Authentication CNT4406/5412 Network Security Authentication Zhi Wang Florida State University Fall 2014 Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 1 / 43 Authentication mechanisms « password-based authentication « address-based authentication « cryptographic authentication protocols Authentication Introduction Introduction Authentication is the process of reliably verifying an entity’s identity « e.g., user/computer authentication, message authentication... Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 2 / 43 « password-based authentication « address-based authentication « cryptographic authentication protocols Authentication Introduction Introduction Authentication is the process of reliably verifying an entity’s identity « e.g., user/computer authentication, message authentication... Authentication mechanisms Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 2 / 43 Authentication Introduction Introduction Authentication is the process of reliably verifying an entity’s identity « e.g., user/computer authentication, message authentication... Authentication mechanisms « password-based authentication « address-based authentication « cryptographic authentication protocols Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 2 / 43 Threats: eavesdropping, password guessing (dictionary attack) Authentication Introduction Password-based Authentication Password-based authentication uses a secret quantity that you state to prove you know it « “It’s not who you know. It’s what you know.” I’m Alice, the password is fiddlesticks Bob Alice Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 3 / 43 Authentication Introduction Password-based Authentication Password-based authentication uses a secret quantity that you state to prove you know it « “It’s not who you know. It’s what you know.” Threats: eavesdropping, password guessing (dictionary attack) I’m Alice, the password is fiddlesticks Bob Alice Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 3 / 43 It was adopted in early UNIX systems such as Berkeley rtools « /etc/hosts.equiv: computers with identical user accounts « Per-user .rhosts: a list of <computer, account> pairs allowed to access the user’s account Threats: network address spoofing Authentication Introduction Address-based Authentication Address-based authentication assumes the identity of the source can be inferred based on the address (network address/email address) from which messages arrive « “It’s not what you know. It’s where you are.” Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 « /etc/hosts.equiv: computers with identical user accounts « Per-user .rhosts: a list of <computer, account> pairs allowed to access the user’s account Threats: network address spoofing Authentication Introduction Address-based Authentication Address-based authentication assumes the identity of the source can be inferred based on the address (network address/email address) from which messages arrive « “It’s not what you know. It’s where you are.” It was adopted in early UNIX systems such as Berkeley rtools Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 Threats: network address spoofing Authentication Introduction Address-based Authentication Address-based authentication assumes the identity of the source can be inferred based on the address (network address/email address) from which messages arrive « “It’s not what you know. It’s where you are.” It was adopted in early UNIX systems such as Berkeley rtools « /etc/hosts.equiv: computers with identical user accounts « Per-user .rhosts: a list of <computer, account> pairs allowed to access the user’s account Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 Authentication Introduction Address-based Authentication Address-based authentication assumes the identity of the source can be inferred based on the address (network address/email address) from which messages arrive « “It’s not what you know. It’s where you are.” It was adopted in early UNIX systems such as Berkeley rtools « /etc/hosts.equiv: computers with identical user accounts « Per-user .rhosts: a list of <computer, account> pairs allowed to access the user’s account Threats: network address spoofing Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 4 / 43 Threats: brute-force, eavesdropping, server database breach R picks random R R signed with Alice’s private key checks result using Alice’s public key Authentication Introduction Cryptographic Authentication Protocol Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the verifier supplies « secret key cryptography, public key cryptography, hash function I’m Alice knows Alice’s public key Bob Alice Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 Threats: brute-force, eavesdropping, server database breach R signed with Alice’s private key checks result using Alice’s public key Authentication Introduction Cryptographic Authentication Protocol Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the verifier supplies « secret key cryptography, public key cryptography, hash function I’m Alice knows Alice’s public key R picks random R Bob Alice Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 Threats: brute-force, eavesdropping, server database breach Authentication Introduction Cryptographic Authentication Protocol Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the verifier supplies « secret key cryptography, public key cryptography, hash function I’m Alice knows Alice’s public key R picks random R Bob Alice R signed with Alice’s private key checks result using Alice’s public key Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 Authentication Introduction Cryptographic Authentication Protocol Cryptographic authentication proves one’s identity by performing a cryptographic operation on a quantity the verifier supplies « secret key cryptography, public key cryptography, hash function Threats: brute-force, eavesdropping, server database breach I’m Alice knows Alice’s public key R picks random R Bob Alice R signed with Alice’s private key checks result using Alice’s public key Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 5 / 43 What the user has (possession factor) « ATM card, keys, USB token What the user is (inherence factor) « bio-metrics such as voice, fingerprint, iris pattern « benefits and problems? Authentication User Authentication User Authentication User authentication can be based on: What the user knows (knowledge factor) « passwords, personal information, credit card numbers... Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 6 / 43 What the user is (inherence factor) « bio-metrics such as voice, fingerprint, iris pattern « benefits and problems? Authentication User Authentication User Authentication User authentication can be based on: What the user knows (knowledge factor) « passwords, personal information, credit card numbers... What the user has (possession factor) « ATM card, keys, USB token Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 6 / 43 Authentication User Authentication User Authentication User authentication can be based on: What the user knows (knowledge factor) « passwords, personal information, credit card numbers... What the user has (possession factor) « ATM card, keys, USB token What the user is (inherence factor) « bio-metrics such as voice, fingerprint, iris pattern « benefits and problems? Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 6 / 43 Threats to password-based authentication? « eavesdropping, leaking of stored passwords, online/offline password guessing, memorizing user-unfriendly passwords, password reuse Authentication Passwords Password-based User Authentication Password-based authentication uses a secret quantity that you state to prove you know it « most command method of user authentication I’m Alice challenge Bob Alice response based on passwords Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 7 / 43 « eavesdropping, leaking of stored passwords, online/offline password guessing, memorizing user-unfriendly passwords, password reuse Authentication Passwords Password-based User Authentication Password-based authentication uses a secret quantity that you state to prove you know it « most command method of user authentication Threats to password-based authentication? I’m Alice challenge Bob Alice response based on passwords Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 7 / 43 Authentication Passwords Password-based User Authentication Password-based authentication uses a secret quantity that you state to prove you know it « most command method of user authentication Threats to password-based authentication? « eavesdropping, leaking of stored passwords, online/offline password guessing, memorizing user-unfriendly passwords, password reuse I’m Alice challenge Bob Alice response based on passwords Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 7 / 43 Passwords should be securely stored « always assume stored passwords can and will be leaked!! Passwords shall not be reused among accounts « bad idea for services to use email address as user name! Authentication Passwords Issues for Password-based Systems Passwords should be easy to remember but hard to guess, so « users can memorize their passwords (instead of writing them down) « online/offline password guessing won’t be effective Zhi Wang (FSU) CNT4406/5412 Network Security Fall