2. Authentication
• Authentication is the binding of an identity to a principal.
• Network-based authentication mechanisms require a principal to authenticate to a single system, either local or remote.
• An external entity must provide information to enable the system to confirm its identity.
3. Basics continued…
• The authentication process consists of obtaining the information from an entity, analyzing the data and determining if it is associated with that entity.
• Authentication system components are:
Set A – authentication information
Set C – complementary information
Set F – complementation functions
Set L – authentication functions
Set S – selection functions
4. Passwords
• An example of an authentication mechanism based on what people know.
• The user supplies the password, and the computer validates it.
• Password space
• Verification => one-way hash function.
5. Authentication system for password
• Set A – characters (alphabets + digits + special characters) – 8 characters.
• Set C – one-way hash function to store the password in a file (UNIX – 13 characters), /etc/passwd.
• Set F – based on permutations of DES, contains 4096 – login, su.
• Set L – system supplies the proper element of C.
• Set S – passwd, nispasswd.
6. Protecting passwords
• Hide enough information so that one of a, c or f cannot be found.
• Prevent access to the authentication functions L.
7. Attacking password system
• Dictionary attack
Type 1: compute f(g) for each f ∈ F; if f(g) equals the complementary information for entity E, then g authenticates E under f.
Type 2: for l ∈ L, if submitting g to l results in true, g is the correct password.
8. Countering password guessing
• P >= TG/N
where P – probability of guessing the password,
T – number of time units,
G – number of guesses per unit time,
N – number of possible passwords.
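Applying the P >= TG/N bound in both directions, as an added example that is not part of the slides: sizing the password space for a target probability, and rearranging for G to decide what guess rate a rate limiter must enforce. The attacker speed, time window and target probability are constructed values.

```python
import math

# Added example (not from the slides): working with P >= TG/N.
# All parameter values below are constructed for illustration.

def password_space(alphabet_size: int, length: int) -> int:
    """N: number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length

def guess_probability(T: float, G: float, N: int) -> float:
    """P = TG/N: chance the password is guessed within T time units at G
    guesses per unit; capped at 1 because TG can exceed N."""
    return min(1.0, T * G / N)

def min_length(alphabet_size: int, T: float, G: float, P_max: float) -> int:
    """Smallest length whose space satisfies TG/N <= P_max, i.e. N >= TG/P_max."""
    needed = math.ceil(T * G / P_max)
    length = 1
    while password_space(alphabet_size, length) < needed:
        length += 1
    return length

def max_guess_rate(N: int, T: float, P_max: float) -> float:
    """Rearranged for the defender: the guess rate G an attacker must be held
    below so that P stays under P_max over T time units (G <= P_max * N / T)."""
    return P_max * N / T

def example() -> dict:
    N = password_space(128, 8)            # 128 choices, 8 characters: 2^56
    month = 30 * 24 * 3600                # T in seconds (constructed window)
    return {
        "N": N,
        "P_month_at_1e6_per_s": guess_probability(month, 1e6, N),
        "min_len_for_P_1e-6": min_length(128, month, 1e6, 1e-6),
        "guess_rate_limit_per_s": max_guess_rate(N, month, 1e-6),
    }
```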
9. User Authentication
• In-person identification
• Must be based on some knowledge shared only by the computing system and the user
• Three qualities to confirm the user’s identity:
1. something the user knows
2. something the user has
3. something the user is (biometrics)
4. where the entity is (in front of)
Two or more forms can be combined
10. Use of Passwords
• Password – a ‘word’ known to computer and user; agreed-upon codeword; length and format vary.
• Humans:
– Short, memorable key (8 characters, 48 bits), directly or as key for a longer key
• Computers:
– (Long) high-quality secret
– Hidden key (encrypted by password), directly (e.g., hash of the password)
• Key versus passwords.
• Additional Authentication Information
11. Attacks on Passwords….
1. Try all possible passwords
2. Try many probable passwords
3. Try passwords likely for the user
4. Search for the system list of passwords
5. Ask the user
1. Exhaustive attack
Brute force attack: 5 * 10^12 passwords for 26 alphabets
2. Probable passwords
Think of a word:
Length 3 – 18.278 sec.
Length 4 – 8 min.
Length 5 – 3.5 hours
Dictionary
3. Attacking systems via passwords
Outsider → normal user → administrator.
12. Passwords Likely for a user
• Password – something meaningful

Count   Share   Category
15      0.5%    Were a single ASCII character
72      2%      Were two single ASCII characters
464     14%     Were three ASCII characters
477     14%     Were four alphabetic letters
706     21%     Were five same-case alphabets
605     18%     Were six lowercase alphabets
492     15%     Words in dictionaries or lists of names
2831    86%     Total of all above categories
14. Password guessing steps
– On-line: limit tries, alarm
– Off-line: dictionary attack
• No password
• The same as the user ID
• Is, or is derived from, the user’s name
• Common word list plus common names and patterns
• Short college dictionary
• Common non-English language dictionaries
• Short dictionary with capitalizations and substitutions (PaSsWorD)
• Complete English with capitalizations and substitutions
• Common non-English with capitalizations and substitutions
• Brute force, lowercase alphabets
• Brute force, full character set
15. Protecting password list file
• Problems:
• The OS is not divided, so all its modules have access to all privileged information
• An intruder can dump memory at a convenient time to access it
• The file system can be relocated from a backup
• The password file is a copy of a file stored on a disk
16. Encrypted Password File
• The password list is hidden by conventional encryption or one-way ciphers
• One-way encryption
• Salt – E(pw+saltB) & saltB is stored
• Indiscreet users: writing down or telling the password
17. Password Selection Criteria
• Use characters other than just A–Z – 6-letter word, one case – 100 hours; upper and lower – 2 years
• Choose long passwords
• Avoid actual names or words
• Choose an unlikely password – 2Brn2B or I10veu
• Change the password regularly
• Don’t write it down
• Don’t tell anyone else
18. Password Selection Criteria…..
• Some systems provide meaningful but pronounceable passwords (“bliptab”, “blaptib” or “blabtip”)
• Some systems ask the user to change the password
• Why is the reminder process not good?
• Group A: 6 characters with at least one non-letter. 30% are easy to crack.
• Group B: based on passphrases. 10%.
• Group C: 8 randomly selected characters. 10%.
19. One-Time Password
• Is one that changes every time it is used
• System assigns a static mathematical function
• Also called challenge-response systems
• f(x) = x + 1
• f(x) = r(x)
• f(a1a2a3a4a5a6) = a3a1a1a4
• f(E(x)) = E(D(E(x)) + 1)
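The challenge-response exchange built from the first three functions above, as an added example that is not part of the slides (the encryption-based variant is left out). Challenges are assumed to be 6-digit strings; the Server class, function names and the replay check are illustrative.

```python
import secrets

# Added example (not from the slides): a toy challenge-response login using the
# one-time functions listed above. Challenges are 6-digit strings (assumption).

def f_increment(x: str) -> str:
    """f(x) = x + 1, with the challenge read as a number."""
    return str(int(x) + 1)

def f_reverse(x: str) -> str:
    """f(x) = r(x): the challenge reversed."""
    return x[::-1]

def f_select(x: str) -> str:
    """f(a1a2a3a4a5a6) = a3a1a1a4: a fixed selection of challenge positions."""
    return x[2] + x[0] + x[0] + x[3]

class Server:
    """Keeps the function agreed with each user at enrolment (the secret) and
    issues a fresh random challenge per login, so a captured response is useless."""
    def __init__(self, user_functions: dict):
        self.user_functions = user_functions
        self.pending = {}                  # user -> outstanding challenge

    def challenge(self, user: str) -> str:
        c = "".join(str(secrets.randbelow(10)) for _ in range(6))
        self.pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)   # each challenge is consumed once
        if c is None or user not in self.user_functions:
            return False
        return self.user_functions[user](c) == response

def run_exchange(server: Server, user: str, client_fn) -> tuple:
    """Client answers the challenge, then the same answer is replayed:
    returns (first attempt accepted, replay accepted)."""
    c = server.challenge(user)
    r = client_fn(c)
    return server.verify(user, r), server.verify(user, r)
```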
20. Password verification
• Store the password in a file.
• Store hashed passwords in a file.
• Storing passwords:
– Per-node: /etc/passwd
– Server: authentication storage server, retrieved by node (yp/NIS)
– Facilitator: server says yes/no
• Salt – E(pw+saltB) & saltB is stored.
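The salted one-way store from the password-verification and encrypted-password-file slides, expressed in the A/C/F/L/S terms of the authentication-system slide, as an added example that is not part of the slides. It uses PBKDF2 in place of the DES-based UNIX function, the salt plays the role of selecting one function from F, and the store, user names and iteration count are constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): a salted one-way password store in the
# terms of the A/C/F/L/S model. Names and the work factor are assumptions.
ITERATIONS = 100_000  # constructed work factor; real systems tune this

def complement(password: str, salt: bytes) -> bytes:
    """Set F: one complementation function per salt value (cf. UNIX's 4096 DES
    variants). Here each salt selects a different PBKDF2 instance."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def enrol(store: dict, user: str, password: str) -> None:
    """Set S: the selection function (passwd) maps a chosen password in A to a
    complementary value in C and stores salt and hash, never the password."""
    salt = secrets.token_bytes(16)
    store[user] = (salt, complement(password, salt))

def login(store: dict, user: str, guess: str) -> bool:
    """Set L: the authentication function recomputes f(guess) with the stored
    salt and compares it with the stored complement c in constant time."""
    if user not in store:
        # burn the same work so a missing user is not revealed by timing
        complement(guess, b"\x00" * 16)
        return False
    salt, stored = store[user]
    return hmac.compare_digest(complement(guess, salt), stored)

def same_password_differs(store: dict, u1: str, u2: str) -> bool:
    """Salting means two users with the same password hold different entries."""
    return store[u1][1] != store[u2][1]

def demo() -> bool:
    store = {}                       # constructed in-memory stand-in for /etc/passwd
    enrol(store, "alice", "correct horse")
    enrol(store, "bob", "correct horse")
    return (login(store, "alice", "correct horse")
            and not login(store, "alice", "wrong")
            and not login(store, "mallory", "correct horse")
            and same_password_differs(store, "alice", "bob"))
```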
21. Password cracking
• 128 choices.
• 8 characters => 128^8 = 2^56 possible passwords.
• 4 cases of success of password cracking:
– Without using a dictionary of likely passwords.
– Using a dictionary.
– Without using a dictionary, from the hashed file.
– Using a dictionary.
22. Other password issues
• Reuse of passwords.
• Social engineering.
• Keystroke logging software, spyware.
• Password cracking tools.
• Solution: use of biometrics.
23. Fixing flaws in the Authentication Process
• Challenge-response systems
• Impersonation of login
• Authentication other than passwords – handprint detectors, voice recognizers, identifiers of patterns in the retina
24. Biometrics
• Efforts to find physical characteristics that uniquely identify people include the Bertillon cranial maps, fingerprints and DNA sampling.
• Biometrics is the automated measurement of biological or behavioral features that identify a person.
• Common features are fingerprints, voices, face and keystroke dynamics.
25. User selection of passwords
• Proactive password selection
• Passwords based on account names:
Account name followed by a number
Account name surrounded by delimiters
• Passwords based on user names:
Initials repeated 0 or more times
All letters lower- or uppercase
Name reversed
First initial followed by last name reversed.
26. Continued…
• Passwords based on computer names
• Dictionary words
• Reversed dictionary words
• Dictionary words with some or all letters capitalized.
• Patterns from the keyboard.
• Only digits
• Acronyms
• Dictionary words with all vowels deleted.
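A proactive password checker that rejects the weak patterns listed on the two slides above, as an added example that is not part of the slides. The dictionary, keyboard rows, account name, user name and host are constructed; acronyms cannot be detected mechanically and are not covered.

```python
import re

# Added example (not from the slides): a proactive password checker for the
# patterns listed on the two slides above. Word list and names are constructed;
# a real checker uses a full dictionary. First and last names are assumed non-empty.

DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey"}   # constructed
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
VOWELS = set("aeiou")

def strip_vowels(word: str) -> str:
    return "".join(ch for ch in word if ch not in VOWELS)

def is_keyboard_pattern(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run or more adjacent keys of one row, either direction."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_run] in pw for i in range(len(seq) - min_run + 1)):
                return True
    return False

def weak_reasons(pw: str, account: str, first: str, last: str, host: str) -> list:
    """Return the listed weak-pattern categories the candidate matches (an empty
    list means it passed). Matching is case-insensitive, which also covers the
    'some or all letters capitalized' variants."""
    p = pw.lower()
    names = {account.lower(), first.lower(), last.lower(), host.lower()}
    initials = (first[0] + last[0]).lower()
    reasons = []
    if re.fullmatch(re.escape(account.lower()) + r"\d*", p):
        reasons.append("account name, optionally followed by a number")
    if re.fullmatch(r"\W+" + re.escape(account.lower()) + r"\W+", p):
        reasons.append("account name surrounded by delimiters")
    if re.fullmatch(f"({initials})+", p):
        reasons.append("initials repeated")
    if p in names or p in {n[::-1] for n in names}:
        reasons.append("user, account or computer name, forwards or reversed")
    if p == (first[0] + last[::-1]).lower():
        reasons.append("first initial followed by last name reversed")
    if p.isdigit():
        reasons.append("only digits")
    if is_keyboard_pattern(p):
        reasons.append("keyboard pattern")
    no_vowels = {strip_vowels(w) for w in DICTIONARY}
    if p in DICTIONARY or p[::-1] in DICTIONARY or p in no_vowels:
        reasons.append("dictionary word, reversed or with vowels deleted")
    return reasons
```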
28. Backoff techniques
• x – parameter selected by the system administrator.
• Waits for x^0 = 1 sec before reprompting for name and authentication data.
• If the attempt fails, again waits for x^1 = x sec.
• After n failures, waits for x^(n-1) sec.
29. Other techniques
• Disconnection – after some number of failed authentication attempts, the connection is broken.
• Disabling – the account is disabled until a security manager can re-enable it.
• Jailing – the unauthenticated user is given access to a limited part of the system and is gulled into believing that he/she has full access. The jail records the attacker’s actions.
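The backoff, disconnection and disabling techniques from the two slides above combined in one login guard, as an added example that is not part of the slides (jailing is left out). The class name, thresholds and the in-memory state are constructed; a real deployment would persist the counters and inject the sleep function as shown so tests do not wait.

```python
import time

# Added example (not from the slides): a login guard combining backoff,
# disconnection and disabling. Thresholds and state are constructed.

class LoginGuard:
    def __init__(self, x: float = 2.0, disconnect_after: int = 3,
                 disable_after: int = 10, sleep=time.sleep):
        self.x = x                            # backoff base chosen by the administrator
        self.disconnect_after = disconnect_after
        self.disable_after = disable_after
        self.failures = {}                    # account -> consecutive failures so far
        self.disabled = set()
        self.sleep = sleep                    # injectable so tests need not wait

    def backoff_delay(self, n: int) -> float:
        """Seconds to wait after the n-th consecutive failure: x^(n-1)."""
        return self.x ** (n - 1)

    def attempt(self, account: str, ok: bool) -> str:
        """Record one authentication attempt and tell the caller what to do:
        'ok', 'retry', 'disconnect' (drop the connection) or 'disabled'."""
        if account in self.disabled:
            return "disabled"                 # only a security manager re-enables
        if ok:
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.disable_after:
            self.disabled.add(account)
            return "disabled"
        self.sleep(self.backoff_delay(n))     # 1, x, x^2, ... seconds
        if n % self.disconnect_after == 0:
            return "disconnect"
        return "retry"

    def reenable(self, account: str) -> None:
        """Security manager action: clear the disabled flag and the counter."""
        self.disabled.discard(account)
        self.failures.pop(account, None)
```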
30. Summary
• Memory protection: fence, base-bound register, tagged architecture, paging, segmentation
• File protection: three- or four-level format, user-group-all
• Access control in general: access control matrix, per-object or per-user basis
• User authentication: password protection
31. Qu. On OS Security
1. Explain different methods for memory and address protection (183)
2. Compare segmentation with paging (193)
3. Explain different methods to be used to protect objects (196)
4. Explain various schemes for file protection (205)
5. Explain ways to determine a user’s password (212)
32. Qu. On OS Security
6. Explain how a fence register is used for relocating a user's program. [MAY-05/IT/5M]
7. Explain why asynchronous I/O activity is a problem with many memory protection schemes, including base/bounds and paging. Suggest a solution to the problem. [MAY-05/IT/7M]
8. Discuss several guidelines for password selection (218)
33. Qu. On OS Security
9. Authentication means proving identities between entities, which happens in different layers of the network protocol stack for different reasons. Identify these entities and state them.
10. How does the OS protect files in main memory and on secondary devices?
11. Discuss any two techniques of memory and address protection.
12. Explain the use of temporal separation and physical separation for security in a computing environment.
34. Qu. On OS Security
13. (a) Why is user authentication required?
(b) What techniques are used for authentication?
(c) What are the flaws in the user authentication process?
(d) Suggest controls over them.
14. Consider a program to accept and tabulate votes in an election. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm?