Authentication New I

INFORMATION SECURITY
Module-II
Arun Anoop M,
Asst. Professor(CSE),
MES College Of Engg.,
Kuttipuram.
02/10/15
ARUN ANOOP M,AP,CSE

dept.,MESCE Kuttipuram
Portions in Authentication
(Module II)
Authentication.
Authentication Methods.
Passwords.
Biometric and examples.
2 factor authentication.
Single sign on
Web cookies.
CAPTCHA
02/10/15
ARUN ANOOP M,AP,CSE

DEMO Section
02/10/15
ARUN ANOOP M,AP,CSE

http://www4.comp.polyu.edu.hk/~csd
zhang/Biocomuting/group09/BA/sysBA
.swf
http://www4.comp.polyu.edu.hk/~cs
dzhang/Biocomuting/group09/BA/wha
tBA.html
zhang/Biocomuting/group09/BA/appB
A.html
zhang/Biocomuting/gp_12/Mm.swf
http://www.godsp.com/apps_presentations/flashcon
02/10/15
ARUN ANOOP M,AP,CSE

Access Control
Two parts
Authentication:
o Determine whether access is allowed

o Authenticate human to machine
o Or authenticate machine to machine
Authorization:
Are you allowed to do that?
ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram
Authentication
choose your own method (and strength)
Authentication vs
Authorization
Authentication
Are you who you say you are?
o Restrictions on who (or what) can access system
Authorization
Are you allowed to do that?
o Restrictions on actions of authenticated users
Authorization is a form of access control
Authentication Methods
How
to authenticate human a machine?

Can be based on
o Something you know
For example, a password
o Something you have

For example, a smartcard
o Something you are

For example, your fingerprint
Authentication
Types
Strong
Authentication
KNOW
HAVE
ARE
*******
Something You
Know(example: PASSWORD)
Lots
of things act as passwords!
o PIN
o Social security number
o Mothers maiden name
o Date of birth
o Name of your pet, etc.
Trouble with Passwords
Passwords are one of the biggest practical

problems facing security engineers today.
Humans are incapable of securely storing

high-quality cryptographic keys.
Keys vs Passwords
Crypto keys
64 bits
cryptographic keys
Then 264 keys
Choose key at
random.
Then attacker must
try about 263 keys
Passwords
8 characters long
with 256 possible
choices for each
characters.
264 possible pwds
Users do not select
passwords at random
Attacker has
263pwds to try
Good and Bad Passwords

Bad
o
o
o
o
o
o
o
passwords
Good
frank
Fido
password
4444
Pikachu
102560
AustinStamp
Passwords?
o jfIej,43j-EmmL+y
o 09864376537263
o P0kem0N
o FSa7Yago
o 0nceuP0nAt1m8
o PokeGCTall150
Password File?
Bad
idea to store passwords in a file

But need a way to verify passwords
Cryptographic solution: hash the pwd
o Store y = h(password)
o Can verify entered password by hashing
o If Trudy obtains password file, she
does not obtain passwords
But
Trudy can try a forward search
o Guess x and check whether y = h(x)
Salt
Hash password with salt
Choose random salt s and compute

y = h(password, s)
and store (s,y) in the password file
The salt s is not secret
Easy to verify salted password
Other Password Issues
Too many passwords to remember

o Password reuse
Failure to change default passwords
Bugs(Program errors), keystroke logging,

spyware, etc.
Passwords
Password cracking is too easy

o One weak password may break security
o Users choose bad passwords
o Social engineering attacks, etc.
Password Cracking Tools
Popular password cracking tools

o Password Crackers
o Password Portal
o L0phtCrack and LC4 (Windows)
o John the Ripper (Unix)
Good articles on password cracking

o Passwords - Conerstone of Computer Security
o Passwords revealed by sweet deal
Biometrics
Two categories of
biometrics:
Something You Are
Biometric
o You are your key
Examples
Schneier
o Fingerprint
o Handwritten signature
o Facial recognition
o Speech recognition
o Gait (walking) recognition
Are
Know
Have
Why Biometrics?
More secure replacement for passwords
Biometrics are used in security today

o Thumbprint mouse
o Palm print for secure entry
o Fingerprint to unlock car door, etc.
Biometric Modes
Identification
Who goes there?
o Compare one to many

o Example: The FBI fingerprint database.
o facial recognition is used for identification.
Authentication
Are you who you say you are?
o Compare one to one

o Example: Thumbprint mouse
Identification problem is more difficult

o More random matches since more comparisons
Identification:
is to identify the subject from a list

of many possible subjects.
1 to many.
Example: FBI fingerprint database.
Authentication:
Alice uses thumbprint mouse
biometrics(Captured thumbprint
image==stored thumbprint image).
Enrollment vs Recognition
Enrollment phase
o Subjects biometric info put into database.
o A sample of biometric trait is captured,
processed by a computer , and stored for later

comparison.
Recognition phase
o Biometric system authenticates a person's
claimed identity from their previously enrolled

pattern.
Biometric Errors
Fraud rate versus insult rate

o Fraud
Trudy mis-authenticated as Alice (Rate

at which mis-authentication occurs)
o Insult
Alice not authenticated as Alice (Alice

tries to authenticate herself but system fails to
authenticate her).
For example
o 99% voiceprint match low fraud, high insult
o 30% voiceprint match high fraud, low insult
Equal error rate: rate where fraud == insult
BIOMETRIC EXAMPLES
1)Facial
recognition
2)Finger print verification
3)Hand Geometry
4)Retina Scanning
5)Iris scanning
6)Voice Verification
7)Signature verification
BIOMETRIC EXAMPLES
FINGERPRINTS
HAND
GEOMETRY
IRIS SCAN
BIOMETRIC ERROR RATES
BIOMETRIC CONCLUSION
Fingerprint[1]
Were
used in ancient China as a form

of signature.
Use of fingerprints as a scientific
form of identification.
Fingerprints are routinely used for
identification, particularly in criminal
cases.
Stages
Fingerprint Comparison
Examples of loops, whorls, and arches
Minutia(points) extracted from these
features
Loop (double)
Whorl
Arch
Fingerprint: Enrollment
Capture image of fingerprint
Enhance image
Identify points
Fingerprint: Recognition
Extracted points are compared with

information stored in a database
Do identical twins fingerprints differ?
Hand Geometry[2]
A popular biometric
Measures shape of hand
o Width of hand, fingers

o Length of fingers, etc.
Human hands not unique

Hand geometry sufficient
for many situations
Not suitable for
identification.
Easy & quick to measure.
Measures shape of hand

o Width of hand, fingers
ARUN ANOOP M,AP,CSE dept.,MESCE

Kuttipuram
o Length
of fingers,
etc.
Hand Geometry
Advantages
o Quick
1 minute for enrollment, 5

seconds for recognition
o Hands are symmetric.

Disadvantages
o Cannot use on very young or very old

o Relatively high equal error rate
Iris Scan[3]
Best
for authentication.
Pattern
is stable throughout lifetime.
Captured
Stored Image
Image Pattern
Pattern
Mapping patterns
Iris Patterns
Iris(colored part of eye) is chaotic
Little or no genetic influence
Different even for identical twins
Automated iris scanner

First
locate the iris.

Take black & White photo of eye.
Use polar coordinates.
Resulting image processed using 2D
wavelet transform.
Result: 256byte(2048bit) iris code.
[1]
[2]
[4]
[3]
256Byte
[5]
Measuring Iris Similarity
Iris codes compared Based on Hamming

distance.
X is Alices scanned iris in recognition phase.
Y is Alices iris scan stored in scanners

database from enrollment phase.
X & Y compared by computing the distance

d(X,Y) between X & Y as defined by
d(X,Y)=number of non-match bits/number of

bits compared.
Perfect match, d(X,Y)=0
Match
case: Alices data from

enrollment phase is compared to her
scan data from the recognition phase.
Non-match data
Provides
information on
fraud rate
Match data
Provide
information
on insult
rate
Under laboratory conditions

For
the same iris:

Expected distance->0.08
For different iris:
Expected distance->0.50
Match
if the distance is less than 0.32
Otherwise Non-match.
Match
data provide information on

the insult rate.
Non-match data provide information
on the fraud rate.
Histogram
based
on
million
comparisons.
Overlapping region between match &
non-match-----Misidentification
occurs.
Attack on Iris Scan

Good
photo of eye can be scanned
o Attacker could use photo of eye

Afghan
woman was authenticated by

iris scan of old photo
o Story is here
To
prevent attack, scanner could use

light to be sure it is a live iris
Equal Error Rate Comparison
Equal error rate (EER): fraud == insult rate
Fingerprint biometric has EER of about 5%

Hand geometry has EER of about 10-3
Iris scan has EER of about 10-6
Biometrics is useful for authentication

Not for identification
arunanoopm@gmail.com
+919497394076

Authentication New I

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Authentication New I

Diunggah oleh

Hak Cipta:

Format Tersedia

INFORMATION SECURITY

ARUN ANOOP M,AP,CSE

ARUN ANOOP M,AP,CSE

ARUN ANOOP M,AP,CSE

ARUN ANOOP M,AP,CSE

o Determine whether access is allowed

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Are you who you say you are?

o Restrictions on who (or what) can access system

Are you allowed to do that?

o Restrictions on actions of authenticated users

Authorization is a form of access control

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

to authenticate human a machine?

o Something you have

o Something you are

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

of things act as passwords!

Trouble with Passwords

Passwords are one of the biggest practical

Humans are incapable of securely storing

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Good and Bad Passwords

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

idea to store passwords in a file

does not obtain passwords

Trudy can try a forward search

o Guess x and check whether y = h(x)

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Hash password with salt

Choose random salt s and compute

The salt s is not secret

Easy to verify salted password

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Other Password Issues

Too many passwords to remember

Failure to change default passwords

Bugs(Program errors), keystroke logging,

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Password cracking is too easy

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Password Cracking Tools

Popular password cracking tools

Good articles on password cracking

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Something You Are

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

More secure replacement for passwords

Biometrics are used in security today

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

Who goes there?

o Compare one to many

Are you who you say you are?

o Compare one to one

Identification problem is more difficult

ARUN ANOOP M,AP,CSE dept.,MESCE Kuttipuram

is to identify the subject from a list

processed by a computer , and stored for later

claimed identity from their previously enrolled