Chapter 4 – Protection in General-Purpose Operating
Section 4.5 User Authentication
In this section
- Authentication
- Passwords
- Effective passwords
- Breaking passwords
- One-Time Systems
- Biometrics
User Authentication
- Most software and operating systems base their security on knowing who the user is
- Authentication is based on one of three qualities:
  - Something the user knows – password, PIN, passphrase
  - Something the user has – key, license, badge, username
  - Something the user is – physical characteristics or
- Two of these forms can be combined
Passwords as Authenticators
- Most common authentication mechanism
- Password – a word unknown to other users and computers
- Problems with passwords:
  - Loss
  - Use – time consuming if required on each file or access
  - Disclosure – if Mallory finds out the password, it might cause problems for everyone else
  - Revocation – revoking one person's right might cause problems for others
Additional Authentication
- Placing other conditions on access can reinforce the security of a password
- Other methods:
  - Limiting the time of access
  - Limiting the location of access
- Multifactor authentication is the use of additional forms of authentication
- More authentication factors mean more for the system and administrator to manage
Attacks on Passwords
- Figuring out a password
  - Try all possible passwords
  - Try frequently used passwords
  - Try passwords likely for the user
  - Search for the system password list
  - Ask the user
- Loose-Lipped Systems
  - Authentication system leaks information about the password or username
  - Gives that information away at inconvenient times
Exhaustive Attack
- Brute force attack is when the attacker tries all possible passwords
- Example:
  - 26-character alphabet (A-Z), password of length 1 to 8 characters
  - One password per millisecond would take about two
- But we would not need to try every password
Password Problems
- Probable passwords
- Passwords likely for a user
- Weakness is in the user's choice
- Weakness is in the control of the system
- Look at Table 4-2 on page 225
Figure 4-15 Users’ Password Choices.
Password Selection Criteria
- Use characters other than just A-Z
- Choose long passwords
- Avoid actual names or words
- Choose an unlikely password
- Change the password regularly
- Don't write it down
- Don't tell anyone else – beware of social engineering
One-Time Passwords
- Password that changes every time
- Also known as challenge-response systems
- F(x) = x + 1 – use of a function
- F(x) = r(x) – seed to a random number generator
- F(a b c d e f g) = b d e g f a c – transformation of a character string
- F(E(x)) = E(D(E(x)) + 1) – encrypted value must be decrypted, run through a function, and re-encrypted
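The four challenge functions listed above, wired into a challenge-response exchange, as an added example (Python; not from the slides or the textbook). SHARED_KEY, the HMAC stand-in for r(), and the XOR toy cipher standing in for E/D are assumptions of this example; the demo also shows why a captured response does not work against the next challenge.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret between user and system; assumed, not from the slides.
SHARED_KEY = b"example-shared-secret"

def f_increment(x: int) -> int:
    """F(x) = x + 1: the simplest function in the slide's list."""
    return x + 1

def f_seeded_random(x: int) -> int:
    """F(x) = r(x): the challenge seeds a keyed pseudo-random function.
    HMAC-SHA256 stands in for r(); only a holder of SHARED_KEY can compute it."""
    mac = hmac.new(SHARED_KEY, x.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

# F(a b c d e f g) = b d e g f a c, written as the source position of each output char.
PERMUTATION = (1, 3, 4, 6, 5, 0, 2)

def f_transpose(x: str) -> str:
    """Fixed transposition of a 7-character challenge string."""
    if len(x) != len(PERMUTATION):
        raise ValueError("challenge must be exactly 7 characters")
    return "".join(x[i] for i in PERMUTATION)

def toy_encrypt(x: int) -> int:
    """Toy E(): XOR with a key-derived mask. A stand-in for a real cipher, nothing more."""
    mask = int.from_bytes(hashlib.sha256(SHARED_KEY).digest()[:4], "big")
    return x ^ mask

toy_decrypt = toy_encrypt  # XOR is its own inverse, so D() is E() here

def f_encrypted(e_x: int) -> int:
    """F(E(x)) = E(D(E(x)) + 1): decrypt, apply the function, re-encrypt."""
    return toy_encrypt(toy_decrypt(e_x) + 1)

def verify_response(func, challenge, user_response) -> bool:
    """System side: recompute F(challenge) and compare in constant time."""
    expected = str(func(challenge)).encode()
    return hmac.compare_digest(expected, str(user_response).encode())

def demo() -> tuple:
    # System issues a fresh random challenge; the user answers with F(challenge).
    challenge = secrets.randbits(32)
    response = f_seeded_random(challenge)            # computed on the user's side
    accepted = verify_response(f_seeded_random, challenge, response)
    # A captured response is useless against the next, different challenge.
    replayed = verify_response(f_seeded_random, (challenge + 1) % 2**32, response)
    return accepted, replayed
```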
The Authentication Process
- Slow response from system
- Limited number of attempts
- Access limitations
- Fixing flaws with a second level of protection
- Challenge-response
- Impersonation of login
Biometrics
- Biometrics are biological authenticators
- Problems with biometrics:
  - Still a relatively new concept
  - Can be costly
  - Establishing a threshold
  - Single point of failure
  - False positives
  - Speed can limit accuracy
  - Forgeries are possible