Password Based Authentication Scheme: Safety of Authentication Passwordbased Authentication Existing...


  • date post

    03-Apr-2018

  • Basics of Authentication Password based Authentication Existing Techniques Conclusions References

    Password Based Authentication Scheme: Safety and Usability Analysis

    By Samrat Mondal

    Assistant Professor, Indian Institute of Technology Patna

    Patna, Bihar, India

    By Samrat Mondal () Password Based Authentication Scheme: Safety and Usability Analysis 1 / 93

  • Outline

    1. Basics of Authentication
         - Types of Authentication
    2. Password based Authentication
         - Textual Passwords
         - Graphical Passwords
         - Attacks on Password Based Scheme
    3. Existing Techniques
         - DAS
         - PassFaces
         - S3PAS
         - SSSL
    4. Conclusions


  • Authentication

    Figure: A Password Controlled Login Window Used for Authentication

    Authentication is often the first line of defense against attack


  • Authentication

    Authentication

      - confidentially binds an identity to a user.
      - deals with the verification of someone's identity.

    Authentication is succeeded by the Access Control Mechanism.


  • Types of Authentication

    Authentication is based on:

    1. Something the subject knows
    2. Something that the subject has
    3. Something that the subject is
    4. Somewhere the subject is


  • Types of Authentication: Something the subject knows

    Deals with the verification of someone's secret.

    Secret such as passwords.

    A password is some sequence of characters.

    Something that nobody else can guess (difficult in practice).


  • Textual Passwords

    Suppose a password is 8 characters long.

    Each character has 256 possible choices.

    Then the number of possible passwords is $256^8 = 2^{64}$.

    To find a password, an attacker will have to explore $2^{64}$ passwords.


  • Textual Passwords: Issues with Passwords

    However, users do not select passwords at random.

    Users must remember their passwords.

    So a user is far more likely to choose an 8 character password such as security than, say, kfY w [email protected]

    A clever attacker can make far fewer than $2^{64}$ guesses and have a high probability of successfully cracking a password.


  • Textual Passwords: Nonrandomness of Passwords

    Thus a carefully selected dictionary of $2^{20} \approx 1{,}000{,}000$ passwords would likely give an attacker a reasonable probability of cracking a password.

    The probability of cracking a randomly selected password with the dictionary is $2^{20}/2^{64} = 1/2^{44}$.

    Non-randomness is thus a serious problem with passwords.
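
The dictionary argument above, worked through as an added example (not from the original slides): it compares truly random 8-character passwords with populations in which an assumed share of users pick their password from the dictionary. The shares 1/100, 1/4 and 1/2 and all function names are illustrative assumptions.

```python
from fractions import Fraction

KEYSPACE = 256 ** 8   # from the slides: 8 characters, 256 choices each (2**64)
DICT_SIZE = 2 ** 20   # from the slides: dictionary of about 1,000,000 passwords
REST = KEYSPACE - DICT_SIZE


def hit_probability(share_in_dict, guesses):
    """Chance that `guesses` attempts (dictionary entries first) find the password.

    share_in_dict is an ASSUMED fraction of users whose password is in the
    dictionary; everyone else is modelled as uniform over the remaining space.
    """
    p = Fraction(share_in_dict)
    in_dict = min(guesses, DICT_SIZE)
    beyond = min(max(guesses - DICT_SIZE, 0), REST)
    return p * Fraction(in_dict, DICT_SIZE) + (1 - p) * Fraction(beyond, REST)


def expected_guesses(share_in_dict):
    """Average number of guesses until success under the same model."""
    p = Fraction(share_in_dict)
    mean_in_dict = Fraction(DICT_SIZE + 1, 2)         # average position inside the dictionary
    mean_outside = DICT_SIZE + Fraction(REST + 1, 2)  # dictionary exhausted first
    return p * mean_in_dict + (1 - p) * mean_outside


def compare(shares):
    """Return (share, P[hit after one dictionary pass], expected guesses) rows."""
    return [(s, hit_probability(s, DICT_SIZE), expected_guesses(s)) for s in shares]


if __name__ == "__main__":
    uniform = Fraction(DICT_SIZE, KEYSPACE)  # truly random passwords: 1/2**44
    # 1/100, 1/4 and 1/2 are illustrative assumptions, not figures from the slides.
    for share, p_hit, work in compare([uniform, Fraction(1, 100), Fraction(1, 4), Fraction(1, 2)]):
        print(f"share in dictionary={float(share):.3g}  "
              f"P(hit after 2^20 guesses)={float(p_hit):.3g}  "
              f"expected guesses={float(work):.3g}")
```

With truly random passwords one pass over the dictionary succeeds with probability $1/2^{44}$; once any meaningful share of users choose dictionary words, the same $2^{20}$ guesses succeed with that share as the probability.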


  • Textual Passwords: Password

    Ideal passwords should be easy to remember but difficult to