
Computer security & Cryptography

M.O. Odeo
Identification and Authentication

At any time a computer must know which other
users it is working with:
 to ensure that only ‘legal’ entities have
access
 to enforce authorisation (logical access
control)
 to enforce accountability
Identification and Authentication
 In closed systems, i.e. where all ‘legal’
users are known to the system beforehand
 In open systems, i.e. where a user is not
known to the system beforehand, e.g. in
e-commerce
Identification and Authentication
 In whatever environment, a unique identifier
(identity) must be linked to a user
 This linking process consists of the user
offering some id to the system, and the
system requesting (challenging) the user to
prove that the offered identity actually
belongs to the user
 This process is known as identification and
authentication, and is usually done during
logon
Purpose of I & A
 To ensure that only ‘legal’, i.e.
authorised, users are allowed to access
the system
 I & A is easier in a closed environment than
in an open one
 In a closed environment the users are
pre-known (pre-registered) to the system
The Identification Process
 First step: identification of the user
 The user-id is not secret
 It can be stolen (misused), so the system
needs proof of ownership of the user-id
 Second step: authentication
 Verifying that the offered user-id belongs to
the person offering it
 Based on some secret parameter known only to
the real owner
Secret Parameters come in 4
Different Forms
 Something the user knows (e.g. a password)
 Something the user possesses (e.g. a token)
 Something the user is (e.g. a biometric)
 A combination of the above
Authentication through something
user knows
 Password stored in user database
 (diagram not reproduced)
Password Rules
 Password kept secret
 User database (password file) kept
confidential
 Transfer of password between
workstation and main system must be
secure
Protecting Password during storage
 Scrambling (one-way hashing, with a per-user
salt) of passwords before storage, so that the
stored value cannot be turned back into the
password even by someone who reads the file
 Password file encrypted
 Password file protected against
unauthorised access and manipulation
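The storage rule above, as an added example (not code from the original slides): each password is stored as a salted, slow one-way hash and a logon attempt is checked by recomputing the hash, never by decrypting anything. The user database is an in-memory dict constructed here; the PBKDF2 iteration count is an assumed value.

```python
"""Added example: salted one-way password storage and verification.
USER_DB and its two accounts are constructed for this example."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; raise it for real deployments.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record {salt, iterations, hash}.
    A fresh random salt per user means two users with the same password
    get different hashes, and a precomputed table cannot be reused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute from the stored salt and compare in constant time.
    The stored value cannot be 'decrypted' back to the password."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def login(user_db: dict, user_id: str, candidate: str) -> bool:
    """Identification (look up the user-id) then authentication (prove
    knowledge of the password). Unknown id and wrong password take a
    similar path so the response does not reveal which one failed."""
    record = user_db.get(user_id)
    if record is None:
        hash_password(candidate)   # burn the same time for unknown ids
        return False
    return verify_password(record, candidate)


# Constructed sample user database (example data only).
USER_DB = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

if __name__ == "__main__":
    print(login(USER_DB, "alice", "correct horse battery staple"))  # True
    print(login(USER_DB, "alice", "hunter2"))                       # False
    print(login(USER_DB, "mallory", "anything"))                    # False
```

Even with the file in hand, an attacker must guess each password separately against its own salt; the per-user salt is what makes a stolen file of hashes much less useful than a stolen file of encrypted (reversible) passwords would be if the key also leaked.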
Protecting Password during
Transmission
 Networks can be tapped
 Password encryption during transmission
(e.g. ATMs and PINs)
 Requires agreed algorithms and a shared key
(tackled later)
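One way to keep the secret off a tapped network, as an added example (not from the original slides): a keyed challenge-response exchange. The main system sends a fresh random challenge, the workstation answers with an HMAC of it under the shared key, and only the challenge and the answer cross the wire. This is a substitute for, not the same as, the encrypted-PIN scheme the slide mentions. Both sides are simulated in one process; the user, key and messages are constructed here.

```python
"""Added example: challenge-response logon over an untrusted network.
Shared key and user are constructed for this example."""
import hashlib
import hmac
import os


class MainSystem:
    """Server side: holds the shared key per user, issues challenges and
    checks responses. Each challenge is single-use to defeat replay."""

    def __init__(self, shared_keys: dict):
        self._keys = shared_keys        # user_id -> bytes
        self._pending = {}              # user_id -> outstanding nonce

    def challenge(self, user_id: str) -> bytes:
        nonce = os.urandom(16)          # fresh and unpredictable per attempt
        self._pending[user_id] = nonce
        return nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(user_id, None)   # consumed on first use
        key = self._keys.get(user_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Workstation:
    """Client side: derives the response from the challenge and the
    user's secret. The secret itself is never transmitted."""

    def __init__(self, user_id: str, key: bytes):
        self.user_id = user_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_exchange(server: MainSystem, client: Workstation) -> tuple:
    """One logon. Returns (accepted, nonce, response), i.e. the verdict
    plus exactly what an eavesdropper on the wire would have captured."""
    nonce = server.challenge(client.user_id)      # wire: server -> client
    response = client.respond(nonce)              # wire: client -> server
    return server.verify(client.user_id, response), nonce, response


# Constructed shared key; in practice derived from the password or
# provisioned onto a token, never sent in clear.
ALICE_KEY = hashlib.sha256(b"alice's password").digest()
SERVER = MainSystem({"alice": ALICE_KEY})


def demo() -> dict:
    """Legitimate logon succeeds; a replayed capture fails both with no
    outstanding challenge and against a new one; an impostor without the
    key fails."""
    ok, _nonce, captured = run_exchange(SERVER, Workstation("alice", ALICE_KEY))
    replay = SERVER.verify("alice", captured)           # nothing outstanding
    SERVER.challenge("alice")
    replay_new = SERVER.verify("alice", captured)       # nonce differs now
    impostor_ok, _, _ = run_exchange(SERVER, Workstation("alice", b"wrong"))
    return {"legitimate": ok, "replay": replay,
            "replay_new_challenge": replay_new, "impostor": impostor_ok}


if __name__ == "__main__":
    print(demo())
```

The nonce is what makes a captured response worthless: the tap sees a valid answer, but only to a question that will never be asked again.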
First Law of Authentication
 Keep your password secret at all times
 (if your password is compromised, an
impostor can ‘become’ you!!)
Choosing Passwords
 Minimum length
 Not directly related to the owner (no names,
birthdays, etc.)
 Changed regularly
 As random as possible
 No group (shared) passwords: they destroy
accountability
Choosing Passwords
 Passwords are not very secure
 Still the most widely used form of
authentication
 Good procedures help
 If a password is stolen, the user may not
know it (the secret is copied, not taken away)
 We need a better way
Authentication through something
user possesses
 Physical token (magnetic card, smart
card etc)
 If stolen, the user will know (unlike a
copied password)
 For authentication, the token must be
present
 e.g. ATM and magnetic card
Authentication through something
user possesses
 Password (PIN) on token
 Magnetic card not secure: its contents can be
read and copied onto another card
 Smart card secure: it holds a secret that
never leaves the card, so I&A can be done
offline!!
 A token can still be stolen, used and replaced
before the owner notices
 We need something better

Authentication through something
User Is
 Biometrics
 Fingerprint, retina, voice print, palm
print, …
 Replaces the password
 Token with the biometric on it (smart card)
 Cannot be lost, forgotten or lent like a
password or token (but a compromised
biometric cannot be changed)
 More expensive
Management of I & A
 Creation of the user/password file
 Adding/deleting users
 Changing passwords
 Keeping the password file secure
 Keeping user-ids unique
 Management of tokens
 Inactive ids must be found and disabled
 Users leaving must be removed
 Monitoring logon logs
 A major task if there is more than one system
I & A in Multi-system Environment
 A user can sign on to many systems
 Different passwords and ids on each
 Keeping track of user accesses is a major
task
 When a user leaves, every account must be
found and removed
Serious Management Problems
 Keeping track of all passwords
 Different password files on different systems
 User leaves company (deletions on every
system)
Need a Single Sign on System
 One user id and password per user for
different systems
SSO Implementations
 Synchronisation (the same password kept in
step on every system)
 Scripting (a logon script replays stored
credentials to each system)
 Trusted authentication (one system
authenticates the user and vouches for
them to the others)
 Kerberos
 Secure single sign on (SSSO)
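The trusted-authentication approach in the list above, as an added, simplified example (not code from the original slides and not Kerberos, which additionally encrypts its tickets and sets up a session key): the user logs on once to an authentication server, which then issues each application system a ticket sealed with a key that only the server and that system share. The application systems never see the user's password, and a ticket for one system is useless on another. Users, keys, ticket lifetime and the two systems are constructed here.

```python
"""Added example: ticket-based single sign-on ('trusted authentication').
Constructed illustration; users, systems and keys are example data."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


class AuthServer:
    """Holds the users' verifiers and one shared key per application
    system. Plain SHA-256 is used only to keep this short; a real
    deployment stores salted, slow hashes as the storage slides say."""

    def __init__(self, user_hashes: dict, system_keys: dict,
                 ticket_life: float = 300.0):
        self._users = user_hashes
        self._system_keys = system_keys
        self._life = ticket_life

    def logon(self, user_id: str, password: str) -> bool:
        stored = self._users.get(user_id)
        if stored is None:
            return False
        return hmac.compare_digest(
            stored, hashlib.sha256(password.encode()).digest())

    def issue_ticket(self, user_id: str, system: str,
                     now: Optional[float] = None) -> bytes:
        """Called only after logon() succeeded. Ticket = payload '.' tag."""
        now = time.time() if now is None else now
        payload = json.dumps({"user": user_id, "system": system,
                              "exp": now + self._life,
                              "nonce": os.urandom(8).hex()},
                             sort_keys=True).encode()
        tag = _tag(self._system_keys[system], payload)
        return payload + b"." + tag.hex().encode()


class AppSystem:
    """One of the systems the user signs on to. It trusts the AS via the
    shared key and checks integrity, audience and expiry before granting
    access; the returned user-id is what it then logs for accountability."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key

    def accept(self, ticket: bytes, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        payload, sep, tag_hex = ticket.rpartition(b".")
        try:
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return None
        if not sep or not hmac.compare_digest(_tag(self._key, payload), tag):
            return None                          # forged or tampered
        claims = json.loads(payload)
        if claims["system"] != self.name:        # meant for another system
            return None
        if claims["exp"] < now:                  # stale ticket
            return None
        return claims["user"]


# Constructed deployment: one user, two application systems.
KEYS = {"mail": os.urandom(32), "payroll": os.urandom(32)}
AS = AuthServer({"alice": hashlib.sha256(b"alice-pw").digest()}, KEYS)
MAIL = AppSystem("mail", KEYS["mail"])
PAYROLL = AppSystem("payroll", KEYS["payroll"])


def demo() -> dict:
    """One logon, two systems, and the three rejections a system must make."""
    if not AS.logon("alice", "alice-pw"):
        return {"logon": False}
    t_mail = AS.issue_ticket("alice", "mail", now=1000.0)
    t_pay = AS.issue_ticket("alice", "payroll", now=1000.0)
    tampered = t_mail.replace(b'"alice"', b'"admin"')
    return {"logon": True,
            "mail": MAIL.accept(t_mail, now=1001.0),
            "payroll": PAYROLL.accept(t_pay, now=1001.0),
            "wrong_system": PAYROLL.accept(t_mail, now=1001.0),
            "expired": MAIL.accept(t_mail, now=1301.0),
            "tampered": MAIL.accept(tampered, now=1001.0)}


if __name__ == "__main__":
    print(demo())
```

This also answers the management problem on the earlier slides: when a user leaves, only the authentication server's record has to go, because no application system holds a password of its own for that user.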