1. IT346 Information System Security, Week 5-2: Authentication
Faculty of Information Technology
2. Hashed Passwords
The UNIX scheme does not store the password itself: it stores a hash of the password combined with a salt value. The salt is a random number chosen when the password is set.
3. Hashed Passwords
Loading a new password: the salt and the password are fed together into a hash function (on UNIX, crypt(3)). The resulting hash is stored in the password file together with the plaintext salt and the user ID.
4. Hashed Passwords
Purpose of the salt: two users who choose the same password get different hashes, so the password file does not reveal shared passwords. Offline dictionary attacks become harder: with a b-bit salt, an attacker who precomputes hashes of candidate passwords must compute them under up to 2^b salt values instead of once.
5. Hashed Passwords
Log-in on UNIX: the user presents a user ID and password. The operating system uses the user ID to index the password file and retrieves the plaintext salt and the stored hash. The salt and the supplied password are hashed together; if the result matches the stored hash, the password is accepted.
6. UNIX Implementation
Original scheme: the password is up to 8 characters of 7-bit ASCII, giving a 56-bit input. The hash function crypt(3) is based on DES with a 12-bit salt; the salt alters the DES computation so that off-the-shelf DES hardware cannot be used to speed up guessing, and the software implementation is deliberately slow. Today it is considered inadequate against dictionary attacks run on a supercomputer or a cluster of commodity machines, but it survives where existing account management software requires it.
7. Improved Implementations
Much stronger hash/salt schemes are now available for UNIX. One widely used variant replaces DES with MD5: a 48-bit salt, no practical limit on password length, and a 128-bit hash produced by an iterated inner loop, still accessed through crypt(3). OpenBSD uses bcrypt, built on the Blowfish block cipher: passwords up to 55 characters, a 128-bit salt and a 192-bit hash.
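A worked example of the store-and-verify procedure from slides 2 to 7, added here and not taken from the course slides. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash in place of crypt(3), a 16-byte (128-bit) salt, and a dict standing in for the password file; the user names, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Work factor (PBKDF2 iterations). crypt(3) iterated DES and the MD5 variant
# iterates an inner loop for the same reason: every dictionary guess costs the
# attacker this much work too. The value is an assumption for this example.
ITERATIONS = 50_000
SALT_BYTES = 16  # 128-bit salt, the bcrypt salt size from slide 7


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salt and password are fed into the slow hash together (slide 3)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def add_user(password_file: dict, user_id: str, password: str) -> None:
    """Loading a new password: choose a random salt, hash salt+password, and
    store user ID, plaintext salt and hash. The password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    password_file[user_id] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


def login(password_file: dict, user_id: str, password: str) -> bool:
    """Log-in (slide 5): index the file by user ID, rehash the supplied password
    with the stored salt, and compare with the stored hash."""
    record = password_file.get(user_id)
    if record is None:
        # Hash anyway so an unknown user ID takes as long as a wrong password.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Constructed users; alice and bob deliberately share a password."""
    pw_file: dict = {}
    add_user(pw_file, "alice", "correct horse battery staple")
    add_user(pw_file, "bob", "correct horse battery staple")
    return {
        "alice_ok": login(pw_file, "alice", "correct horse battery staple"),
        "alice_wrong_case": login(pw_file, "alice", "Correct horse battery staple"),
        "unknown_user": login(pw_file, "carol", "anything"),
        # Different salts: the file does not reveal that alice and bob share a password.
        "same_hash_for_same_password": pw_file["alice"]["hash"] == pw_file["bob"]["hash"],
        "salt_length_bits": len(pw_file["alice"]["salt"]) * 8,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record keeps the iteration count next to the salt so the work factor can be raised later for new passwords without breaking verification of old ones, which is what the crypt(3) family does with its `$id$` prefix.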
8. Password Cracking
Dictionary attacks: the attacker builds a large dictionary of likely passwords and tries each one against a stolen password file. Because of the salt, each dictionary word must be hashed with the salt of every account and compared with that account's stored hash; a match reveals the password.
9. Password Cracking
Rainbow table attacks: precompute a table of hash values for every word in the dictionary, then look stolen hashes up instead of recomputing them. With salted hashes the table must cover every possible salt value, so a large salt makes the table impractically big; a long hash output has the same effect.
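A demonstration of slides 8 and 9, added here and not part of the course slides: the same dictionary run against an unsalted and a salted copy of a constructed password file, counting hash computations and lookup tables. The dictionary, the accounts and the use of plain SHA-256 are assumptions; a slow hash such as bcrypt multiplies every count by its work factor without changing the comparison.

```python
import hashlib
import os

# Constructed attacker dictionary and constructed stolen accounts.
DICTIONARY = ["password", "123456", "letmein", "qwerty", "dragon", "monkey", "hunter2", "secret"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "dragon", "dave": "Tr0ub4dor&3"}


def fast_hash(salt: bytes, password: str) -> bytes:
    """Deliberately fast hash so the counts below are pure hash-invocation counts."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_password_file(accounts: dict, salt_bytes: int) -> dict:
    """salt_bytes=0 models an unsalted file; otherwise each account gets its own random salt."""
    password_file = {}
    for user, password in accounts.items():
        salt = os.urandom(salt_bytes)
        password_file[user] = (salt, fast_hash(salt, password))
    return password_file


def dictionary_attack(password_file: dict, dictionary: list) -> tuple:
    """Slide 8: hash every dictionary word under each account's salt and compare.
    Returns ({user: recovered password}, number of hash computations)."""
    cracked, work = {}, 0
    for user, (salt, stored) in password_file.items():
        for word in dictionary:
            work += 1
            if fast_hash(salt, word) == stored:
                cracked[user] = word
                break
    return cracked, work


def precomputed_table_attack(password_file: dict, dictionary: list) -> tuple:
    """Slide 9: build a lookup table hash -> word once per salt value, then look
    each stolen hash up. Returns (cracked, hash computations, tables built)."""
    tables: dict = {}
    cracked, work = {}, 0
    for user, (salt, stored) in password_file.items():
        if salt not in tables:  # every new salt value forces a whole new table
            tables[salt] = {}
            for word in dictionary:
                work += 1
                tables[salt][fast_hash(salt, word)] = word
        if stored in tables[salt]:
            cracked[user] = tables[salt][stored]
    return cracked, work, len(tables)


def duplicate_hashes(password_file: dict) -> int:
    """How many accounts visibly share a password with another account."""
    hashes = [stored for _, stored in password_file.values()]
    return len(hashes) - len(set(hashes))


def compare(salt_bytes: int = 16) -> dict:
    unsalted = make_password_file(ACCOUNTS, 0)
    salted = make_password_file(ACCOUNTS, salt_bytes)
    cracked_u, work_u, tables_u = precomputed_table_attack(unsalted, DICTIONARY)
    cracked_s, work_s, tables_s = precomputed_table_attack(salted, DICTIONARY)
    return {
        "unsalted": {"cracked": sorted(cracked_u), "hashes": work_u, "tables": tables_u,
                     "visible_duplicates": duplicate_hashes(unsalted)},
        "salted": {"cracked": sorted(cracked_s), "hashes": work_s, "tables": tables_s,
                   "visible_duplicates": duplicate_hashes(salted)},
        "per_account_dictionary_hashes": dictionary_attack(salted, DICTIONARY)[1],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare(), indent=2))
```

Against the unsalted file one table of 8 hashes cracks three accounts and exposes that alice and bob share a password; against the salted file the same attack needs one table per salt value, so the precomputation collapses into the per-account dictionary attack. Salt does not save dave's strong password or doom the weak ones; it only removes the attacker's ability to amortise work across accounts and across password files.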
10. Observed Password Lengths
Password crackers exploit the fact that users choose short, guessable passwords. Figure: distribution of password lengths from a Purdue University study on 54 systems and 7000 users.
11. Guessing Passwords
Table: passwords cracked by dictionary attack from a set of 13,797 accounts.
12. Password File Access Control
Block offline guessing attacks by denying access to the hashed (encrypted) passwords: keep them in a shadow password file readable only by a privileged user, and leave only the user IDs in the world-readable file. Remaining vulnerabilities: OS weaknesses or permission mistakes that expose the shadow file, users who reuse the same password on other systems, backup media that contains the password file, and password hashes captured from network traffic.
13. Password Selection Strategies
Users left to themselves choose weak passwords. Two checking strategies: reactive checking, where the administrator periodically runs a password cracker against the password file and cancels the passwords it recovers; and proactive checking, where a candidate password is tested at the moment the user chooses it.
14. Proactive Password Checking
Rule enforcement: for example, at least 8 characters with at least 1 character from each class (upper case, lower case, digit, punctuation). Example checker: http://www.openwall.com/passwdqc/. Alternatives: run a password cracker with a dictionary against the candidate, or compile the dictionary into a Bloom filter (several hash functions set bits for each word) and reject any candidate the filter reports as a dictionary word.
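A proactive checker combining the rule set and the Bloom-filter dictionary from slide 14, added here as an example and not code from the slides or from passwdqc. The word list is constructed and small; the filter is sized for a thousand words, and the hash functions are derived from SHA-256 with a per-function prefix, both choices being assumptions of this example.

```python
import hashlib
import math
import string


class BloomFilter:
    """Compact representation of the forbidden-word dictionary. Each word sets
    k bit positions; a lookup tests those k bits. It can return a false positive
    (an acceptable password rejected) but never a false negative (a dictionary
    word accepted), which is the right failure mode for a password checker."""

    def __init__(self, capacity: int, false_positive_rate: float) -> None:
        # Standard sizing: m bits for the target rate, k hash functions.
        self.m = math.ceil(-capacity * math.log(false_positive_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, word: str):
        # k hash functions H_1..H_k, each SHA-256 with a distinct 2-byte prefix.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + word.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, word: str) -> None:
        for p in self._positions(word):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, word: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(word))


# Constructed dictionary; a real checker loads a list of hundreds of thousands of words.
DICTIONARY = ["password", "letmein", "qwerty", "dragon", "monkey", "welcome", "sunshine", "football"]


def build_filter(words=DICTIONARY, capacity: int = 1000, false_positive_rate: float = 0.001) -> BloomFilter:
    bloom = BloomFilter(capacity, false_positive_rate)
    for word in words:
        bloom.add(word.lower())
    return bloom


def check_password(password: str, bloom: BloomFilter, min_length: int = 8) -> list:
    """Proactive check: rule enforcement plus dictionary lookup.
    Returns the list of reasons to reject; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = {
        "upper case": any(c.isupper() for c in password),
        "lower case": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        reasons.append("missing character class: " + ", ".join(missing))
    # Users defeat naive rules with "Football1!": strip the decoration before the lookup.
    lowered = password.lower()
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in bloom or (core and core in bloom):
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    bf = build_filter()
    for candidate in ["Football1!", "Tr0ub4dor&3", "short", "dragon"]:
        print(candidate, "->", check_password(candidate, bf) or "accepted")
```

The filter holds only bits, not the words, so it can be shipped to every host that sets passwords without distributing the dictionary itself; the price is the small false-positive rate chosen at construction time.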
15. Token Authentication
A token is an object the user possesses: an embossed card, a magnetic stripe card, a memory card or a smart card.
16. Card Types
Card type             Defining feature                                   Example
Embossed              embossed (raised) characters only
Magnetic stripe       magnetic stripe                                    ATM card
Memory                electronic memory inside                           pre-paid card
Smart (contact)       memory and processor inside; electrical contacts   biometric ID card
Smart (contactless)   memory and processor inside; radio antenna         biometric ID card
22. Smart Card Dimensions
Figure: smart card dimensions as specified in ISO 7816-2.
23. Smart Card Memory
Read-Only Memory (ROM): data fixed for the life of the card. Electrically Erasable Programmable ROM (EEPROM): application data and programs, such as the protocols the card executes, plus data that changes over time. Random Access Memory (RAM): temporary working data while an application runs.
24. Smart Card Reader
Figure: communication initialization between a smart card and a reader.
25. Smart Card Communication
When a smart card is inserted into a reader, the reader applies power, a reset and a clock to the card. The card replies with an answer-to-reset (ATR) message that tells the terminal which parameters and protocols the card supports. The terminal may then send a protocol type selection (PTS) command and the card replies with a PTS response; after that, card and terminal exchange commands under the agreed protocol.
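The reader side of the exchange on slide 25, added here as an example that is not from the course slides: decoding the card's ATR as laid out in ISO/IEC 7816-3, choosing a protocol the card offers, and building the PTS request (called a PPS request in the standard). The sample ATR is embedded inline for the demo; the protocol preference order and the Fi/Di value are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Sample ATR embedded inline: direct convention, TD1/TD2 offering T=0 and T=1,
# 15 historical bytes, and a TCK check byte at the end.
SAMPLE_ATR = bytes.fromhex("3B8F8001804F0CA000000306030001000000006A")


@dataclass
class ATR:
    convention: str           # "direct" (TS=0x3B) or "inverse" (TS=0x3F)
    interface_bytes: dict     # e.g. {"TD1": 0x80, "TD2": 0x01}
    protocols: list           # protocol types T offered by the TD bytes
    historical_bytes: bytes
    tck_valid: Optional[bool]  # None when no TCK is present (only T=0 offered)


def parse_atr(atr: bytes) -> ATR:
    """Decode: TS, T0, then per level the optional TA/TB/TC/TD bytes announced
    by the previous Y nibble, K historical bytes, and TCK if needed."""
    if len(atr) < 2:
        raise ValueError("ATR too short")
    convention = {0x3B: "direct", 0x3F: "inverse"}.get(atr[0])
    if convention is None:
        raise ValueError(f"bad TS byte {atr[0]:#04x}")
    y, k = atr[1] >> 4, atr[1] & 0x0F   # Y1: which of TA1..TD1 follow; K: historical bytes
    pos, level = 2, 1
    interface, protocols = {}, []
    while True:
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4)):
            if y & bit:
                interface[f"{name}{level}"] = atr[pos]
                pos += 1
        if not y & 8:
            break
        td = atr[pos]
        pos += 1
        interface[f"TD{level}"] = td
        protocols.append(td & 0x0F)     # low nibble: protocol T; high nibble: next Y
        y = td >> 4
        level += 1
    historical = bytes(atr[pos:pos + k])
    pos += k
    if not protocols:
        protocols = [0]                 # no TD1 means T=0 by default
    tck_valid = None
    if any(t != 0 for t in protocols):
        # TCK present: the XOR of every byte from T0 through TCK must be zero.
        xor = 0
        for b in atr[1:pos + 1]:
            xor ^= b
        tck_valid = xor == 0
        pos += 1
    if pos != len(atr):
        raise ValueError("ATR length does not match its structure")
    return ATR(convention, interface, protocols, historical, tck_valid)


def select_protocol(atr: ATR, preference=(1, 0)) -> int:
    """Terminal side: the first preferred protocol the card offers."""
    for t in preference:
        if t in atr.protocols:
            return t
    raise ValueError("card offers none of the preferred protocols")


def build_pts(protocol: int, fidi: Optional[int] = None) -> bytes:
    """PTS (PPS) request: PPSS=0xFF, PPS0 (low nibble = T, bit 5 set when PPS1
    follows), optional PPS1 carrying Fi/Di, and PCK so that the XOR of all bytes is 0."""
    body = [0xFF, protocol & 0x0F]
    if fidi is not None:
        body[1] |= 0x10
        body.append(fidi & 0xFF)
    pck = 0
    for b in body:
        pck ^= b
    return bytes(body + [pck])


if __name__ == "__main__":
    parsed = parse_atr(SAMPLE_ATR)
    print(parsed)
    print("PTS request:", build_pts(select_protocol(parsed)).hex())
```

A card that accepts the proposal echoes the PTS request back as its response; a terminal should verify TCK before trusting any of the announced parameters, since a corrupted ATR is the first untrusted input it receives from the card.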
26. Biometric Authentication
Authenticates a person by a physical characteristic (static) or a behavioral one (dynamic): facial characteristics, fingerprints, hand geometry, retinal pattern, iris, signature, voiceprint. Technically this is a pattern-recognition problem, which makes biometrics more complex and expensive than passwords or tokens.
27. Biometric Authentication: Facial Characteristics
Defined by the relative location and shape of key facial features. An alternative uses an infrared camera to capture a facial thermogram.
28. Biometric Authentication: Fingerprints and Hand Geometry
Fingerprints: the fingerprint is matched by features extracted from its ridge pattern rather than by the raw image. Hand geometry: features such as the shape and length of the fingers and the hand.
29. Biometric Authentication: Retinal Pattern and Iris
Retinal pattern: the pattern of blood vessels on the retina. A retinal biometric system captures it with a low-intensity beam of visible light or infrared light. Iris: the detailed structure of the iris.
30. Biometric Authentication: Signature and Voice
Signature: the user's signature is matched against a stored sample. Voice: the user's voice pattern is matched against a stored voiceprint.
32. Biometric System
Enrollment: the user presents a name and usually a password or PIN, the biometric sensor captures the user's features, and the system stores them as that user's template.
33. Verification and Identification
Verification: the user presents a PIN (or other identifier) and a biometric sample; the sensor extracts features and compares them against that one user's template to authenticate the claimed identity. Identification: the sensor's features are compared against every template in the database to determine who the user is.
34. Biometric (figure)
35. Biometric Accuracy
Two error rates: the false match rate (an impostor is accepted) and the false non-match rate (a legitimate user is rejected). Moving the decision threshold trades one for the other. High-security applications accept a higher false non-match rate to keep the false match rate low; forensic applications accept a higher false match rate to keep the false non-match rate low.
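A worked example of the threshold trade-off on slide 35, added here and not from the course slides. The matching scores are constructed (ten genuine and ten impostor comparisons on a 0 to 100 scale); the functions compute both error rates at a threshold and pick the threshold a high-security or a forensic deployment would choose.

```python
# Constructed matching scores (0..100): higher means closer to the template.
GENUINE_SCORES = [92, 88, 85, 80, 77, 74, 70, 65, 60, 52]    # legitimate users vs own template
IMPOSTOR_SCORES = [15, 22, 30, 38, 45, 50, 55, 62, 68, 75]   # other people vs that template


def error_rates(genuine, impostor, threshold) -> tuple:
    """A match is declared when score >= threshold.
    FMR: fraction of impostors that match. FNMR: fraction of genuine users that do not."""
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def sweep(genuine, impostor, thresholds) -> list:
    """(threshold, FMR, FNMR) for each threshold: raising it lowers FMR and raises FNMR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def choose_threshold(genuine, impostor, max_fmr=1.0, max_fnmr=1.0):
    """Pick the threshold that respects the given bound on one rate while keeping
    the other as low as possible. Returns (threshold, FMR, FNMR), or None if no
    threshold satisfies the bounds."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(genuine, impostor, t)
        if fmr <= max_fmr and fnmr <= max_fnmr:
            if best is None or fmr + fnmr < best[1] + best[2]:
                best = (t, fmr, fnmr)
    return best


if __name__ == "__main__":
    for t, fmr, fnmr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 90, 10)):
        print(f"threshold {t}: FMR={fmr:.2f} FNMR={fnmr:.2f}")
    # High security: no impostor may pass, whatever it costs legitimate users.
    print("high-security:", choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, max_fmr=0.0))
    # Forensic: no genuine match may be missed, at the price of false matches.
    print("forensic:", choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, max_fnmr=0.0))
```

With these scores a zero false match rate forces the threshold up to 77 and rejects half the genuine users, while a zero false non-match rate drops it to 52 and lets 40% of impostors through; the overlap of the two score distributions, not the threshold, sets the floor on the sum of the two errors.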
36. Biometric Measurement (figure)
37. Remote User Authentication
Authentication across a network, the Internet or another communications link faces extra threats: eavesdropping, which captures a password in transit, and replay of a captured authentication exchange. The usual defence is a challenge-response protocol.
38. Password Protocol
1. The user transmits an identity to the remote host.
2. The host generates a random number r (a nonce) and returns it to the user together with identifiers of a hash function h() and a function f(): the challenge is {r, h(), f()}.
3. The user computes f(r', h(P')), where r' is the nonce just received and P' is the user's password, and returns it to the host.
4. The host does not store the password; it stores the hash h(P_user), or, as in Kerberos-style schemes, a hash bound to the server, h(P_user@server). It computes f(r, h(P_user@server)) and authenticates the user if the value returned matches.
An attacker who captures the exchange learns only f(r', h(P')), not the password, and cannot replay it: to answer the next challenge he would have to produce f(r, h(P)) for a different r, which requires h(P).
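Both sides of the password protocol on slide 38, added here as an example that is not from the course slides. The choice of SHA-256 for h() and of HMAC keyed with h(P) for f() is an assumption (the slide names the functions but does not fix them), as are the credential and the 16-byte nonce.

```python
import hashlib
import hmac
import secrets


def h(password: str) -> bytes:
    """The hash function h() named in the challenge (SHA-256, an assumption)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def f(r: bytes, hashed_password: bytes) -> bytes:
    """The function f() named in the challenge (HMAC keyed with h(P), an assumption)."""
    return hmac.new(hashed_password, r, "sha256").digest()


class Host:
    def __init__(self) -> None:
        self.verifiers = {}   # user -> h(P_user); the password itself is not stored
        self.pending = {}     # user -> nonce r of the outstanding challenge

    def enroll(self, user: str, password: str) -> None:
        self.verifiers[user] = h(password)

    def challenge(self, user: str) -> bytes:
        """Step 2: generate a fresh nonce r and send it (with the names of h and f)."""
        r = secrets.token_bytes(16)
        self.pending[user] = r
        return r

    def verify(self, user: str, r_returned: bytes, response: bytes) -> bool:
        """Step 4: recompute f(r, h(P_user)) and compare with the response.
        The nonce is consumed here, so a captured response cannot be replayed."""
        r = self.pending.pop(user, None)
        if r is None or user not in self.verifiers:
            return False
        if not hmac.compare_digest(r, r_returned):
            return False   # stale or forged nonce: replay attempt
        return hmac.compare_digest(f(r, self.verifiers[user]), response)


class Client:
    def __init__(self, user: str, password: str) -> None:
        self.user, self.password = user, password

    def respond(self, r: bytes) -> tuple:
        """Step 3: return the nonce r' and f(r', h(P'))."""
        return r, f(r, h(self.password))


def demo() -> dict:
    host = Host()
    host.enroll("alice", "correct horse battery staple")   # constructed credential
    alice = Client("alice", "correct horse battery staple")

    r1 = host.challenge("alice")
    on_the_wire = alice.respond(r1)                     # what an eavesdropper captures
    genuine = host.verify("alice", *on_the_wire)

    host.challenge("alice")                             # new session, fresh nonce
    replayed = host.verify("alice", *on_the_wire)       # replay of the captured pair

    r3 = host.challenge("alice")
    wrong = host.verify("alice", *Client("alice", "wrong password").respond(r3))

    host.challenge("alice")                             # fresh nonce again
    stale = host.verify("alice", r1, f(r1, h("correct horse battery staple")))
    return {"genuine": genuine, "replayed": replayed, "wrong_password": wrong,
            "stale_nonce_right_password": stale}


if __name__ == "__main__":
    print(demo())
```

The host's table of h(P) values is password-equivalent in this protocol: anyone who steals it can answer challenges without knowing a password, so it needs the same protection as the shadow file of slide 12.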
40. Static Biometric Protocol
1. The user transmits an identity to the remote host.
2. The host returns a nonce r and an identifier of an encryption function E().
3. The client system contains a biometric device D; it captures the user's biometric B, derives a biometric template BT, and sends E(r', D, BT), encrypted.
4. The host decrypts the message, checks that r' equals the nonce it sent and that D is a registered device, then compares BT against the stored template BT(U) by computing a matching score; the user is authenticated if the score exceeds a threshold.
41. Dynamic Biometric Protocol
As in the static protocol, but the host adds a random sequence x to the challenge, for example a sequence of numbers or characters to be spoken or written. The client produces the biometric signal BS(x') for that sequence using device D and the user's biometric B, and returns E(r', BS(x')). The host decrypts, checks r', and compares BS(x') with the signal expected for the challenge x from the stored template BT().