03 Week3 4 Authentication Compressed

Lecture 3-4 – User
Authentication and Applications

Dr. Cong Wang
CS Department
City University of Hong Kong
CS4293 Topics on Cybersecurity 1

Authentication
• The determination of identity, usually based on a
combination of
– something the person has (like a smart card or a radio key
fob storing secret keys),
– something the person knows (like a password),
– something the person is (like a human with a fingerprint).
password=ucIb()w1V
mother=Jones
human with fingers pet=Caesar
and eyes
Something you are
Something you know
radio token with

secret keys
Something you have
Authentication Process
• fundamental building • identification step
block and primary line • presenting an identifier
to the security system
of defense
• verification step
• presenting or
• basis for access control generating
authentication
and user accountability information that
corroborates the
binding between
the entity and the
identifier

Means of Authentication
• The
the four means of authenticating user
identity are based on:
• password, PIN,
answers to • smartcard, • fingerprint,
prearranged electronic retina, face • voice pattern,
questions keycard, handwriting,
physical key typing rhythm

User Authentication
with passwords

Password Authentication
• widely used line of defense against intruders
– user provides name/login and password
– system compares password with the one stored
for that specified login
• the user ID:
– determines that the user is authorized to access
the system
– determines the user’s privileges
– is used in discretionary access control

Basic Password Protocol (incorrect version)
• PWD: finite set of passwords
• Algorithm G (KeyGen):
• choose rand pw in PWD. output sk = vk = pw.
sk
User P Server V
(prover) (verifier)
vk
yes
sk
iff sk=vk

Basic Password Protocol (incorrect version)
• Problem: VK must be kept secret

• Compromise of server exposes all passwords
• Never store passwords in the clear!
password file on server
Alice pwalice
Bob pwbob
… …

Basic Password Protocol: version 1
H: one-way hash function from PWD to X
Given H(x) it is difficult to find y such that
H(y)=H(x) If u r simply doing like this, hacker can see ur hash,
even he doesnt know the encryption
sk password file on server

User P Server V
(prover) (verifier)
Alice H(pwA)
sk vk = H(sk)
Bob H(pwB)
… …
yes iff H(sk)=vk

Weak Passwords and Dictionary Attacks
• People often choose passwords from a small set:

• The 6 most common passwords (sample of 32×106 pwds):
123456, 12345, Password, iloveyou, princess, abc123
( 123456 appeared 0.90% of the time)

– 23% of users choose passwords in a dictionary
of size 360,000,000
• Online dictionary attacks:

• Defeated by doubling response time after every failure
• Harder to block when attacker commands a bot-net

Offline Dictionary Attacks
• Suppose attacker obtains vk = H(pw) from
server
• Offline attack: hash all words in Dict until a word w
is found such that H(w) = vk
• Time O(|Dict|) per password
• Off the shelf tools

• 2,000,000 brute-force guesses/sec
• Scan through 360,000,000 guesses in few minutes
• Will recover 23% of passwords

Password Crackers
Algorithm Speed/sec
DES 2 383 000
MD5 4 905 000
LanMan 12 114 000
• Many tools for this
– John the ripper
– Cain and Abel
– Passware(Commercial)

Batch Offline Dictionary Attacks
This attack : hash all rows in a dict, then match them
with existing hash from alice and bob, then hacker
can know the real value of hash from A and B Alice H(pwA)
• Suppose attacker steals pwd file F
Bob H(pwB)
• Obtains hashed pwds for all users
… …
• Batch dict. attack:
• Build list L containing (w, H(w)) for all w Î Dict
• Find intersection of L and F
• Total time: O( |Dict| + |F| )
• Much better than a dictionary attack on each password

Preventing Batch Dictionary Attacks
Salt can change the pw, thus after hashing, hA and HB are diff,
and it cant be reverted and cracked
id S h
• Public salt:
Alice SA H(pwA , SA)
• When setting password,
pick a random n-bit salt S Bob SB H(pwB , SB)
• When verifying pw for A,
test if H(pw, SA) = hA … … …
• Recommended salt length, n = 64 bits

• Pre-hashing dictionary does not help Number of pw and factory
• Batch attack time is now: O( |Dict| ´ |F| )

Procedure of Storing Hashed
Passwords with Salt
• To load a new password into the system, this password is
combined with a fixed-length salt value.
– Salt from the time when the password is assigned to the user.
• Some old implementation.
– Salt from a pseudorandom or random number.
• The password and salt serve as inputs to a hashing
algorithm to produce a fixed-length hash code.
– The hash algorithm is designed to be slow to execute to thwart
attacks .
• The hashed password is then stored, together with a
plaintext copy of the salt, in the password file for the
corresponding user ID.

Use of
Hashed
Passwords

When users login…
• To login, the user provides an ID and a password.
– the time at which the password is assigned to the user.
• Some old implementation.
– Or use a pseudorandom or random number.
• The OS uses the ID to index into the password file
and retrieve the plaintext salt and the hashed
password.
• The salt and user-supplied password are used as
input to the slow hash routine.
– the result matches ? à password acceptance.

Summary on Purposes of Using Salt
• It prevents duplicate passwords from being
visible in the password file.
– Even if two users choose the same password, those
passwords will be assigned different salt values.
• Hence, the hashed passwords of the two users

will differ.

Summary on Purposes of Using Salt
(Cont’d)
• It greatly increases the difficulty of offline dictionary
attacks.
– As noted previously, batch attack time is now: O( |Dict| ´ |F| )
• It becomes nearly impossible to find out whether a

person with passwords on two or more systems has
used the same password on all of them.
All sys should use salt also

Further Defenses
Make the hashing slow
• Slow hash function H: (0.1 sec to hash pw)

• Example: H(pw) = SHA1(SHA1( … SHA1(pw) …))
• Unnoticeable to user, but makes offline Add one more r(i) to slow it
dictionary attack harder

Alice SA H(pwA , SA , rA)
• Secret salts: Bob SB H(pwB , SB , rB)
• When setting pwd choose
short random r (8 bits) … … …
• When verifying pw for A,
try all values of rA: 128 times slow down on average
• It also serves for purpose of slowing down attacker.

Case study: UNIX and Windows
• UNIX: 12-bit public salt
• Hash function H:
• Convert pw and salt and a DES key k
• Iterate DES (or DES ) 25 times:
0 h
DES DES DES
k k k
• Windows: NT and later use MD4

• Outputs a 16 byte hash
• No public or secret salts

UNIX Implementation Evolvement
12 bit salt allows for 4096 salt values
original scheme
• up to eight printable characters in length
• 12-bit salt used to modify DES encryption
into a one-way hash function
• zero value repeatedly encrypted 25 times
• output translated to 11 character sequence
now regarded as inadequate

• still often required for compatibility with
existing account management software or
multivendor environments

Improved UNIX Implementations
OpenBSD uses Blowfish

block cipher based hash
algorithm called Bcrypt
much stronger hash/salt • most secure version of Unix
hash/salt scheme
schemes available for • uses 128-bit salt to create
Unix 192-bit hash value
recommended hash
function is based on MD5
• salt of up to 48-bits
• password length is unlimited
• produces 128-bit hash
• uses an inner loop with 1000
iterations to achieve slowdown

Password Cracking/Guessing and
Password Selection
(Optional Reading Materials
from pp. 24-34)

Password Lengths Matters
One study at Purdue University on 54 machines, representing approximately 13,000
user accounts . About 3% of the passwords were three char. or less.
Spafford, E., “ OPUS: PreventingCS4293

Weak Password
Topics on Choices.” Computers and Security, No. 3, 1992.
Cybersecurity 25
Password Complexity also Matters
• Password length is only part of the problem. Many people,
when permitted to choose their own password, pick a
password that is guessable.
– such as their own name, their street name, a common dictionary word,
and so forth.
• General guessing strategy:
– 1. Try the user’s name, initials, account name, and other relevant
personal information
– 2. Try words from various dictionaries (accessible online)
– 3. Try various permutations on the words from step 2.
• first letter uppercase or a control character, making the entire word uppercase,
reversing the word, changing the letter “o” to the digit “zero,” and so on.
– 4. Try various capitalization permutations on the words from step 2 that
were not considered in step 3.

Via the guessing
strategy,
one fourth
passwords from
a sample set of
13,797
Accounts
were guessed.
aComputed as the number of matches divided
by the search size. The more words that need
to be tested for a match, the lower the
CS4293 Topics on Cybersecurity cost/benefit ratio. 27
Lessons Learned
• Keep in mind that such a thorough search could produce
a success rate of about 25% from the sample test,
whereas even a single hit may be enough to gain a wide
range of privileges on a system.
• Suggestion to users: pick a strong password.

• Suggestion to sys. admin.: take good care of password
file.

Password File Access Control
can block offline guessing attacks by denying access to

encrypted passwords
make
available only
vulnerabilities
to privileged
users
shadow users with

weakness in accident with sniff
password file same access from
the OS that permissions passwords in
•a separate file password on backup
allows access making it network
from the user other media
to the file readable traffic
IDs where the systems
hashed
passwords are
kept

Password Selection Techniques
users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords
users have trouble remembering them
system periodically runs its own password cracker to find guessable passwords
user is allowed to select their own password, however the system goal is to eliminate guessable passwords while allowing the user to
checks to see if the password is allowable, and if not, rejects it select a password that is memorable
Proactive Password Checking
password rule
enforcement
cracker
•specific rules that
•compile a large passwords must
dictionary of adhere to
passwords not to
use
Bloom filter
•used to build a
table based on
dictionary using
hashes
•check desired
password against
this table

Selecting Strong Passwords
• A strong password includes characters from at
least three of the following groups:
• Use pass phrases eg. "I re@lly want to buy 11

Dogs!"

One Piece of Advice for Psw. Selection
• A good technique for choosing a password is to use the first
letter of each word of a phrase.
• However, don’t pick a well-known phrase like “An apple a day

keeps the doctor away” ---> (Aaadktda).
• Instead, pick something like

“My dog’s first name is Rex” ---> (MdfniR)
“My sister Peg is 24 years old” ---> (MsPi24yo).
– Studies have shown that users can generally remember such passwords
but that they are not susceptible to password guessing attacks based on
commonly used passwords..
User Authentication via
One-time Passwords

The SecurID system (secret vk, stateful)
• Algorithm G: (setup)
• Choose random key k ¬ K
• Output sk = (k,0) ; vk = (k,0)
vasco
• Identification:
prover verifier
sk = (k,0)
r0 ¬ F(k,0) vk = (k,0) Yes iff
r = F(k,0)
sk = (k,1) r1 ¬ F(k,1) vk = (k,1)

The SecurID system (secret vk, stateful)
• Thm : if F is a secure PRF then protocol

is secure against eavesdropping
• RSA SecurID uses a custom PRF:
64 bit key
F 6 digit output vasco
24 bit ctr
• Advancing state: sk ¬ (k, i+1)

• Time based: every 60 seconds
• User action: every button press
• Both systems allow for skew in the counter value
The S/Key system (public vk, stateful)
(n)
• Notation: H (x) = H(H(…H(x)…))
n times
• Algorithm G: (setup)
• Choose random key k ¬ K
(n+1)
• Output sk = (k,n) ; vk = H (k)
K is random, its hard to guess, not like a pw from dict which is
hackable by matching
• Identification:
k H(k) H(n-2)(k) H(n-1)(k) H(n)(k) H(n+1)(k)
vk
pwd #4 pwd #3 pwd #2 pwd #1
The S/Key system (public vk, stateful)
• Identification (in detail):

• Prover (sk=(k,i)): send t ¬ H(i) (k) ; set sk ¬ (k, i-1)
• Verifier( vk=H(i+1)(k) ): if H(t)=vk then vk¬t, output yes
• Notes: vk can be made public;

but need to generate new sk after n logins (n ≈ 106 )
• Thm : S/Keyn is secure against eavesdropping (public vk)

provided H is one-way on n-iterates

SecurID vs. S/Key
• S/Key: Even you know the vk, you cant find the pw
• public vk, limited number of auths

• often easily implemented (pen and paper suffice)
Only need a hash value ( which cant be marked down on
paper), not a token
• SecurID:
Secret vk must not be exposed
• secret vk, unlimited number of auths

• often implemented using secure token

User Authentication/Identification
with Biometrics

Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics based on pattern
recognition
• Is technically complex and expensive when
compared to passwords and tokens (yet to be introduced)
• physical characteristics used include:

• facial characteristics
• fingerprints
• hand geometry
• retinal pattern
• iris
• signature
• voice
Requirements for Biometrics
• Universality. Almost every person should have
this characteristic.
• Distinctiveness. Each person should have
noticeable differences in the characteristic.
• Permanence. The characteristic should not
change significantly over time.
• Collectability. The characteristic should have
the ability to be effectively determined and
quantified.
Pros and Cons of Using Biometrics
• Benefits:
• hard to forget
• Individually unique
• Problems:
• Biometrics are not generally secret
• Cannot be changed, unlike passwords
• Þ Primarily used as a second factor

authentication

General Operation of a Biometric System
• Each individual who is to be included in the database of
authorized users must first be enrolled in the system.
– analogous to assigning a password to a user.
– The system maintains the user a name (ID), perhaps a PIN or password,
and the biometric value.
• Depending on application, user authentication on a biometric
system involves either verification or identification.
– For biometric verification, the user enters a PIN and also uses a
biometric sensor.
• The system extracts the corresponding feature and compares that to the template.
• Match? ---> the system authenticates the user.
– For an identification system, the individual uses the biometric sensor
but presents no additional information.
• The system then compares the presented template with the set of stored templates.
• Match? ---> the user is identified.

General
Operation of a
Biometric
System
Figure 3.6 A Generic Biometric System Enrollment creates an association

between a user and the user’s biometric characteristics. Depending on the
application, user authentication either involves verifying that a claimed user is
the actual user or identifying an unknown user.
Biometric Authentication Accuracy
from pp. 47-55)

• In any biometric scheme, some physical characteristic of the
individual is mapped into a digital representation.
– For each individual, a single digital representation, or template, is stored
in the computer.
• When the user is to be authenticated, the system compares the

stored template to the presented template.
– Given the complexities of physical characteristics, we cannot expect
that there will be an exact match between the two templates.
• System uses an algorithm to generate a matching score

(typically a single number) that quantifies the similarity
between the input and the stored template.
Reader
Biometric
Feature vector
Comparison algorithm
Reference vector
Distance (feature vector, reference vector) < threshold? matches doesn’t match
Cost Versus Accuracy
• The concept of accuracy does not

apply to user authentication
schemes using passwords.
₋ either matches exactly or not.
• In the case of biometric

parameters, the system instead
must determine how closely a
presented biometric characteristic
matches a stored characteristic.

A Dilemma in Biometric Authentication?
• If a single user is tested by the system numerous times, the
matching score s will vary with a probability density function
typically forming a bell curve.
– Take fingerprint for example, results may vary due to sensor noise;
changes in the print due to swelling, dryness, and so on; finger
placement; etc.
• On average, any other individual should have a much lower
matching score but again will exhibit a bell-shaped probability
density function.
• The difficulty is that the range of matching scores produced by

two individuals, one genuine and one an imposter, compared
to a given reference template, are likely to overlap.
Accuracy: false match vs false non-match

Threshold Adjustment in Biometric
Authentication
• By moving the threshold, left or right, the probabilities can be
altered, but note that a decrease in false match rate necessarily
results in an increase in false nonmatch rate, and vice versa.
• For a given biometric scheme, we can plot the false match

versus false nonmatch rate, called the operating characteristic
curve, as shown next.
– To help us decide the threshold and the tradeoff.

Biometric Measurement Operating
A reasonable tradeoff is to pick a threshold t that corresponds
to a point on the curve where the rates are equal.
Characteristic Curves
A high-security application
may require a very low false
match rate, resulting in a
point farther to the left on
the curve.
For a forensic application, in

which the system is looking
for possible candidates,
to be checked further, the
requirement may be for a
low false nonmatch rate.

Actual Biometric Measurement
Below shows characteristic curves developed from actual product testing. The iris system
had no false matches in over 2 million cross-comparisons. Note that over a broad range of
Operating Characteristic Curves
false match rates, the face biometric is the worst performer.

Remote User Authentication
The simplest form of user authentication is local authentication, in which a user

attempts to access a system that is locally present, such as a stand-alone office PC or
an ATM machine. The more complex case is that of remote user authentication,
which takes place over the Internet, a network, or a communications link.

Remote User Authentication
• authentication over a network, the Internet,
or a communications link is more complex
• additional security threats such as:
– eavesdropping, capturing a password, replaying an
authentication sequence that has been observed
• generally rely on some form of a challenge-
response protocol to counter threats

Remote Authentication via
Password Protocol
• user transmits identity to
remote host
• host generates a random
number (nonce)
• nonce is returned to the user
• host stores a hash code of the
password
h(): hash fcn. • function f in which the password
f(): one-way fcn.
hash is one of the arguments
Example of a • use of a random number helps
challenge-response defend against an adversary
protocol capturing the user’s
transmission
Password Protocol against
several forms of attack
• The host stores not the password but a hash code of the
password.
– As discussed, this secures the password from intruders into the host
system.
• In addition, NOT even the hash of the password is transmitted
directly, but rather a function in which the password hash is
one of the arguments.
– For a suitable function f, e.g., one-way fcn., the password hash cannot
be captured during transmission.
• Finally, the use of a random number as one of the arguments of
f defends against a replay attack.
– Replay attack: an adversary captures the user’s transmission and
attempts to log on to a system in some later session by retransmitting
the user’s messages.

Remarks on the Common
Password Problem
• Users tend to use the same password at many
sites
• Password at a high security site can be exposed by a
break-in at a low security site
• Standard solution:
• Client side software that converts a common
password pw into a unique site password
pw ¬ H( pw, user-id, server-id )
pw is sent to server

Attempts at defeating key-loggers
Bank of Adelaide
Swivel PinSafe
Remote Authentication via
Token Protocol
Recall token is something you possess.
E.g.: RSA SecureID, Magnetic Stripe Cards, Smart card, etc. (yet to be introduced)
• user transmits identity to the

remote host
• host returns a random number
and identifiers
• token either stores a static
passcode or generates a one-
time random passcode
h(): hash fcn.
• user activates passcode by f(): one-way fcn.
entering a password
• password is shared between Example of a
the user and token and does token protocol
not involve the remote host
Static Biometric Protocol
E(): encryption fcn.; for encryption, key pre-setup between client and host is required.
• user transmits an ID to the host

• host responds with a random
number and the identifier for an
encryption
• client system controls biometric
device on user side
• host decrypts incoming
message and compares these to
locally stored values
Example of a • host provides authentication by
static biometric protocol comparing the incoming device
ID to a list of registered devices
exceed a predefined threshold at the host database
Dynamic Biometric Protocol
E(): encryption fcn.; for encryption, key pre-setup between client and host is required.
• host provides a random sequence

and a random number as a challenge Example of a
• sequence challenge is a sequence of dynamic biometric
numbers, characters, or words protocol
• user at client end must then vocalize,
type, or write the sequence to
dynamically generate a biometric
signal
• the client side encrypts the
biometric signal and the random
number
• host decrypts message and
generates a comparison

Potential Attacks,
Susceptible
Authenticators, and
Typical Defenses

eavesdropping
adversary attempts to
learn the password by
some sort of attack that
involves the physical host attacks
denial-of-service proximity of user and
adversary directed at the user file
attempts to disable a at the host where
user authentication passwords, token
service by flooding the passcodes, or biometric
service with numerous templates are stored
authentication attempts
Trojan horse replay

an application or physical adversary repeats a
device masquerades as previously captured
an authentic application client attacks user response
or device for the purpose
adversary attempts to
of capturing a user
password, passcode, or achieve user
authentication without
biometric
access to the remote
host or the intervening
communications path

Practical Application:
Iris Biometric System
Optional material
ATM Security Problems
Case Study:
Optional material
Other
Authentication/Identification
Techniques
from pp. 69-84)

Barcodes
• Developed in the 20th century to
improve efficiency in grocery checkout.
• First-generation barcodes represent data
as a series of variable-width, vertical
lines of ink, which is essentially a one-
dimensional encoding scheme.
• Some more recent barcodes are
rendered as two-dimensional patterns
using dots, squares, or other symbols
that can be read by specialized optical
scanners, which translate a specific type
of barcode into its encoded information.

Authentication via Barcodes
• Since 2005, the airline industry has been incorporating two-dimensional
barcodes into boarding passes, which are created at flight check-in and
scanned before boarding.
• In most cases, the barcode is encoded with an internal unique identifier that
allows airport security to look up the corresponding passenger’s record with
that airline.
• Staff then verifies that the boarding pass was in fact purchased in that
person’s name (using the airline’s database), and that the person can provide
photo identification.
• In most other applications, however, barcodes provide convenience but not
security. Since barcodes are simply images, they are extremely easy to
duplicate.
Two-dimensional
barcode

Public domain image from http://commons.wikimedia.org/wiki/File:Bpass.jpg
Magnetic Stripe Cards
• Plastic card with a magnetic stripe containing personalized
information about the card holder.
• The first track of a magnetic stripe card contains the
cardholder’s full name in addition to an account number, format
information, and other data.
• The second track may contain the account number, expiration
date, information about the issuing bank, data specifying the
exact format of the track, and other discretionary data.

Public domain image by Alexander Jones from http://commons.wikimedia.org/wiki/File:CCardBack.svg
Magnetic Stripe Card Security
• One vulnerability of the magnetic stripe medium is that it is easy
to read and reproduce.
• Magnetic stripe readers can be purchased at relatively low cost,
allowing attackers to read information off cards.
• When coupled with a magnetic stripe writer, which is only a little
more expensive, an attacker can easily clone existing cards.
• So, many uses require card holders to enter a PIN to use their
cards (e.g., as in ATM and debit cards in the U.S.).

Public domain image by Alexander Jones from http://commons.wikimedia.org/wiki/File:CCardBack.svg
Smart Cards
• Smart cards incorporate an integrated circuit, optionally with an
on-board microprocessor, which microprocessor features
reading and writing capabilities, allowing the data on the card to
be both accessed and altered.
• Smart card technology can provide secure authentication
mechanisms that protect the information of the owner and are
extremely difficult to duplicate.
Circuit interface

Public domain image from http://en.wikipedia.org/wiki/File:Carte_vitale_anonyme.jpg
Smart Card Authentication
• They are commonly employed by large
companies and organizations as a means of
strong authentication using cryptography.
• Smart cards may also be used as a sort of
“electronic wallet,” containing funds that can
be used for a variety of services, including
parking fees, public transport, and other small
retail transactions.

SIM Cards
• Many mobile phones use a special smart card called a
subscriber identity module card (SIM card).
• A SIM card is issued by a network provider. It
maintains personal and contact information for a user
and allows the user to authenticate to the cellular
network of the provider.

SIM Card Security
• SIM cards contain several pieces of information that are used to identify
the owner and authenticate to the appropriate cell network.
• Each SIM card corresponds to a record in the database of subscribers
maintained by the network provider.
• A SIM card features an integrated circuit card ID (ICCID), which is a unique
18-digit number used for hardware identification.
• Next, a SIM card contains a unique international mobile subscriber
identity (IMSI), which identifies the owner’s country, network, and
personal identity.
• SIM cards also contain a 128-bit secret key. This key is used for
authenticating a phone to a mobile network.
• As an additional security mechanism, many SIM cards require a PIN before
allowing any access to information on the card.

GSM Challenge-Response Protocol
1. When a cellphone wishes to join a cellular network it connects to a local
base station owned by the network provider and transmits its IMSI.
2. If the IMSI matches a subscriber’s record in the network provider’s database,
the base station transmits a 128-bit random number to the cellphone.
3. This random number is then encoded by the cellphone with the subscriber’s
secret key stored in the SIM card using a proprietary encryption algorithm
known as A3, resulting in a ciphertext that is sent back to the base station.
4. The base station then performs the same computation, using its stored value
for the subscriber’s secret key. If the two ciphertexts match, the cellphone is
authenticated to the network and is allowed to make and receive calls.
IMSI = (this phone’s ID)
R = a 128-bit random number (the challenge)

EK(R) = the 128-bit random number encrypted
using the subscriber’s secret key K
(the response)
RFIDs
• Radio frequency identification, or RFID, is a rapidly
emerging technology that relies on small transponders
to transmit identification information via radio waves.
• RFID chips feature an integrated circuit for storing
information, and a coiled antenna to transmit and
receive a radio signal.

RFID Technology
• RFID tags must be used in conjunction with a
separate reader or writer.
• While some RFID tags require a battery, many
are passive and do not.
• The effective range of RFID varies from a few
centimeters to several meters, but in most
cases, since data is transmitted via radio
waves, it is not necessary for a tag to be in the
line of sight of the reader.

RFID Technology
• This technology is being deployed in a wide
variety of applications.
• Many vendors are incorporating RFID for
consumer-product tracking.
– Car key fobs.
– Electronic toll transponders.

Passports
• Modern passports of several
countries, including the United
RFID chip and
States, feature an embedded antenna is embedded
in the cover
RFID chip that contains

information about the owner,
including a digital facial
photograph that allows airport
officials to compare the e-Passport
passport’s owner to the symbol
person who is carrying the
passport.

Passport Security
• In order to protect the sensitive information on a passport, all
RFID communications are encrypted with a secret key.
• In many instances, however, this secret key is merely the
passport number, the holder’s date of birth, and the
expiration date, in that order.
– All of this information is printed on the card, either in text
or using a barcode or other optical storage method.
– While this secret key is intended to be only accessible to
those with physical access to the passport, an attacker
with information on the owner, including when their
passport was issued, may be able to easily reconstruct this
key, especially since passport numbers are typically issued
sequentially.
Summary
l four means of authenticating a user’s

identity l password selection strategies
l something the individual knows l user education
l something the individual possesses l computer generated passwords
l something the individual is l reactive password checking
l something the individual does l proactive password checking
l vulnerability of passwords l biometric authentication
l offline dictionary attack l General operation procedure.
l popular password attack l Accuracy vs cost
l password guessing against single user l False-match vs false-non-match
l exploiting user mistakes l remote user authentication
l exploiting multiple password use l password protocol
l electronic monitoring l token protocol
l Hashed password and salt value l static biometric protocol
l dynamic biometric protocol
l General procedure
l Salt purposes l Other authentication techniques.
l Further defense l memory cards (token)
l password file access control l smart cards (token)
l One-time passwords authentication

03 Week3 4 Authentication Compressed

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

03 Week3 4 Authentication Compressed

Uploaded by

Copyright:

Available Formats

Lecture 3-4 – User

Authentication and Applications

CS4293 Topics on Cybersecurity 1

Something you are

Something you know

radio token with

CS4293 Topics on Cybersecurity 3

CS4293 Topics on Cybersecurity 4

CS4293 Topics on Cybersecurity 5

CS4293 Topics on Cybersecurity 6

• PWD: finite set of passwords

CS4293 Topics on Cybersecurity 7

• Problem: VK must be kept secret

CS4293 Topics on Cybersecurity 8

sk password file on server

CS4293 Topics on Cybersecurity 9

• People often choose passwords from a small set:

( 123456 appeared 0.90% of the time)

• Online dictionary attacks:

CS4293 Topics on Cybersecurity 10

• Off the shelf tools

CS4293 Topics on Cybersecurity 11

CS4293 Topics on Cybersecurity 12

• Much better than a dictionary attack on each password

CS4293 Topics on Cybersecurity 13

• Recommended salt length, n = 64 bits

• Batch attack time is now: O( |Dict| ´ |F| )

CS4293 Topics on Cybersecurity 14

CS4293 Topics on Cybersecurity 15

CS4293 Topics on Cybersecurity 16

CS4293 Topics on Cybersecurity 17

• Hence, the hashed passwords of the two users

CS4293 Topics on Cybersecurity 18

• It becomes nearly impossible to find out whether a

CS4293 Topics on Cybersecurity 19

• Slow hash function H: (0.1 sec to hash pw)

dictionary attack harder

CS4293 Topics on Cybersecurity 20

• Windows: NT and later use MD4

CS4293 Topics on Cybersecurity 21

now regarded as inadequate

CS4293 Topics on Cybersecurity 22

OpenBSD uses Blowfish

CS4293 Topics on Cybersecurity 23

CS4293 Topics on Cybersecurity 24

Spafford, E., “ OPUS: PreventingCS4293

CS4293 Topics on Cybersecurity 26

• Suggestion to users: pick a strong password.

CS4293 Topics on Cybersecurity 28

can block offline guessing attacks by denying access to

shadow users with

CS4293 Topics on Cybersecurity 29

users have trouble remembering them

CS4293 Topics on Cybersecurity 31

• Use pass phrases eg. "I re@lly want to buy 11

CS4293 Topics on Cybersecurity 33

• However, don’t pick a well-known phrase like “An apple a day

• Instead, pick something like

CS4293 Topics on Cybersecurity 35

CS4293 Topics on Cybersecurity 36

• Thm : if F is a secure PRF then protocol

• Advancing state: sk ¬ (k, i+1)

• Identification (in detail):