My topic is: User Authentication

About the topic:
- It is the fundamental building block and the primary line of defense in computer security.
- It is the basis for access control and for user accountability.
- It is a means of identifying the user and verifying that the user is allowed to access some restricted service.

RFC 2828 (Internet Security Glossary) definition:
-> The process of verifying an identity claimed by or for a system entity.

-> An authentication process consists of 2 steps:
Identification step: presenting an identifier to the security system.
Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier.

There are 4 general means of authenticating a user's identity:
Something the individual knows.
Something the individual possesses.
Something the individual is (static biometrics).
Something the individual does (dynamic biometrics).

Something the individual knows.
Your fb password!!!
- A password,
- A personal identification number (PIN),
- Answers to a prearranged set of questions.
Anybody can guess or steal your password. Anybody can forget a password.

Something the individual possesses.
Referred to as TOKENS.
- Electronic keycards,
- Smart cards,
- Physical keys.
Anybody can forge or steal your token. Anybody can lose a token.

Something the individual is (static biometrics).
Recognition by
• Fingerprint,
• Retina,
• Face.
Issues: user acceptance, cost and convenience.

Something the individual does (dynamic biometrics).
Recognition by
• Voice pattern,
• Handwriting characteristics,
• Typing rhythm.
Issues: user acceptance, cost and convenience.

There are 3 types of authentication:
Password-Based Authentication.
Token-Based Authentication.
Biometric Authentication.

1. Password-Based Authentication.
-> It is a widely used line of defense against intruders.
-> Virtually all multiuser systems not only require the user name or identifier (ID) but also the password.
How does it work???
-> The system compares the password to a previously stored password for that user ID, maintained in a system password file.
-> The password serves to authenticate the ID of the individual logging on to the system.
The ID provides security in the following ways:
- It determines whether a user is authorized to gain access to the system.
- It determines the privileges accorded to the user.
- It is used in discretionary access control.

The use of hashed passwords
A widely used password security technique is the use of hashed passwords and a salt value. This scheme is found on virtually all UNIX variants as well as many other operating systems.

a) Loading a new password
[Figure: the salt and the password are fed to a slow hash function; the resulting hash code is stored with the user ID and the salt in the password file]
How is a new password loaded???
- The user selects or is assigned a password.
- This password is combined with a fixed-length salt value [MORR79].
- The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code.
- The hash algorithm is designed to be slow to execute to thwart attacks.
- The hashed password is then stored, together with a plain text copy of the salt, in the password file for the corresponding user ID.

b) Verifying a password
[Figure: the user ID selects the salt and hash code from the password file; the salt and the supplied password go through the slow hash function and the output is compared with the stored hash code]
How is a password verified???
- When a user attempts to log on to a UNIX system, the user provides an ID and a password.
- The operating system uses the ID to index into the password file and retrieve the plain text salt and the encrypted password.
- The salt and user-supplied password are used as input to the encryption routine.
- If the result matches the stored value, the password is accepted.

The purpose of salt
- It prevents duplicate passwords from being visible in the password file.
- It increases the difficulty of offline dictionary attacks and of guessing a password in a dictionary attack.
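The loading and verifying steps above, and the first purpose of the salt, as an added worked example (not code from the slides or from Stallings). It uses PBKDF2-HMAC-SHA256 as the slow hash function in place of the DES-based crypt(3), an in-memory dictionary as the password file, and an assumed 16-byte salt and 200 000-iteration work factor; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed in-memory stand-in for the system password file:
# user id -> (plain text salt, hash code). A real system persists this on disk.
PASSWORD_FILE = {}

SALT_LEN = 16          # fixed-length salt (assumed size)
ITERATIONS = 200_000   # work factor that makes the hash deliberately slow (assumed)


def slow_hash(salt: bytes, password: str) -> bytes:
    """Slow hash function: PBKDF2-HMAC-SHA256 standing in for crypt(3)/DES."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def load_password(user_id: str, password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """a) Loading a new password: pick a salt, hash salt+password, store both."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt for this user
    hash_code = slow_hash(salt, password)
    PASSWORD_FILE[user_id] = (salt, hash_code)   # salt is stored in plain text
    return salt, hash_code


def verify_password(user_id: str, password: str) -> bool:
    """b) Verifying a password: fetch salt+hash by user id, recompute, compare."""
    entry = PASSWORD_FILE.get(user_id)
    if entry is None:
        # Unknown ID: still spend one hash so response time does not reveal
        # which IDs exist, then reject.
        slow_hash(b"\x00" * SALT_LEN, password)
        return False
    salt, stored_hash = entry
    candidate = slow_hash(salt, password)
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(candidate, stored_hash)


def duplicate_hidden(user_a: str, user_b: str) -> bool:
    """True when the two users' stored hash codes differ, i.e. the per-user salt
    hides the fact that they chose the same password."""
    return PASSWORD_FILE[user_a][1] != PASSWORD_FILE[user_b][1]


if __name__ == "__main__":
    load_password("alice", "correct horse")      # constructed sample users
    load_password("bob", "correct horse")        # same password as alice
    print("alice, right password:", verify_password("alice", "correct horse"))
    print("alice, wrong password:", verify_password("alice", "wrong"))
    print("same password, different hashes:", duplicate_hidden("alice", "bob"))
```

Because the salt is random per user, alice and bob end up with different hash codes even though their passwords are identical, which is exactly the first point listed under the purpose of salt; an attacker who obtains the file must also run the slow hash once per salt rather than once per candidate word.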
- It becomes impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.

UNIX implementation
• Each user selects a password of up to eight printable characters in length. This is converted into a 56-bit value that serves as the key input to an encryption routine.
• The hash routine, known as crypt(3), is based on DES.
• A 12-bit salt value is used.
• The modified DES algorithm is executed with a data input consisting of a 64-bit block of zeros.
• The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions.
• The resulting 64-bit output is then translated into an 11-character sequence. The modification of the DES algorithm converts it into a one-way hash function.
• The crypt(3) routine is designed to discourage guessing attacks.

2. Token-based authentication.
It's an object that the user possesses for the purpose of user authentication.
The 2 types of token are cards that have the appearance and the size of bank cards:

Memory cards
When combined with a PIN or password it provides greater security than a password alone.
Drawbacks are:
o Require a special reader.
o Token loss.
o User dissatisfaction.

Smart cards
• These can be categorized along three dimensions that are not mutually exclusive:
1. Physical characteristics: Smart tokens include an embedded microprocessor.
• A smart token that looks like a bank card is called a smart card.
• Other smart tokens can look like calculators, keys, or other small portable objects.
2. Interface: Manual interfaces include a keypad and display for human/token interaction. Smart tokens with an electronic interface communicate with a compatible reader/writer.
3. Authentication protocol: The purpose of a smart token is to provide a means for user authentication. We can classify the authentication protocols used with smart tokens into three categories:
1. Static
2. Dynamic password generator
3.
Challenge-response

3. Biometric authentication.
- Authenticates an individual based on his/her unique physical characteristics.
- It is technically complex and expensive.
- It is based on pattern recognition.
- It is yet to mature as a standard tool for user authentication to computer systems.
The physical characteristics used are:
Static: facial characteristics, fingerprints, hand geometry, retinal pattern, iris.
Dynamic: signature, voice.
[Figure: cost versus accuracy of various biometric characteristics; characteristics plotted: iris, hand, signature, face, retina, finger, voice]

Questions
1. Write a short note on user authentication and the characterization of user authentication. (2,5,7,8,9)
2. Define user authentication as per the RFC and explain the types of user authentication. (3,4,10,11,20,24)
3. Write a short note on the following:
- memory cards and smart cards. (21,22,23)
- purpose of the salt value. (18)
4. Explain loading and verifying hashed passwords with a neat diagram. (14,15,16,17)
5. Short note on the UNIX implementation. (19)
-> William Stallings, pages 668-675
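The challenge-response category of smart-token authentication protocol, listed above under token-based authentication, as an added example showing both sides of the exchange (not code from the slides or from Stallings). It assumes the host keeps a copy of each token's secret key from an issuance step that is not shown, uses HMAC-SHA256 as the response function, and treats each challenge as single-use; the token serial number and key are constructed sample values.

```python
import hashlib
import hmac
import os

# Host-side copy of each issued token's secret key (constructed sample data;
# the issuance step that provisions it is assumed, not shown).
TOKEN_KEY_STORE = {"token-0001": b"\x10" * 32}
CHALLENGE_LEN = 16   # assumed challenge size in bytes


class SmartToken:
    """The token the user possesses: holds its key and answers challenges."""

    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        # Response = HMAC(key, challenge); the key itself never leaves the token.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Host:
    """The verifier: issues random challenges and checks the responses."""

    def __init__(self):
        self.outstanding = {}   # serial -> challenge currently awaiting a reply

    def issue_challenge(self, serial: str) -> bytes:
        challenge = os.urandom(CHALLENGE_LEN)
        self.outstanding[serial] = challenge
        return challenge

    def check_response(self, serial: str, response: bytes) -> bool:
        # Each challenge is consumed on first use, so a captured response
        # cannot be replayed later.
        challenge = self.outstanding.pop(serial, None)
        if challenge is None:
            return False
        key = TOKEN_KEY_STORE.get(serial)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_exchange(host: Host, token: SmartToken) -> bool:
    """One full protocol run: host -> challenge, token -> response, host verdict."""
    challenge = host.issue_challenge(token.serial)     # message 1: host to token
    response = token.respond(challenge)                 # message 2: token to host
    return host.check_response(token.serial, response)


if __name__ == "__main__":
    host = Host()
    genuine = SmartToken("token-0001", TOKEN_KEY_STORE["token-0001"])
    print("genuine token accepted:", run_exchange(host, genuine))
    forged = SmartToken("token-0001", b"\x00" * 32)    # right serial, wrong key
    print("forged token accepted:", run_exchange(host, forged))
```

The value of this category over a static password is visible in the checks: the response is different on every run because the challenge is fresh, a token that does not hold the right key cannot produce it, and the host discards each challenge once answered, so observing one exchange yields nothing reusable.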