Identity Authentication

8/2/2019 Identity Authentication

1/64

Identity Authentication

Dr. Ron Rymon

Efi Arazi School of Computer ScienceComputer Security Course, 2010/11

Pre-requisites: Basic Cryptography


2/64

Overview

Identity Authentication Principles

Passwords

Challenge-ResponseZero Knowledge Identification Protocols

Authentication Using Physical Devices

Biometrics


3/64

Identity Authentication

Principles

Main Source: Menezes et al


4/64

Main Objectives

If Alice and Bob are both honest, then Aliceshould be able to successfully authenticate herselfto Bob, and vice versa (correctness)

Charles cannot present himself as Alice to Bob(impersonation)

Bob cannot utilize an identification exchange withAlice to impersonate Alice to a third party Charles(transferability)


5/64

Stronger Requirements We require also that all three requirements (correctness,

impersonation prevention, and protection againsttransferability) hold even if Charles was exposed to a large number of previous

authentication exchanges between Alice and Bob

even if Charles has participated in a large number of authenticationexchanges with either or both Alice and Bob

even if Charles is allowed to run a large number of concurrentauthentication attempts

Zero Knowledge protocols require further that even manyexecutions of an authentication protocol provide NOINFORMATION to adversarial impersonator


6/64

Basis of Identification (Factors) Something you know

Passwords, PINs, Secret or key

Something you possess Physical devices: magnetic cards, smart cards, tokens, bluetooth,

password generators, cellphones

Something you are Biometrics (fingerprints, iris recognition, voice, handwriting),

keyboarding characteristics

Others Someplace you are (e.g. GPS location) Some way you behave

Ideally, more than one factor (Two-factor authentication)

In some applications real-time identification is required


7/64

Properties of ID Methods & Protocols

Reciprocity of authentication

Complexity Computational efficiency

Communication efficiency Cost

Use of third party Whether a third party is needed

Whether a third party is needed in real-time Nature of trust required from third party

What security guarantees are made False positive and false negative

How and where secrets and keys are kept


8/64

Passwords

(weak authentication)

Main source: Menezes et al


9/64

Passwords

String of 6-8 characters that allows identification

Fixed password/PINs, one-time passwords

something you know

Properties No reciprocityonly unilateral identification

Low complexityvery efficient, both computationally

and communication-wise

Usually, no third party is used (exception: SSO)

Key is usually kept by user in memory, and by system

in a password file


10/64

Fixed Passwords Attacks

Replay attacks Observe typing, find written or in another system, key loggers

Eavesdropping on a cleartext or hashed communication channel

Exhaustive search Randomly or systematically trying passwords against online

verifier Offline search against password fileenough that one user chose

a weak password

Password guessing or Dictionary attack Assumes that not all passwords are equally likely

Attack password distribution Some systems come with fixed out-of-the-box passwords

Many tools for password cracking/auditing http://www.password-crackers.com

Wireless key logger


11/64

Example: Focused Dictionaries

Use variations on related words


12/64

Password Space

Entropy

(log 2)

Time

To Search

(5000/sec)

n 26

lowcase

36

alphanum

62

mixed case

95

keyboard

5 23.5 25.9 29.8 32.9

6 28.2 31.0 35.7 39.4

7 32.9 36.2 41.7 46.08 37.6 41.4 47.6 52.6

n 26

lowcase

36

alphanum

62

mixed case

95

keyboard

5 0.67hr 3.4hr 51hr 430hr

6 17hr 120hr 130dy 4.7yr

7 19dy 180dy 22yr 440yr

8 1.3yr 18yr 1400yr 42000yr


13/64

Password Space Conclusions

Short, letters-only, passwords are easily breakable Adding to the alphabet is important

Adding to password length is important

Easier password spaces A password from a lower-entropy space (dictionary) reduces the

(expected) size of the search space

Simpler password comparison functions allow more trials persecond

In a simultaneous password file attack, it is enough thatone password is weak

Choose longer random passwords !


14/64

Fixed Passwords Security

Many systems enforce password rules Goal: high-entropy passwords

Usually, syntactic and procedural rules

Password must have at least 8 characters

Password must include digits and special characters Password should not have a meaning (generators of pronounceablebut long and not meaningful passwords)

Must change password every 30 days

Cannot repeat same password in multiple systems

Encrypted password files Goal: avoid making the pwd file itself a target, e.g., to internal staff

Usually, password is not encrypted using symmetric key, but ratherusing a one-way hash function

e.g., Alices password is stored as h(Alice,pwd)


15/64

Fixed Passwords Security (cont.)

Slow down password mapping Goal is to limit the use of exhaustive search programs, and

hardware implementations

Usually achieved by recursively applying a simple hash function

Must be acceptable to legitimate users, e.g., one second

Salting Goal: limit use of simultaneous dictionary attack

Add a few bits to the password before hashing

Usually, a time stamp or something based on the user id Unix takes timestamp-based salt, Novells Netware takes server-

assigned user ID

Salt is kept in cleartext in password file


16/64

Example: Unix Passwords

Unix keeps all passwords in a password file, /etc/passwd

The user password serves as key to encrypt 64 zero bits,and the ciphertext is kept

First 8 characters are used, padded with 0s if needed, andonly first 7 bits of each taken to a create a 56-bit DES key

modified

DES0000ciphertext

truncated/padded

user password


17/64

Example: Unix Password (cont.)

Cryptographically, note that the algorithm isknown and the plaintext is known

DES is repeated 25 times, to slow down breaker

Password is salted 12 randomly chosen bits from system clock are used to

salt the password. They are used in the DES expansionfunction

Thus, 212=4096 variations need checked in anysimultaneous dictionary attack

Because of the internal change to DES, one cannot useoff-the-shelf DES hardware


18/64

Case Study: Password Cracking (Wu)

Tried to crack passwords of 25,000 corporate Kerberos users

In two weeks, using 8 Sun machines, broke 2,045 passwords

Only 4% used at least one non-alphanumeric character

86% did not require using the shift key

Some accounts used dates, telephone numbers

Some passwords were common to more than one account 24% were combinations of two words

25% resulted from simple transformations of single words, e.g.,capitalizing, reversing, or doubling of a word

Lowercasing a word was the most common transformation

1 was the most common suffix/prefix

Length 2 3 4 5 6 7 8 9 10 >10

Percent 0.1 0.6 3.8 7 11 8 54 8 4.5 3


19/64


20/64

Personal ID Number (PIN)

Usually used as a something you know in conjunctionwith a something you possess Most often, a credit card or ATM card

Typically short (4 digits), so that can be memorized

To prevent exhaustive search, account is locked and/orcard is confiscated after 3-4 unsuccessful trials

To enable use of offline machines, the PIN may be stored

on the card, sometimes encrypted by a master key

This is a form of two-stage authentication, where thesecond high-entropy key is stored on the card


21/64

Passphrases and Passkeys

Passphrasecan serve as a long password E.g., this will let me to the dark side of the moon

Pros: long;

Cons: usually simple words and phrases, so effective search spaceis notvery large

Or, a passphrase/sentence can be mapped to a pseudo-random key (passkey) The passkey can then be used as a regular symmetric key, e.g., to

encrypt communication

A userid-based salt may also be added

A running counter may be added to the password to obtain a time-variant passkey

Example: WPA Passphrase is concatenated with SSID and then hashed 4096 times

to create a symmetric key


22/64

One-time Passwords

A solution against eavesdropping and replayattack

Option 1: shared list of one-time passwords

Use password i+k after password i (k can be randomlyagreed in real-time)

Or, Sequentially updated one-time passwords

New password i+1 is agreed after first authenticatingwith password i

E.g., use a one-way hash function to create a sequence Lamport: Pi= H(Pi+1), where H is a OWF

Note 1: authentication requires a counter

Note 2: it would not be secure if sequence was going forward


23/64

Graphical Passwords

Select certain points in a picture

Image can be user-specific

Password=points and click order

To protect from shoulder surfing

Do not select points themselves

Rather, select triangles that contain them

Icons are reordered between selections


24/64

Knowledge of Personal History

Example: In which of the following addresses did you live in the past (or

none of the above)

Which of these places have you visited in the past

What is last transaction made on your credit card

Requires knowledge of a persons history, normally within acertain area

Can serve for a first time authentication (assuming access tohistory data)

Used by service providers in the credit card industry, e.g., creditbureaus, or new credit grantors

Security is reasonable but not substantial, as adversary mayknow or collect information about target


25/64

Challenge-Response

Identification

(strong authentication)



26/64

Challenge-Response

(The Bad Version) In enterprise and web applications, it is common to ask

users to provide one or more pairs of questions andanswers E.g., Q: Name of my dog, A: Saddam

When the user forgets her password, she canauthenticate herself to the system using these questions(and reset her password)

This is a variation on passwords and is considered veryweak authentication Questions are often trivial, with a small set of possible answers,

and the answer may be known to someone who knows the person


27/64

Cryptographic Challenge-Response

Protocols

Structure: Alice wishes to authenticate to Bob Bob sends Alice a challenge

Alice responds to the challenge

Bob verifies the answer

Parties may use time-variant parameters (confounders) forfreshness Confounders are good against replay attacks, chosen-text attacks

Examples: timestamps, random numbers, sequence numbers, other

one-time numbers (nonces), Generated by one party, and then the other party cryptographically

bindsresponse to this number to ensure freshness


28/64

Challenge-Response with

Symmetric Keys Parties may have agreed apriori on a key, or a key may be

provided by trusted server e.g., KDC protocols like Kerberos, Needham-Schroeder

Example 1: one way authentication using a time-stamp Alice authenticates herself to Bob by sending an encryption of her

own time-stamp, using the shared key, EK(tA)

Better yet, Bob sends Alice a challenge tB and she responds EK(tB)

Problem: Eve can get Alice to encrypt a chosen text

So Alice may add a random number and/or her own identifier, e.g.,EK(tB, rA,Alice4Bob).

Example 2: using random numbers First, Bob sends to Alice a random number rB

Then, Alice sends to Bob EK(Alice4Bob, rB)


29/64

Mutual Authentication with

Symmetric Keys

Mutual authentication requires one more step (can be donewith either timestamps or random numbers)

Challenge: rB

A Response: EK (rA , rB ,AlBo)

B Response: EK (rB , rA)

A variation on this authentication could also work withHMAC instead of encryption E.g., when encryption is not available (e.g., export restriction)


30/64

Challenge Response with

Public Keys To authenticate herself, Alice must show knowledge of her private key

Can decrypt a challenge that was encrypted using Alices public key

Or, sign digitally the challenge

Potential issues with digitally signing a challenge

Bob may ask Alice to sign a fraudulent message (pay Bob) Cannot use fixed certificate for risk of replay attack

Solution: use a nonce to foil chosen-text attack in authentication, and a

timestamp to limit lifespan of possible attack

Challenge: H(rB),Bob,EPubA(rB,tB,Bob)

Response: rB

Or, have Alice sign same using her private key


31/64

X.509 Mutual Authentication

Use private/public keys to encrypt/prove and vice versa Use random nonces, time stamps, and public data (certificates)

Alice,EPrivA(rA,tA,Bob,XA,EPubB(YA))

Bob,EPrivB(rB,tB,Alice,rA,XB,EPubA(YB))

EPrivA(rB))

Public data (Xs) can be a certificate that contains the public keyof the user, and are themselves signed by a CA

The Ys correspond to secret information, which may be keys

(Kab and Kba) or key exponents for a key exchange

The third step is required if it is difficult to synchronize clocks,and with it timestamps need not be checked


32/64

Defenses Against Attacks on

Challenge-Response

Replay attack

Use nonces, embed target identity in response

Interleaving attack

Chaining protocol messages

Man-in-the-middle attack

Mutual authentication to foil adversary impersonating system

Reflection attack

Embed target identity, use uni-directional keys

Chosen text attack

Use confounder in each message

Use Zero-knowledge protocols


33/64

Zero-Knowledge

Identification Protocols



34/64

Overview

Passwords may reveal Alices secret to Bob, who may thenimpersonate her

With challenge-response protocols, Alice only revealsknowledge of the secret But, a strategic adversary may choose challenges that would reveal

some aspects of this secret (or may choose from availableinteractions)

ZK protocols allow Alice to prove knowledge of the secret

without fearing that she may be providing anyone (Bobincluded) with any information about it

Note: RSA is also ZK, but most ZK protocols are moreefficient than RSA

On the other hand, they cannot be used for encryption/signature


35/64

ZK Properties and General Structure

Required ZK properties Completeness: all legitimate parties succeed Soundness: non-legitimate parties cannot succeed

(actually: chances to succeed are arbitrarily small)

ZK: the exchange does not reveal the secret

A typical ZK protocol consists ofn iterations Alice presents Bob a witness of her secret (commitment)

Bob presents a challenge to Alice

Alice responds to the challenge Bob checks that the answer is correct

Probability of Alice cheating in each iteration < 1

After n iterations, to get arbitrarily small probability


36/64

Example: Isomorphic Graphs

G1 is isomorphic to G2 iff there is a vertex mapping Really, G2 is just a permutation of the names of G1 nodes

No known polynomial algorithm to reverse engineer

Proposed ZK Protocol

Alice chooses G1, and creates G2 that is isomorphic (using P1) The graphs G1,G2 are public key, P1 is secret

Witness: Alice generates G3 that is isomorphic to G1 (using P2)

Bob chooses Gi randomly and requires Alice to show mapping

Alice responds

If G1, then the mapping is the generating permutation (P2)

If G2, then the mapping requires applying both permutations (P1oP2)

Note: Someone who didnt know P1 could have cheated in half the cases

When run n times chances of cheating is exponentially low


37/64

The Fiat-Shamir ZK Protocol

Setup Trusted server chooses n=pq, primes

Alice selects a secret s


38/64

Properties of ZK Protocols

No degradation of the protocol with usage

No information is revealed in polynomial runs

Compared with Symmetric keys or HMAC Resist chosen-text attacks

Compared to Public-Key

Lower computation costs Usually higher communication costs (# of iterations)

Relies on same unproven math assumptions


39/64

Authentication Using

Physical Devices


40/64

Using Physical Devices

A something you possess identification

Physical keys

Regular keys

Tokens

Credit cards Sometimes with PIN (something you know)

Sometimes with picture ID (for people)

Smartcards and passcode generators

Protected memory Sometimes with CPUchallenge response

Using a computer physical MAC

Combined with passwords

Use computer fingerprint


41/64

Attack on ATM Cards (2003)

Cards must also work in offline mode A Master key is used by ATM and bank

Account number is encrypted using DES

Last 4 digits (decimalized) are PIN

PIN is verified by tamper-proof hardware

Bond (student in Cambridge) has shown that PIN can bediscovered with high likelihood within 15 trials (on avg) Assumes access to a PIN verifier (e.g., corrupt insider)

Manipulates the decimalization table to learn more from each trial Use table with all 0s except i-th place to check if i-th digit is present

Check all remaining possibilities

Worst case is 10+36; average case is 24

Can be improved through adaptation


42/64

Illustration

Encryption

Decimalization

ComparisonKeyedNumber

Scanned Magnetic Stripe

OK/Not

0123456789012345

Encryption

Decimalization

Comparison

Scanned Magnetic Stripe

OK/Not

0000100000000000

0000


43/64

Smartcards and Passcode Generators

Calculators: Devices that store key(s) and can compute a time-variant response to a challenge

Used in physical access and VPN apps, e.g., private banking

Smartcards: used to store identity authentication information, keys,and other crypto applications

Many National ID projects around the world (Israel Mimshal Zamin)

Applications: border control, healthcare system, anti-fraud, and otherauthentication apps

Dual-factor: something you possess and something you know

RFID in Physical Access Control Systems (PACS), as well as toresist counterfeiting of high-ticket items (e.g., luxury watches)

Passcode Generator Smartcard Smartcard Reader


44/64

Biometrics


45/64

Biometrics

Biometrics measure innate characteristics something you are, hence hard to impersonate

Can be Physiological: Fingerprints

Retinal or Iris scanning Face recognition

Hand geometry recognition

Or behavioral

Voice recognition (both physiological and behavioral) Handwriting/signature recognition

Typing dynamics


46/64

Biometrics-based Authentication

Usually uses a pattern recognition approach A profile is constructed for the true person

A matching score is computed in each authentication attempt

Processes


47/64

Threshold-based Decision

Real-time matching score is thresholded (T)

Error types (A) False alarms (False Positive, Type 2 error)

(B) Misidentification (False Negative, Type 1 Error)


48/64

Two Generic Applications

Easier: Verification One-to-One: given a real-time authentication attempt,

try to match to a specific profile

Requires a second form of identification, e.g., login,token.

Harder: Identification Many-to-One: given a real-time authentication attempt,

try to match to one of several profiles in a database

Difficulty stems from birthday paradox unless a highseparation can be attained between candidates

Usually not attempted except in applications wheretwo-factor authentication is not feasible


49/64

Fingerprints Analysis

Shapes:

LOOPWHORLARCH

END BIFURCATION ISLAND LAKEDOT

unique arrangement of

minutiae for different

people

Non-intrusive, Reliable, Inexpensive

Semiconductor or Optical

Useful mostly for verification and less for identification

US stores experimented with payment by fingerprint

Minutiae:


50/64

Hand Geometry

One of the first practically implemented techniques

physical access control: airports, secured corporate areas, etc.

time and attendance monitoring

Reader uses CCD camera and a number of mirrors to

measure the shape of the hand perimeter, in


51/64

Palm Vein Authentication

Vein patterns are unique to an individual (even twins) Scanned with infrared rays, using reflective photography

False rejection rate


52/64

Iris Scanning

Human eye encodes 3.4bits/sqmm Extremely accurate: chance of duplication (including twins) < 1072

Fast comparison: Identification takes 2sec per 100,000 people in DB

Sub-$1000 systems are available, but expensive to enroll many

Considered a little intrusive / dangerous by some people

Growing in market share vs. other solutions (patents expired)


53/64

Retinal Scanning

Works by identifying patterns in retinal blood vessels

Uses light source to take 400 measurements, which are

then reduced to a signature of 96 bytes

Preceded Iris scanning, but is less prevalent

considered more intrusive

requires precise positioning of the eye

requires removal of glasses


54/64

Face Recognition

Controlled sceneaccess control Frontal view, similar distance, reasonable lighting

Compare live image to an original, captured in similar environment

Usually for verification purposes, with another ID

Algorithms extract features, and compare relative positions of eyes,nose, and mouth, nose width, and other factors

Relatively user-friendly

Not very accurate, and requires frequent updates

Very difficult in a random scenestreet, airports

Much more difficult

Law enforcement applications

Privacy issues: a bill that makes this unlawful was shelved in March 2002


55/64

Voice Verification

Principle: speech dynamics are affected by physical

structure of mouth, vocal chords, sinus, etc.

A voice signature can typically be formed from speech

features, with relatively high accuracy

Each syllable typically has few dominant frequencies (formants)

More accurate when user repeats a previously recorded sentence

Weaknesses: taped replay, environmental noise, illness,

richness of spoken language

Applications: access control, call centers

Example: www.verivoice.com

User is requested to spell a random string of digits
http://www.verivoice.com/http://www.verivoice.com/


56/64

Signature Verification

Static verification

Dynamic verification

Curvature, changes in x-y sign, acceleration, pen up time


57/64

Weaknesses of Biometrics

Possibility of false positives, and sometimes

unacceptable FP rate

In identification applications: misidentification

Replay attack, e.g., tape replay, cut finger

Health concerns

Privacy concerns


58/64

Biometric Market

Intl Biometric Group


59/64

The 5th Factor: How you behave

Idea: a users behavior may help identify, or at least authenticate her For example

What time of the day you access a certain application?

At what frequency do you perform a certain operation

What type of access to which information you require?

Did you login from home or work? Premise for authentication: a users behavioral pattern changes only

slowly over time.

Advantage: relatively cheap (software)

Typically shall be used in conjunction with another factor

e.g., use behavior profiling to supplement password authentication

I believe that acceptance to this new form will grow, especially inareas like intrusion detection and access control

It also plays into the general trend of combining physical security and

IT security


60/64

Choosing the Right

Authentication Method


61/64

Choice of Authentication Methods


62/64

CAPTCHA


63/64

CAPTCHAs

Problem: robotic form filling can be used to

Guess passwords

Abuse free services, primarily for spamming and phishing

Goal: Distinguish between a human user and a robot

Method: Completely Automated Public Turing test to tell

Computers and Humans Apart (CAPTCHA)

Usually, asking the user to interpret letters and digits from

an image


64/64

Counter-Captcha Methods

Guessing, e.g., if space is small, e.g., 4 digits

Use OCR to recognize

And the prize goes to a man-in-the-middle

attack, asking a real person to authenticate.

Identity Authentication

Documents

Transcript of Identity Authentication