User authentication

About the topic:
- It is the fundamental building block and the primary line of defense in computer security.
- It is the basis for access control and for user accountability.
- It is a means of identifying the user and verifying that the user is allowed to access some restricted service.
RFC 2828 (Internet Security Glossary) definition:
-> The process of verifying an identity claimed by or for a system entity.
-> An authentication process consists of 2 steps:
Identification step: presenting an identifier to the security system.
Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier.
There are 4 general means of authenticating a user's identity:
- Something the individual knows.
- Something the individual possesses.
- Something the individual is (static biometrics).
- Something the individual does (dynamic biometrics).
Something the individual knows.
(Your Facebook password!)
• A password,
• A personal identification number (PIN),
• Answers to a prearranged set of questions.
Drawbacks:
- Anybody can guess or steal your password.
- Anybody can forget a password.
Something the individual possesses.
Referred to as TOKENS.
• Electronic keycards,
• Smart cards,
• Physical keys.
Drawbacks:
- Anybody can forge or steal your token.
- Anybody can lose a token.
Something the individual is (static biometrics).
Recognition by
• Fingerprint,
• Retina,
• Face.
Drawbacks: user acceptance, cost and convenience.
Something the individual does (dynamic biometrics).
Recognition by
• Voice pattern,
• Handwriting characteristics,
• Typing rhythm.
Drawbacks: user acceptance, cost and convenience.
There are 3 types of authentication:
1. Password-based authentication.
2. Token-based authentication.
3. Biometric authentication.
1. Password-based authentication.
-> It is a widely used line of defense against intruders.
-> Virtually all multiuser systems require not only the user name or identifier (ID) but also a password.
How does it work?
-> The system compares the password to a previously stored password for that user ID, maintained in a system password file.
-> The password serves to authenticate the identity of the individual logging on to the system.
The ID provides security in the following ways:
- It determines whether a user is authorized to gain access to the system.
- It determines the privileges accorded to the user.
- It is used in discretionary access control.
The use of hashed passwords
- A widely used password security technique is the use of hashed passwords and a salt value.
- This scheme is found on virtually all UNIX variants as well as many other operating systems.
a) Loading a new password
(Figure: the password and the salt are fed to a slow hash function; the user ID, the salt and the resulting hash code are written to the password file.)
How a new password is loaded:
- The user selects or is assigned a password.
- This password is combined with a fixed-length salt value [MORR79].
- The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code.
- The hash algorithm is designed to be slow to execute, to thwart guessing attacks.
- The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID.
b) Verifying a password
(Figure: the user ID selects the salt and hash code from the password file; the salt and the supplied password go through the slow hash function, and the result is compared with the stored hash code.)
How a password is verified:
- When a user attempts to log on to a UNIX system, the user provides an ID and a password.
- The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted (hashed) password.
- The salt and user-supplied password are used as input to the encryption routine.
- If the result matches the stored value, the password is accepted.
The purpose of salt
- It prevents duplicate passwords from being visible in the password file: two users with the same password get different hash codes.
- It greatly increases the difficulty of offline dictionary attacks, since each guess must be hashed once per salt value rather than once for the whole file.
- It becomes impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.
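As an added example (not from the slides or from Stallings' text), the loading step (a), the verification step (b) and the purpose of salt in one runnable Python script. It assumes PBKDF2-HMAC-SHA256 as the slow hash function and a 16-byte random salt, since the slides leave the concrete algorithm open; the in-memory dict standing in for the password file is constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the password file: user id -> (salt, hash code).
PASSWORD_FILE = {}

PBKDF2_ROUNDS = 100_000  # deliberately slow, as the slides require


def slow_hash(password: str, salt: bytes) -> bytes:
    """Slow hash function: password and salt in, fixed-length (32-byte) hash code out.
    PBKDF2-HMAC-SHA256 is an assumption; the slides name no specific algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def load_new_password(user_id: str, password: str) -> None:
    """Step (a): pick a fresh random salt, hash, store salt and hash under the user id."""
    salt = os.urandom(16)  # fixed-length salt, stored in plaintext beside the hash
    PASSWORD_FILE[user_id] = (salt, slow_hash(password, salt))


def verify_password(user_id: str, password: str) -> bool:
    """Step (b): index the password file by user id, recompute the hash, compare."""
    entry = PASSWORD_FILE.get(user_id)
    if entry is None:
        # Unknown user: still spend one hash so timing does not reveal valid ids.
        slow_hash(password, b"\x00" * 16)
        return False
    salt, stored_hash = entry
    # Constant-time comparison so the compare step itself leaks nothing.
    return hmac.compare_digest(slow_hash(password, salt), stored_hash)


def same_password_same_hash(user_a: str, user_b: str) -> bool:
    """Purpose of salt: equal passwords must still yield different hash codes."""
    return PASSWORD_FILE[user_a][1] == PASSWORD_FILE[user_b][1]


if __name__ == "__main__":
    load_new_password("alice", "correct horse")
    load_new_password("bob", "correct horse")
    print(verify_password("alice", "correct horse"))  # True
    print(verify_password("alice", "wrong"))          # False
    print(same_password_same_hash("alice", "bob"))    # False, thanks to the salt
```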
UNIX implementation
• Each user selects a password of up to eight printable characters in length. This is converted into a 56-bit value that serves as the key input to an encryption routine.
• The hash routine, known as crypt(3), is based on DES.
• A 12-bit salt value is used.
• The modified DES algorithm is executed with a data input consisting of a 64-bit block of zeros.
• The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions.
• The resulting 64-bit output is then translated into an 11-character sequence. The modification of the DES algorithm converts it into a one-way hash function.
• The crypt(3) routine is designed to discourage guessing attacks.
2. Token-based authentication.
- A token is an object that the user possesses for the purpose of user authentication.
- The 2 types of token discussed here are cards that have the appearance and size of bank cards: memory cards and smart cards.
Memory cards
- When combined with a PIN or password, a memory card provides greater security than a password alone.
Drawbacks are:
o Require a special reader.
o Token loss.
o User dissatisfaction.
Smart cards
• These can be categorized along three dimensions that are not mutually exclusive:
1. Physical characteristics: smart tokens include an embedded microprocessor.
• A smart token that looks like a bank card is called a smart card.
• Other smart tokens can look like calculators, keys, or other small portable objects.
2. Interface: manual interfaces include a keypad and display for human/token interaction. Smart tokens with an electronic interface communicate with a compatible reader/writer.
3. Authentication protocol: the purpose of a smart token is to provide a means for user authentication. We can classify the authentication protocols used with smart tokens into three categories:
1. Static
2. Dynamic password generator
3. Challenge-response
3. Biometric authentication.
- Authenticates an individual based on his/her unique physical characteristics.
- It is technically complex and expensive.
- It is based on pattern recognition.
- It is yet to mature as a standard tool for user authentication to computer systems.
The physical characteristics used are:
- Static:
• Facial characteristics.
• Fingerprints.
• Hand geometry.
• Retinal pattern.
• Iris.
- Dynamic:
• Signature.
• Voice.
Cost versus accuracy of various biometric characteristics.
(Figure: cost plotted against accuracy for iris, hand, signature, face, retina, finger and voice recognition.)
Questions
1. Write a short note on user authentication and the characterization of user authentication. (2,5,7,8,9)
2. Define user authentication as per the RFC and explain the types of user authentication. (3,4,10,11,20,24)
3. Write short notes on the following:
- memory cards and smart cards. (21,22,23)
- purpose of salt value. (18)
4. Explain loading and verifying a hashed password with a neat diagram. (14,15,16,17)
5. Short note on UNIX implementation. (19)
-> Reference: William Stallings, pages 668-675.