Authentication February 2002
SECURE
COMPUTING
An Overview of Authentication Techniques
Richard E. Smith, Ph.D., CISSP
Author of
Authentication: From Passwords to Public Keys
February 2002 Rick Smith 1
Just bits on a wire…
Cover art from Authentication: From Passwords to Public Keys by Richard E. Smith © 2002, Addison Wesley. Illustration by Peter Steiner, The Cartoon Bank. Used by permission.
Rick Smith's site at [Link]
The Password Tradition
From Authentication © 2002. Used by permission
• 1963: a substitute for student lockers at MIT
• Works by proving ownership of a personal secret
• Attack: Steal the password file from the hard drive
• Defense: “Hash” each password irreversibly
Attack: Sniffing
Defense: Challenge Response
• Secret password + cryptography to protect the password from sniffing
• MS Windows, Novell, Apple, etc.
Password Ping-Pong
Attacks                   Defenses
??                        One-Time Passwords
Network Sniffing          Password Tokens
Mouse Pad Searches        Password Rules
Off-Line Guessing         Guess Detection
On-Line Guessing          Challenge Response
Sniffing                  Password Hashing
Steal the Password File   Passwords
Off-Line Attacks Work
Incident                        Year   % Guessed
Internet Worm                   1988   ~50%
Klein’s Study                   1990   24.2%
Spafford’s Study                1992   20%
CERT Incident IN-1998-03        1998   25.6%
Cambridge study by Yan, et al.  2000   35%
Strong Password Rules
• Block off-line attacks with strong password rules
• Such rules are usually generalized as follows:
The password must be impossible to memorize.
• The Result of Strong Password Rules
– look under some mouse pads and find ---
Strength in Practice
Example                      Type of Attack           Average Attack Space
Random 8-character password  Interactive or Off-Line  2^45
Dictionary Attack            Interactive or Off-Line  2^15 to 2^23
Mouse Pad Search             Interactive              2^1 to 2^4
Practical Off-Line Attacks   Off-Line                 2^40 to 2^63
Tokens: Something You Have
• Each carries a large, hard to guess secret
• Portable, usually tamper resistant
• Some implemented in software
One-Time Password Tokens
Attacker can’t reuse a sniffed password
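The challenge-response slide and the one-time-password slide rest on the same idea: the shared secret never crosses the wire, only a keyed hash of something that changes every time (a random server challenge in one case, a counter inside the token in the other). The Python below is an added example, not code from the slides or from any product they name; it assumes an HMAC-SHA256 construction and a constructed shared secret, and shows that a sniffed response or a sniffed one-time password is rejected when replayed.

```python
import hashlib
import hmac
import secrets

def keyed_tag(secret: bytes, message: bytes) -> str:
    # HMAC-SHA256 (assumed construction): a sniffer learns a value bound to
    # this one message, and nothing about the secret itself.
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

class ChallengeResponseServer:
    """Slide 5 style: the server issues a fresh random challenge per login."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None  # challenge outstanding for the current attempt

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: str) -> bool:
        if self._pending is None:
            return False
        expected = keyed_tag(self._secret, self._pending)
        self._pending = None  # each challenge is answerable exactly once
        return hmac.compare_digest(expected, response)

def client_response(secret: bytes, challenge: bytes) -> str:
    """What the client sends back instead of the password itself."""
    return keyed_tag(secret, challenge)

def one_time_password(secret: bytes, counter: int, digits: int = 6) -> str:
    """Slide 11 style counter-based token: each counter value yields one password."""
    tag = keyed_tag(secret, counter.to_bytes(8, "big"))
    return str(int(tag, 16) % 10 ** digits).zfill(digits)

class OtpServer:
    """Accepts any of the next `window` unused counters, then marks them spent."""
    def __init__(self, secret: bytes, digits: int = 6, window: int = 5):
        self._secret, self._digits, self._window = secret, digits, window
        self._next = 0  # lowest counter value not yet consumed

    def verify(self, otp: str) -> bool:
        for counter in range(self._next, self._next + self._window):
            if hmac.compare_digest(one_time_password(self._secret, counter, self._digits), otp):
                self._next = counter + 1  # this and every earlier OTP now fail on replay
                return True
        return False
```

Because the OTP server advances past every counter up to the one it accepted, a token pressed a few times without logging in is still usable, while any password the attacker captured on the wire is already spent.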
Tokens Resist Attacks
Example                    Type of Attack  Average Attack Space
Password                   Off-Line        2^15 to 2^23
One-Time Password Token    Interactive     2^19 to 2^23
One-Time Password Token    Off-Line        2^54 to 2^63
Token with Public Key      Off-Line        2^63 to 2^116
Biometrics: Things you are
• Measures user’s physical trait (signature) against a previously established pattern
• Users rarely lose or damage their biometrics
• But – matches are only approximate!
Biometrics in Practice
Example                     Type of Attack  Average Attack Space
Random 8-Char Password      Interactive     2^45
Dictionary Attack           Off-Line        2^15 to 2^23
Biometric with 1% FAR       Team            2^6
Biometric with 0.01% FAR    Team            2^12
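The three "in practice" tables (passwords, tokens, biometrics) all use one yardstick, the average attack space: the number of trials an attacker should expect before succeeding, written as a power of two. The Python below is an added example, not from the slides or the book; it assumes the convention that the average is half of the full search space, treats 1/FAR as the search space for a biometric, and assumes a 52-letter (mixed-case) alphabet for the random 8-character password row. Under those assumptions it reproduces the 2^45, 2^6 and 2^12 entries and lets the mechanisms be ranked on the same scale.

```python
import math

def random_password_bits(alphabet_size: int, length: int) -> float:
    """Average attack space of a uniformly random password, in bits.
    The full space is alphabet_size**length; on average the attacker
    tries half of it (assumed convention), hence the -1."""
    return length * math.log2(alphabet_size) - 1

def candidate_list_bits(candidates: int) -> float:
    """Dictionary or mouse-pad search: the attacker walks a list of
    candidates and on average finds the password halfway through."""
    return math.log2(candidates) - 1

def biometric_bits(false_accept_rate: float) -> float:
    """Team attack on a biometric: each presentation is accepted with
    probability FAR, so 1/FAR presentations is the search space
    (assumed convention) and half of that is the average."""
    return math.log2(1.0 / (2.0 * false_accept_rate))

def rank_mechanisms(entries: dict) -> list:
    """Sort {name: bits} weakest first, rounding bits to a whole power of two."""
    return sorted(((name, round(bits)) for name, bits in entries.items()),
                  key=lambda item: item[1])

def slide_table() -> list:
    """Constructed inputs chosen to reproduce the rows of the slide tables."""
    return rank_mechanisms({
        "Mouse pad search (4 sticky notes)": candidate_list_bits(4),
        "Biometric, 1% FAR": biometric_bits(0.01),
        "Biometric, 0.01% FAR": biometric_bits(0.0001),
        "Dictionary attack (64K words)": candidate_list_bits(2 ** 16),
        "Random 8-character password (52 letters)": random_password_bits(52, 8),
    })
```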
Sniffing & Biometric Encryption
• Q: What if someone sniffs a biometric reading?
• A: They can replay it and masquerade!
• Defense: use cryptography to protect the data
• Problem: we have to manage another secret!
Thank You!
Questions? Concerns? Comments?
My e-mail: Rick_Smith@[Link]
[Link]
Security Books
• Authentication. Richard E. Smith. Addison-Wesley: 2001. [Link]
• Computer Security Basics. Deborah Russell & G. T. Gangemi Sr. O’Reilly & Associates: 1991
• Web Security & Commerce. Simson Garfinkel with Gene Spafford. O’Reilly & Associates: 1997
• Internet Cryptography. Richard E. Smith. Addison-Wesley: 1997.
• Computer Crime: A Crimefighter’s Handbook. Icove, Seger & VonStorch. O’Reilly & Associates: 1995
• Web Security: A Step-by-Step Reference Guide. Lincoln D. Stein, Addison-Wesley: 1998
Security Resources
• Information Security Magazine ([Link])
• Packet Storm ([Link])
• 2600 ([Link])
• ATTRITION ([Link])
• Hackers Club ([Link])
Security E-Mail Lists
– CERT-advisory-request@[Link]: The Computer Emergency Response Team (CERT) issues advisories for security holes
– CERT-tools-request@[Link]: CERT’s tools mailing list keeps subscribers up-to-date on security tool news.
– ntbugtraq@[Link]: Moderated list of NT bugs
– firewall-wizards@[Link]: The Firewall Wizards Mailing List moderated by Marcus J. Ranum.
– cryptography@[Link]: Cryptography mailing list
– microsoft_security@[Link]: to keep track of Microsoft security bug announcements