Authentication
Authentication
Most technical security safeguards have authentication as a precondition.
How to authenticate:
- Somewhere you are: location
- Something you are: biometrics
- Something you have: smart card, token
- Something you know: password, secrets
The authentication process
Authentication -> Verification -> Authorization
- Authentication: ask the user for credentials
- Verification: verify these credentials against something previously known
- Authorization: mark the user as authenticated; commonly the access control (AC) rights are also assigned here
Password
A secret (word) known by the user and the system
- Username: some name under which the user is known to the system – hardly secret
- Secret password: the secret connected to the user name
Good and bad passwords
Bad passwords:
- Linkable names (own, child's, ...)
- Linkable numbers (telephone, birthdays, ...)
- Related words (like the car -> Ferrari)
- Common words from dictionaries
- Common patterns (qwerty, 123456, ...)
- Fashion words
Good passwords:
1. Contain big and small letters
2. Contain numbers and special characters
3. More than 8 characters
4. Can be typed fast
The first three work against searching (guessing) the password; the fourth is to prevent observation while typing.
Password verification
Compare the input with a stored value.
Passwords need to be stored: plain or encrypted (one-way or bi-directional)
Passwords need to be transferred: plain or encrypted
Security of passwords
Security is based mainly on the user, but also on how it is implemented in the system.
Systems can implement additional functions to harden passwords.
Attacks against password systems
- Test all possible passwords
- Guess likely words – lexical attacks
- Social engineering
- Looking for the system's password list
- Attacking the authentication mechanism
- Ask the user
Ways to harden
- Limited number of tries
- Wrong inputs slow down the process
- Challenge-response
- Authorize also the system (mutual authentication)
- Combining different systems
- Harden the process
- Require passwords with high entropy
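As an added illustration (not part of the lecture slides) of the "Password verification" point about one-way storage together with two of the hardening measures above, a limited number of tries and a slowdown after wrong inputs; the iteration count, try limit and delay are assumed values:

```python
import hashlib
import hmac
import os
import time

# Added example (not from the slides): one-way password storage plus two
# hardening measures: a limited number of tries and a slowdown after
# wrong inputs. The constants below are assumed values, not from the lecture.
ITERATIONS = 100_000      # work factor: makes "test all possible passwords" slow
MAX_TRIES = 5             # limited number of tries before the account locks
DELAY_PER_FAILURE = 0.05  # seconds added per previous wrong input


def make_record(password: str) -> dict:
    """Store a random salt and a one-way hash; the password itself is never kept,
    so a stolen password list does not directly reveal the passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failed": 0}


def verify(record: dict, attempt: str) -> bool:
    """Compare the input with the stored value (re-hashing with the stored salt)."""
    if record["failed"] >= MAX_TRIES:
        return False                                   # locked: too many tries
    time.sleep(DELAY_PER_FAILURE * record["failed"])   # wrong inputs slow it down
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    record["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison
        record["failed"] = 0
        return True
    record["failed"] += 1
    return False
```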
One-time passwords
A password is only valid once.
Techniques: transaction numbers (TAN), hashed with time stamp
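The "hashed with time stamp" technique, as an added example that is not part of the slides: the shared secret and the current time step are hashed together (HMAC-SHA1 as in RFC 4226 / RFC 6238), and the verifier remembers the last accepted step so each password is valid only once. Step length, digit count and drift window are assumed values.

```python
import hashlib
import hmac
import struct
import time

# Added example (not from the slides): a one-time password computed by hashing
# a shared secret together with the current time step (HOTP/TOTP, RFC 4226 /
# RFC 6238) and a verifier that accepts every password only once.
STEP = 30     # seconds per time step (assumed, the RFC default)
DIGITS = 6    # length of the displayed code
WINDOW = 1    # neighbouring steps accepted to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None) -> str:
    """Time-stamp variant: the counter is the current time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // STEP)


class OtpVerifier:
    """Server side: remembers the last accepted step so a code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, at=None) -> bool:
        now = time.time() if at is None else at
        step = int(now) // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step:
                continue          # a password is only valid once: step already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False
```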
Cryptographic techniques
Cryptography for authentication purposes
Popular techniques: Kerberos, certificates (X.509), challenge-response systems
Problems: complex, infrastructure dependent
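A challenge-response system with both sides' messages, as an added example that is not part of the slides: the server challenges the client with a fresh random value and the client challenges the server in return, so the shared key never crosses the wire and the system is authenticated as well. The user table, key and message format are assumptions.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): mutual challenge-response over a
# pre-shared key. Each side answers the other's fresh random challenge with
# an HMAC, so the key itself is never transmitted and cannot be replayed.


def prove(key: bytes, challenge: bytes, role: bytes) -> bytes:
    # The role is mixed in so a client response cannot be reflected back
    # to the client as if it were the server's proof.
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users: dict):
        self.users = users       # username -> shared key (assumed user table)
        self.pending = {}        # username -> challenge currently outstanding

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(16)      # fresh nonce per attempt
        return self.pending[user]

    def check(self, user: str, response: bytes, client_nonce: bytes):
        """Verify the client's answer; on success, answer the client's challenge."""
        nonce = self.pending.pop(user, None)     # consumed: no second use
        key = self.users.get(user)
        if nonce is None or key is None:
            return None
        if not hmac.compare_digest(response, prove(key, nonce, b"client")):
            return None
        return prove(key, client_nonce, b"server")   # the system proves itself too


class Client:
    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key

    def login(self, server: Server) -> bool:
        server_nonce = server.challenge(self.user)         # 1. server -> client
        my_nonce = os.urandom(16)
        proof = server.check(self.user,                    # 2. client -> server
                             prove(self.key, server_nonce, b"client"), my_nonce)
        if proof is None:
            return False                                   # 3. server -> client
        return hmac.compare_digest(proof, prove(self.key, my_nonce, b"server"))
```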
Security token
Something you have
Popular representatives: cryptographic tokens, smart cards
Problems: costly, technical infrastructure
Smart cards
A card with a chip – not necessarily for authentication
Different types: ROM cards, EEPROM cards, microprocessor cards
Prominent examples: bank cards, credit cards, mobile phone cards
Attacks against smart cards
Protocol attacks: attack the communication between the smart card and the card reader
Blocking signaling: block signals (for example erase signals), freeze or reset the card, make the content of the RAM readable
Physical attacks: probing (reading data directly from the hardware), damaging part of the chip (for example the address counter), reverse engineering (reveal the chip design and gain knowledge)
Biometrics
The security relies on a property of a human being: measuring some aspects of the human anatomy or physiology and comparing them with previously recorded values.
Problems: humans change over time
Concepts:
- Physical: DNA, face, fingerprint, iris, hand geometry
- Behavioral: voice, signature
Verification
Conventional biometrics
Face recognition – ID cards: the oldest and probably most accepted method; average security (result of studies)
Handwritten signatures: highly accepted in Europe; good enough security
Fingerprints: look at the friction ridges that cover fingertips; branches and end points geometry (commonly 16), pores of the skin; easy to deploy and relatively limited resistance
Problems: there is a statistical probability of mismatch (the number of variations is limited); fingerprints are mostly "noisy"; alteration is easy
Iris scan: patterns in the iris are recognized; iris codes provide the lowest false accept rates of any known system (US study)
Problems: getting people to put their eye into a scanner; systems might be vulnerable to simple photographs
Problems with biometrics
Not exact enough: false positives and false negatives are common
Technically difficult: the technology is new
Privacy problems: sicknesses can be recognized
Social problems: usage of the system and its revelation generate problems
Data leaks out incidentally: when use becomes widespread, your data will be known by a lot of people
Single sign-on
Only one sign-on for all applications
Techniques: save the password (but how?), issue a ticket
Trends: identity management systems
Identity management – types of IdM (systems)
Type 1: account management by an organisation – assigned identity (= Tier 2)
Type 2: profiling by an organisation – derived / abstracted identity (= Tier 3)
Type 3: management of own identities by the user herself/himself, supported by service providers – chosen identity (= Tier 1)
There are hybrid systems that combine characteristics.
"Identity" is changing
- IT puts more high tech on ID cards: biometrics to bind them closer to a human being; chips to add services (such as a PKI)
- Profiles may make the "traditional" ID concept obsolete: people are represented not by numbers or ID keys any more but by data sets; identities become "a fuzzy thing"
- New IDs and ID management systems are coming up: mobile communication (GSM) has introduced a globally interoperable "ID token", the Subscriber Identity Module; eBay lets people trade using pseudonyms
- Europe (the EU) considers joint ID and ID management systems: European countries have different traditions on identity card use; compatibility of ID systems is not trivial
- Work on new standards for identity management systems and entity authentication has been initiated by ISO and ITU
Identity concepts – partial identities illustrated
[Figure: one person's partial identities in the contexts Anonymity, Work, Public Authority, Health Care, Shopping and Leisure, each holding a subset of attributes such as name, address, birthdate, marital status, education, foreign languages, capabilities, salary, income, tax status, account number, credit cards, insurance, health status, blood group, denomination, hobbies, (dis)likes, nickname and phone number; identity management spans them all.]
Changing borders of (partial) identities
[Figure: the same partial-identity diagram; the borders between the contexts are blurring.]
Changing borders of (partial) identities (cont.)
[Figure: the same partial-identity diagram, annotated with communication and contacts across the contexts.]
Questions?