Section 2.3 – Authentication Technologies

Presentation Transcript

Authentication
  • The determination of identity, usually based on a combination of

    • something the person has (like a smart card or a radio key fob storing secret keys),

    • something the person knows (like a password),

    • something the person is (like a human with a fingerprint).

(figure: a radio token with secret keys labeled "something you have"; password=ucIb()w1V, mother=Jones, pet=Caesar labeled "something you know"; a human with fingers and eyes labeled "something you are")

CIT 380: Securing Computer Systems


Classic: only allow access from a particular terminal or a particular set of remote hosts (the terminal or network address stands in for the user's location).

Modern: GPS-based location

  • Location Signature Sensor (LSS) for host and user.

  • Access rules permit a user to access a host only from specific LSS values.

  • Cell phones track location, and some states use them to track drivers' speed and locations.

Classic UNIX Passwords

Format: up to 8 ASCII characters

  • A (the set of possible passwords) contains about 6.9 x 10^16 passwords.

  • C (the set of stored complements) contains crypt hashes: strings of length 13 over an alphabet of 64 characters, 3.0 x 10^23 possible strings.

Storage:

  • /etc/passwd (mode 0644, world-readable) was traditionally used, so any local user could copy the hashes and attack them offline.

  • /etc/shadow (mode 0600, readable only by root) in modern systems.


Salting: adds 2 characters (12 bits) of random, public data to the password to form the key.

Any word may be encrypted in 4096 possible ways (i.e., there are 4096 functions f ∈ F).

  • Your password always uses the same salt (it is stored in the clear as the first two characters of the hash).

  • Someone else with the same password (a) probably has a different salt, and thus a different c = f(a), so an attacker cannot hash a guess once and compare it against every user.

  • The number of possible keys increases by a factor of 2^12, from the 2^56 DES keys derived from passwords to 2^68.

  • Too small for today; modern UNIX no longer uses DES-based crypt.

Modern UNIX Passwords

  • Format: long ASCII string

  • Hashing techniques (all salted, with the salt stored alongside the hash):

    • MD5 (unlimited length, 12-48 bit salt)

    • SHA1 (unlimited length, 12-48 bit salt)

    • Bcrypt (55 chars, 128-bit salt, adjustable cost)

  • The salt only prevents precomputation and hash-once-compare-many attacks; it does not make a single guess slower. Bcrypt's adjustable cost does, and can be raised as hardware gets faster.

Online Hash Calculator

(figure: online hash calculator)
Password Cracking

(flowchart)

  • Get the hashed password pwhash (and its salt, if the hash is salted).

  • word = next word from the list of potential passwords.

  • wordhash = Hash(word), computed with the same salt.

  • If wordhash == pwhash, word is the password; otherwise take the next word.

Cracking Methods

  • List of common passwords

  • List of English/foreign words

  • Permutation rules

    • Substitute numbers/symbols for letters

    • Change case, pluralize, reverse words, character shifts, digit/symbol prefix/postfix, joining words

  • Brute force

    • All possible passwords
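The cracking loop and the permutation rules above, as an added example that is not part of the original slides. The hash function is a stand-in (SHA-256 over salt || password) so the block runs with only the standard library; the search is the same for crypt, md5crypt or bcrypt, only the cost of each Hash() call differs. The shadow-style records, the wordlist and the rule set are constructed for the example.

```python
# Added example (not from the slides): a rule-based dictionary cracker run
# against salted password hashes.  hash_password() is a stand-in for a real
# password hash (SHA-256 over salt || password) so the example needs only the
# standard library; the search loop is the same for crypt, md5crypt or bcrypt,
# only the cost of each Hash() call differs.
import hashlib
import itertools
import secrets

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "12", "123", "!", "2020"]   # assumed: a tiny rule set


def hash_password(salt: bytes, password: str) -> str:
    """Stand-in salted hash: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(username: str, password: str) -> str:
    """Build a shadow-style line 'user:salthex:hash' with a fresh random salt."""
    salt = secrets.token_bytes(2)          # 16-bit salt (classic crypt used 12 bits)
    return f"{username}:{salt.hex()}:{hash_password(salt, password)}"


def candidates(word: str):
    """Permutation rules from the slide: case changes, leet substitution,
    reversal, pluralisation and a digit/symbol suffix."""
    bases = {word, word.lower(), word.upper(), word.capitalize(),
             word.lower().translate(LEET), word[::-1], word + "s"}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def crack(records, wordlist):
    """Try every rule-expanded guess against every record.

    Returns ({user: password}, number_of_hash_computations).  Because each
    user has a different salt, Hash() must be recomputed for every
    (user, guess) pair: the salt defeats 'hash once, compare against all'."""
    parsed = [(user, bytes.fromhex(salt_hex), pwhash)
              for user, salt_hex, pwhash in (line.split(":") for line in records)]
    found, hash_calls = {}, 0
    for word in wordlist:
        for guess in candidates(word):
            for user, salt, pwhash in parsed:
                if user in found:
                    continue
                hash_calls += 1
                if hash_password(salt, guess) == pwhash:
                    found[user] = guess
    return found, hash_calls


# Constructed sample "shadow" file: three weak passwords built from wordlist
# words by the rules above, plus one passphrase the rules cannot reach.
SAMPLE_RECORDS = [
    make_record("alice", "Dragon123"),
    make_record("bob", "PASSWORD!"),
    make_record("carol", "drowssap1"),
    make_record("dave", "correct horse battery staple"),
]
WORDLIST = ["dragon", "password", "secret"]

if __name__ == "__main__":
    recovered, calls = crack(SAMPLE_RECORDS, WORDLIST)
    print(recovered, "after", calls, "hash computations")
```

The hash_calls counter is the point of the salt: with a shared (or absent) salt the inner loop over users would reduce to one hash per guess and a set lookup, which is exactly the precomputation the slide says salting prevents.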

Making Password Guessing Easier

Web sites will e-mail you your password if you answer a simple "secret" question:

  • What is your favorite color?

  • What is your pet's name?

  • What is your mother's maiden name?

Why this weakens the system:

  • Violation of fail-safe defaults.

  • Failover to a less secure protocol: the answer space is far smaller than the password space (how many favorite colors are there?).

  • A site that can e-mail the password at all is storing it in recoverable form rather than as a hash.

Countering Password Guessing

Select a suitably low probability P(T) of a password being guessed in time T (Anderson's formula):

P(T) >= T G / N

  • G is the number of guesses per time unit

  • T is the number of time units in the attack

  • N is the number of possible passwords

The bound assumes every password is equally likely; if users pick dictionary words, the attacker's effective N is much smaller than the formula suggests.

Calculating Minimum Password Length

Password System

  • There are 96 allowable characters in a password.

  • The system allows 10^6 guesses/second.

  • Requirement: the probability of a successful guess should be at most 0.5 over a 365-day period.

    What should the minimum password length be?

  • N >= TG/P

  • N >= (365 x 24 x 60 x 60) x 10^6 / 0.5 = 6.31 x 10^13

  • N = Σ 96^i, where i ranges from 1 to the maximum password length L (every length up to L is allowed)

  • Σ 96^i >= 6.31 x 10^13 first holds at L = 7: the sum for L = 6 is about 7.9 x 10^11, while 96^7 alone is about 7.5 x 10^13.

  • The minimum required password length is 7.
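The calculation above carried through in code, as an added example that is not part of the original slides, so the parameters (alphabet, guess rate, attack window, acceptable probability) can be varied; the function names are mine, the formula is the slide's N >= TG/P.

```python
# Added example (not from the slides): the anchored-probability calculation
# above, carried through in code so the parameters can be varied.  The
# function and parameter names are mine; the formula is the slide's N >= TG/P.


def required_space(guesses_per_second: float, seconds: float, p_success: float) -> float:
    """Smallest N (number of possible passwords) for which T*G/N <= P."""
    return guesses_per_second * seconds / p_success


def password_space(alphabet_size: int, max_len: int) -> int:
    """sum_{i=1}^{L} A^i: every password of length 1..L is allowed."""
    return sum(alphabet_size ** i for i in range(1, max_len + 1))


def min_password_length(alphabet_size: int, guesses_per_second: float,
                        seconds: float, p_success: float) -> int:
    """Smallest maximum length L whose password space reaches the required N."""
    n = required_space(guesses_per_second, seconds, p_success)
    length = 1
    while password_space(alphabet_size, length) < n:
        length += 1
    return length


def success_probability(alphabet_size: int, max_len: int,
                        guesses_per_second: float, seconds: float) -> float:
    """P(T) = TG/N for a given alphabet and maximum length (capped at 1)."""
    return min(1.0, guesses_per_second * seconds / password_space(alphabet_size, max_len))


YEAR = 365 * 24 * 60 * 60   # T, in seconds

if __name__ == "__main__":
    # The slide's parameters: 96 characters, 10^6 guesses/s, P = 0.5 over a year.
    print("offline, 10^6 guesses/s:", min_password_length(96, 1e6, YEAR, 0.5))
    # The same question for a throttled online interface at 10 guesses/s.
    print("online, 10 guesses/s:   ", min_password_length(96, 10, YEAR, 0.5))
    # And for a fast hash on modern hardware, 10^10 guesses/s.
    print("10^10 guesses/s:        ", min_password_length(96, 1e10, YEAR, 0.5))
```

The guess rate G is the lever the defender controls: a slow hash (bcrypt's cost) or an online throttle lowers G, and the required length drops by about one character for every factor of 96 taken off G.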

Password Selection

  • Random Selection

  • Pronounceable Passwords

  • User Selection

Random Selection

Yields an equal distribution over all passwords, for maximum difficulty in cracking.

  • Requires a good PRNG (a cryptographically secure random source; a predictable generator makes the "random" passwords enumerable).

  • What about short passwords? A random password is only as strong as its length allows.

  • Random passwords aren't easy to remember:

    • Short-term memory holds 7 +/- 2 items.

    • People have multiple passwords.

    • Principle of Psychological Acceptability.

Pronounceable Passwords

Generate passwords from random phonemes instead of random characters.

  • People can remember a password as a sequence of audible phonemes instead of characters, allowing easy recall of longer passwords.

  • Fewer pronounceable passwords exist than random passwords of the same length, so the attacker's search space is smaller.

User Selection

Allow users to choose passwords.

Reject insecure passwords based on ruleset:

  • Based on account, user, or host names

  • Dictionary words

  • Permuted dictionary words

  • Patterns from keyboard

  • Shorter than 6 characters

  • Digits, lowercase, or uppercase only passwords

  • License plates or acronyms

  • Based on previously used passwords
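A proactive checker that applies the ruleset above, as an added example that is not part of the original slides. The dictionary, keyboard rows, host name and password history are small constructed stand-ins; a real checker would load a full wordlist and the account database.

```python
# Added example (not from the slides): a proactive password checker that
# applies the rejection rules listed above.  The dictionary, keyboard rows,
# host name and password history are small constructed stand-ins; a real
# checker would load a full wordlist and the real account database.
import re

DICTIONARY = {"password", "dragon", "secret", "welcome", "monkey"}   # constructed
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Map the common digit/symbol substitutions back to letters ("permuted words").
UNLEET = str.maketrans("4310$@", "aeiosa")


def normalize(candidate: str) -> str:
    """Undo the cheap permutations: case, leet substitutions, added digits/symbols."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)      # drop digit/symbol prefix and suffix
    return re.sub(r"[^a-z]", "", s.translate(UNLEET))


def keyboard_pattern(candidate: str, run: int = 4) -> bool:
    """True if the candidate contains `run` adjacent keys from one keyboard row."""
    low = candidate.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in low or segment[::-1] in low:
                return True
    return False


def char_classes(candidate: str) -> set:
    kinds = set()
    for ch in candidate:
        if ch.isdigit():
            kinds.add("digit")
        elif ch.islower():
            kinds.add("lower")
        elif ch.isupper():
            kinds.add("upper")
        else:
            kinds.add("other")
    return kinds


def check_password(candidate: str, account: str, host: str = "",
                   user_names=(), history=()) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    reasons = []
    low = candidate.lower()
    for name in (account, host, *user_names):
        if name and name.lower() in low:
            reasons.append(f"based on the name {name!r}")
    if len(candidate) < 6:
        reasons.append("shorter than 6 characters")
    if len(char_classes(candidate)) == 1:
        reasons.append("digits, lowercase or uppercase only")
    core = normalize(candidate)
    if core in DICTIONARY:
        reasons.append("dictionary word" if core == low else "permuted dictionary word")
    elif core[::-1] in DICTIONARY:
        reasons.append("reversed dictionary word")
    if keyboard_pattern(candidate):
        reasons.append("keyboard pattern")
    if any(normalize(old) == core for old in history):
        reasons.append("based on a previously used password")
    return reasons


if __name__ == "__main__":
    for pw in ["dragon123", "Dr4g0n!", "qwerty", "Carol2024!", "3 blind katz"]:
        print(f"{pw!r:16} -> {check_password(pw, 'carol', host='cs380') or 'accepted'}")
```

The checker normalizes the candidate toward the dictionary (strip affixes, undo substitutions) rather than expanding the dictionary with every permutation, which keeps it cheap enough to run on every password change; the same normalization applied to the history catches "change one digit" reuse.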

Bad Passwords

  • prince

  • beach

  • amateur

  • ncc1701

  • tennis

  • startrek

  • swimming

  • kitty

  • rainbox

  • 112233

  • 232323

  • giants

  • enter

  • 0

  • cupcake

  • 8675309

  • marlboro

  • newyork

  • diablo

  • sexsex

  • access14

  • abgrtyu

  • 123123

  • dragon123

  • applepie

  • 31415926

  • 99skip

  • just4fun

  • xcvb

  • typewriter

Password Generators

(figure: password generators)

How to Select Good Passwords

  • Long passwords, consisting of multiple words.

    Use the nth letter of each word if the phrase is too long.

  • Themes:

    • Word combinations: 3 blind katz

    • E-mail or URL: [email protected]

    • Phone number: (888) 888-eight eight

    • Bracketing: Starfleet -> *!-Starfleet-!*

    • Add a word: shopping -> Goin’ shopping

    • Repetition: Pirate--PirateShip

    • Letter swapping: Sour Grape -> Gour Srape

Guessing via Authentication Fns

If the complements (stored hashes) are not accessible, the attacker must guess through the authentication functions themselves (online guessing).

This cannot be prevented, only made more expensive:

  • Backoff: increasing wait before reprompting.

  • Disconnection: disconnect after n failures.

  • Disabling: disable the account after n failures (note that an attacker can exploit this to lock legitimate users out).

  • Jailing: permit access to a limited system, so admins can observe the attacker.
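The first three countermeasures wrapped around a login function, as an added example that is not part of the original slides. The credential store is a constructed stand-in (PBKDF2 with a fixed salt); the thresholds and the clock are passed in as parameters so the behaviour is deterministic and testable.

```python
# Added example (not from the slides): throttling an online guessing attack
# with backoff, disconnection and disabling.  The credential store is a
# constructed stand-in (PBKDF2-HMAC-SHA256 over a fixed salt); thresholds and
# the clock are parameters so the behaviour is deterministic.
import hashlib
import hmac


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user -> (salt, hash).
CREDENTIALS = {"alice": (b"constructed-salt-1", _pbkdf2("hunter22", b"constructed-salt-1"))}


def verify(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


class LoginGuard:
    """Wraps an authentication function with per-account throttling.

    attempt() returns one of:
      "ok"         password accepted, counters reset
      "fail"       wrong password, next prompt delayed (exponential backoff)
      "backoff"    attempt made before the delay elapsed; not even evaluated
      "disconnect" n failures in this session: drop the connection
      "disabled"   account locked after too many total failures
    """

    def __init__(self, verify_fn, base_delay=1.0, disconnect_after=3, disable_after=10):
        self.verify = verify_fn
        self.base_delay = base_delay
        self.disconnect_after = disconnect_after
        self.disable_after = disable_after
        self._state = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self._state.setdefault(user, {"failures": 0, "session": 0,
                                           "not_before": 0.0, "disabled": False})
        if st["disabled"]:
            return "disabled"
        if now < st["not_before"]:
            return "backoff"                # still waiting: do not evaluate the guess
        if self.verify(user, password):
            st["failures"] = st["session"] = 0
            return "ok"
        st["failures"] += 1
        st["session"] += 1
        # Backoff: each failure doubles the wait before the next prompt.
        st["not_before"] = now + self.base_delay * 2 ** (st["failures"] - 1)
        if st["failures"] >= self.disable_after:
            st["disabled"] = True           # caveat: lets an attacker lock out a real user
            return "disabled"
        if st["session"] >= self.disconnect_after:
            st["session"] = 0               # drop the connection; a reconnect starts fresh
            return "disconnect"
        return "fail"


if __name__ == "__main__":
    guard = LoginGuard(verify)
    for t, pw in [(0.0, "a"), (0.5, "b"), (1.0, "c"), (3.0, "d"), (7.0, "hunter22")]:
        print(f"t={t:4}: {guard.attempt('alice', pw, t)}")
```

Backoff is applied before the password is even checked, so a guess submitted during the wait costs the attacker a round trip and yields no information; the disabling threshold is deliberately much higher than the disconnection one because of the lockout caveat noted above.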

Password Aging

Requirement that a password be changed after a period of time or after an event has occurred.

If the expected time to guess a password is 180 days, it should be changed more frequently than every 180 days.

  • If the change interval is too short, users have difficulty recalling passwords.

  • Cannot allow users to change a password back to the current one.

  • Also prevent users from changing passwords too soon (otherwise they cycle straight back to the old one).

  • Give notice of an impending password change requirement.

Graphical Passwords

  • Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces.

  • Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story.


  • Barcodes were developed in the 20th century to improve efficiency in grocery checkout.

  • First-generation barcodes represent data as a series of variable-width vertical lines of ink, which is essentially a one-dimensional encoding scheme.

  • Some more recent barcodes are rendered as two-dimensional patterns using dots, squares, or other symbols that can be read by specialized optical scanners, which translate a specific type of barcode into its encoded information.

Authentication via Barcodes

  • Since 2005, the airline industry has been incorporating two-dimensional barcodes into boarding passes, which are created at flight check-in and scanned before boarding.

  • In most cases, the barcode is encoded with an internal unique identifier that allows airport security to look up the corresponding passenger’s record with that airline.

  • Staff then verifies that the boarding pass was in fact purchased in that person’s name (using the airline’s database), and that the person can provide photo identification.

  • In most other applications, however, barcodes provide convenience but not security. Since barcodes are simply images, they are extremely easy to duplicate.




Magnetic Stripe Cards

  • Plastic card with a magnetic stripe containing personalized information about the card holder.

  • The first track of a magnetic stripe card contains the cardholder’s full name in addition to an account number, format information, and other data.

  • The second track may contain the account number, expiration date, information about the issuing bank, data specifying the exact format of the track, and other discretionary data.


Magnetic Stripe Card Security

  • One vulnerability of the magnetic stripe medium is that it is easy to read and reproduce.

  • Magnetic stripe readers can be purchased at relatively low cost, allowing attackers to read information off cards.

  • When coupled with a magnetic stripe writer, which is only a little more expensive, an attacker can easily clone existing cards.

  • So, many uses require card holders to enter a PIN to use their cards (e.g., as in ATM and debit cards in the U.S.).


Smart Cards

  • Smart cards incorporate an integrated circuit, optionally with an on-board microprocessor that can read and write the card's storage, allowing the data on the card to be both accessed and altered.

  • Smart card technology can provide secure authentication mechanisms that protect the information of the owner and are difficult to duplicate: the secret key stays inside the chip, and the card proves possession of it by computing a response on-chip rather than by revealing the key.

(figure: the card's circuit interface)

Smart Card Authentication

  • They are commonly employed by large companies and organizations as a means of strong authentication using cryptography.

  • Smart cards may also be used as a sort of “electronic wallet,” containing funds that can be used for a variety of services, including parking fees, public transport, and other small retail transactions.

SIM Cards

  • Many mobile phones use a special smart card called a subscriber identity module card (SIM card).

  • A SIM card is issued by a network provider. It maintains personal and contact information for a user and allows the user to authenticate to the cellular network of the provider.

SIM Card Security

  • SIM cards contain several pieces of information that are used to identify the owner and authenticate to the appropriate cell network.

  • Each SIM card corresponds to a record in the database of subscribers maintained by the network provider.

  • A SIM card features an integrated circuit card ID (ICCID), a unique serial number (19 or 20 digits in practice, ending in a check digit) used for hardware identification.

  • Next, a SIM card contains a unique international mobile subscriber identity (IMSI), which identifies the owner's country, network, and personal identity.

  • SIM cards also contain a 128-bit secret key (Ki), shared only with the network operator. This key is used for authenticating a phone to a mobile network.

  • As an additional security mechanism, many SIM cards require a PIN before allowing any access to information on the card.

GSM Challenge-Response Protocol

  • When a cellphone wishes to join a cellular network it connects to a local base station owned by the network provider and transmits its IMSI.

  • If the IMSI matches a subscriber's record in the network provider's database, the base station transmits a 128-bit random number (RAND) to the cellphone.

  • The SIM card computes a 32-bit response (SRES) from this random number and the subscriber's secret key K using a key-dependent one-way function known as A3 (operator-specific and historically proprietary; COMP128 was a common implementation). The phone sends SRES back to the base station.

  • The network performs the same computation using its stored value of the subscriber's secret key (in practice the operator's authentication center, which holds the key, computes the expected response and hands it to the visited network, so the key itself is never transmitted). If the two responses match, the cellphone is authenticated to the network and is allowed to make and receive calls.

  • The challenge is fresh for every authentication, so a captured response cannot be replayed. Only the phone is authenticated: the network does not prove its identity to the phone.

(figure: message exchange)

  Phone -> Network: IMSI (this phone's ID)

  Network -> Phone: R, a 128-bit random number (the challenge)

  Phone -> Network: E_K(R), the response computed from R with the subscriber's secret key K
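The exchange above with both sides in code, as an added example that is not part of the original slides. a3() is a stand-in for the operator's A3 (HMAC-SHA-256 truncated to the 32-bit SRES length); the IMSI and Ki values are constructed, and the key-holding side is modelled by an AuthCenter class rather than the base station, since that is where the key lives in a real network.

```python
# Added example (not from the slides): the GSM challenge-response exchange
# with both sides in code.  a3() is a stand-in for the operator's A3
# (HMAC-SHA-256 truncated to the 32-bit SRES length); the IMSI and Ki values
# are constructed.  The key-holding side is the operator's authentication
# center, modelled here by AuthCenter.
import hashlib
import hmac
import secrets


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: keyed one-way function of RAND under Ki, 32-bit output."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128 bits each")
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class SIM:
    """The subscriber side: holds Ki and only ever exposes A3(Ki, RAND)."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        return a3(self._ki, rand)


class AuthCenter:
    """The operator side: IMSI -> Ki database, issues (RAND, expected SRES) pairs."""

    def __init__(self, subscribers: dict):
        self._subscribers = dict(subscribers)

    def challenge(self, imsi: str):
        ki = self._subscribers.get(imsi)
        if ki is None:
            return None                       # unknown subscriber
        rand = secrets.token_bytes(16)        # fresh 128-bit challenge
        return rand, a3(ki, rand)             # the base station only sees this pair


def authenticate(auc: AuthCenter, sim: SIM, replayed_sres: bytes = None) -> bool:
    """One run of the protocol.  Pass replayed_sres to model an attacker who
    captured an earlier response and sends it instead of computing A3."""
    pair = auc.challenge(sim.imsi)            # phone -> network: IMSI
    if pair is None:
        return False
    rand, expected = pair                     # network -> phone: RAND
    sres = sim.respond(rand) if replayed_sres is None else replayed_sres
    return hmac.compare_digest(sres, expected)   # phone -> network: SRES


if __name__ == "__main__":
    ki = bytes(range(16))                     # constructed subscriber key
    auc = AuthCenter({"001010123456789": ki})
    print("genuine SIM:", authenticate(auc, SIM("001010123456789", ki)))
    print("wrong Ki:   ", authenticate(auc, SIM("001010123456789", bytes(16))))
```

Ki never leaves the SIM object or the AuthCenter; only RAND and the 32-bit SRES cross the radio link, so an eavesdropper learns a (challenge, response) pair for a challenge that will not be asked again.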


  • Radio frequency identification, or RFID, is a rapidly emerging technology that relies on small transponders to transmit identification information via radio waves.

  • RFID chips feature an integrated circuit for storing information, and a coiled antenna to transmit and receive a radio signal.

RFID Technology

  • RFID tags must be used in conjunction with a separate reader or writer.

  • While some RFID tags require a battery, many are passive and do not.

  • The effective range of RFID varies from a few centimeters to several meters, but in most cases, since data is transmitted via radio waves, it is not necessary for a tag to be in the line of sight of the reader.

RFID Technology (continued)

  • This technology is being deployed in a wide variety of applications.

  • Many vendors are incorporating RFID for consumer-product tracking.

  • Car key fobs.

  • Electronic toll transponders.


  • Modern passports of several countries, including the United States, feature an embedded RFID chip that contains information about the owner, including a digital facial photograph that allows airport officials to compare the passport's owner to the person who is carrying the passport.

(figure: the RFID chip and antenna are embedded in the passport cover)



Passport Security

  • In order to protect the sensitive information on a passport, RFID communications are encrypted with a secret key (the ICAO "Basic Access Control" scheme).

  • In many instances, however, this secret key is derived from nothing more than the passport number, the holder's date of birth, and the expiry date, in that order.

    • All of this information is printed in the passport, in text and in the machine-readable zone that is read optically at the border.

    • While this secret key is intended to be accessible only to those with physical access to the passport, an attacker with information about the owner, including when the passport was issued, may be able to reconstruct this key easily, especially since passport numbers are typically issued sequentially: the key space collapses to (candidate passport numbers) x (candidate expiry dates), far fewer than the nominal key size suggests.
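The key derivation described above, as an added example that is not part of the original slides: it builds the key the way ICAO Doc 9303 (Basic Access Control) specifies, from exactly the three fields named, and then enumerates the keys an attacker who knows the holder's date of birth and roughly when the passport was issued would have to try. The worked values are the ICAO specification's test vector; the attacker's candidate ranges are constructed.

```python
# Added example (not from the slides): deriving the passport's access key as
# ICAO Doc 9303 (Basic Access Control) specifies, from the three MRZ fields
# named above, and counting the keys an attacker who knows the holder's date
# of birth and roughly when the passport was issued has to try.  The worked
# values are the ICAO test vector; the attacker's ranges are constructed.
import hashlib

WEIGHTS = (7, 3, 1)


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count as themselves, A-Z as 10-35, '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Document number (padded to 9 with '<'), birth date YYMMDD and expiry date
    YYMMDD, each followed by its check digit: the 'secret' that seeds the key."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{birth_date}{mrz_check_digit(birth_date)}"
            f"{expiry_date}{mrz_check_digit(expiry_date)}")


def _with_des_parity(key: bytes) -> bytes:
    """Set each byte's low bit so the byte has odd parity (3DES key convention)."""
    return bytes((b & 0xFE) | (0 if bin(b >> 1).count("1") % 2 else 1) for b in key)


def bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> tuple:
    """Return (K_seed, K_enc, K_mac) per the ICAO 9303 Part 11 key derivation."""
    info = mrz_information(doc_number, birth_date, expiry_date).encode("ascii")
    seed = hashlib.sha1(info).digest()[:16]
    k_enc = _with_des_parity(hashlib.sha1(seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = _with_des_parity(hashlib.sha1(seed + b"\x00\x00\x00\x02").digest()[:16])
    return seed, k_enc, k_mac


def candidate_keys(doc_numbers, birth_date: str, expiry_dates):
    """Attacker's enumeration: one K_seed per (document number, expiry date)
    pair for a victim whose birth date is known.  Yields (doc, expiry, seed)."""
    for doc in doc_numbers:
        for expiry in expiry_dates:
            yield doc, expiry, bac_keys(doc, birth_date, expiry)[0]


if __name__ == "__main__":
    # ICAO 9303 worked example: document L898902C<, born 1969-08-06, expires 1994-06-23.
    seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C", "690806", "940623"))
    print("K_seed:", seed.hex().upper())
    # Constructed attacker scenario: birth date known, passport known to have been
    # issued within a 30-day window (so 30 candidate expiry dates ten years later),
    # serial number within a block of 10,000 sequential issues.
    docs = [f"C{n:08d}" for n in range(10_000)]
    expiries = [f"3406{d:02d}" for d in range(1, 31)]
    print("keys to try:", sum(1 for _ in candidate_keys(docs, "690806", expiries)))
```

Each candidate costs one SHA-1, so the 300,000 keys of the constructed scenario are a fraction of a second of work; the nominal 3DES key length is irrelevant when the seed is a deterministic function of printed data.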


  • A biometric is any measure used to uniquely identify a person based on biological or physiological traits.

  • Generally, biometric systems incorporate some sort of sensor or scanner to read in biometric information and then compare this information to stored templates of accepted users before granting access. Because two readings of the same trait are never identical, the comparison is a similarity test against a threshold, not the exact match used for a password.

Requirements for Biometric Identification

  • Universality. Almost every person should have this characteristic.

  • Distinctiveness. Each person should have noticeable differences in the characteristic.

  • Permanence. The characteristic should not change significantly over time.

  • Collectability. The characteristic should have the ability to be effectively determined and quantified.

Biometric Identification

(diagram: the sensor produces a feature vector; the comparison algorithm compares it against the stored reference vector and reports "matches" or "doesn't match")

Candidates for Biometric IDs

  • Fingerprints

  • Retinal/iris scans

  • DNA

  • “Blue-ink” signature

  • Voice recognition

  • Face recognition

  • Gait recognition

  • Let us consider how each of these scores in terms of universality, distinctiveness, permanence, and collectability…
