Chapter 4 – Protection in General-Purpose Operating Systems
Section 4.5 User Authentication

In this section
- Authentication
- Passwords
- Effective passwords
- Breaking passwords
- One-Time Systems
- Biometrics

User Authentication
- Most software and operating systems base their security on knowing who the user is
- Authentication is based on one of three qualities:
  - Something the user knows – password, PIN, passphrase
  - Something the user has – key, license, badge, username
  - Something the user is – physical characteristics, or biometrics
- Two of these forms can be combined

Passwords as Authenticators
- Most common authentication mechanism
- Password – a word known to the user and the computer, and unknown to everyone else
- Problems with passwords:
  - Loss
  - Use – time consuming if required on each file or access
  - Disclosure – if Mallory learns the password, everyone else who relies on it is affected
  - Revocation – revoking one person's right may disrupt others who share the password

Additional Authentication Information
- Placing other conditions on a login strengthens the protection a password provides
- Other methods:
  - Limiting the time of access
  - Limiting the location of access
- Multifactor authentication is the use of additional forms of authentication
- More authentication factors mean more for the system and the administrator to manage

Attacks on Passwords
- Ways of figuring out a password:
  - Try all possible passwords
  - Try frequently used passwords
  - Try passwords likely for the user
  - Search for the system password list
  - Ask the user

Loose-Lipped Systems
- The authentication system leaks information about the password or username
- Provides information at inconvenient times

Exhaustive Attack
- A brute-force attack is one in which the attacker tries all possible passwords
- Example: passwords drawn from the 26 letters A–Z, of length 1 to 8 characters
  - At one password per millisecond, trying them all would take about two months
  - But we would not need to try every password

Password Problems
- Probable passwords
- Passwords likely for a user
- Weakness is in the user's choice
- Weakness is in the control of the system
- See Table 4-2 on page 225 and Figure 4-15, Users' Password Choices

Password Selection Criteria
- Use characters other than just A–Z
- Choose long passwords
- Avoid actual names or words
- Choose an unlikely password
- Change the password regularly
- Don't write it down
- Don't tell anyone else – beware of social engineering

One-Time Passwords
- A password that changes every time it is used
- Also known as a challenge-response system
- Examples of the function the user must compute on the system's challenge:
  - F(x) = x + 1 – use of a simple function
  - F(x) = r(x) – x is the seed to a random number generator
  - F(a b c d e f g) = b d e g f a c – transformation of a character string
  - F(E(x)) = E(D(E(x)) + 1) – the encrypted value must be decrypted, run through a function, and re-encrypted

The Authentication Process
- Slow response from the system
- Limited number of attempts
- Access limitations
- Fixing flaws with a second level of protection
- Challenge-response
- Impersonation of login

Biometrics
- Biometrics are biological authenticators

Problems with Biometrics
- Still a relatively new concept
- Can be costly
- Establishing a threshold
- Single point of failure
- False positives
- Speed can limit accuracy
- Forgeries are possible
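Worked example for the Exhaustive Attack and Password Selection Criteria slides. This is an added illustration, not code from the lecture notes or the textbook: it computes the size of the password space for the slide's A–Z, length 1 to 8 scenario, the time to search it at an assumed guess rate, and checks a candidate password against the slide's selection criteria. The word list, the substitution table and the minimum length are constructed assumptions, not values from the page.

```python
"""Added example (not from the lecture notes): password space size, time to
exhaust it, and a checker for the slide's password selection criteria.
The word list, substitution table and minimum length are constructed."""
import math
import string


def password_space(alphabet_size, min_len, max_len):
    """Number of distinct passwords of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def exhaust_time(space, guesses_per_second):
    """(worst case, average) seconds to find a password by trying every candidate.
    On average the right one turns up halfway through the space."""
    worst = space / guesses_per_second
    return worst, worst / 2


def format_duration(seconds):
    """Human-readable duration, for reporting only."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Constructed stand-in for a real dictionary and list of names.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon",
                "alice", "bob", "admin", "monkey"}

# Substitutions people commonly use to dress up a dictionary word (constructed).
LEET = str.maketrans("43105$7@!", "aeiosstai")


def normalize(pw):
    """Strip trailing digits/punctuation and undo substitutions, so that
    'P@ssw0rd1' is recognised as the word 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def estimated_bits(pw):
    """Entropy estimate assuming uniform choice from the union of character classes
    used. This is an optimistic upper bound for a human-chosen string."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw, words=COMMON_WORDS, min_len=12):
    """Return the list of slide criteria the password violates (empty means it passes)."""
    problems = []
    if len(pw) < min_len:                                   # "choose long passwords"
        problems.append(f"shorter than {min_len} characters")
    if all(c in string.ascii_letters for c in pw):          # "characters other than just A-Z"
        problems.append("uses only letters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if normalize(pw) in words:                              # "avoid actual names or words"
        problems.append("is a dictionary word or name (after undoing substitutions)")
    return problems


if __name__ == "__main__":
    space = password_space(26, 1, 8)                        # the slide's scenario
    worst, average = exhaust_time(space, 1000)              # assumed: one guess per millisecond
    print(f"{space:,} candidates; worst case {format_duration(worst)}, "
          f"average {format_duration(average)}")
    for candidate in ("P@ssw0rd1", "correct horse battery staple", "Tr0ub4dor&3"):
        print(candidate, f"{estimated_bits(candidate):.0f} bits", check_password(candidate))
```

The guess rate is a parameter on purpose: the slide's two-month figure assumes one rate, while a cracking rig or an offline hash list changes the answer by orders of magnitude, so a policy should be judged against the fastest rate an attacker could plausibly achieve rather than the one in the example.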
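Worked example for the Loose-Lipped Systems and The Authentication Process slides. This is an added illustration, not code from the lecture notes or the textbook: a login routine that gives a slow response after failures, limits the number of attempts before locking the account, and returns one uniform failure message whether the username is unknown, the password is wrong or the account is throttled. The delay schedule, lockout period, iteration count and the injectable fake clock are constructed assumptions so the behaviour can be exercised without real waiting.

```python
"""Added example (not from the lecture notes): a login routine applying the
slide's countermeasures. Delay schedule, lockout and the fake clock are
constructed for illustration."""
import hashlib
import hmac
import os
import time
from collections import namedtuple

AuthResult = namedtuple("AuthResult", "ok message")
# The same text for every failure, so the system does not say which part was wrong.
FAILURE_MESSAGE = "Login failed."


class Authenticator:
    def __init__(self, max_attempts=5, lockout_seconds=300.0, max_delay=60.0,
                 clock=time.monotonic):
        self.clock = clock
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.max_delay = max_delay
        self._users = {}    # username -> (salt, derived key)
        self._state = {}    # username -> [consecutive failures, not-before time]
        # Derived once so a guess against a non-existent name costs the same
        # time as a guess against a real one (no timing hint about usernames).
        self._dummy = self._derive(os.urandom(16), "dummy-password")

    @staticmethod
    def _derive(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(salt, password))
        self._state[username] = [0, 0.0]

    def login(self, username, password):
        now = self.clock()
        record = self._users.get(username)
        if record is None:
            # Unknown user: do the same work, return the same message.
            hmac.compare_digest(self._derive(os.urandom(16), password), self._dummy)
            return AuthResult(False, FAILURE_MESSAGE)
        state = self._state[username]
        if now < state[1]:
            # Throttled or locked: refuse without even checking the password.
            return AuthResult(False, FAILURE_MESSAGE)
        salt, expected = record
        if hmac.compare_digest(self._derive(salt, password), expected):
            state[0], state[1] = 0, 0.0               # success resets the counter
            return AuthResult(True, "Welcome.")
        state[0] += 1
        if state[0] >= self.max_attempts:
            state[1] = now + self.lockout_seconds     # limited number of attempts
        else:
            state[1] = now + min(2 ** state[0], self.max_delay)   # slow response: 2, 4, 8, ... s
        return AuthResult(False, FAILURE_MESSAGE)


def make_clock(start=1000.0):
    """Fake monotonic clock: returns (read, advance) so demos need not sleep."""
    t = [start]

    def read():
        return t[0]

    def advance(seconds):
        t[0] += seconds

    return read, advance


if __name__ == "__main__":
    clock, advance = make_clock()
    auth = Authenticator(clock=clock)
    auth.add_user("alice", "correct horse battery")
    print(auth.login("alice", "wrong"))                   # counted failure
    print(auth.login("alice", "correct horse battery"))   # rejected: still in the 2 s delay
    advance(3)
    print(auth.login("alice", "correct horse battery"))   # accepted
    print(auth.login("mallory", "anything"))              # same message as a bad password
```

Note that a correct password presented during the delay window is rejected too; that is the point of the slow response, and it is why the legitimate user should see the same neutral message rather than "account locked", which would tell an attacker exactly when the throttle is in force.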
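Worked example for the One-Time Passwords slide. This is an added illustration, not code from the lecture notes or the textbook: it implements the first three response functions listed on the slide (F(x) = x + 1, F(x) = r(x) with x as the seed, and the character transposition) and adds a keyed variant, an HMAC over the challenge with a shared secret, as a stand-in for the encrypted form F(E(x)) = E(D(E(x)) + 1), which is not implemented. The shared secret, the challenge length and the single-use bookkeeping in the verifier are constructed assumptions; the exchange shows both sides' messages and why a captured response cannot be replayed.

```python
"""Added example (not from the lecture notes): the slide's one-time-password
functions and a challenge-response exchange. Secret and challenge format
are constructed for illustration."""
import hashlib
import hmac
import random
import secrets


def f_increment(x):
    """F(x) = x + 1"""
    return x + 1


def f_seeded_random(x):
    """F(x) = r(x): x seeds a pseudo-random generator, so both sides derive the same value."""
    return random.Random(x).getrandbits(32)


# F(a b c d e f g) = b d e g f a c: a fixed transposition of the challenge string.
PERMUTATION = (1, 3, 4, 6, 5, 0, 2)


def f_permute(s):
    if len(s) != len(PERMUTATION):
        raise ValueError(f"challenge must be {len(PERMUTATION)} characters")
    return "".join(s[i] for i in PERMUTATION)


def f_keyed(secret, challenge):
    """Keyed variant: the response depends on a secret the two parties share,
    so merely knowing the function is not enough to answer a challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class Verifier:
    """The system side: issues single-use challenges and checks responses."""

    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def new_challenge(self):
        c = secrets.token_bytes(16)      # fresh and unpredictable each time
        self._outstanding.add(c)
        return c

    def verify(self, challenge, response):
        if challenge not in self._outstanding:
            return False                 # never issued, or already used: a replay
        self._outstanding.discard(challenge)   # one response attempt per challenge
        return hmac.compare_digest(f_keyed(self._secret, challenge), response)


class Prover:
    """The user side (or a token they hold): answers with the shared secret."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return f_keyed(self._secret, challenge)


def run_exchange(verifier, prover):
    """One complete login; returns (transcript of messages in both directions, accepted)."""
    c = verifier.new_challenge()
    r = prover.respond(c)
    ok = verifier.verify(c, r)
    transcript = [("system -> user", "challenge " + c.hex()),
                  ("user -> system", "response " + r),
                  ("system", "accepted" if ok else "rejected")]
    return transcript, ok


if __name__ == "__main__":
    print(f_increment(41), f_seeded_random(7), f_permute("abcdefg"))
    secret = b"shared-secret"           # constructed; in practice provisioned out of band
    v, p = Verifier(secret), Prover(secret)
    for side, msg in run_exchange(v, p)[0]:
        print(f"{side}: {msg}")
```

The security of the exchange rests on the challenge never repeating and on the verifier refusing a challenge it has not just issued; the simple functions on the slide are only as strong as the secrecy of the function itself, whereas the keyed variant can be published and still hold as long as the shared secret does.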
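Worked example for the Problems with Biometrics slide, specifically "establishing a threshold" and "false positives". This is an added illustration, not code from the lecture notes or the textbook: it sweeps the acceptance threshold of a matcher over constructed match scores and reports the false accept rate (impostors let in, the slide's false positives) against the false reject rate (genuine users turned away). The ten genuine and ten impostor scores are constructed on a 0 to 1 scale and are not measurements from any real system.

```python
"""Added example (not from the lecture notes): how a biometric matching
threshold trades false accepts against false rejects. Scores are constructed."""

# Constructed similarity scores: comparisons of a person against their own
# enrolment (genuine) and against other people's enrolments (impostor).
GENUINE = [0.91, 0.87, 0.78, 0.95, 0.83, 0.69, 0.88, 0.74, 0.92, 0.81]
IMPOSTOR = [0.32, 0.45, 0.51, 0.28, 0.62, 0.39, 0.55, 0.71, 0.44, 0.36]


def error_rates(genuine, impostor, threshold):
    """(false accept rate, false reject rate) when scores >= threshold are accepted.
    A false accept is the slide's false positive: an impostor admitted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, candidates):
    """Rows of (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in candidates]


def equal_error_threshold(genuine, impostor, candidates):
    """The candidate threshold where FAR and FRR are closest, as (threshold, far, frr).
    Systems are often tuned to this point, or deliberately away from it when
    one kind of error is more costly than the other."""
    best = None
    for t in candidates:
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, [i / 100 for i in range(50, 96, 5)]):
        print(f"threshold {t:.2f}  false accept {far:.0%}  false reject {frr:.0%}")
    t, far, frr = equal_error_threshold(GENUINE, IMPOSTOR, [i / 100 for i in range(50, 96)])
    print(f"equal error point: threshold {t:.2f}, FAR {far:.0%}, FRR {frr:.0%}")
```

Raising the threshold removes false accepts but starts turning away legitimate users, which is the practical meaning of the slide's "establishing a threshold": there is no setting that makes both error rates zero, only a choice of which error to tolerate more, and a high-security door and a convenience login should not share the same setting.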