Transcript Document

Security systems need to be able to distinguish the
“white hats” from the “black hats”. This all begins
with identity.
What are some common identifiers used in our world?
What is the problem with using people’s names as identifiers?
Authorization -- Access privileges granted to a user, program, or process.†
Common authorization tokens:
† Definition from National Information Systems Security
Security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying
an individual’s authorization to receive specific categories
of information.†
Authentication is often necessary to ensure integrity of origin.
† Definition from National Information Systems Security
Authentication
... is a basis for trust
Password -- the most common means of authentication
Uses a challenge-response protocol:
CHALLENGE:   password:
RESPONSE:    (the secret the user types)
Passwords are vulnerable to attacks. Why? (Encryption required.)
Challenge-response systems fail when responses can be efficiently discovered.
cracker algorithm == repeatedly guess a response and check it
Give password-cracking software a challenge.
The conventional wisdom is as follows...
• Don’t use short passwords (at least 8 symbols).
• Include lowercase, uppercase, and digits.
• Use the first letters of some phrase you can remember.
TtlsH1wwya
• Bracket the password with non-alphanumerics.
#TtlsH1wwya&
• Bracket the password with non-printables (e.g. a character typed as Alt-0181).
#TtlsH1wwya& + Alt-0181
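The password challenge-response and the cracker's guess-and-check loop, as an added example that is not from the lecture. The server side stores each response as a salted, deliberately slow PBKDF2-HMAC-SHA256 digest (an assumed design; the slides do not say how the password is stored), the attacker side runs a constructed toy word list with common rewrites against a weak password and against the phrase-derived one from the slides, and a helper sizes the brute-force space in bits to show why length and alphabet size matter. WORDLIST, mangle and the sample passwords are constructed for illustration.

```python
"""Added example (not from the lecture): a password challenge-response
checker beside the guess-and-check loop a cracker runs against it."""
import hashlib
import hmac
import math
import os
from typing import Iterable, Iterator, Optional, Tuple

# Deliberately slow hash: every cracker guess costs this many iterations too.
ITERATIONS = 20_000

# Constructed toy word list standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "twinkle", "dragon", "qwerty"]


def store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server side: keep a random salt and the PBKDF2 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(response: str, salt: bytes, digest: bytes) -> bool:
    """Check the response to the 'password:' challenge with a constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", response.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def mangle(words: Iterable[str]) -> Iterator[str]:
    """The cracker's candidate generator: common rewrites of dictionary words."""
    for w in words:
        for guess in (w, w.capitalize(), w + "1", w.capitalize() + "1",
                      w + "123", w + "!", w.upper()):
            yield guess


def crack(salt: bytes, digest: bytes, words: Iterable[str],
          max_guesses: int = 10_000) -> Tuple[Optional[str], int]:
    """Attacker side: repeatedly guess and check.
    Returns (recovered password or None, number of guesses spent)."""
    guesses = 0
    for guess in mangle(words):
        if guesses >= max_guesses:
            break
        guesses += 1
        if verify(guess, salt, digest):
            return guess, guesses
    return None, guesses


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Brute-force space in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("Password1", "#TtlsH1wwya&"):
        salt, digest = store(pw)
        found, n = crack(salt, digest, WORDLIST)
        print(f"{pw!r}: {'cracked' if found else 'survived'} after {n} guesses")
    print("8 lowercase letters:", round(search_space_bits(8, 26)), "bits")
    print("12 chars from 94 symbols:", round(search_space_bits(12, 94)), "bits")
```

The dictionary attack recovers the weak password after a handful of guesses while the phrase-derived one is not in the candidate set at all; a real attacker's list is far larger, so the slow hash and a large search space are what buy time, not secrecy of the algorithm.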
HHAD - Hand Held Authentication Device
token -- small device carried by user
(often includes microprocessor, keypad and/or real-time clock)
Challenge-Response Token
1) System displays random number which user enters on keypad.
2) Card uses keypad input to calculate and display number.
3) User enters number in computer which system verifies by same computation.
Time-Based Token
1) Card uses internal real-time clock value to calculate and display number.
2) User enters number in computer which system verifies with its clock.
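Both token types above, as an added example that is not from the lecture. It assumes the card and the server share a per-card secret and derive the displayed number with HMAC: the challenge-response token hashes the keypad input (steps 1-3 of the first procedure), the time-based token hashes the current 30-second clock step and the server tolerates one step of clock drift in either direction (steps 1-2 of the second). The six-digit truncation follows RFC 4226 and the time step RFC 6238, which the slides do not mention; the secret value is the public test-vector key from those RFCs, used here only so the output can be checked.

```python
"""Added example (not from the lecture): a challenge-response token and a
time-based token, both built on HMAC with a per-card secret shared with the
server. Truncation follows RFC 4226 (HOTP); time steps follow RFC 6238 (TOTP)."""
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
STEP_SECONDS = 30


def token_code(secret: bytes, value: int) -> str:
    """What the card computes: HMAC-SHA1 over the 8-byte big-endian value,
    dynamically truncated to DIGITS decimal digits (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", value), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


# --- Challenge-response token ---------------------------------------------

def issue_challenge() -> int:
    """Step 1: the system displays an unpredictable number. It must be random
    and used once; a fixed or repeated challenge lets a recorded response be replayed."""
    return secrets.randbelow(10 ** 8)


def card_respond(secret: bytes, challenge: int) -> str:
    """Step 2: the card turns the keypad input into the number it displays."""
    return token_code(secret, challenge)


def verify_response(secret: bytes, challenge: int, response: str) -> bool:
    """Step 3: the system repeats the same computation and compares."""
    return hmac.compare_digest(token_code(secret, challenge), response)


# --- Time-based token -----------------------------------------------------

def time_step(now: int) -> int:
    """Seconds since the epoch, quantised to STEP_SECONDS."""
    return now // STEP_SECONDS


def card_time_code(secret: bytes, now: int) -> str:
    """Step 1: the card hashes the current step of its internal clock."""
    return token_code(secret, time_step(now))


def verify_time_code(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Step 2: the system checks against its own clock, accepting +/- window
    steps so that drift between the card's clock and the server's does not lock the user out."""
    step = time_step(now)
    return any(hmac.compare_digest(token_code(secret, step + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key
    challenge = issue_challenge()
    response = card_respond(secret, challenge)
    print("challenge", challenge, "response", response,
          "accepted:", verify_response(secret, challenge, response))
    print("time code at t=59:", card_time_code(secret, 59))  # 287082 per RFC 6238
```

The drift window is the practical trade-off of the time-based design: a wider window is friendlier to cards with aging clocks but gives an attacker who observes a code more seconds in which it is still valid, so a server should also reject any code it has already accepted within the window.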
biometric -- requires special devices to read human features
retinal/iris scans
fingerprints
facial recognition?
voice patterns
Advantages
• nothing to remember or to carry
• promise of simple use
Disadvantages
• imperfect accuracy (error rates of about 1:100,000 at best)
• susceptible to physical injury
• theft possible (even without direct contact)
• not all systems will be consistent
NIST has suggested including two fingerprints and a faceprint on passports.
A few major U.S. airports have tested face recognition software.
In January 2002, a Yokohama math researcher spoofed fingerprints.
A British medical report claims that medications used to treat glaucoma will
alter iris patterns, rendering iris scans useless.
digital certificate -- a certificate authority performs a security check
on a user and issues an electronic certificate (essentially the user’s
public key bound to their identity and signed by the authority; the
matching private key stays with the user)
smartcard -- physically requires reader, contains full microprocessor
with cryptographic calculations performed onboard.
Smartcards can store ...
 private keys
 biometric data
 digital certificate
 user data
Tampering with a smartcard typically renders it useless.
Strength of authentication
Vulnerability to attack
Ease of use
Cost to implement
Interoperability with other systems
...what you know (password)
...what you have (key, token, smartcard)
...what you are (biometrics - fingerprints, retinal scan)
...where you are (in secure location, at some terminal)
Non-repudiation -- Assurance the sender of data is provided with proof of delivery and
the recipient is provided with proof of the sender’s identity, so
neither can later deny having processed the data.†
† Definition from National Information Systems Security
[Figure: User, Access, Attacker]