
UNIVERSITAS MULTIMEDIA NUSANTARA (UMN)

IF 401 - COMPUTER SECURITY

02. USER AUTHENTICATION

Slamet Aji Pamungkas

Tangerang, February 2023

"The carelessness of a single person is enough to cause the collapse of the nation."

Major General TNI Dr. Roebiono Kertopati (1914 - 1984)
Father of Cryptography of the Republic of Indonesia
INTRODUCTION

Computers have replaced many face-to-face interactions with electronic ones:
• Computer systems lack the cues of face-to-face communication that let us recognize our friends.
• Instead, computers rely on data to recognize other people.

The basis of computer security is controlled access:
• Someone is authorized to perform some action on something.
• For access control to work, we need to be sure who that "someone" is.
• If that person's identity is confirmed incorrectly, access control is not effective.
FAILED AUTHENTICATION

Impersonation

A system cannot distinguish the genuine user from an impostor.
FAILED AUTHENTICATION

Two steps to determine who someone is:
1. IDENTIFICATION: the act of asserting who a person is.
2. AUTHENTICATION: the act of proving that asserted identity.
IDENTIFICATION VS AUTHENTICATION

Identification and authentication are two terms that describe the initial phase of the process that grants access to a system. Identification is concerned with supplying an identity, while authentication is concerned with the checks performed to confirm the validity of the claimed identity. Simply put, identification means making a claim to an identity, whereas authentication means proving that identity.

Identities are often publicly known.

Authentication is secret, strong and reliable.
FAULTY OR INCOMPLETE AUTHENTICATION

Example: two authentication mechanisms used in an email protocol:
• The password that protects the email account.
• The system function for replacing a password that is presumed forgotten.

• The password provides the protection of the email account.
• Personnel lower the quality of the password protection.
PASSWORD USE

Even though they are widely used, passwords suffer from some difficulties of use.

LOSS
• What if the user loses the password?
• The operators or system administrators cannot determine what password a user had chosen previously.

USE
Supplying a password for each access to an object can be inconvenient and time consuming.

DISCLOSURE
If a user discloses a password to an unauthorized individual, the object becomes immediately accessible.

REVOCATION
To revoke one user's access right to an object, someone must change the password: the user must inform any other legitimate users of the new password because their old password will fail.
ATTACKING AND PROTECTING PASSWORDS

How secure are passwords themselves?

Passwords are somewhat limited as protection devices because of the relatively small number of bits of information they contain.

12 steps an attacker might try in order to determine a password:
1. No password
2. The same as the user ID
3. Is, or is derived from, the user's name
4. Common word list (password, secret, private) plus common names and patterns (qwerty, aaaaaa)
5. Contained in a short college dictionary
6. Contained in a complete English word list
7. Contained in common non-English language dictionaries
8. Contained in a short college dictionary with capitalizations (PaSsWorD) or substitutions (digit 0 for letter O)
9. Contained in a complete English dictionary with capitalizations or substitutions
10. Contained in common non-English dictionaries with capitalization or substitutions
11. Obtained by brute force, trying all possible combinations of lowercase alphabetic characters
12. Obtained by brute force, trying all possible combinations from the full character set
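The same 12-step ordering can be turned around and used by the site administrator as a password-acceptance policy: a candidate password is rejected at the first step that would recover it, and anything that survives the dictionary steps is measured by the bits a brute-force search (steps 11 and 12) would have to cover. The example below is added here and is not from the slides; the word lists are constructed stand-ins for the dictionaries named on the slide, and the 50-bit acceptance floor is an assumed policy value.

```python
import math
import re

# Constructed, deliberately tiny word lists standing in for the dictionaries
# named on the slide (a real checker loads full lists from disk).
COMMON_WORDS = {"password", "secret", "private", "qwerty", "aaaaaa", "123456"}
SHORT_DICTIONARY = {"dragon", "monkey", "sunshine", "welcome", "baseball"}
FULL_DICTIONARY = SHORT_DICTIONARY | {"serendipity", "xylophone", "marmalade"}
NON_ENGLISH_DICTIONARY = {"rahasia", "kunci", "sandi", "geheim", "passwort"}

# Steps 8-10: the substitutions an attacker undoes before a dictionary lookup
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and reverse common digit/symbol-for-letter substitutions."""
    return password.translate(SUBSTITUTIONS).lower()


def name_tokens(full_name: str) -> set:
    """Name parts of three or more letters, used for step 3."""
    return {t.lower() for t in re.split(r"\W+", full_name) if len(t) >= 3}


def classify_password(password: str, user_id: str, full_name: str) -> int:
    """Return the first step (1-10) of the slide's list at which an attacker
    would recover this password, or 0 if only brute force (steps 11-12) remains."""
    lower = password.lower()
    if password == "":
        return 1
    if lower == user_id.lower():
        return 2
    if any(token in lower for token in name_tokens(full_name)):
        return 3
    if lower in COMMON_WORDS or re.fullmatch(r"(.)\1+", lower):
        return 4
    if lower in SHORT_DICTIONARY:
        return 5
    if lower in FULL_DICTIONARY:
        return 6
    if lower in NON_ENGLISH_DICTIONARY:
        return 7
    normalized = normalize(password)
    if normalized in SHORT_DICTIONARY:
        return 8
    if normalized in FULL_DICTIONARY:
        return 9
    if normalized in NON_ENGLISH_DICTIONARY:
        return 10
    return 0


def brute_force_bits(password: str) -> float:
    """Bits an exhaustive search (steps 11-12) must cover: length * log2(charset).
    This is the 'relatively small number of bits' the slide refers to."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return 0.0 if charset == 0 else len(password) * math.log2(charset)


def accept_password(password: str, user_id: str, full_name: str,
                    min_bits: float = 50.0) -> tuple:
    """Policy decision: reject anything a dictionary step catches or that is
    too short for its character set. Returns (accepted, reason)."""
    step = classify_password(password, user_id, full_name)
    if step:
        return False, f"recoverable at attack step {step}"
    bits = brute_force_bits(password)
    if bits < min_bits:
        return False, f"only {bits:.1f} bits against brute force"
    return True, f"{bits:.1f} bits against brute force"


if __name__ == "__main__":
    for candidate in ["", "jadams", "JohnAdams1", "qwerty", "Dr4g0n",
                      "P@$$w0rt", "Tr0ub4dor&3"]:
        print(repr(candidate), accept_password(candidate, "jadams", "John Adams"))
```

Note that the step number returned is also a rough severity: a password caught at step 4 falls to a list of a few hundred entries, one caught at step 9 needs a full dictionary with substitution rules, and one that reaches step 0 is only exposed to exhaustive search, whose cost the bit count estimates.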
DICTIONARY ATTACKS

Several network sites post dictionaries of phrases, science fiction characters, places, mythological names, Chinese words, Yiddish words, and other specialized lists.

All these lists are posted to help site administrators identify users who have chosen weak passwords. The same dictionaries can also be used by attackers of sites that do not have attentive administrators.
PASSWORD LIKELY FOR A USER

• People typically choose personal passwords, such as the name of a spouse, child, brother or sister, pet, street name, or something memorable or familiar
• A list of only a few hundred possibilities at most
• Takes under a second

• People find something in the password process that is difficult or unpleasant
• People are unable to choose good passwords, perhaps because of the pressure of the situation
• They fear they will forget solid passwords
PROBABLE PASSWORD

Think of a word.
• Is the word you thought of long?
• Is it uncommon?
• Is it hard to spell or to pronounce?
Probably NO
EXHAUSTIVE ATTACK

Brute Force
The attacker tries all possible passwords, usually in some automated fashion.

• Guessing every possible combination until the correct password is found.
• This guessing is not done manually.
• The attacker uses a special program (script) to run the process automatically.
PASSWORD STRENGTH OVER TIME
PASSWORD CRACKING RIG: CRACKING ON A BUDGET
STRONG AUTHENTICATION

Something the user knows
• Passwords
• PIN numbers
• Passphrases
• Secret handshake
• Mother's maiden name

Something the user is
• Fingerprints
• Hand geometry (shape and size of fingers)
• Retina and iris (parts of the eye)
• Voice
• Handwriting
• Blood vessels in the finger or hand
• Facial features, such as nose shape
• Keystroke dynamics

Something the user has
• Identity badges
• Physical keys
• Driver's license
• Uniform
KNOWLEDGE: SOMETHING YOU KNOW

Chosen carefully, passwords can be strong authenticators.

• If we do use passwords, we can improve their security by a few simple practices
• Use characters other than just a-z
• Choose long passwords
• Avoid actual names or words
• Choose an unlikely password
• Change the password regularly
• Don't write it down if physical security is a serious risk
• Don't tell anyone else (vs social engineering)
KNOWLEDGE: SOMETHING YOU KNOW

• 2Brn2Bti? (to be or not to be, that is the question)
• PayTaxesApril5th
• UcnB2s (you cannot be too secure)
• The first letters of words from a song
• A few letters from different words of a private phrase
• Something involving a memorable basketball score
KNOWLEDGE: SOMETHING YOU KNOW

• Security questions could be improved by choosing something the real user knows but an imposter would be unlikely to know
• Email account
  • From what email address you received frequent messages
  • Whether you tended to send 1-10, 10-50, 50-100, or 100+ messages per day
  • Whether your account was established before 2006, in 2006, in 2007, or in 2008
  • When you last logged in
  • When you had a gap of 7 or more days without accessing your account

• Another type of account would have asked different kinds of questions, instead of "mother's maiden name", which for a while seemed as if it were going to become the universal authenticator
BIOMETRIC: SOMETHING YOU ARE

Biometrics
Biological authenticators, based on some physical characteristic of the human body

• Advantages
  • Cannot be lost, stolen, forgotten, lent, and is always available, always at hand

• Several problems
  • Intrusive
  • Costly
  • Single point of failure
  • Variation reduces accuracy
  • Speed limits accuracy
  • False readings
  • Forgeries are possible
BIOMETRIC: SOMETHING YOU ARE

                                       Is the Person Claimed   Is Not the Person Claimed
Test Is Positive (There is a match)    True Positive           False Positive
Test Is Negative (There is no match)   False Negative          True Negative

False Positive or False Accept
• A reading that is accepted when it should be rejected

False Negative or False Reject
• A reading that is rejected when it should be accepted

• Often, reducing a false positive rate increases false negatives, and vice versa
• The consequences for a false negative are usually less than for a false positive
• An acceptable system may have a false positive rate of 0.001 percent but a false negative rate of 1 percent
BIOMETRIC: SOMETHING YOU ARE

All biometric readers operate in two phases:
1. A user enrolls with the reader:
• The user's characteristic is captured and reduced to a set of data points.
• The user may be asked to present the characteristic several times so that the registration software can adjust for its variation.
• Registration produces a pattern, called a template, of data points specific to that user.
2. The user then seeks authentication from the system:
• The system measures the user's characteristic again and compares the new measurement with the stored template.
• If the new measurement is close enough to the template, the system accepts the authentication.
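The two phases above, and the false accept / false reject trade-off from the earlier confusion-matrix slide, can be shown together with a toy matcher: enrollment averages several readings into a template, authentication accepts a new reading whose distance from the template is within a threshold, and sweeping the threshold shows that lowering the false accept rate raises the false reject rate. This is an added example, not code from the slides; the two-dimensional readings are constructed values, and the mean-vector template and Euclidean distance are simplifying assumptions (real readers use richer feature sets and matchers).

```python
import math


def enroll(samples):
    """Enrollment: reduce several readings of the user's characteristic to a
    template, here the component-wise mean of the feature vectors."""
    n = len(samples)
    dims = len(samples[0])
    return tuple(sum(s[i] for s in samples) / n for i in range(dims))


def distance(a, b):
    """Euclidean distance between two readings (assumed matching metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def authenticate(template, reading, threshold):
    """Authentication: accept if the new reading is close enough to the template."""
    return distance(template, reading) <= threshold


def error_rates(template, genuine, impostors, threshold):
    """Return (false accept rate, false reject rate) at one threshold:
    impostors wrongly accepted, genuine users wrongly rejected."""
    far = sum(authenticate(template, r, threshold) for r in impostors) / len(impostors)
    frr = sum(not authenticate(template, r, threshold) for r in genuine) / len(genuine)
    return far, frr


def sweep(template, genuine, impostors, thresholds):
    """Error rates across thresholds, to show that FAR and FRR move in
    opposite directions."""
    return [(t, *error_rates(template, genuine, impostors, t)) for t in thresholds]


# Constructed two-dimensional readings (think of two hand-geometry measurements).
ENROLLMENT_READINGS = [(10.0, 10.0), (11.0, 9.0), (9.0, 11.0)]
GENUINE_ATTEMPTS = [(10.5, 10.0), (10.0, 11.5), (12.0, 10.0), (10.0, 13.0)]
IMPOSTOR_ATTEMPTS = [(12.0, 12.0), (14.0, 10.0), (10.0, 14.0), (15.0, 15.0)]

if __name__ == "__main__":
    template = enroll(ENROLLMENT_READINGS)
    print("template:", template)
    for t, far, frr in sweep(template, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS,
                             [1.0, 2.5, 3.0, 5.0]):
        print(f"threshold={t:.1f}  FAR={far:.2f}  FRR={frr:.2f}")
```

With the constructed readings, a threshold of 2.5 rejects one genuine attempt in four and accepts no impostor, while loosening it to 3.0 admits every genuine attempt but also one impostor in four; the slide's point that an acceptable system trades a small false positive rate for a larger false negative rate corresponds to choosing the tighter setting.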
TOKEN: SOMETHING YOU HAVE

You have a physical object in your possession.
TOKEN: SOMETHING YOU HAVE

Another kind of authentication token has data to communicate invisibly
• Credit cards with a magnetic stripe.
• Credit cards with an embedded computer chip.
• Access cards with passive or active wireless technology.
TOKEN: SOMETHING YOU HAVE

Of course, tokens can be LOST and, with appropriate tools and techniques, COPIED

Skimming
The use of a device to copy authentication data covertly so that it can be used to commit a crime.

A method of data theft that uses a special tool, the skimmer. It works by copying or duplicating the magnetic stripe data of an ATM or credit card.
TOKEN: SOMETHING YOU HAVE

• The value of a static token remains fixed
  • Keys
  • Identity cards
  • Passports
  • Credit and other magnetic stripe cards
  • Radio transmitter cards (called RFID devices)

Static tokens are most useful for onsite authentication

• Remote authentication
  • Being able to prove your identity to a person or computer somewhere else
  • Distance increases the possibility of forgery

Dynamic token generators are useful for remote authentication, especially of a person to a computer
TOKEN: SOMETHING YOU HAVE

Dynamic Authentication Token

A device that generates an unpredictable value that we might call a pass number
• Some devices change numbers at a particular interval, for example, once a minute
• Others change numbers when you press a button
• Others compute a new number in response to an input, sometimes called a challenge
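All three kinds of dynamic token on this slide can be built from one primitive: a keyed hash over a "moving factor" that the device and the verifier both know, truncated to a short decimal pass number. The example below is added here and is not from the slides; it uses the HOTP construction (HMAC-SHA1 with dynamic truncation) for the pass number, derives the interval-based and button-press variants from a counter, and treats the challenge variant as the same hash over the verifier's challenge bytes. The shared secret is the sample key from the HOTP specification and is a constructed value here; the 30-second step, the one-step skew window and the five-press look-ahead are assumed policy settings.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret (the RFC 4226 sample key) provisioned into both the
# token device and the verifying server.
SECRET = b"12345678901234567890"


def pass_number(secret: bytes, moving_factor: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 over the moving factor, truncated to a decimal pass number
    (the dynamic truncation of RFC 4226)."""
    mac = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def event_based(secret: bytes, counter: int) -> str:
    """Token that changes when a button is pressed: the counter advances per press."""
    return pass_number(secret, struct.pack(">Q", counter))


def time_based(secret: bytes, now: float, step: int = 30) -> str:
    """Token that changes at a fixed interval: the counter is the time-step number."""
    return event_based(secret, int(now) // step)


def challenge_response(secret: bytes, challenge: bytes) -> str:
    """Token that computes a fresh number from a challenge supplied by the verifier."""
    return pass_number(secret, challenge)


def verify_time_based(secret: bytes, code: str, now: float,
                      step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side,
    to tolerate clock skew between device and server."""
    current = int(now) // step
    return any(hmac.compare_digest(event_based(secret, c), code)
               for c in range(current - window, current + window + 1))


def verify_event_based(secret: bytes, code: str, last_counter: int,
                       look_ahead: int = 5):
    """Server side: only counters beyond the last accepted one are valid, so a
    pass number that was already used cannot be replayed. Returns the counter
    to store as the new high-water mark, or None if the code is rejected."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(event_based(secret, c), code):
            return c
    return None


if __name__ == "__main__":
    now = time.time()
    print("time-based :", time_based(SECRET, now))
    print("event-based:", event_based(SECRET, 1))
    print("challenge  :", challenge_response(SECRET, b"server-nonce-1234"))
    print("verify     :", verify_time_based(SECRET, time_based(SECRET, now), now))
```

The verifier never stores or transmits the pass numbers themselves; it recomputes them from the secret and the moving factor, which is why the value is unpredictable to anyone who does not hold the secret, and why the server must advance its stored counter after each successful event-based check.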
MULTIFACTOR AUTHENTICATION

Which value of n makes n-factor authentication optimal?

As the number of forms increases, so also does the user's inconvenience.

From a usability point of view, large values of n may lead to user frustration and reduced security.
SECURE AUTHENTICATION

Suppose Adams works in the accounting department during the shift between 8:00 a.m. and 5:00 p.m., Monday through Friday. Any legitimate access attempt by Adams should be made during those times, through a workstation in the accounting department offices.

The system protects against 2 problems:
1. Someone from outside might try to impersonate Adams.
2. Adams might attempt to access the system from home or on a weekend, planning to use resources not allowed or to do something that would be too risky with other people around.
SECURE AUTHENTICATION

• Limiting users to certain workstations or certain times of access can cause complications
  • When a user legitimately needs to work overtime
  • A person has to access the system while out of town on a business trip
  • A particular workstation fails

• However, some companies use these authentication techniques because the added security they provide outweighs the inconvenience
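The Adams scenario from the previous slide and the overtime complication from this one can be expressed as a small access rule: the workstation is checked before the time, so an outsider impersonating Adams from elsewhere fails regardless of the clock, and a pre-approved overtime window lets a legitimate late session through without loosening the rule for everyone. This is an added example, not code from the slides; the workstation names, the user identifier "adams" and the exception window are constructed values.

```python
from datetime import datetime, time

# Constructed policy for the slide's scenario: Adams, accounting department,
# 8:00 a.m. to 5:00 p.m., Monday through Friday, from departmental workstations.
POLICY = {
    "adams": {
        "workstations": {"ACCT-WS-01", "ACCT-WS-02", "ACCT-WS-03"},  # constructed names
        "weekdays": {0, 1, 2, 3, 4},      # Monday = 0 ... Friday = 4
        "start": time(8, 0),
        "end": time(17, 0),
    }
}

# Pre-approved overtime windows, covering the "legitimately needs to work
# overtime" case: (user, window start, window end). Constructed values.
EXCEPTIONS = [
    ("adams", datetime(2023, 2, 6, 17, 0), datetime(2023, 2, 6, 20, 0)),
]


def within_shift(rule: dict, when: datetime) -> bool:
    """True when `when` falls on an allowed weekday inside the shift hours."""
    return (when.weekday() in rule["weekdays"]
            and rule["start"] <= when.time() < rule["end"])


def in_exception(user: str, when: datetime) -> bool:
    """True when an approved overtime window for this user covers `when`."""
    return any(u == user and start <= when < end for u, start, end in EXCEPTIONS)


def check_access(user: str, workstation: str, when: datetime):
    """Return (allowed, reason). The workstation is checked first, so an
    outsider impersonating Adams from elsewhere fails regardless of the time;
    the time check then catches off-hours use from a legitimate workstation."""
    rule = POLICY.get(user)
    if rule is None:
        return False, "no access rule for user"
    if workstation not in rule["workstations"]:
        return False, "workstation is not in the accounting department"
    if within_shift(rule, when):
        return True, "within scheduled shift"
    if in_exception(user, when):
        return True, "within approved overtime window"
    return False, "outside permitted hours"


if __name__ == "__main__":
    attempts = [
        ("adams", "ACCT-WS-01", datetime(2023, 2, 6, 9, 0)),    # Monday morning
        ("adams", "ACCT-WS-01", datetime(2023, 2, 4, 9, 0)),    # Saturday
        ("adams", "HOME-PC", datetime(2023, 2, 6, 9, 0)),       # from home
        ("adams", "ACCT-WS-02", datetime(2023, 2, 6, 18, 30)),  # approved overtime
        ("adams", "ACCT-WS-02", datetime(2023, 2, 7, 18, 30)),  # unapproved evening
    ]
    for user, ws, when in attempts:
        print(user, ws, when.isoformat(), "->", check_access(user, ws, when))
```

The reason string is what a security operations team would want logged: a run of "outside permitted hours" or "workstation is not in the accounting department" failures for one account is exactly the signal that distinguishes the two threats the slide lists.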
NEXT WEEK PROGRAM

• Threat
  • Program Flaw Leads to Security Failing
• Vulnerability
  • Incomplete Mediation
  • Race Condition
  • Time-of-Check to Time-of-Use
  • Undocumented Access Point

• Ineffective Countermeasure
  • Penetrate-and-Patch
• Countermeasure
  • Identifying and Classifying Faults
  • Secure Software Design Elements
  • Secure Software Development Process
  • Testing
  • Defensive Programming
CYBER SECURITY

As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.
THANK YOU
Slamet Aji Pamungkas
Tangerang, February 2023
