Authentication 2: Passwords and Biometrics - PowerPoint PPT Presentation

Number of Views: 61
Avg rating: 3.0/5.0
Slides: 28
Provided by: joanneh5

Transcript and Presenter's Notes

1
Authentication 2 Passwords and Biometrics
2
Readings
  • Read article on password security
    http://netsecurity.about.com/library/weekly/aa021703a.htm
  • SANS on biometrics
    http://www.sans.org/rr/authentic/parts_online.php
  • Universities are targets
    http://www.wired.com/news/culture/0,1284,42063,00.html
  • SANS on passwords
    http://www.sans.org/rr/authentic/lazy_user.php

3
Ways to Identify
  • Something you have (the garage door opener)
  • Something you know (passwords, mother's maiden
    name)
  • Something you are (fingerprint, iris scan)

4
Passwords
  • User identity is most often established through
    passwords. Easy to implement in the system.
  • Passwords must be kept secret.
  • Change passwords frequently.
  • Use non-guessable passwords.
  • Passwords may also be stored encrypted, or be
    allowed to be used only once.

5
Passwords
  • System maintains a file that associates a
    password with each authorized user.
  • Password file can be protected with:
    • One-way encryption
    • Access control
    • Salt

6
Guessing passwords
  • Try default passwords.
  • Try all short words, 1 to 3 characters long.
  • Try all the words in an electronic dictionary
    (60,000 words).
  • Collect information about the user's hobbies,
    family names, birthday, etc.
  • Try the user's phone number, SSN, street address,
    etc.
  • Try all license plate numbers (MUP103).
  • Use a Trojan horse.
  • Tap the line between a remote user and the host
    system.
  • Prevention: enforce good password selection
    (Ij4Gf4Sef).

7
Often Overlooked
  • Common technique for getting passwords: spy on
    the user, or simply ask.
  • A study at the University of Sydney sent email to
    336 computer science students asking for their
    password, saying it was needed to verify the
    password database after a break-in.
    • 138 returned a valid password
    • 30 returned an invalid password
    • 200 immediately changed their password
    • Few reported it (who would you report it to?)

8
User Compliance Problems
  • If users are forced to remember complicated
    passwords, they will often use them for several
    accounts. An attacker who learns your computer
    password may then have your on-line banking
    password.
  • Users forced to change their password, and not
    reuse one of the previous 3, would keep 4
    passwords and quickly cycle through them back to
    their favorite.
  • Users forced to change passwords every month
    choose mary01 for Jan, mary02 for Feb, etc.
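The "Prevention: enforce good password selection" point on the guessing slide and the mary01/mary02 pattern on this slide can both be enforced at the moment a password is chosen. The following is an added example (not code from the slides) of a password-selection check that rejects each category the guessing slide lists and the digits-bumped reuse pattern; the small word list and default list are stand-ins for a real 60,000-word dictionary and a vendor default list, and all names in it are constructed.

```python
import re
from typing import Iterable, List

# Constructed example, not code from the slides: a password-selection check
# that rejects the categories the "Guessing passwords" slide lists (defaults,
# short strings, dictionary words, personal information) and the mary01/mary02
# monthly-increment pattern from the compliance slide.

# Stand-ins for a real 60,000-word dictionary and a vendor default list.
DICTIONARY = {"password", "welcome", "letmein", "secret", "computer", "mary"}
DEFAULT_PASSWORDS = {"admin", "changeme", "root", "guest", "password"}


def strip_trailing_digits(s: str) -> str:
    """'mary02' -> 'mary', so that mary01/mary02/... count as the same word."""
    return re.sub(r"\d+$", "", s.lower())


def password_problems(candidate: str,
                      personal_info: Iterable[str] = (),
                      history: Iterable[str] = (),
                      min_length: int = 8) -> List[str]:
    """Return the reasons a candidate password should be rejected.
    An empty list means the candidate passed every check."""
    problems: List[str] = []
    low = candidate.lower()
    stem = strip_trailing_digits(low)

    if len(candidate) < min_length:
        problems.append("too short")
    if low in DEFAULT_PASSWORDS:
        problems.append("vendor/support default password")
    if stem in DICTIONARY:
        problems.append("dictionary word (possibly with digits appended)")
    # Hobbies, family names, phone number, SSN, plate number, birthday ...
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information: {item}")
    # Password history: exact reuse, or the previous one with its digits bumped.
    for old in history:
        if low == old.lower():
            problems.append("reuses a previous password")
        elif stem and stem == strip_trailing_digits(old):
            problems.append("previous password with only the trailing digits changed")
    return problems


if __name__ == "__main__":
    for pw in ("mary02", "Ij4Gf4Sef", "MUP103"):
        verdict = password_problems(pw, personal_info=["Mary", "MUP103"],
                                    history=["mary01"])
        print(pw, "->", verdict or "accepted")
```

The personal-information and history lists would come from the account record in a real system; the check is deliberately a list of independent reasons so the user can be told exactly why a choice was refused.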

9
Loading a New Password in Unix
10
Verifying a Password in Unix
11
The Purpose of Salt
  • The salt serves three purposes:
    • Prevents duplicate passwords.
    • Effectively increases the length of the password.
    • Prevents the use of hardware implementations of
      DES.
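Slides 9 and 10 name the two Unix password-file operations, loading a new password and verifying one, and slide 11 explains why a salt is stored beside the hash. The following is an added example, not code from the slides or from any Unix implementation, that walks through both operations and shows the first purpose of the salt (two users with the same password get different stored hashes). PBKDF2-HMAC-SHA256 stands in for the DES-based crypt(3) the slides assume; the iteration count and salt size are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example, not code from the slides. It mirrors the two Unix
# password-file operations the slides name: loading a new password (choose a
# salt, store salt + one-way hash) and verifying one (re-hash with the stored
# salt, compare). PBKDF2-HMAC-SHA256 stands in for DES-based crypt(3).

ITERATIONS = 100_000   # assumed work factor; raise for production use
SALT_BYTES = 16        # assumed salt size


def one_way(password: str, salt: bytes) -> str:
    """Salted one-way hash. The salt is mixed in, so the same password with
    a different salt yields an unrelated digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return digest.hex()


def load_new_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Loading a new password: pick a random salt, store salt and hash.
    The plaintext is never written to the file."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "hash": one_way(password, salt)}


def verify_password(record: Dict[str, str], candidate: str) -> bool:
    """Verifying a password: re-hash the candidate with the stored salt and
    compare against the stored hash in constant time."""
    recomputed = one_way(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(recomputed, record["hash"])


def build_password_file(users: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Constructed password file: user name -> {salt, hash}."""
    return {name: load_new_password(pw) for name, pw in users.items()}


def hashes_collide(pw_file: Dict[str, Dict[str, str]], user_a: str, user_b: str) -> bool:
    """True if two users' stored hashes are identical. With per-user salts
    they are not, even when the two users chose the same password."""
    return pw_file[user_a]["hash"] == pw_file[user_b]["hash"]


if __name__ == "__main__":
    pw_file = build_password_file({"alice": "ositba", "bob": "ositba"})
    print("same password, same hash?", hashes_collide(pw_file, "alice", "bob"))
    print("alice / ositba:", verify_password(pw_file["alice"], "ositba"))
    print("alice / wrong :", verify_password(pw_file["alice"], "wrong"))
```

Because the salt is stored in the clear next to the hash, it adds nothing against guessing one particular user's password; its value is that a precomputed table (or a DES hardware engine) can no longer be reused across every user in the file, which is the second and third purpose on the slide.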

12
Simple Intrusion Detection
  • Unsuccessful login attempts are recorded.
  • A successful login should include a report of
    recent unsuccessful attempts:
    • WELCOME JHOLLIDAY
    • 2 unsuccessful attempts since last login
    • Last login from 129.54.255.12
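The following is an added example, not code from the slides, of the simple intrusion detection described above: every attempt goes to an append-only audit trail, failures are counted per user, and the next successful login prints the banner in the form the slide shows. The user name and the address 129.54.255.12 come from the slide; the other addresses and the event sequence are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example, not code from the slides. Failed attempts are recorded
# and counted per user; the next successful login reports them and the source
# of the previous login. Addresses other than the slide's 129.54.255.12 are
# made up (RFC 5737 documentation ranges).


@dataclass
class UserLoginState:
    failed_since_last_login: int = 0
    last_login_from: Optional[str] = None


class LoginMonitor:
    def __init__(self) -> None:
        self.state: Dict[str, UserLoginState] = {}
        self.audit: List[str] = []          # append-only record of every attempt

    def record_attempt(self, user: str, src_ip: str, success: bool) -> Optional[List[str]]:
        """Record one attempt. Returns the login banner on success, None on failure."""
        st = self.state.setdefault(user, UserLoginState())
        self.audit.append(f"{'OK  ' if success else 'FAIL'} user={user} from={src_ip}")
        if not success:
            st.failed_since_last_login += 1
            return None
        banner = [f"WELCOME {user.upper()}"]
        if st.failed_since_last_login:
            banner.append(f"{st.failed_since_last_login} unsuccessful attempts since last login")
        if st.last_login_from is not None:
            banner.append(f"Last login from {st.last_login_from}")
        st.failed_since_last_login = 0      # counter restarts at each successful login
        st.last_login_from = src_ip
        return banner

    def failed_logins(self) -> List[str]:
        """Audit entries for failed attempts, for an operator to review."""
        return [line for line in self.audit if line.startswith("FAIL")]


def replay(events: List[Tuple[str, str, bool]]) -> List[List[str]]:
    """Feed (user, ip, success) events through a monitor; collect the banners shown."""
    mon = LoginMonitor()
    banners: List[List[str]] = []
    for user, ip, ok in events:
        b = mon.record_attempt(user, ip, ok)
        if b is not None:
            banners.append(b)
    return banners


EVENTS = [  # constructed sequence of attempts
    ("jholliday", "129.54.255.12", True),
    ("jholliday", "198.51.100.7", False),
    ("jholliday", "198.51.100.7", False),
    ("jholliday", "192.0.2.44", True),
]

if __name__ == "__main__":
    for banner in replay(EVENTS):
        print("\n".join(banner), end="\n\n")
```

Showing the count to the user is the point of the slide: the account owner is the one person who knows whether those two failures were their own typos or someone else trying, so the banner turns every user into a sensor.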

13
Other Password Issues
  • Always change the default system or support
    administrator password. Many system compromises
    happen because the software defaults are not
    changed.
  • If you are given a difficult-to-remember password,
    write it down and put it in a secure location:
    use physical security to enforce password
    security.
  • If you can pick the password, compose it from a
    favorite phrase: "our school is the best around"
    results in the password ositba.

14
Why Protect Your Password
  • In multilateral security, the system is designed
    so that knowledge of one user's password will not
    allow another user's account to be compromised.
    A user who chooses an easy password harms only
    himself.
  • Most systems have poor multilateral security.
    They are designed to protect users only from
    accidental interference from others.
  • Typical attacker path: outsider to normal user to
    sysadmin (and the first step is the hardest).

15
Biometrics
  • Biometrics identify people by measuring some
    aspect of individual physiology (fingerprint or
    hand geometry), deeply ingrained behavioral
    characteristic (signature) or a combination
    (voice).

16
Biometrics
  • Specified by fraud and insult rates (called type
    1 and type 2 errors).
  • Many systems can be tuned to favor one over the
    other.
  • Fraud rate is the rate of false accept: my
    forgery was accepted as the bank manager's
    signature.
  • Insult rate is the rate of false reject: I signed
    your add-drop form for my class but the registrar
    wouldn't accept it because I signed it in a
    hurry.

17
Handwritten Signature
  • Widely used in this country for authentication.
    A good forgery is not that difficult.
  • Banking signatures are not verified on small
    amounts. Larger checks are verified by sight.
  • Attempts to computerize: the signature tablet.

18
Signature Tablet
  • Can capture speed and pressure information as
    well as size and contour. More accurate than an
    ordinary signature, but not perfect.
  • A signature tablet scheme was tried in a U.K.
    bank. It cannot be totally automated currently:
    if the fraud rate is set low, then the insult
    rate is unacceptably high, and vice versa. What
    works: set the fraud rate low, then when a
    signature is rejected, instruct staff to ask for
    photo ID or do additional checks.
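Slide 16 defines the fraud (false accept) and insult (false reject) rates and says systems can be tuned to favor one over the other; this slide describes a bank choosing the low-fraud end of that trade-off and handling the resulting rejects by hand. The following is an added example, not code or data from the slides, that makes the trade-off concrete for a hypothetical signature verifier: it sweeps the decision threshold over constructed match scores, reports both rates at each point, finds the equal error rate (the figure quoted for fingerprints and hand geometry later in the deck), and picks the threshold that meets a fraud-rate target. All scores are made up.

```python
from typing import List, Tuple

# Constructed example, not data or code from the slides. Match scores for a
# hypothetical signature verifier (higher = closer to the enrolled signature).
# GENUINE_SCORES come from the account holder, IMPOSTOR_SCORES from forgeries.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.80, 0.76, 0.72, 0.65, 0.60, 0.55, 0.48]
IMPOSTOR_SCORES = [0.58, 0.52, 0.45, 0.42, 0.38, 0.35, 0.30, 0.25, 0.20, 0.12]


def fraud_rate(impostor: List[float], threshold: float) -> float:
    """False accept: fraction of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def insult_rate(genuine: List[float], threshold: float) -> float:
    """False reject: fraction of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def sweep(genuine: List[float], impostor: List[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, fraud rate, insult rate) for thresholds 0.00 .. 1.00.
    Raising the threshold lowers the fraud rate and raises the insult rate."""
    return [(t / steps, fraud_rate(impostor, t / steps), insult_rate(genuine, t / steps))
            for t in range(steps + 1)]


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold at which the two rates are (closest to) equal, and that rate."""
    t, far, frr = min(sweep(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (far + frr) / 2


def threshold_for_max_fraud(genuine: List[float], impostor: List[float],
                            max_fraud: float) -> Tuple[float, float, float]:
    """The bank policy from the slide: hold the fraud rate at or below a target
    and accept whatever insult rate results; rejected customers are referred
    to staff for photo ID or other checks rather than refused outright."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_fraud:
            return t, far, frr
    raise ValueError("no threshold meets the fraud-rate target")


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal error rate {eer:.0%} at threshold {t:.2f}")
    t, far, frr = threshold_for_max_fraud(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero fraud rate needs threshold {t:.2f}: insult rate {frr:.0%}")
```

With these constructed scores the equal error rate is 10%, but driving the fraud rate to zero pushes the insult rate to 20%: one customer in five would be sent to a teller for a second check, which is exactly the manual fallback the slide says made the scheme workable.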

19
Face Recognition
  • Humans are very good at recognizing people they
    know. They are not so good at identifying
    strangers from photo ID. Neither are computers.
  • Photo ID experiment at the University of
    Westminster in England: 44 students were given 4
    credit cards with different photos:
    1. genuine and recent,
    2. genuine but old, so that the person's hairstyle
       or clothing had changed,
    3. not genuine, but of a person that looked
       similar (hairstyle, clothing), and
    4. not genuine and does not look like the person.
  • Conducted in a supermarket with experienced
    cashiers who knew the purpose of the experiment.
    None of the cashiers could tell the difference
    between type 2 and type 3; they had the same
    error rate. The difference between type 1 and
    type 4 was not as great as authenticators might
    like.

20
Face Recognition
  • Conclusion: requiring photo ID is more of a
    psychological deterrent than a fraud detection
    mechanism.
  • Trying to automate the process: computers do
    reasonably well with facial geometry if the
    subject looks straight at the camera and the
    lighting is controlled. Anything less controlled
    has very high error rates.

21
Fingerprints
  • Fingerprint patterns have been used for a long
    time (7th century China).
  • Modern forensic use dates from the mid-1800s.
  • Classified as loops, whorls, arches, and tents.
  • Error rate is low and in forensics is limited by
    the quality of the print.

22
Fingerprints
  • Fairly good computer systems are available for
    fingerprint ID. If prints are taken under good
    conditions, the error rate is extremely low and
    depends on the number of match points needed to
    make a match. Equal error rate is below 1%.
  • Problems: finger damage (a scar on the finger).
    Prints can be transferred using adhesive tape or
    molds.

23
Iris Scan
  • Every human iris is measurably unique; even
    twins have different codes. Can reach good
    recognition with a zero fraud rate.
  • Problem is getting user cooperation. In future
    it should be possible to get a non-intrusive scan
    with pan and zoom.
  • Attack: photo of the target's eyes.
    Countermeasure: the natural 0.5 Hz fluctuation in
    the diameter of the pupil.

24
Speaker (Voice) Recognition
  • Most current systems are text dependent and
    background noise is a problem.
  • Can be forged with recordings.
  • Sickness or alcohol intake affects recognition.

25
Other Biometrics
  • Facial thermograms
  • Retinal scan (low equal error rate, but invasive)
  • Hand geometry (equal error rate under good
    conditions of 0.2%)
  • DNA (too slow, twin problem, privacy problem: DNA
    reveals more about you than just your identity)
  • Digital Doggie (recognize smell)

26
Problems with Biometrics
  • Environment: dust, vibration, noise, lighting.
  • Unattended operation: attack with a suitable
    recording.
  • Forcing weak recognition: Alice and Betty
    cooperate in bank fraud. Alice opens a bank
    account and gives 3 signature samples using
    different styles (this forces the machine to
    accept a lower threshold). Betty withdraws all
    the money, easily forging Alice's signature.
    Alice complains of theft and produces a
    watertight alibi. Alice gets her money back.
  • Can assist human authenticators but not replace
    them.

27
For Further Information
  • http://www.sans.org/rr/authentic/
  • http://www.identix.com
  • http://www.biometrics.org/
  • http://www.password-crackers.com/