CS5401: Authentication and Identification

1
CS5401 Authentication and Identification

• Passwords
• Phishing
• Biometrics
• Combined approaches
• Reading Anderson, chap 2 of 2nd ed (available
  free on web site) also Biometrics (chap 13 of
  1st ed)

2
Identification and Authentication

• How can a person identify himself to a computer?
• I am Ehud Reiter, therefore I have the right to
  see 5401exam.doc, or to transfer money from Ehud
  Reiters bank account
• How can a computer identify itself to a person?
• I am the Bank of Scotland website, you should
  type your password in
• Usually more important than secrecy

3
Person-to-computer Ident

• Being able to identify yourself to a computer is
  absolutely essential
• ATM machines, e-banking
• Access to e-mail, computer accounts
• Access to personal information (eg, student
  portal)

4
Non-computer identification

• Bank teller knows you by sight (good)
• Bank teller checks your picture against a photo
  ID (iffy)
• Bank back office compares cheque signature to one
  on record (iffy)
• All examples of biometric identification

5
Computer Identification

• How identify a human to a computer?
• Crypto challenge-response, if human has hand-held
  cryptographic calculator
• biometrics face recognition, retina/iris
• token eg, ATM card
• Password (most common by far)
• Combinations (eg, token and password)

6
Passwords

• Most common identification technique
• Variants PIN (number), memorable date, etc
• Problem Our brains are not well-suited to
  remembering passwords
• Especially rarely used passwords
• We also confuse passwords used in similar
  contexts

7
Passwords and E-commerce

• A password must be frequently used to be
  remembered
• not an e-commerce site visited once/yr
• Different passwords should have different
  contexts of use
• not amazon.co.uk, blackwells.co.uk, ...

8
Vulnerabilities

• Users reveal passwords to outsiders
• Users reuse passwords
• Users choose easy to guess passwords
• Password observed on entry
• Password obtained from system files

9
Revealing Passwords

• How to get password 1
• Phone sysadmin and pretend to be CEOs new
  secretary
• Phone user and pretend to be sysadmin
• There are professional blaggers who make their
  living doing this!
• Also called social engineering

10
Password Reuse

• How to get a password 2
• Impossible to remember a distinct password for
  each e-commerce site
• cognitively impossible, not just laziness
• So people tend to use the same password at many
  sites
• So, set up an e-commerce site with passwords, and
  use these passwords on other sites

11
Easy to Guess Passwords

• How to get a password 3
• Try dictionaries and other lists of common words
• done by programs such as crack
• if lazy, try 20 most common female names
• or get help from disgruntled ex-wife
• Harder if system limits num of attempts
• but this allows denial of service attacks
• also can try lots of accounts

12
Passwords observed

• How to get a password 4
• Watch over shoulder as user types
• Programs which fake login screens
• Why Windows uses CTRL-ALT-DEL login
• grab password packets from network
• Hide a bug in the users keyboard
• Become a postie, open mail from banks

13
Passwords stored

• How to get password 5
• Passwords must be stored somewhere
• usually encrypted
• get file and run crack on it
• Audit/log files
• eg, of login attempts, since user may type
  password as login name

14
Bypass Passwords

• How to get access 6
• Send user an email, or get him to look at a Web
  page (or advert), which takes over his computer
• Many known vulnerabilities, based on bugs
• Users are vulnerable unless they patch the bugs
  or use high security settings

15
Passwords in E-Commerce

• E-commerce is very bad environment for passwords
• Low usage rate (few times year)
• Passwords not remembered
• Procedures not remembered
• Lots of similar sites (eg, e-bookshops)

16
Single Password?

• Much better if a single password could be used to
  access many sites
• Maintained by a central repository
• Microsoft Windows Live ID
• But people dont trust MS?
• Bug could cause immense damage
• Credit card passwords?
• Authenticated by issuer where-ever used
• Makes sense, if org could be trusted

17
Passwords in E-Commerce

• There is no good solution for pure passwords,
  especially for e-commerce
• expect these not to be secure!
• make appropriate business and legal plans

18
Recommendations users

• Use distinct passwords for important accounts
• Use default for others, and expect to be insecure
• (Anderson) passwords based on abbreviated phrases
• I love books and CDS -IlvbksCDs
• Make sure no ones watches you type a password
• enable security features, such as Ctrl-Alt-Del
  login
• These are personal recommendations!

19
Password constraints

• Windows sysadmin can require
• Minimum length
• Complexity (eg, not just letters)
• Password must change after N days
• Password cannot change for N days
• New password must be different from previous N
  passwords
• UNIX, other OSs similar

20
Password Constraints

• Do constraints help?
• Probably if done in moderation
• Not if sysadmin gets carried away and imposed
  strict constraints which are too difficult
• Eg, change password every 2 weeks (as once
  happened to me!)

21
Recommend sysadmin

• treat log files as sensitive, protected
• Also files of encrypted password files
• Be realistic about what users will do
• Dont expect them to change their password every
  two weeks!
• Watch out for unusual behaviour
• Detect breakins
• Be careful with privileges accounts
• Dont leave a terminal logged into root
  unattended

22
Computer-to-person Ident

• Computer programs and websites need to be able to
  identify themselves to a person
• So users know they can enter confidential
  information into the program/website

23
Phishing

• Attacker pretends to be someone else, gets user
  to enter password or other secret information
• Bank websites are prime target
• Typically user gets email purporting to be from
  bank, asking him to enter details into attackers
  website

24
Example

• Dear Customer, Lloyds TSB has been receiving
  complaints from our customers for unauthorised
  use of the Lloyds TSB Online accounts. As a
  result we are making an extra security check on
  all of our Customers account in order to protect
  their information from theft and fraud.
• Due to this, you are requested to follow the
  provided steps and confirm your Online Banking
  details for the safety of your Accounts. Please
  Click Here To Start /online.lloydstsb.co.uk/customer.ibc.htm .
• However, Failure to do so may result in temporary
  account suspension. Please understand that this
  is a security measure intended to help protect
  you and your account. We apologize for any
  inconvenience.
• Thanks for your co-operation. Fraud Prevention
  Unit Legal Advisor Lloyds TSB.

25
Phish website (1st screen)
26
Real website (1st screen)
27
Phish website (2nd screen)
28
Real website (2nd screen)
29
Phishing

• Difficult to defend against because
• Users arent trained
• Phish emails can look very genuine
• Get data about user, eg from Facebook?
• Even small success rate can do a lot of damage

30
Defenses

• Warn/train customers promise never email
• Difficult to achieve 100 success
• Phish detectors for email, web browser
• Again not 100 reliable
• Ask for part of a password
• So phisher doesnt get all of it
• Confirmation
• Send email or text message with confirmation code
  to registered address, which user must enter

31
Computer-to-Person ID

• Very difficult to reliably identify a computer to
  a person!
• Especially is user is man in the street
• Anderson suggests assume phishing will happen,
  try to minimise damage
• Eg, only allow money transfers to specific
  nominated accounts, with limits

32
Biometric identification

• Passwords are pretty useless at identifying
  people
• Can we identify them by their properties?
• Face, handwriting, retina, DNA, voice, signature,
  fingerprint
• How humans identify other humans

33
Issues types of errors

• False accept (fraud) mistakenly accept intruder
  as legimate
• False reject (insult) mistakenly reject
  legitimate person as intruder
• Usually can tradeoff by tuning matching
  algorithms
• Near-exact match needed low fraud
• Rough match OK low insult

34
Example

• Rough match black hair, brown eyes
• Low insult (will almost always match person)
• High fraud (matches many other people)
• Detailed match black hair, brown eyes, brown
  specs, no beard, shape of mouth
• Higher insult rate (what if specs off, grows
  beard, yawning)
• Lower fraud (matches fewer other people)

35
Error types

• Balance depends on application
• Access to sensitive data, equipment
• Want low fraud rate, so demand good match
• Person can try again if fails first time
• Retail (eg, signatures for credit cards)
• Want low insult rate, so accept rough match
• Customers may never return if theyre incorrectly
  rejected

36
Other issues

• Cost
• Voice recognition is cheap
• Eye (iris) scanning is expensive
• User comfort
• Face recognition is nice (look into camera)
• DNA matching is not (blood/skin sample)
• Theoretical accuracy
• Iris is unique (determined while an embryo)
• DNA is shared by identical twins
• Voice can be imitated

37
Other Issues

• Excluded population
• Voice doesnt work on mute people
• Fingerprints dont work on amputees
• DNA works on everyone!
• Variability
• Dirty fingers for fingerprints
• Sick (cold) for voice

38
Purpose?

• Purpose of biometric identification
• Authorisation (eg, access or change data)
• Identification from group (eg, which of a group
  of suspects committed the crime)
• Scare tactics (eg, the all-powerful computer
  never makes a mistake, so dont even try)

39
Handwriting

• Recognise handwriting or signature
• contracts, cheques,
• widely used
• Human error is at least 5 (high)
• Over 30 if checker is not trained
• Computer signature tablet is better
• records velocity, pen-off-paper
• 1 error rate (OK for some apps)

40
Face recognition

• Recognise someones appearance
• security guards, photo Ids
• Humans
• pretty good with people they know
• poor with other people (eg, photo ID cards)
• Computers
• poor technically (30 error rate)
• but useful deterrent (scare tactics)

41
Fingerprints

• Identify person by patterns on finger
• Forensics (who does print belong to)
• pair error rate of 1 in 10,000,000,000
• sounds good, but means false match 1 of time if
  comparing to 100M people database
• Identification (I am who I say I am)
• error rate of 1 (allows for dirt, pressure)
• Better if multiple fingers scanned
• but can be fooled by molds, etc
• strange fingers scars, amputees,

42
Iris (retina)

• Based on patterns in human eye
• Error rate less than 1 in a million
• Needs good image of eye
• unacceptable in retail use??
• Attacker can distort eye with eyedrops
• Wave of future??
• Once cheaper, more accepted

43
Voice Recognition

• Identify characteristics of a voice
• Very cheap (just a microphone)
• Poor accuracy
• Voices vary a lot anyways (excited, sick)
• What are the invariants?
• Fool with recording

44
Other techniques

• DNA matching
• Hand geometry
• Ear structure
• etc, etc

45
Biometrics

• Less good than many people think
• Problems with unusual people (illiterates cant
  write, amputees have no fingers)
• Collusion if A deliberately writes poorly, she
  can make impersonation easier
• Better for authenticating a person than for
  identifying against a big dbase
• Excellent scare value!

46
Tokens

• Identify yourself via a physical token that you
  possess
• Often magnetic card or smart card
• Can by cryptographic calculator
• Not great by itself (can be stolen)
• Useful when combined with other tech

47
Combine techniques

• Use multiple identification techniques
• Possibly including human identification
• Require multiple people IDd to authorise
• Dual signatures
• Good practical way of reducing attacks

48
ATM

• Token (card) and password needed
• Stealing token (pickpocketing) does no good
  without password
• Stealing password (watching user type) does no
  good without token
• Combining two weak techniques gives a much
  stronger one

49
More than one Person

• Two people must identify themselves to authorise
  an action
• Launching nuclear missiles two keys (tokens)
  needed
• Bank letter of guarantee two signatures

50
Human plus Computer

• Commercial data centers
• Password and/or smart card
• Human guard who knows staff by face
• Biometrics with attendant
• Attendant can stop finger molds, etc
• False alarms keep attendant awake

51
Key Points

• Identifying people to computers is one of the
  most important security tasks
• Passwords have many problems, especially in an
  e-commerce setting
• Biometrics nice idea, not widely used
• Combining several techniques can help a lot, when
  this is possible