
Chapter-2

Identification & Authentication


Introduction
 To secure a network, the first step is to prevent unauthorized access to it.
 This is achieved with an authentication mechanism. Identification is the act of claiming an identity (e.g. presenting a username); authentication is the act of proving that claim.
 When one node wants to communicate with another node in a network in a secure manner, they use an authentication mechanism:
  the node that wants to communicate has to prove its identity to the network so that its right to access the network resources can be determined (authorization follows authentication).
Types of Authentication
Authentication methods fall into three classes:

  Knowledge based        | Artifact based                | Biometric based
  authentication         | authentication                | authentication
  -----------------------+-------------------------------+---------------------------
  Usernames and          | Smart cards, certificates,    | Fingerprint, iris,
  passwords              | tokens, digital signatures    | signature dynamics

 All of the above can be briefly identified as:
  Knowledge based authentication is based on "what you know", i.e. what the user knows, e.g. usernames, passwords, keys (secrets) etc.
  Artifact based authentication is based on "what you possess", i.e. what the user has, such as certificates, tokens, smart cards etc.
  Biometric based authentication is based on "what you are", i.e. an inherent physical or behavioural characteristic of the user, measured by biometric techniques.
 Combining factors from two different classes (e.g. a PIN plus a smart card) gives two-factor authentication; two secrets from the same class do not.
Password Based Authentication
 The most popular mechanism of knowledge based authentication is the password.
 In this method the user who wants to communicate with the server provides a username and password to the server in order to prove his identity in the network.
 Password: a character string used to authenticate an identity (of a user). Its strength rests on the secret being known only to the user and the verifier.
 Password systems can be of one of the following types:
  Plain-text password based systems
  Encrypted (or, for storage, hashed) passwords
  One time passwords
  Challenge and response based systems
Password Policy
 A good password is one that is easy to remember but difficult to guess.
 Passwords should not be dictionary words, proper nouns, or foreign words.
 Passwords should be a mixture of upper and lowercase characters along with numbers.
 Users should never disclose their passwords to anybody unless they know them to be authorized. In practice nobody legitimately needs a user's password (an administrator can reset it), so any request for it should be treated as a social-engineering attempt.
 Systems administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords.
 They should set password expiration dates on all programs being run on the organization's systems. (Current guidance, e.g. NIST SP 800-63B, instead recommends forcing a change only when compromise is suspected, because scheduled expiry pushes users toward predictable variations of the old password.)
Password Based Systems
 Plain-text password based systems: these systems are not secure, as a password sent in clear text can be captured by anyone on the network path (a sniffing or man-in-the-middle attack), and a password file kept in clear text is fully exposed if the server is compromised.
 Encrypted passwords: the password is protected in transit by encrypting the connection that carries it (e.g. with TLS), so that an intruder on the wire cannot read it, and protected at rest by storing only a one-way hash of it rather than the password itself. At login the server hashes the submitted password and compares the result with the stored hash; the password itself is never stored.
 Algorithms commonly mentioned for password protection are:
  • SHA, MD5: one-way hash functions, used for storing password hashes. A bare, unsalted MD5 or SHA-1 hash is no longer adequate; modern systems store a salted hash computed with a deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2.
  • RSA: a public-key algorithm, used to set up the encrypted channel that carries the password, not to store it.
One Time Passwords
 Even an encrypted or hashed password, once recovered by the intruder, can be replayed to reach critical data. One idea is to use a new password every time the user logs in, so that a captured password is worthless afterwards.
 One time password systems can be of two types:
  Challenge response, e.g. the RSA SecurID system (SecurID tokens are in fact time-synchronised rather than challenge-driven: token and server compute the same short-lived code from a shared seed and the current time)
  Codebook, e.g. S/Key


One Time Passwords
 Challenge Response authentication:
  When a new session is being established, the server issues a challenge string to the client which is different every time (a nonce).
  After receiving this challenge string the user types in his or her pass phrase for the session.
  The client then computes a secure hash over the pass phrase combined with the challenge, using one of the MD4, MD5 or SHA1 hashing algorithms (today a keyed construction such as HMAC with SHA-2 would be used).
  The variables required for calculating the hash (for S/Key-style schemes, the seed and the sequence number) are carried in the challenge string issued by the server.
  When the server receives the hash value sent by the client, it compares it with the value it has calculated itself from the stored secret, the same challenge and the same hashing algorithm.
  If there is a match, the user is authenticated. Because the challenge never repeats, a response captured on the wire cannot be replayed in a later session, and the pass phrase itself never crosses the network.
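The exchange described above, as an added example that is not part of the original slides: a challenge-response login in Python, using HMAC-SHA256 in place of the MD4/MD5/SHA1 hash. The user table, the pass phrase and the `login` and `replay_attack` functions are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side table: username -> shared secret (the user's pass phrase).
# Trade-off to note: to recompute the response the server must hold the secret
# (or a key derived from it), so this table needs the same protection a password
# file does.
SERVER_SECRETS = {"alice": b"correct horse battery staple"}

# Outstanding challenges, one per login attempt: username -> nonce.
ISSUED_CHALLENGES = {}


def server_issue_challenge(username):
    """Server side: generate a fresh random nonce for this login attempt."""
    nonce = secrets.token_bytes(16)
    ISSUED_CHALLENGES[username] = nonce
    return nonce


def client_respond(passphrase, challenge):
    """Client side: prove knowledge of the pass phrase without ever sending it.
    HMAC keys the hash with the secret, so the response reveals nothing useful
    to an eavesdropper and cannot be forged without the pass phrase."""
    return hmac.new(passphrase, challenge, hashlib.sha256).digest()


def server_verify(username, response):
    """Server side: recompute the expected response and compare in constant time.
    The challenge is consumed whether or not the check succeeds, so a response
    captured on the wire cannot be replayed against the same nonce."""
    challenge = ISSUED_CHALLENGES.pop(username, None)
    secret = SERVER_SECRETS.get(username)
    if challenge is None or secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login(username, passphrase):
    """One complete session: challenge, response, verification."""
    challenge = server_issue_challenge(username)
    return server_verify(username, client_respond(passphrase, challenge))


def replay_attack():
    """An eavesdropper records alice's valid response and resends it in a later
    session. Returns the server's verdict on the replay (False)."""
    challenge = server_issue_challenge("alice")
    captured = client_respond(SERVER_SECRETS["alice"], challenge)
    assert server_verify("alice", captured)        # the genuine login succeeds
    server_issue_challenge("alice")                 # a new session gets a new nonce
    return server_verify("alice", captured)         # the old response no longer matches


if __name__ == "__main__":
    print("alice, right pass phrase:", login("alice", b"correct horse battery staple"))
    print("alice, wrong pass phrase:", login("alice", b"guess"))
    print("replayed response accepted:", replay_attack())
```

The nonce must be unpredictable, not merely unique: a counter-based challenge lets an attacker request the response for a future challenge in advance. The constant-time comparison matters because a byte-by-byte early exit would let an attacker learn the expected response one byte at a time from timing.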


Code Book Scheme
 A codebook is a list of passwords that are used, one at a time, and then never reused.
 With the system each user is given a mathematical algorithm which is used to generate a sequence of passwords (in S/Key the sequence is a hash chain: each password is the hash of the next one to be used, so an observed password reveals nothing about the ones still to come).
 The user can either run this algorithm on a portable computer when needed, or can print out a listing of the generated passwords as a paper codebook.
 When a user wants to log in to a system, the user either looks up the next password in the codebook or generates the next password in the virtual codebook.
 This password is then given to the system as the password.
 The user may also need to specify a fixed password along with the codebook entry, so that a stolen paper codebook alone is not enough to log in.
Code Book Scheme
The
Sendpassword
me new
The password
matches me
Send with new
my
password
matches withfor
password
code book
my
for
entry.
code book entry.
authenticatio
You
Youare
authenticatio
are
authenticated
nauthenticated. .
n

User sends next password from code book

Server’s code book


Client’s Code book
…………
…………
………….
………….
………….
………….
………….
………….
…………..
…………..
………….
………….
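The codebook scheme above, as an added example that is not part of the original slides: an S/Key-style hash chain in Python (the secret, seed and chain length are constructed for the illustration, and SHA-256 stands in for the MD4 that S/Key used). The client derives p_0 from its secret and a seed and hashes forward n times; only p_n is handed to the server, and each login presents the next lower entry.

```python
import hashlib
import hmac


def h(x):
    """The one-way function of the chain (S/Key used MD4; SHA-256 here)."""
    return hashlib.sha256(x).digest()


def generate_codebook(secret, seed, n):
    """Client side. p_0 = H(secret || seed), p_i = H(p_{i-1}). Returns [p_0 .. p_n].
    The secret never leaves the client; the server is given p_n only."""
    chain = [h(secret + seed)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


def paper_codebook(chain):
    """The printable listing: entries in the order they will be used (p_{n-1} first),
    as short hex strings a user can type."""
    return [(i, chain[i].hex()[:16]) for i in range(len(chain) - 2, -1, -1)]


class Server:
    """Stores only the last accepted password (initially p_n) and a counter.
    Because H is one-way, nothing in this state lets an attacker compute the
    next password the client will present."""

    def __init__(self, last_password, counter):
        self.last = last_password   # p_counter
        self.counter = counter      # the next entry expected is p_{counter-1}

    def login(self, presented):
        if self.counter == 0:
            return False            # chain exhausted: the user must re-enrol
        if not hmac.compare_digest(h(presented), self.last):
            return False            # not the next entry (reused, skipped or forged)
        self.last = presented       # advance: the presented value is now the anchor
        self.counter -= 1
        return True


def demo():
    """Run one user through enrolment, logins, a replay, a skip and exhaustion."""
    secret, seed, n = b"alice-secret", b"host7:seed", 5   # constructed values
    chain = generate_codebook(secret, seed, n)
    server = Server(chain[n], n)                          # enrolment: only p_n leaves the client
    first = server.login(chain[n - 1])                    # True: h(p_{n-1}) == p_n
    replay = server.login(chain[n - 1])                   # False: server now expects a pre-image of p_{n-1}
    skip = server.login(chain[n - 3])                     # False: h(p_{n-3}) == p_{n-2}, not p_{n-1}
    rest = [server.login(chain[i]) for i in range(n - 2, -1, -1)]   # all True
    exhausted = server.login(chain[0])                    # False: counter is 0
    return first, replay, skip, rest, exhausted


if __name__ == "__main__":
    print(demo())
```

Real S/Key sends the sequence number and seed to the client as the challenge, so the client knows which entry to compute, and lets the server accept an entry further down the chain by hashing it several times; this simplified server accepts exactly the next entry. Either way, an eavesdropper who captures p_k cannot produce p_{k-1} without inverting H.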
Weak versus Strong Passwords
 Weak passwords may be of one of the following types:
  User's personal information like name, vehicle number, phone number.
  A dictionary word.
  An easy to remember sequence of characters or alphanumeric characters like qwerty, abc123.
 If supplied in plain text, or if their hashes leak, weak passwords are easy to hack or crack using any of these methods:
  Brute-force attack (trying every possible string up to some length).
  Dictionary attack (trying words and common passwords, usually with simple variations such as appended digits).
 Strong Passwords: as weak passwords are easy to guess, it is recommended to use a password which:
  is of at least 8 characters length (longer is better: each extra character multiplies the search space an attacker must cover).
  contains at least one numeric character.
  contains at least one special character.
  doesn't contain any dictionary word.
 They should also be easy to remember, otherwise users end up writing a difficult to remember password down near their desk. A long passphrase of several unrelated words satisfies both requirements better than a short string of symbols.
Password selection strategies
 Password selection strategies:
  User education: users are told what makes a password strong and how to choose one.
  Computer generated passwords: the system chooses a random password for the user; strong, but hard to remember, so users tend to write them down.
  Reactive password checking: the system periodically runs a password cracker against its own password file and makes the owners of any cracked passwords change them.
  Proactive password checking: the password is checked at the moment the user chooses it.
 The most secure method of good and strong password selection is proactive password checking, in which the user selects his own password and, at the time of selection, the system checks whether the password is allowable or not (against length and composition rules, a dictionary and the user's personal information) and rejects it with a reason if it is not.
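A proactive password checker that applies the rules from the password policy and weak-versus-strong slides above (length, character classes, no dictionary word, no personal information, no keyboard sequences) and returns every reason for rejection, added here as an example that is not from the original deck. `DICTIONARY` and `KEYBOARD_RUNS` are tiny constructed stand-ins for the real word lists such a checker would load.

```python
import re

# Constructed word list and keyboard sequences; a deployment would load large files.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "summer", "london"}
KEYBOARD_RUNS = ["qwerty", "asdfgh", "zxcvbn", "abc123", "123456", "abcdef"]


def check_password(candidate, personal_info=()):
    """Return the list of policy violations; an empty list means the password is allowed.
    personal_info holds strings the user must not embed (name, vehicle number, phone)."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", candidate):
        problems.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs at least one special character")
    # Strip digits and punctuation so that "Password1!" is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", lower)
    if core in DICTIONARY or any(w in lower for w in DICTIONARY if len(w) >= 5):
        problems.append("contains a dictionary word")
    if any(run in lower for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard or counting sequence")
    for item in personal_info:
        if item and item.lower() in lower:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    for pw in ("Password1!", "qwerty", "Tr0ub4dor&3"):
        verdict = check_password(pw) or ["allowed"]
        print(f"{pw!r}: {', '.join(verdict)}")
    print(check_password("Ravi-MH12AB1234x", ["Ravi", "MH12AB1234"]))
```

Returning every violation at once, rather than the first, lets the user fix the password in one attempt. Current guidance (NIST SP 800-63B) adds a screen against lists of passwords exposed in breaches and relaxes forced character classes in favour of length; that check plugs in beside the dictionary lookup.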
Password vulnerabilities & attacks
 Possible vulnerabilities of passwords are:
  Guessing, cracking & spoofing (a fake login screen that captures the password)
  Testing the password file (an attacker who obtains the file of stored hashes can test guesses offline, at full speed and without triggering lockouts)
 Countermeasures against these vulnerabilities:
  Proactive password checkers
  Shadow password files (the hashes are moved out of the world-readable password file into one that only privileged processes can read)
 Password related attacks:
  Password cracking (recovering passwords from captured hashes)
  Brute force attack
  Dictionary attack
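The storage schemes from the "Password Based Systems" slide and the cracking attacks listed above, worked through in one added Python example that is not from the original slides: the same three constructed users are stored as plain text, as unsalted MD5 hashes and as salted PBKDF2 hashes, and a dictionary attack is run against each store. `USERS`, `WORDLIST` and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed data: three users and a small attacker word list.
USERS = {"alice": "dragon", "bob": "summer2024", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "welcome", "dragon", "letmein", "summer2024", "qwerty"]
ITERATIONS = 50_000   # demo value; deployments use more, or bcrypt/scrypt/Argon2


def md5_hex(password):
    """Scheme 2: a bare, unsalted hash. One-way, but identical passwords give
    identical hashes and the attacker can hash the word list once for all users."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Scheme 3: per-user random salt plus a deliberately slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": key}


def pbkdf2_verify(password, record):
    """Login check: recompute with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["hash"])


def crack_unsalted(stored):
    """Dictionary attack on unsalted MD5: hash every word once, then look every
    user's hash up in that table. The cost does not grow with the number of users."""
    table = {md5_hex(word): word for word in WORDLIST}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def crack_salted(stored):
    """Dictionary attack on salted PBKDF2: the salt forces a fresh run of the
    word list per user, and every guess costs `iterations` HMAC computations.
    Returns the passwords found and the number of guesses spent."""
    found, guesses = {}, 0
    for user, record in stored.items():
        for word in WORDLIST:
            guesses += 1
            if pbkdf2_verify(word, record):
                found[user] = word
                break
    return found, guesses


def demo():
    plaintext = dict(USERS)                                       # scheme 1: nothing to crack
    unsalted = {u: md5_hex(p) for u, p in USERS.items()}          # scheme 2
    salted = {u: pbkdf2_record(p) for u, p in USERS.items()}      # scheme 3
    return {
        "plaintext_exposed": plaintext,
        "md5_cracked": crack_unsalted(unsalted),
        "pbkdf2_cracked": crack_salted(salted),
        "carol_can_still_log_in": pbkdf2_verify(USERS["carol"], salted["carol"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salting does not rescue a weak password: alice and bob fall to the word list in every scheme. What it changes is the cost model, from one hash per word for the whole file to one slow derivation per word per user, which is why carol's password, absent from the list, is the only real defence.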
Artifact Based Authentication
 This method deals with the possession of an artifact, i.e. an item held by the user, display of which enables the user to be authenticated.
 Popular examples of this method are smart cards, digital signatures, certificates etc.
Digital Signatures
 Digital signatures are based on public key cryptography.
 Digital signatures are used to verify whether a document sent by a person was really sent by him (authenticity) and has not been changed on the route through which it came (integrity).
 A digital signature user must have a key pair:
  Public key: known to all (made public, usually inside a certificate).
  Private key: only known to the key pair owner.
 Digital signatures work as follows: the signer computes a hash of the document and transforms it with the private key to produce the signature; anyone holding the public key can reverse the transform and compare the result with their own hash of the document. A mismatch means the document was altered or was not signed by the holder of the private key.
Smart Cards
 Smart cards are hardware devices that provide much more secure authentication, because the key material is stored, and the cryptographic operations are performed, inside a tamper-resistant chip.
 They are of the size of a credit card and contain a small chip which stores the private key and a copy of the certificate; the private key is generated on, or loaded into, the chip and is never exported from it.
 A PIN (Personal Identification Number) is used in association with the smart card to provide more secure authentication.
 [Figure: a smart card and a card reader.] Card readers are used to read the information from a smart card and to pass challenges to it.
Working of smart cards
 The authentication method used in smart cards is the challenge response type of authentication.
 When the user inserts his smart card in a card reader, the program stored on the client system asks the user for his unique PIN.
 The user enters the PIN; the card itself checks it, and if the PIN is correct the communication between the client application and the smart card starts.
 A challenge response procedure then takes place between the client and the server:
  The server sends a fresh random challenge.
  The private key on the card is used to encrypt (i.e. sign) the challenge, and the result is transferred to the server. The private key never leaves the card; only the signed challenge does.
  The public key stored on the server (taken from the user's certificate) is used to decrypt the data, i.e. to verify the signature.
  If the recovered value matches the challenge the server sent, the user is authenticated. A response captured on the wire is useless later, since the next session uses a different challenge.
Advantages of Smart Cards
 This is a very secure authentication mechanism because:
  the process works on two-factor authentication: what you know (the PIN) and what you have (the smart card holding the private key).
  brute force and dictionary attacks on the PIN don't work, as the card allows only a limited number of PIN entries before it locks itself; and the private key is far too large to guess and cannot be copied off the card.
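The digital-signature mechanism from the "Digital Signatures" slide and the smart-card challenge-response login from the slides just above, in one added Python example that is not from the original deck. It uses textbook RSA (hash raised to the private exponent, no padding) with a key built from two fixed Mersenne primes so that it runs with the standard library alone; this is a teaching construction, not a secure signature scheme, which would use RSA-PSS or ECDSA from a proper library with properly generated keys. `SmartCard`, `Server`, the PIN, the retry limit and the challenge size are constructed for the illustration.

```python
import hashlib
import secrets

# Constructed key pair: two Mersenne primes, fixed so the example needs no prime
# generator. Textbook RSA without padding is NOT a secure signature scheme.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def digest(message):
    """Hash the document first; the signature covers the hash, which is < N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, d, n):
    """Signer: transform the hash with the private key (the 'encrypt with the
    private key' step on the slide)."""
    return pow(digest(message), d, n)


def verify(message, signature, e, n):
    """Verifier: undo the transform with the public key and compare with an
    independently computed hash of the document."""
    return pow(signature, e, n) == digest(message)


class SmartCard:
    """Holds the private key; it never leaves the chip. The PIN gates signing and
    the card locks itself after MAX_TRIES consecutive wrong PINs."""
    MAX_TRIES = 3

    def __init__(self, pin, d, n):
        self._pin, self._d, self._n = pin, d, n
        self.tries_left = self.MAX_TRIES
        self.unlocked = False

    def verify_pin(self, pin):
        if self.tries_left == 0:
            return False                                  # locked for good
        if secrets.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left = self.MAX_TRIES
            self.unlocked = True
            return True
        self.tries_left -= 1
        return False

    def sign_challenge(self, challenge):
        if not self.unlocked:
            raise PermissionError("PIN not verified")
        return sign(challenge, self._d, self._n)


class Server:
    """Knows each user's public key (from the certificate) and issues a fresh
    random challenge per login."""

    def __init__(self, public_keys):
        self.public_keys = public_keys     # user -> (e, n)
        self.pending = {}

    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def check(self, user, signature):
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in self.public_keys:
            return False
        e, n = self.public_keys[user]
        return verify(nonce, signature, e, n)


def demo():
    results = {}
    doc = b"Transfer 100 to Bob"                           # document signature
    sig = sign(doc, D, N)
    results["doc_ok"] = verify(doc, sig, E, N)
    results["tampered_ok"] = verify(b"Transfer 900 to Bob", sig, E, N)

    card = SmartCard("4321", D, N)                         # smart-card login
    server = Server({"alice": (E, N)})
    results["wrong_pin"] = card.verify_pin("0000")
    results["pin_ok"] = card.verify_pin("4321")
    nonce = server.challenge("alice")
    response = card.sign_challenge(nonce)
    results["login_ok"] = server.check("alice", response)
    server.challenge("alice")                              # attacker opens a later session
    results["replay_ok"] = server.check("alice", response)

    locked = SmartCard("4321", D, N)                       # PIN guessing hits the retry limit
    for guess in ("0000", "1111", "2222"):
        locked.verify_pin(guess)
    results["locked_out"] = locked.verify_pin("4321")
    return results


if __name__ == "__main__":
    print(demo())
```

The same `sign`/`verify` pair serves both uses on the slides: over a document it gives authenticity and integrity, over a server nonce it proves possession of the card. The server stores no secret at all, only public keys, which is the practical advantage over the password and HMAC schemes earlier in the chapter.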
Applications of Smart Cards
 Although smart cards are new in India, in many other countries they are used extensively for applications like:
  Electronic toll collection
  Financial services
  Healthcare services
  Cellular phones (the SIM is a smart card)
  Set-top boxes
  Secure network access
Biometric Techniques
 Biometrics comprises the techniques for measuring human beings and the statistical methods of processing these measurements. In the field of identification, biometrics uses computers to identify or authenticate the identity of a person based on the measurement of at least one physical characteristic, e.g. fingerprint, retinal image, DNA etc.
 Biometric Identification: consists in finding one person out of a number of people based on the analysis of a physical characteristic such as a fingerprint or an image of the iris (a one-to-many search). Biometric verification, the usual case for authentication, compares the sample against the single stored template of the claimed identity (a one-to-one match). The characteristic is collected by a sensor, analysed and compared by software to previously collected personal data.
 Working of biometric techniques: it basically works in three steps:
  Capturing a biometric sample from an individual
  Storing the captured sample as the reference sample (the template); the template must be protected, because unlike a password a compromised biometric cannot be changed.
  Matching the current captured sample with the stored reference sample; two captures are never identical, so the match yields a similarity score that is compared against a threshold.
Types of Biometric techniques
 Biometrics can be classified into two categories:
  Physiological biometric techniques such as fingerprints, hand geometry, palm recognition, iris recognition, DNA analysis etc.
  Behavioural techniques which depend on the behaviour of a person, such as signature dynamics, keystroke dynamics etc.
 Signature Dynamics: is a technique that is based on the dynamics of making a signature rather than a direct comparison of a written signature with a stored one.
 Factors that are measured for signature dynamics are acceleration rates, directions, pressure, stroke length etc.
Effectiveness of biometric techniques
 Biometric techniques are evaluated on three basic criteria:
  i) False Rejection Rate (FRR): the percentage of authorized users that are denied access because the system fails to match them against their own template (a type I error).
  ii) False Acceptance Rate (FAR): the percentage of unauthorized users allowed access (a type II error).
  iii) Cross over error rate (CER): the point at which the number of false rejections equals the number of false acceptances. It is also known as the equal error rate (EER).
 The two rates are tied together by the matching threshold: raising it lowers FAR but raises FRR, and vice versa. The CER is a threshold-independent figure used to compare devices; a deployment then picks a threshold on the side that matters more (low FAR for access control, low FRR for convenience).
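A worked computation of FRR, FAR and the crossover point on constructed match scores, added here as an example that is not from the original slides. `GENUINE` holds similarity scores from enrolled users matching their own template and `IMPOSTOR` scores from other people; both lists are made up for the illustration, as is the `threshold_for_far` operating-point helper.

```python
# Constructed similarity scores in [0, 1]; higher means "more like the template".
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.65, 0.58, 0.52]   # enrolled users
IMPOSTOR = [0.12, 0.18, 0.23, 0.31, 0.36, 0.41, 0.47, 0.55, 0.61, 0.70]  # other people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FRR, FAR) when a sample is accepted iff its score >= threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)      # authorised, rejected
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)   # unauthorised, accepted
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep the threshold and return (threshold, CER) where FRR and FAR are closest.
    The CER reported is the mean of the two rates at that threshold."""
    def gap(t):
        frr, far = error_rates(t, genuine, impostor)
        return abs(frr - far)
    best = min((i / steps for i in range(steps + 1)), key=gap)
    frr, far = error_rates(best, genuine, impostor)
    return best, (frr + far) / 2


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Operating point for a security-sensitive deployment: the lowest threshold
    whose FAR does not exceed max_far, together with the FRR paid for it."""
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


def roc_table(genuine=GENUINE, impostor=IMPOSTOR, steps=10):
    """(threshold, FRR, FAR) at evenly spaced thresholds, to see the trade-off."""
    return [(i / steps,) + error_rates(i / steps, genuine, impostor) for i in range(steps + 1)]


if __name__ == "__main__":
    for t, frr, far in roc_table():
        print(f"threshold {t:.1f}: FRR {frr:.1f}  FAR {far:.1f}")
    print("crossover (threshold, CER):", crossover())
    print("zero-FAR operating point (threshold, FRR):", threshold_for_far(0.0))
```

On these scores the crossover sits near a threshold of 0.6 with CER 0.2, while insisting on zero false acceptances forces the threshold above the highest impostor score and rejects 40% of genuine attempts. That asymmetry is the practical content of the three criteria: the CER ranks devices, but the deployment chooses where on the curve to sit.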
