authentication. most technical security safeguards have authentication as a precondition how to...

Authentication

Post on 18-Dec-2015


TRANSCRIPT

Page 1: Authentication. Most technical security safeguards have authentication as a precondition How to authenticate: LocationSomewhere you are BiometrieSomething

Authentication


Authentication

Most technical security safeguards have authentication as a precondition.

How to authenticate:

- Location: somewhere you are
- Biometrics: something you are
- Smart card, token: something you have
- Password, secrets: something you know


The authentication process

Authentication, Verification, Authorization

- Authentication: ask the user for credentials
- Verification: verify these credentials against something previously known
- Authorization: mark the user as authenticated; commonly the access control (AC) rights are also assigned here


Password

A secret (word) known by the user and the system


Password

- Username: some name under which the user is known to the system (hardly secret)
- Secret password: the secret connected to the user name


Good and bad passwords

Bad passwords:

- Linkable names (own, child's, ...)
- Linkable numbers (telephone, birthdays, ...)
- Related words (like the car -> Ferrari)
- Common words from dictionaries
- Common patterns (qwerty, 123456, ...)
- Fashion words

Good passwords:

1. Containing upper and lower case letters
2. Containing numbers and special characters
3. > 8 characters
4. Can be written fast

The first 3 prevent the search; 4 is to prevent observation.


Password verification

- Compare the input with a stored value
- Passwords need to be stored
  - Plain
  - Encrypted: one way or bi-directional
- Passwords need to be transferred
  - Plain
  - Encrypted
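The one-way storage option and the compare-with-stored-value step, as an added example that is not part of the original slides. It assumes PBKDF2-HMAC-SHA256 as the one-way function; the in-memory store USERS, the function names and the work factor are hypothetical choices made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune to your hardware
USERS = {}             # hypothetical in-memory store: username -> (salt, digest)

def derive(password: str, salt: bytes) -> bytes:
    # One-way storage: the password cannot be recovered from the digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt: equal passwords give different records
    USERS[username] = (salt, derive(password, salt))

# Constructed record used for unknown usernames, so that known and unknown
# names both cost exactly one derivation and are not told apart by timing.
DUMMY_SALT = os.urandom(16)
DUMMY = (DUMMY_SALT, derive("constructed-dummy", DUMMY_SALT))

def verify(username: str, password: str) -> bool:
    salt, stored = USERS.get(username, DUMMY)
    candidate = derive(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    matches = hmac.compare_digest(candidate, stored)
    return matches and username in USERS

def login(username: str, password: str, rights: dict) -> set:
    """Authentication -> verification -> authorization in one call."""
    if not verify(username, password):
        return set()                       # not authenticated: no rights assigned
    return set(rights.get(username, ()))   # authenticated: assign the AC rights
```

With bi-directional encryption, anyone who obtains the key recovers every password; with the one-way form above, a stolen store still has to be attacked guess by guess.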


Security of Passwords

Security is based mainly on the user, but also on how it is implemented in the system

Systems can implement additional functions to harden passwords


Attacks against password systems

- Test all possible passwords
- Guess likely words (lexical attacks)
- Social engineering
- Looking for the system's password list
- Attacking the authentication mechanism
- Ask the user


Ways to harden

- Limited number of tries
- Wrong inputs slow down the process
- Challenge-response
- Authorize also the system
- Combining different systems
- Harden the process
- Require passwords with high entropy
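The first two hardening measures (limited number of tries, wrong inputs slow down the process), as an added example that is not part of the original slides. The class name LoginThrottle and the policy values (doubling delay, lockout after max_tries) are assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Limit tries per account and slow down after each wrong input."""

    def __init__(self, max_tries=5, base_delay=1.0, lockout=900.0, clock=time.monotonic):
        self.max_tries = max_tries    # assumed policy values, not from the slides
        self.base_delay = base_delay
        self.lockout = lockout
        self.clock = clock            # injectable so the policy can be tested
        self.state = {}               # username -> (failures, earliest next attempt)

    def wait_time(self, username):
        """Seconds that must still pass before the next attempt is evaluated."""
        not_before = self.state.get(username, (0, 0.0))[1]
        return max(0.0, not_before - self.clock())

    def attempt(self, username, check):
        """check is a zero-argument callable that verifies the credentials.

        Returns 'ok', 'denied' or 'throttled'. A throttled attempt never runs
        check, so guesses made during the delay reveal nothing.
        """
        if self.wait_time(username) > 0:
            return "throttled"
        if check():
            self.state.pop(username, None)     # success resets the counter
            return "ok"
        failures = self.state.get(username, (0, 0.0))[0] + 1
        if failures >= self.max_tries:
            delay, failures = self.lockout, 0  # limited number of tries
        else:
            delay = self.base_delay * 2 ** (failures - 1)   # 1 s, 2 s, 4 s, ...
        self.state[username] = (failures, self.clock() + delay)
        return "denied"
```

A per-account lockout can itself be abused to lock legitimate users out, which is one reason to combine it with the other measures in the list.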


One time passwords

A password is only valid once

Techniques:

- Transaction numbers (TAN)
- Hashed with time stamp


Cryptographic techniques

Cryptography for authentication purposes

Popular techniques:

- Kerberos
- Certificates (X.509)
- Challenge-response systems

Problems:

- Complex
- Infrastructure dependent


Security token

Something you have

Popular representatives:

- Cryptographic tokens
- Smart cards

Problems:

- Costly
- Technical infrastructure


Smart Cards

- A card with a chip
- Not necessarily for authentication

Different types:

- ROM cards
- EEPROM cards
- Microprocessor cards


Smart cards

Prominent examples:

- Bank cards
- Credit cards
- Mobile phone cards


Attacks against Smart cards

- Protocol attacks: the communication between the smart card and the card reader
- Blocking signaling: block signals (for example erase signals)
- Freeze or reset the card: make the content of the RAM readable


Attacks against Smart cards

- Physical probing: reading data directly from the hardware
- Damage part of the chip: for example the address counter
- Reverse engineering: reveal the chip design and gain knowledge


Biometrics

The security relies on the property of a human being

Measuring some aspect of the human anatomy or physiology and comparing it with previously recorded values

Problems: Humans change over time


Concepts

Physical:

- DNA
- Face
- Fingerprint
- Iris
- Hand geometry

Behavioral:

- Voice
- Signature

Verification


Conventional biometrics

Face recognition (ID cards):

- The oldest and probably most accepted method
- Average security (result of studies)

Handwritten signatures:

- Highly accepted in Europe
- Good enough security


Fingerprints

Look at the friction ridges that cover fingertips:

- Branches and end points geometry (commonly 16)
- Pores of the skin

Easy to deploy and relatively limited resistance

Problems:

- There is a statistical probability of mismatch; the number of variations is limited
- Fingerprints are mostly "noisy"
- Alteration is easy


Iris scan

- Patterns in the iris are recognized
- Iris codes provide the lowest false accept rates of any known system (US study)

Problems:

- Getting people to put their eye into a scanner
- Systems might be vulnerable to simple photographs


Problems with biometrics

- Not exact enough
  - False positives and Positive False are common
- Technically difficult
  - The technology is new
- Privacy problems
  - Sicknesses can be recognized
- Social problems
  - Usage of system
- Revelation generates problems
  - Data leaks out incidentally
  - When the use becomes widespread, your data will be known by a lot of people


Single sign-on

Only one sign-on for all applications

Techniques:

- Save password (but how?)
- Issue a ticket

Trends:

- Identity management systems


Identity Management: Types of IdM (Systems)

- Type 1: by organisation. Account management: assigned identity (= Tier 2)
- Type 2: by organisation. Profiling: derived identity, abstracted identity (= Tier 3)
- Type 3: by user herself/himself, supported by service providers. Management of own identities: chosen identity (= Tier 1)

There are hybrid systems that combine characteristics


"Identity" is changing

- IT puts more high tech on ID cards
  - Biometrics to bind them closer to a human being
  - Chips to add services (such as a PKI)
- Profiles may make the "traditional" ID concept obsolete
  - People are represented not by numbers or ID keys any more but by data sets.
  - Identities become "a fuzzy thing".
- New IDs and ID management systems are coming up
  - Mobile communication (GSM) has introduced a globally interoperable "ID token": the Subscriber Identity Module
  - eBay lets people trade using pseudonyms.
- Europe (the EU) considers joint ID and ID management systems
  - European countries have different traditions on identity card use
  - Compatibility of ID systems is not trivial
- Work on new standards for identity management systems and entity authentication has been initiated by ISO and ITU


Identity Concepts: Partial Identities Illustrated

[Figure: partial identities managed by "Identities Management". Contexts: Anonymity, Work, Public Authority, Health Care, Shopping, Leisure. Attributes: foreign languages, education, address, capabilities, salary, name, income, credit cards, tax status, denomination, account number, birthdate, marital status, hobbies, insurance, nickname, (dis)likes, phone number, health status, blood group.]


Changing borders of (partial) identities

[Figure: the partial identities diagram (contexts Anonymity, Work, Public Authority, Health Care, Shopping, Leisure and their attributes), with the label "Borders are blurring".]


Changing borders of (partial) identities (cont.)

[Figure: the partial identities diagram (contexts Anonymity, Work, Public Authority, Health Care, Shopping, Leisure and their attributes), with the label "Communication and contacts".]


Questions?