Authentication

• Identification is the act of asserting who a person is.
• Authentication is the act of proving that asserted identity.
  • How does this relate to you in person on campus?
  • How about in a traffic stop?
  • How does this work on cslab103?
• Frequently identification is public or semi public
  • Your name and home address are, for the most part, known.
  • Credit card and bank account numbers are presented for transactions.
  • Your username is in the password file.
  • It is used in email.
• Authentication is usually private, unknown.
  • Your PIN at a bank.
  • The chip in your credit card.
  • The password on your account.
• There are multiple examples of where this is not the case or the authentication process is not strong.
  • Someone "hacked" Sara Palin's yahoo account by
    • Getting her email address from news stories.
    • Using this to ask for a password reset
      • Using information from the web to answer security questions.
    • This allowed them to reset the password on the account.
    • And the entire CIA triad was broken.
    • (Sidebar 2-1)
  • Sidebar 2-2 is similar but much more heinous.
• Authentication can be based on
  • Something you know: your password
  • Something you have: the chip in your credit card
  • Something you are: your fingerprint.
• Passwords
  • This is probably the most common authentication method.
  • But they are incredably vulnerable to "human practices" degrading the integrety of the method.
• How are password used for authentication?
  • The user normally intiaiates the process with a form of identification (user name, email address, account name, ...)
  • The system prompts for a password
  • The system then compares the user supplied password to a stored password.
  • If the two match, the user is authenticated and allowed access to the resources/assets.
• The book identifies the following problems.
  • use: passwords are inconvenient and take time.
    • In zoom authentication times out after about an hour.
    • I end up typing my password back into zoom constantly.
  • Disclosure: someone other than the password holder gains access to the password
  • Revocation: the password expires.
  • Loss: the user forgets their password
    • Frequently passwords are one way encodings so the original can not be recovered.
• Attacking passwords.
  • There are numerous papers investigating weak passwords.
  • Password problems are listed on page 42.
• In short these are some common problems
  • Having no password
    • This is frequently overcome by not allowing accounts with no password.
    • Or not allowing such accounts to log in.
    • Or forcing a user to give a passsword as soon as they log on.
  • Using the default password
    • This is generally known by everyone in the orginization.
    • This is overcome by forcing a reset on first log in.
  • Username and password the same
  • Something knowable about the user
    • Name of spouse, child, friend, dog
    • hobby or activity.
  • From a common list/dictionary.
  • From a common list/dictionary with simple modifications.
• Passwords from social research
  • As mentioned above, a huge number of passwords have been found to be something identified with a person.
  • Their name
  • Their spouse's name
  • Their children's name
  • Their pet's name
  • Something they are proud of (PhD00)
• Dictionary attacks
  • Given a dictionary, try every word in it.
    • Here is a BBC article that attemps to answer how many words (200,000 in english)
    • But most people use far fewer (15,000)
  • But we can do better
  • Build a rule based system.
    • Allow substitution (replace all occurences of o with 0)
    • Allow additons (add 0, 1, 2, ... to the end of each word)
    • Allow letter shifts upper to lower (add becomes Add, aDd, ADd, ...)
    • Multiples of these.
  • Dictionary attackes with modifications can be quite efficient and efective.
• Concealment of Passwords
  • It is very rare for passwords to be stored in clear text.
  • Anyone with high level access to a system would have all of the users passwords.
  • So passwords are normally stored encrypted
    • These are normally one way hash functions
    • A plain text password is turned into a non-reversable collection of letters.
    • This algorithm is slow.
• Raninbow Tables
  • This is a table of passwords and their hashes
  • And can be defeated by salts
    • A salt is a random component added to the user's clear text password.
    • This allows for more variation in passwords
    • So all plaintext - encrypted passwords can not be stored in a table.
    • There are too many salt+plain text password pairs.
• A brute force attack
  • This means to try every possible password.
  • Let's do a quick calculation.
    • I can perform a password check in about .1 ms.
      • Encrypt a password
      • Compare it to an existing password.
    • Let's double the time to create a new word to try.
  • Build a spread sheet.
• Good Passwords
  • Make the alphabet large. (a-z, A-Z, 1-9, + specials), A big
  • Make the password large (many characters) n $A^n$ very big.
  • Defeat dictionary searches, no single words, even modified!
  • Make it something you can remember, no writing it down.
  • Change it regularly.
  • Don't write it down!
  • Don't share it, EVER