Chapter 4 – Protection in General-Purpose Operating Systems, Section 4.5 User Authentication

Upload: darrell-shaw

Post on 04-Jan-2016


TRANSCRIPT

Page 1: Chapter 4 – Protection in General-Purpose Operating Systems Section 4.5 User Authentication

Chapter 4 – Protection in General-Purpose Operating Systems

Section 4.5 User Authentication

Page 2

In this section:

Authentication
Passwords
Effective passwords
Breaking passwords
One-Time Systems
Biometrics

Page 3

User Authentication

Most software and operating systems base their security on knowing who the user is.
Authentication is based on one of three qualities:
Something the user knows – passwords, PIN, passphrase
Something the user has – key, license, badge, username
Something the user is – physical characteristics or biometrics
Two of these forms can be combined.

Page 4

Passwords as Authenticators

The most common authentication mechanism.
Password – a word known only to the user and the computer.
Problems with passwords:
Loss
Use – time consuming if required on each file or access
Disclosure – if Malory finds out the password, it might cause problems for everyone else.
Revocation – revoking one person's right might cause problems for others.

Page 5

Additional Authentication Information

Placing other conditions on access can reinforce the security of a password.
Other methods:
Limiting the time of access
Limiting the location of access
Multifactor authentication uses additional forms of authentication.
More authentication factors mean more for the system and the administrator to manage.

Page 6

Attacks on Passwords

Figuring out a password:
Try all possible passwords
Try frequently used passwords
Try passwords likely for the user
Search for the system password list
Ask the user

Loose-Lipped Systems

An authentication system that leaks information about the password or username, or provides information at inconvenient times.

Page 7

Exhaustive Attack

A brute-force attack is when the attacker tries all possible passwords.
Example:
26-character (A-Z) password of length 1 to 8 characters
At one password per millisecond, trying them all would take about two months.
But we would not need to try every password.

Page 8

Password Problems

Probable passwords
Passwords likely for a user
Weakness is in the user's choice
Weakness is in the control of the system
Look at Table 4-2 on page 225

Page 9

Figure 4-15 Users’ Password Choices.

Page 10

Password Selection Criteria

Use characters other than just A-Z
Choose long passwords
Avoid actual names or words
Choose an unlikely password
Change the password regularly
Don’t write it down
Don’t tell anyone else – beware of social engineering

Page 11

One-Time Passwords

A password that changes every time; also known as a challenge-response system.
F(x) = x + 1 – use of a function
F(x) = r(x) – seed to a random number generator
F(a b c d e f g) = b d e g f a c – transformation of a character string
F(E(x)) = E(D(E(x)) + 1) – the encrypted value must be decrypted and run through a function
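The challenge-response exchange behind the string-transformation variant, written out as an added example that is not part of the slides: the server issues a fresh random challenge x, the claimant returns F(x) using the slide's permutation F(a b c d e f g) = b d e g f a c, and each challenge is consumed after one use so a captured response cannot be replayed. The names Server, client_respond, ALPHABET and PERM are constructed for this illustration.

```python
import hmac
import secrets
import string

# Added example (not from the slides). The shared secret is the permutation PERM;
# output position i takes the input character at index PERM[i], so that
# transform("abcdefg") == "bdegfac", exactly the transformation on the slide.
ALPHABET = string.ascii_lowercase
PERM = (1, 3, 4, 6, 5, 0, 2)


def transform(challenge: str) -> str:
    """F(x): permute a challenge of len(PERM) characters with the secret PERM."""
    if len(challenge) != len(PERM):
        raise ValueError("challenge length must match the permutation length")
    return "".join(challenge[i] for i in PERM)


class Server:
    """Verifier side. Each issued challenge is valid for exactly one response."""

    def __init__(self) -> None:
        self._outstanding: dict[str, str] = {}  # user -> current challenge

    def issue_challenge(self, user: str) -> str:
        # Fresh, unpredictable challenge: the answer to it is useless afterwards.
        x = "".join(secrets.choice(ALPHABET) for _ in range(len(PERM)))
        self._outstanding[user] = x
        return x

    def verify(self, user: str, response: str) -> bool:
        # pop() consumes the challenge whether or not the answer is right, so a
        # captured response cannot be replayed and a failed guess gets no retry.
        x = self._outstanding.pop(user, None)
        if x is None:
            return False
        return hmac.compare_digest(transform(x).encode(), response.encode())


def client_respond(challenge: str) -> str:
    """Claimant side: apply the shared secret transformation to the challenge."""
    return transform(challenge)


if __name__ == "__main__":
    server = Server()
    x = server.issue_challenge("alice")
    answer = client_respond(x)
    print(x, "->", answer, "accepted:", server.verify("alice", answer))
    print("replay accepted:", server.verify("alice", answer))
```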

Page 12

The Authentication Process

Slow response from the system
Limited number of attempts
Access limitations
Fixing flaws with a second level of protection
Challenge-response
Impersonation of login

Page 13

Biometrics

Biometrics are biological authenticators.
Problems with biometrics:
Still a relatively new concept
Can be costly
Establishing a threshold
Single point of failure
False positives
Speed can limit accuracy
Forgeries are possible