 hours       | 2.29 days         | 11.4 days          | 2.63 months
7               | 22.3 hours      | 9.07 days        | 3.91 months       | 2.13 years         | 20.6 years
8               | 24.2 days       | 10.7 months      | 17.0 years        | 1.45 centuries     | 1.93 millennia
9               | 1.72 years      | 32.2 years       | 8.82 centuries    | 9.86 millennia     | 182 millennia
10              | 44.8 years      | 1.16 millennia   | 45.8 millennia    | 670 millennia      | 17,079 millennia
11              | 11.6 centuries  | 41.7 millennia   | 2,384 millennia   | 45,582 millennia   | 1,605,461 millennia
12              | 30.3 millennia  | 1,503 millennia  | 123,946 millennia | 3,099,562 millennia | 150,913,342 millennia

(Each cell is alphabet size to the power of the length, divided by 100,000 guesses per second; the length-6 entries for 52 and 68 characters follow from that formula as 2.29 days and 11.4 days.)

Page 10: The Password Quiz

What is your score?
Do you agree with each piece of advice?
What is the most common problem in the class?
Any bad habits not addressed?

Page 11: Check your password

http://www.securitystats.com/tools/password.php

Question: Why don’t all sites do this?

https://www.google.com/accounts/EditPasswd
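An added example, not from the slides or the linked sites, that recomputes the crack-time table of Page 9 from its stated assumption (100,000 guesses per second, exhaustive search over every string of the given length) and then turns the same arithmetic into the kind of site-side check that Page 11 asks about. The five alphabets are the table's own; the blocklist and the sample passwords are constructed stand-ins for a leaked-password corpus; months are taken as 365/12 days.

```python
import math
import string

ASSUMED_RATE = 100_000  # guesses per second, as the crack-time table assumes

# The five alphabets behind the table's columns, smallest first
ALPHABETS = {
    "lower case letters": set(string.ascii_lowercase),                             # 26
    "lower case letters and digits": set(string.ascii_lowercase + string.digits),  # 36
    "mixed case letters": set(string.ascii_letters),                               # 52
    "single case letters, digits, symbols": set(
        string.ascii_lowercase + string.digits + string.punctuation),              # 68
    "all displayable ASCII": set(string.printable) - set(string.whitespace),       # 94
}

# Constructed blocklist standing in for a leaked-password corpus
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def brute_force_seconds(alphabet_size: int, length: int,
                        rate: float = ASSUMED_RATE) -> float:
    """Worst case for exhaustive search: every string of exactly `length`
    characters over the alphabet, at `rate` guesses per second."""
    return alphabet_size ** length / rate


# (unit, how many of it make the next unit); 365-day years
UNITS = [("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365 / 12),
         ("months", 12), ("years", 100), ("centuries", 10), ("millennia", None)]


def humanize(seconds: float) -> str:
    """Express a duration in the largest unit of the table in which it is >= 1."""
    value = seconds
    for name, per_next in UNITS:
        if per_next is None or value < per_next:
            break
        value /= per_next
    return (f"{value:,.0f}" if value >= 1000 else f"{value:.3g}") + " " + name


def crack_table(lengths=range(3, 13)) -> dict:
    """Recompute the table: rows are lengths, columns the five alphabets."""
    sizes = [len(a) for a in ALPHABETS.values()]
    return {n: [humanize(brute_force_seconds(s, n)) for s in sizes] for n in lengths}


def check_password(password: str) -> dict:
    """What a site-side checker can report: the smallest table alphabet the
    password fits, its worst-case brute-force cost, and whether it is on a
    known-password list. The brute-force figure is only meaningful for a
    uniformly random password; a blocklisted one falls in a few guesses."""
    chars = set(password)
    alphabet, size = "outside printable ASCII", None
    for name, letters in ALPHABETS.items():
        if chars <= letters:
            alphabet, size = name, len(letters)
            break
    result = {
        "length": len(password),
        "alphabet": alphabet,
        "alphabet_size": size,
        "blocklisted": password.lower() in BLOCKLIST,
    }
    if size is not None:
        result["bits"] = round(len(password) * math.log2(size), 1)
        result["brute_force"] = humanize(brute_force_seconds(size, len(password)))
    return result


if __name__ == "__main__":
    for n, row in crack_table().items():
        print(n, *row, sep="\t")
    for pw in ("b3aYZ", "aa66x!", "p$2$ta1", "letmein"):
        print(pw, check_password(pw))
```

Two things the code makes visible that the table cannot: the worst-case figure assumes a uniformly random password, and a checker that reports character classes alone rates letmein as a seven-letter lowercase password (about 22 hours) when it is in fact among the first guesses any cracker tries. Recomputing a published table from its own assumption, as crack_table does, is the check to run before quoting one.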

Page 12: Text-based passwords

Random (system or user assigned)
Mnemonic
Challenge questions (semantic)

Anyone ever had a system assigned random password? Your experience?

Page 13: Mnemonic Passwords

Phrase: Four score and seven years ago, our Fathers

First letter of each word (with punctuation): fsasya,oF
Substitute numbers for words or similar-looking letters: 4sa7ya,oF
Substitute symbols for words or similar-looking letters: 4s&7ya,oF

Source: Cynthia Kuo, SOUPS 2006

Page 14: The Promise?

Phrases help users incorporate different character classes in passwords
– Easier to think of character-for-word substitutions
Virtually infinite number of phrases
Dictionaries do not contain mnemonics

Source: Cynthia Kuo, SOUPS 2006

Page 15: Memorability of Password Study

Goal
– examine effects of advice on password selection in real world
Method: experiment
Independent variables?
– Advice given
Dependent variables?
– Attacks, length, requests, memorability survey

Page 16: Study, cont.

Conditions
– Comparison
– Control
– Random password
– Passphrase (mnemonic)

Students randomly assigned
Attacks performed one month later
Survey four months later

Page 17: Results

All conditions longer password than comparison group
Random & passphrase conditions had significantly fewer successful attacks
Requests for password the same
Random group kept written copy of password for much longer than others
Non-compliance rate of 10%

What are the implications?
What are the strengths of the study? Weaknesses?

Page 18: Mnemonic password evaluation

Mnemonic passwords are not a panacea, but are an interesting option
– No comprehensive dictionary today
May become more vulnerable in future
– Users choose music lyrics, movies, literature, and television
– Attackers incentivized to build dictionaries
Publicly available phrases should be avoided!

Source: Cynthia Kuo, SOUPS 2006
C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.
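An added example, not from the slides or the Kuo et al. paper, that implements the three construction steps of the Mnemonic Passwords slide (Page 13) and then plays the attacker that this slide warns about: a phrase dictionary combined with the same substitution rules users are told to apply. The rule tables, the three-phrase "dictionary" and the unsalted SHA-256 target are constructed for illustration. The code keeps each initial's case as written in the phrase, so stage 1 of the slide's example comes out as Fsasya,oF rather than fsasya,oF.

```python
import hashlib
import re

# Substitution rules of the kind shown on the Mnemonic Passwords slide:
# a whole word becomes a digit or symbol; any other word contributes its initial.
DIGITS = {"four": "4", "seven": "7", "to": "2", "for": "4", "one": "1", "two": "2"}
SYMBOLS = {"and": "&", "at": "@"}

TOKEN = re.compile(r"[A-Za-z']+|[^\sA-Za-z']")  # words, or single punctuation marks


def mnemonic(phrase: str, subs: dict = None) -> str:
    """Build the password from a phrase. With no rules this is the slide's
    stage 1 (initials plus punctuation); with DIGITS, stage 2; with
    DIGITS and SYMBOLS together, stage 3."""
    subs = subs or {}
    out = []
    for token in TOKEN.findall(phrase):
        if token[0].isalpha():
            out.append(subs.get(token.lower(), token[0]))
        else:
            out.append(token)
    return "".join(out)


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# The attacker's side: a tiny constructed phrase dictionary (famous opening
# lines) and the handful of rule variants users are told to apply.
PHRASE_DICTIONARY = [
    "Four score and seven years ago, our Fathers",
    "To be, or not to be, that is the question",
    "It was the best of times, it was the worst of times",
]
RULE_SETS = {"initials": {}, "digits": DIGITS, "digits+symbols": {**DIGITS, **SYMBOLS}}


def candidates(phrase: str):
    """Every password the rules can produce from one phrase, case-folded too."""
    for rule, subs in RULE_SETS.items():
        pw = mnemonic(phrase, subs)
        yield rule, pw
        yield rule + ",lowercase", pw.lower()


def phrase_dictionary_attack(target_hash: str, phrases=PHRASE_DICTIONARY):
    """Offline attack on an unsalted SHA-256 hash (illustrative; the point is
    the candidate set, not the hash). Returns (phrase, rule, password) or None."""
    for phrase in phrases:
        for rule, pw in candidates(phrase):
            if sha256_hex(pw) == target_hash:
                return phrase, rule, pw
    return None


if __name__ == "__main__":
    phrase = "Four score and seven years ago, our Fathers"
    print(mnemonic(phrase))                                   # Fsasya,oF
    print(mnemonic(phrase, DIGITS))                           # 4sa7ya,oF
    print(mnemonic(phrase, {**DIGITS, **SYMBOLS}))            # 4s&7ya,oF
    print(phrase_dictionary_attack(sha256_hex("4s&7ya,oF")))  # recovered: public phrase
    private = "My cat sneezes twice before every thunderstorm"
    print(phrase_dictionary_attack(sha256_hex(mnemonic(private, DIGITS))))  # None
```

The candidate set grows as (number of phrases) x (number of rule variants), not as the character-level keyspace, which is why "dictionaries do not contain mnemonics" holds only until someone builds the phrase list: the substitution rules that make the password look random are themselves few and public.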

Page 19: Password keeper software

Run on PC or handheld
Only remember one password

How many use one of these? Advantages? Disadvantages?

Page 20: “Forgotten password” mechanism

Email password or magic URL to address on file
Challenge questions
Why not make this the normal way to access infrequently used sites?

Page 21: Challenge Questions

Question and answer pairs
Issues:
– Privacy: asking for personal info
– Security: how difficult are they to guess and observe?
– Usability: answerable? how memorable? How repeatable?

What challenge questions have you seen? Purpose?

Page 22: Challenge questions

How likely to be guessed?
How concerned should we be about
– Shoulder surfing?
– Time to enter answers?
– A knowledgeable other person?
– Privacy?
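An added example (not from the slides) that turns "how likely to be guessed?" and "how repeatable?" from the two challenge-question slides into measurements: answers are normalised so a correct answer still matches at recovery time, and the guessability of a question is read off the answer distribution rather than the number of possible answers. The answer set is constructed, not survey data, and the thresholds are illustrative.

```python
import math
import re
import unicodedata
from collections import Counter

STOPWORDS = {"the", "a", "an"}


def normalize(answer: str) -> str:
    """Fold the variation users introduce between enrolment and recovery so a
    correct answer repeats: case, accents, punctuation, spacing, articles."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = re.sub(r"[^a-z0-9 ]", " ", s.lower())
    return " ".join(w for w in s.split() if w not in STOPWORDS)


# Constructed answers to "What is your favourite colour?" (not survey data)
RAW_ANSWERS = ["Blue", "blue", "BLUE!", " blue ", "Blue.", "blue", "the blue",
               "Green", "green", "green ", "GREEN", "red", "Red", "RED",
               "purple", "Purple", "black", "Pink", "orange", "teal"]


def distribution(raw_answers) -> Counter:
    return Counter(normalize(a) for a in raw_answers)


def guess_probability(dist: Counter, k: int) -> float:
    """Success chance of an attacker who knows only how people in general
    answer: the probability mass of the k most common answers."""
    total = sum(dist.values())
    return sum(c for _, c in dist.most_common(k)) / total


def min_entropy_bits(dist: Counter) -> float:
    """Guessing resistance is governed by the single most likely answer
    (min-entropy), not by how many distinct answers exist."""
    return -math.log2(max(dist.values()) / sum(dist.values()))


def accept_answer(dist: Counter, answer: str, max_share: float = 0.05,
                  min_len: int = 3) -> bool:
    """Enrolment-time check: reject answers that are too short or that more
    than `max_share` of other users also gave."""
    a = normalize(answer)
    if len(a) < min_len:
        return False
    return dist[a] / sum(dist.values()) < max_share


if __name__ == "__main__":
    d = distribution(RAW_ANSWERS)
    print(d.most_common(3))
    print(guess_probability(d, 1), guess_probability(d, 3))            # 0.35 0.7
    print(round(min_entropy_bits(d), 2))                                # 1.51
    print(accept_answer(d, "Blue!"), accept_answer(d, "periwinkle"))    # False True
```

With this constructed distribution one guess succeeds 35% of the time and three guesses 70%, about 1.5 bits of min-entropy, which is the figure to compare against a password, not the count of colours in the language. The same normalisation that makes the answer repeatable also shrinks the answer space, so the two slides' concerns trade off directly.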

Page 23: Graphical Passwords

We are much better at remembering pictures than text
User enters password by clicking on the screen
– Choosing correct set of images
– Choosing regions in a particular image
Potentially more difficult to attack (no dictionaries)

Anyone ever used one?

Page 24: Schemes

Choose a series of images
– Random [1]
– Passfaces [2]
– Visual passwords (for mobile devices) [3]
– Provide your own images

1. R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of 9th USENIX Security Symposium, 2000.
2. http://www.realuser.com/
3. W. Jansen, et al, "Picture Password: A Visual Login Technique for Mobile Devices," National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.

Page 25: Schemes

Click on regions of image
– Blonder’s original idea: click on predefined regions [1]
– Passlogix – click on items in order [2]
– Passpoints – click on any point in order [3]

1. G. E. Blonder, "Graphical passwords," Lucent Technologies, Inc., Murray Hill, NJ, U.S. Patent, 1996.
2. http://www.passlogix.com/
3. S. Wiedenbeck, et al. "Authentication using graphical passwords: Basic results," in Human-Computer Interaction International (HCII 2005). Las Vegas, NV, 2005.

Page 26: Schemes

Freeform
– Draw-a-Secret (DAS)
  I. Jermyn, et al. "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.
– Signature drawing

Page 27: Theoretical Comparisons

Advantages:
– As memorable or more than text
– As large a password space as text passwords
– Attack needs to generate mouse output
– Less vulnerable to dictionary attacks
– More difficult to share

Disadvantages
– Time consuming
– More storage and communication requirements
– Shoulder surfing an issue
– Potential interference if becomes widespread

See a nice discussion in: Suo and Zhu. “Graphical Passwords: A Survey,” in the Proceedings of the 21st Annual Computer Security Applications Conference, December 2005.

Page 28: How do they really compare?

Many studies of various schemes…
Faces vs. Story
– Method: experiment
  Independent – participant race and sex, faces or story
  Dependent – types of items chosen, likelihood of attack
– Real passwords – used to access grades, etc.
– Also gathered survey responses
– Results: we are highly predictable, particularly for faces
  Attacker could have succeeded with 1 or 2 guesses for 10% of males!
– Implications?

Page 29: Other examples

Passpoints predictable too!
Can predict or discover hot spots to launch attacks.

Julie Thorpe and P.C. van Oorschot. Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords, in Proceedings of 16th USENIX Security Symposium, 2007.
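An added example, not from the slides or the cited papers, that puts numbers on the "as large a password space as text passwords" claim of the Theoretical Comparisons slide (Page 27) and on the hot-spot attack above. The image sizes, tolerances and click counts are assumptions chosen for illustration (not the parameters of any study), and the click data is constructed, not collected.

```python
import math
from collections import Counter


def passpoints_space(width: int, height: int, tolerance: int, clicks: int) -> int:
    """Theoretical space of a click-point password: the image is cut into
    tolerance-sized cells and a password is an ordered sequence of `clicks` cells."""
    cells = (width // tolerance) * (height // tolerance)
    return cells ** clicks


def bits(space: int) -> float:
    return math.log2(space)


def to_cells(points, tolerance: int):
    return [(x // tolerance, y // tolerance) for x, y in points]


# Constructed click sequences from six users on a 100x60 image with a 10px
# tolerance (five clicks each). Three regions attract most of the clicks.
TOLERANCE = 10
USER_CLICKS = [
    [(12, 14), (55, 23), (86, 44), (31, 8), (70, 52)],
    [(17, 11), (52, 28), (83, 47), (14, 16), (57, 21)],
    [(15, 15), (88, 41), (50, 20), (19, 19), (81, 49)],
    [(11, 12), (59, 29), (89, 43), (42, 33), (25, 50)],
    [(13, 18), (56, 22), (84, 46), (53, 27), (16, 13)],
    [(3, 3), (97, 57), (45, 31), (62, 8), (29, 44)],
]
PASSWORDS = [to_cells(p, TOLERANCE) for p in USER_CLICKS]


def hotspots(passwords, top: int):
    """Cells ranked by how often any user clicked them: the hot-spot dictionary."""
    counts = Counter(cell for pw in passwords for cell in pw)
    return [cell for cell, _ in counts.most_common(top)]


def empirical_min_entropy_bits(passwords) -> float:
    """Per-click min-entropy of the observed click distribution, to compare
    with log2(cells) for uniformly placed clicks."""
    counts = Counter(cell for pw in passwords for cell in pw)
    return -math.log2(max(counts.values()) / sum(counts.values()))


def hotspot_attack(passwords, top: int):
    """Enumerate every sequence over the `top` hottest cells. Returns how many
    of the passwords that dictionary covers and how many guesses it costs."""
    hot = set(hotspots(passwords, top))
    clicks = len(passwords[0])
    cracked = sum(1 for pw in passwords if set(pw) <= hot)
    return cracked, top ** clicks


if __name__ == "__main__":
    # Illustrative parameters: a 451x331 image, 19px tolerance, five clicks,
    # against an 8-character password over 94 printable characters.
    print(bits(passpoints_space(451, 331, 19, 5)), bits(94 ** 8))  # ~43.1 vs ~52.4
    print(bits(passpoints_space(100, 60, TOLERANCE, 5)))            # ~29.5
    print(round(empirical_min_entropy_bits(PASSWORDS), 2), round(bits(60), 2))
    print(hotspot_attack(PASSWORDS, 3))                              # (3, 243)
```

On the constructed data the theoretical space is 60^5 (about 29.5 bits) but half the passwords are made entirely of the three hottest cells, so 3^5 = 243 guesses recover them; the observed clicks carry about 1.9 bits each instead of 5.9. That gap between nominal and effective space is what "human-seeded" attacks exploit, and it is the same gap the crack-time table on Page 9 hides for text passwords.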

Page 30: Other uses of images

CAPTCHA – differentiate between humans and computers
– Use computer generated image to guarantee interaction coming from a human
– An AI-hard problem

Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford. “CAPTCHA: Using Hard AI Problems for Security,” In Advances in Cryptology, Eurocrypt 2003.

Page 31: More food for thought

How concerned should we be about the weakest link/worst case user?
– Do we need 100% compliance for good passwords? How do we achieve it?
What do you think of “bugmenot”?
Is it possible to have authorization without identification?

Page 32: Project Groups

3 groups of 4, 1 group of 3
Form your group by the END of class next week
Preliminary user study of privacy or security application, mechanism, or concerns

Deliverables:
– Idea
– Initial plan 5 points
– Plan 20 points
– Report 20 points
– Presentation 5 points

Page 33: Project Ideas

Start with a question or problem…
– Why don’t more people encrypt their emails?
– How well does product X work for task Y?
– What personal information do people expect to be protected?
Flip through chapters in the book & papers
– Follow up on existing study
Examine your own product/research/idea
Examine something you currently find frustrating, interesting, etc.

Page 34: Ideas?

Page 35: A Look Ahead

Next week: User studies
– pay attention to the method of study in your readings
– ALSO: observation assignment
Two weeks – rest of authentication
– ALSO: project ideas due

Page 36: Next week’s assignment

Observe people using technology
– Public place, observe long enough for multiple users
– Take notes on what you see
Think about privacy and security, but observe and note everything
– Write up a few paragraphs describing your observations

Don’t forget IRB certification