Authentication

Slides: 31

Authentication
- Most technical security safeguards have authentication as a precondition.
- How to authenticate:
  - Something you know: password, secrets
  - Something you have: smart card, token
  - Something you are: biometrics
  - Somewhere you are: location

The authentication process
- Identify: either by claim or by recognition
- Authenticate:
  - Prove: ask the user for credentials
  - Verification: verify these credentials
- Authorization: mark the user as authenticated; commonly the access-control rights are assigned here as well

Password
- A secret (word) known by the user and the system

Password
- Username: some name under which the user is known to the system; hardly secret
- Secret password: the secret connected to the username

Entropy for passwords
- Entropy represents the uncertainty of the password, i.e. how hard it is to guess
- It is calculated from the probability p_i of each character observed in the password: H = -Σ p_i · log₂ p_i (ld = logarithmus dualis = log₂), measured in bits
- Caveat: the character entropy of a single password says little about real guessing effort. An attacker tries likely passwords first, so a dictionary word with a digit appended is guessed after a few thousand tries however evenly its letters are distributed

Good and bad passwords
- Bad:
  - Linkable names (own, child's, ...)
  - Linkable numbers (telephone, birthdays, ...)
  - Related words (like the car -> Ferrari)
  - Common words from dictionaries
  - Common patterns (qwerty, 123456, ...)
  - Fashion words
- Good:
  - Containing upper and lower case letters
  - Containing numbers and special characters
  - More than 8 characters
  - Can be typed fast
- The first three criteria enlarge the search space; the fourth prevents observation (shoulder surfing)
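The following is an added example, not part of the original slides, that puts the two previous slides into code: the entropy formula H = -Σ p_i · log₂ p_i, the search-space measure that the character-class rules actually enlarge, and a checker for the "good and bad passwords" rules. The blocklist, keyboard runs and the sample passwords are constructed for the demo; the function names are my own.

```python
import math
import re
from collections import Counter

# Constructed blocklist for the demo; a real deployment uses a large leaked-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "ferrari"}
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
                 "abcdefghijklmnopqrstuvwxyz")


def shannon_entropy_bits(password: str) -> float:
    """H = -sum(p_i * log2 p_i) over the characters observed in the password,
    multiplied by the length to express it in bits for the whole string.
    It measures how evenly the characters are spread, not how guessable the
    word is: 'password' scores like a random string with the same letter counts."""
    if not password:
        return 0.0
    n = len(password)
    counts = Counter(password)
    h_per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h_per_char * n


def search_space_bits(password: str) -> float:
    """log2(alphabet ** length): the work an exhaustive search faces when the
    attacker knows only which character classes are used. This is what the
    'upper and lower case, digits and specials, more than 8' rules enlarge."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def _has_run(low: str, length: int = 4) -> bool:
    """True if a forward or reversed slice of a keyboard row / sequence occurs."""
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - length + 1):
            piece = run[i:i + length]
            if piece in low or piece[::-1] in low:
                return True
    return False


def check_password(password: str, linked=()) -> list:
    """Apply the slide's rules. `linked` holds data an attacker can link to the
    user (names, phone number, birthday ...). Returns the list of violations;
    an empty list means the password is accepted."""
    problems = []
    low = password.lower()
    if len(password) <= 8:
        problems.append("too short: more than 8 characters required")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case letters")
    if not (re.search(r"[0-9]", password) and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("needs digits and special characters")
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    if _has_run(low):
        problems.append("keyboard or sequence pattern")
    for item in sorted(linked):
        if len(item) >= 3 and item.lower() in low:
            problems.append("contains linkable data: " + item)
    return problems


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "qwerty123", "Max1976!!"):
        print(pw, round(shannon_entropy_bits(pw), 1), round(search_space_bits(pw), 1),
              check_password(pw, linked={"Max", "1976"}))
```

Note the two numbers disagree on purpose: "qwerty123" has a respectable character entropy but is rejected by the pattern rule, which is the practical reason policies and blocklists, not entropy alone, decide what is accepted.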

Password verification
- Compare the input with a stored value
- Passwords need to be stored:
  - Plain
  - Encrypted: one-way (hashed; the system can verify a password but not recover it) or bi-directional (reversible; whoever holds the key recovers every password)
- Passwords need to be transferred:
  - Plain
  - Encrypted

Security of passwords
- Security is based mainly on the user, but also on how passwords are implemented in the system
- Systems can implement additional functions to harden passwords

Attacks against password systems
- Test all possible passwords (brute force)
- Guess likely words: lexical (dictionary) attacks
- Rainbow tables (precomputed hash-to-password tables; they only work when equal passwords produce equal stored values)
- Social engineering
- Looking for the system's password list
- Attacking the authentication mechanism
- Ask the user
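As an added example (not code from the slides) serving both the "password verification" slide and the "rainbow tables / stolen password list" attacks: the one-way storage done right. Each password gets its own random salt and a slow, memory-hard hash (scrypt from Python's standard library), so a stolen list has to be attacked one account at a time, and a precomputed table is useless. The record format and function names are my own choice.

```python
import hashlib
import hmac
import os

# scrypt cost parameters for the demo; raise n on real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def unsalted_sha1(password: str) -> str:
    """The weak 'one-way' scheme: equal passwords give equal hashes, so one
    precomputed table (rainbow table) breaks every account that uses a common word."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Store a random per-user salt and a slow, memory-hard hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record: the parameters travel with the hash so they can be raised later.
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                          salt.hex(), digest.hex())


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # compare_digest, not ==, so the timing does not leak how many leading bytes matched.
    return hmac.compare_digest(expected, actual)


def needs_rehash(record: str) -> bool:
    """True if the record uses weaker parameters than the current setting;
    call after a successful login and re-store the password with hash_password()."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return int(parts[1]) < SCRYPT_N


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"),
          verify_password(rec, "Correct horse battery staple"))
    print(unsalted_sha1("same") == unsalted_sha1("same"),
          hash_password("same") == hash_password("same"))
```

Hashing the same password twice yields two different records; with the unsalted scheme it yields the same digest, which is exactly what a rainbow table exploits.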

Ways to harden
- Limited number of tries
- Wrong inputs slow down the process
- Challenge-response
- Authenticate also the system (mutual authentication)
- Combining different systems (several factors)
- Harden the process
- Require passwords with high entropy
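The first two hardening measures as an added example (not the slides' own code): a per-account throttle that doubles the delay after every wrong input and locks the account after a fixed number of failures. The credential store is a constructed one-user dictionary kept in plaintext only so the example stays about throttling; the injected clock makes the sequence reproducible.

```python
import hmac
import time

# Constructed demo credential store; a real system holds salted password hashes here.
USERS = {"alice": "correct horse battery staple"}


class ManualClock:
    """Test clock so the delays can be stepped deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class LoginThrottle:
    """Per-account throttling: each consecutive failure doubles the delay before the
    next attempt is even looked at, and `max_failures` failures lock the account for
    `lockout_seconds`. A success resets the counter."""

    def __init__(self, max_failures=5, lockout_seconds=900, base_delay=1.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.clock = clock
        self._failures = {}     # user -> consecutive failures
        self._not_before = {}   # user -> earliest time the next attempt is accepted

    def wait_time(self, user):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed now."""
        return max(0.0, self._not_before.get(user, 0.0) - self.clock())

    def record_failure(self, user):
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failures:
            delay = self.lockout_seconds
        else:
            delay = self.base_delay * 2 ** (n - 1)   # 1, 2, 4, 8 ... seconds
        self._not_before[user] = self.clock() + delay

    def record_success(self, user):
        self._failures.pop(user, None)
        self._not_before.pop(user, None)


def login(throttle, user, password):
    """Returns 'ok', 'denied' or 'throttled'. The throttle is consulted before the
    credential is checked, and a failure is recorded for unknown users too, so an
    attacker cannot tell enrolled from non-enrolled names by the throttling."""
    if throttle.wait_time(user) > 0:
        return "throttled"
    stored = USERS.get(user, "")
    # compare_digest keeps the comparison time independent of the first mismatching byte.
    if user in USERS and hmac.compare_digest(stored.encode(), password.encode()):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"


def demo_sequence():
    """Three wrong guesses (lockout at 3), then the correct password during and after lockout."""
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, lockout_seconds=100, clock=clock)
    results = []
    results.append(login(throttle, "alice", "wrong"))            # denied, next try >= 1 s
    results.append(login(throttle, "alice", USERS["alice"]))     # throttled: too early
    clock.now = 1.0
    results.append(login(throttle, "alice", "wrong"))            # denied, next try >= 3 s
    clock.now = 3.0
    results.append(login(throttle, "alice", "wrong"))            # denied, locked until 103 s
    clock.now = 50.0
    results.append(login(throttle, "alice", USERS["alice"]))     # throttled: locked out
    clock.now = 103.0
    results.append(login(throttle, "alice", USERS["alice"]))     # ok, counter reset
    return results


if __name__ == "__main__":
    print(demo_sequence())
```

A correct password submitted while the account is throttled is still refused; that is the point, and also why per-account lockout needs a ceiling (or per-IP limits) so that an attacker cannot lock legitimate users out at will.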

One-time passwords
- A password is only valid once
- Techniques:
  - Transaction numbers (TAN)
  - Hashed with time stamp

Cryptographic techniques
- Cryptography for authentication purposes
- Popular techniques:
  - Kerberos
  - Certificates (X.509)
  - Challenge-response systems
- Problems:
  - Complex
  - Infrastructure dependent
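An added example, not the slides' own code, covering "challenge-response" and "authenticate also the system" from the hardening slide as well as the challenge-response entry here. Both sides hold a key derived from the password; the password never goes over the wire, each side proves possession of the key over fresh nonces, and a captured response is useless against the next challenge. The message layout, role tags and class names are my own design for the demo; the user store is constructed.

```python
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    """Shared secret both sides hold; the password itself never travels."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def proof(key: bytes, role: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Keyed response bound to both nonces and to the role, so a client proof can
    never be played back as a server proof (reflection) or under a new challenge."""
    return hmac.new(key, role + nonce_a + nonce_b, hashlib.sha256).digest()


class Server:
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys      # user -> shared key (constructed store)
        self.pending = {}               # user -> outstanding server nonce

    def challenge(self, user: str) -> bytes:
        """Message 1, server -> client: a fresh random nonce."""
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, client_nonce: bytes, client_proof: bytes):
        """Check message 2; on success return message 3 (the server's proof), else None.
        The outstanding challenge is consumed either way, so a captured response
        cannot be retried against it."""
        server_nonce = self.pending.pop(user, None)
        key = self.user_keys.get(user)
        if server_nonce is None or key is None:
            return None
        expected = proof(key, b"client", server_nonce, client_nonce)
        if not hmac.compare_digest(expected, client_proof):
            return None
        return proof(key, b"server", client_nonce, server_nonce)


class Client:
    def __init__(self, user: str, key: bytes):
        self.user, self.key, self.pending = user, key, None

    def respond(self, server_nonce: bytes):
        """Message 2, client -> server: own nonce plus proof over both nonces."""
        client_nonce = os.urandom(16)
        self.pending = (server_nonce, client_nonce)
        return client_nonce, proof(self.key, b"client", server_nonce, client_nonce)

    def verify_server(self, server_proof: bytes) -> bool:
        """Check message 3: only a party holding the key can produce it (mutual authentication)."""
        server_nonce, client_nonce = self.pending
        expected = proof(self.key, b"server", client_nonce, server_nonce)
        return hmac.compare_digest(expected, server_proof)


def run_handshake(server: Server, client: Client) -> bool:
    n_s = server.challenge(client.user)            # 1: server -> client
    n_c, p_c = client.respond(n_s)                 # 2: client -> server
    p_s = server.verify(client.user, n_c, p_c)     # 3: server -> client (or refusal)
    return p_s is not None and client.verify_server(p_s)


def replay_attack_succeeds(server: Server, client: Client) -> bool:
    """Eavesdropper records message 2 of a genuine run and replays it under a new challenge."""
    n_s = server.challenge(client.user)
    n_c, p_c = client.respond(n_s)
    assert server.verify(client.user, n_c, p_c) is not None   # the genuine run works
    server.challenge(client.user)                              # fresh challenge
    return server.verify(client.user, n_c, p_c) is not None   # replayed response


# Constructed demo enrolment: one user, salt stored with the account.
SALT = b"constructed-demo-salt"
KEY = derive_key("correct horse battery staple", SALT)

if __name__ == "__main__":
    srv = Server({"alice": KEY})
    print(run_handshake(srv, Client("alice", KEY)),
          run_handshake(srv, Client("alice", derive_key("wrong", SALT))),
          replay_attack_succeeds(srv, Client("alice", KEY)))
```

The price the slide mentions is visible here too: both parties need the key in advance, a nonce store with one-shot semantics, and a way to enrol users, which is the "infrastructure dependent" part.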

Security token
- Something you have
- Popular representatives:
  - Cryptographic tokens
  - Smart cards
- Problems:
  - Costly
  - Technical infrastructure

Smart cards
- A card with a chip
- Not necessarily for authentication
- Different types:
  - ROM cards
  - EEPROM cards
  - Microprocessor cards

Smart cards
- Prominent examples:
  - Bank cards
  - Credit cards
  - Mobile phone cards

Attacks against smart cards
- Protocol attacks: the communication between the smart card and the card reader
- Blocking signaling: block signals (for example erase signals)
- Freeze or reset the card: make the content of the RAM readable

Attacks against smart cards
- Physical probing: reading data directly from the hardware
- Damage part of the chip, for example the address counter
- Reverse engineering: reveal the chip design and gain knowledge
- Power analysis: measure the differences in power consumption, which depend on the data the chip is processing

Biometrics
- The security relies on a property of a human being
- Measuring some aspect of the human anatomy or physiology and comparing it with previously recorded values
- Problems: humans change over time

Concepts
- Physical: DNA, face, fingerprint, iris, hand geometry
- Behavioral: voice, signature verification

Conventional biometrics
- Face recognition (ID cards): the oldest and probably most accepted method; average security according to studies
- Handwritten signatures: highly accepted in Europe; good enough security

Fingerprints
- Look at the friction ridges that cover the fingertips
- Geometry of branches and end points (minutiae), commonly 16 are compared
- Pores of the skin
- Easy to deploy, relatively limited resistance
- Problems:
  - There is a statistical probability of a mismatch; the number of variations is limited
  - Fingerprints are mostly "noisy"
  - Alteration is easy

Iris scan
- Patterns in the iris are recognized
- Iris codes provide the lowest false accept rates of any known system (US study)
- Problems:
  - Getting people to put their eye into a scanner
  - Systems might be vulnerable to simple photographs

Problems with biometrics
- Not exact enough: false accepts (false positives) and false rejects (false negatives) are common
- Technically difficult: the technology is new
- Privacy problems: illnesses can be recognized
- Social problems: acceptance of the system; disclosure of the data generates problems
- Data leak out incidentally: when use becomes widespread your data will be known by a lot of people, and unlike a password a leaked biometric cannot be changed
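The "not exact enough" point in numbers, as an added example (not from the slides): a biometric matcher produces a similarity score and a threshold turns it into accept/reject, so false accepts and false rejects trade against each other. The score lists are constructed for the demo; the functions compute the false accept rate (FAR), false reject rate (FRR) and the equal error rate that vendors and studies such as the iris study quoted above report.

```python
# Constructed match scores on a 0..1 similarity scale (higher = more similar to the
# enrolled template). A real evaluation uses thousands of comparisons per class.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.84, 0.93, 0.67, 0.89, 0.78, 0.90]
IMPOSTOR_SCORES = [0.12, 0.33, 0.41, 0.28, 0.55, 0.19, 0.62, 0.24, 0.37, 0.71]


def false_accept_rate(threshold, impostor=IMPOSTOR_SCORES):
    """Fraction of impostor comparisons that reach the threshold (false positives)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(threshold, genuine=GENUINE_SCORES):
    """Fraction of genuine comparisons that fall below the threshold (false negatives)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def tradeoff(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR and raises FRR."""
    return [(t, false_accept_rate(t, impostor), false_reject_rate(t, genuine))
            for t in thresholds]


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest, with the rates there. The EER is
    the usual single number for comparing biometric systems; a security deployment
    normally picks a higher threshold (lower FAR) and accepts more false rejects."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = false_accept_rate(t, impostor), false_reject_rate(t, genuine)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def decide(score, threshold):
    """The matcher's final answer for one comparison."""
    return "accept" if score >= threshold else "reject"


if __name__ == "__main__":
    for t, far, frr in tradeoff([0.5, 0.6, 0.7, 0.8, 0.9]):
        print(f"threshold {t:.2f}  FAR {far:.0%}  FRR {frr:.0%}")
    print("EER:", equal_error_rate())
```

Note that with ten samples per class the finest resolvable rate is 10%, which is why a claim of a very low false accept rate is only meaningful together with the size of the study behind it.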

Single sign-on
- Only one sign-on for all applications
- Techniques:
  - Save the password (but how, and where?)
  - Issue a ticket
- Trends: identity management systems

Identity management
- Types of IdM (systems):
  - Type 1: account management, assigned identity (= Tier 2), by the organisation
  - Type 2: profiling, derived or abstracted identity (= Tier 3), supported by service providers
  - Type 3: management of own identities, chosen identity (= Tier 1), by the user herself/himself
- There are hybrid systems that combine characteristics

"Identity" is changing
- IT puts more high tech on ID cards:
  - Biometrics to bind them closer to a human being
  - Chips to add services (such as a PKI)
- Profiles may make the "traditional" ID concept obsolete:
  - People are no longer represented by numbers or ID keys but by data sets
  - Identities become "a fuzzy thing"
- New IDs and ID management systems are coming up:
  - Mobile communication (GSM) has introduced a globally interoperable "ID token": the Subscriber Identity Module
  - eBay lets people trade using pseudonyms
- Europe (the EU) considers joint ID and ID management systems:
  - European countries have different traditions on identity card use
  - Compatibility of ID systems is not trivial
- Work on new standards for identity management systems and entity authentication has been initiated by ISO and ITU

Identity concepts: partial identities illustrated
[Figure: a person surrounded by partial identities, one per domain (Work, Shopping, Public Authority, Leisure, Health Care, Anonymity), each holding only a subset of the person's attributes. Attributes shown: name, nickname, address, phone number, birthdate, marital status, denomination, education, foreign languages, capabilities, salary, income, tax status, credit cards, account number, insurance, hobbies, (dis)likes, health status, blood group. Identity management controls which attributes each domain sees.]

Changing borders of (partial) identities
[Figure: the same diagram; the borders between the domains are blurring.]

Changing borders of (partial) identities (cont.)
[Figure: the same diagram with an additional domain, "Communication and contacts", overlapping the others.]

Questions?