Computer security principles and practice 3rd by William Stallings and Brown ch03


Chapter 3: User Authentication

RFC 4949
RFC 4949 defines user authentication as: "The process of verifying an identity claimed by or for a system entity."

Authentication Process
• Fundamental building block and primary line of defense
• Basis for access control and user accountability
• Identification step: presenting an identifier to the security system
• Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier

Figure 3.1 The NIST SP 800-63-2 E-Authentication Architectural Model (figure; only its labels are recoverable): Registration, Credential Issuance, and Maintenance; Registration Authority (RA); Identity Proofing; User Registration; Token/Credential Issuance; Registration Confirmation; Credential Service Provider; Subscriber/Claimant; Authentication Protocol Exchange; Verifier; Token/Credential Validation; Authenticated Assertion; Relying Party (RP); Authenticated Session; E-Authentication using Token and Credential.

The four means of authenticating user identity are based on:
• Something the individual knows: password, PIN, answers to prearranged questions
• Something the individual possesses (token): smartcard, electronic keycard, physical key
• Something the individual is (static biometrics): fingerprint, retina, face
• Something the individual does (dynamic biometrics): voice pattern, handwriting, typing rhythm

Risk Assessment for User Authentication
• There are three separate concepts: assurance level, potential impact, areas of risk

Assurance Level
• Describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity
• More specifically, it is defined as:
  o The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
  o The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
• Four levels of assurance:
  o Level 1: Little or no confidence in the asserted identity's validity
  o Level 2: Some confidence in the asserted identity's validity
  o Level 3: High confidence in the asserted identity's validity
  o Level 4: Very high confidence in the asserted identity's validity

Potential Impact
• FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security:
  o Low: An authentication error could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
  o Moderate: An authentication error could be expected to have a serious adverse effect
  o High: An authentication error could be expected to have a severe or catastrophic adverse effect

Table 3.1 Maximum Potential Impacts for Each Assurance Level

Potential Impact Categories for Authentication Errors          Assurance Level Impact Profiles
                                                               1      2      3      4
Inconvenience, distress, or damage to standing or reputation   Low    Mod    Mod    High
Financial loss or organization liability                       Low    Mod    Mod    High
Harm to organization programs or interests                     None   Low    Mod    High
Unauthorized release of sensitive information                  None   Low    Mod    High
Personal safety                                                None   None   Low    Mod/High
Civil or criminal violations                                   None   Low    Mod    High

Figure 3.6 User Authentication with eID (figure; only its labels are recoverable): User requests service (e.g., via Web browser); Service request; Host/application server; Redirect to eID message; Authentication request; eID server; User enters PIN; Authentication protocol exchange with PIN; Authentication result; Authentication result forwarded; Service granted.

Password Authenticated Connection Establishment (PACE)
• Ensures that the contactless RF chip in the eID card cannot be read without explicit access control
• For online applications, access is established by the user entering the 6-digit PIN (which should only be known to the holder of the card)
• For offline applications, either the MRZ printed on the back of the card or the six-digit card access number (CAN) printed on the front is used

Biometric Authentication
• Attempts to authenticate an individual based on unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when compared to passwords and tokens
• Physical characteristics used include:
  o Facial characteristics
  o Fingerprints
  o Hand geometry
  o Retinal pattern
  o Iris
  o Signature
  o Voice

Figure 3.8 A Generic Biometric System (figure; only its labels are recoverable):
  (a) Enrollment: name (PIN) and biometric sensor via the user interface; feature extractor; biometric database
  (b) Verification: name (PIN) and biometric sensor via the user interface; feature extractor; feature matcher against one template from the biometric database; output true/false
  (c) Identification: biometric sensor via the user interface; feature extractor; feature matcher against N templates from the biometric database; output the user's identity or "user unidentified"

• Enrollment creates an association between a user and the user's biometric characteristics
• Depending on the application, user authentication either involves verifying that a claimed user is the actual user or identifying an unknown user

Figure 3.9 Profiles of a Biometric Characteristic of an Imposter and an Authorized User (figure; only its labels are recoverable): probability density function against matching score (s); imposter profile; profile of genuine user; average matching value of imposter; average matching value of genuine user; decision threshold (t); false match possible; false nonmatch possible.

• In this depiction, the comparison between a presented feature and a reference feature is reduced to a single numeric value
• If the input value (s) is greater than a preassigned threshold (t), a match is declared

Figure 3.10 Idealized Biometric Measurement Operating Characteristic Curves (log-log scale) (figure; only its labels are recoverable): false nonmatch rate against false match rate, both axes from 0.0001% to 100%; increase threshold: increased security, decreased convenience; decrease threshold: decreased security, increased convenience; equal error rate line.

Figure 3.11 (figure; only its legend is recoverable): curves for face, fingerprint, voice, hand and iris, false nonmatch rate against false match rate, both axes from 0.0001% to 100%.
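The decision rule on the slide (declare a match when s > t) and the threshold trade-off drawn in Figure 3.10 can be reproduced numerically. The Python below is an added example, not code from the slides or the textbook: it takes constructed matching scores for one genuine user and one imposter, computes the false match rate (FMR) and false non-match rate (FNMR) for a sweep of thresholds, and locates the threshold nearest the equal error rate. The score lists, the threshold range and all function names are assumptions made for this illustration.

```python
"""Biometric matching threshold trade-off (added example, not from the slides).

The decision rule is the one stated on the slide: a match is declared when the
matching score s exceeds the preassigned threshold t.  Sweeping t shows why a
higher threshold lowers the false match rate but raises the false non-match rate.
"""

# Constructed sample scores (not measured data, assumed for the illustration):
# imposter attempts tend to score low and genuine attempts high, but the tails
# overlap so that both kinds of error are possible, as in Figure 3.9.
IMPOSTOR_SCORES = [12, 18, 22, 25, 27, 30, 33, 35, 38, 41, 44, 48, 52, 57, 63]
GENUINE_SCORES = [45, 50, 56, 58, 61, 64, 67, 70, 73, 76, 79, 82, 85, 89, 94]


def is_match(score, threshold):
    """Decision rule from the slide: a match is declared when s > t."""
    return score > threshold


def false_match_rate(impostor_scores, threshold):
    """Fraction of imposter presentations that are wrongly accepted (FMR)."""
    accepted = sum(1 for s in impostor_scores if is_match(s, threshold))
    return accepted / len(impostor_scores)


def false_nonmatch_rate(genuine_scores, threshold):
    """Fraction of genuine presentations that are wrongly rejected (FNMR)."""
    rejected = sum(1 for s in genuine_scores if not is_match(s, threshold))
    return rejected / len(genuine_scores)


def operating_curve(genuine_scores, impostor_scores, thresholds):
    """(threshold, FMR, FNMR) triples: the data behind a curve like Figure 3.10."""
    return [
        (t, false_match_rate(impostor_scores, t), false_nonmatch_rate(genuine_scores, t))
        for t in thresholds
    ]


def equal_error_threshold(genuine_scores, impostor_scores, thresholds):
    """Threshold at which FMR and FNMR are closest: the equal error rate point."""
    curve = operating_curve(genuine_scores, impostor_scores, thresholds)
    return min(curve, key=lambda row: abs(row[1] - row[2]))[0]


if __name__ == "__main__":
    # Print the sweep so the security/convenience trade-off is visible row by row.
    for t, fmr, fnmr in operating_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 5)):
        print(f"t={t:3d}  FMR={fmr:.3f}  FNMR={fnmr:.3f}")
    print("equal error threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 5)))
```

Raising the threshold from 40 to 60 on these constructed scores drives the FMR down and the FNMR up, which is exactly the movement along the curve that Figure 3.10 labels "increase threshold: increased security, decreased convenience"; the operating point an organization picks should follow from the assurance level and potential impact discussed earlier in the chapter, not from convenience alone.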
Figure 3.11 Actual Biometric Measurement Operating Characteristic Curves, reported in [MANS01]. To clarify differences among systems, a log-log scale is used.

Remote User Authentication
• Authentication over a network, the Internet, or a communications link is more complex
• Additional security threats such as:
  o Eavesdropping, capturing a password, replaying an authentication sequence that has been observed
• Generally rely on some form of a challenge-response protocol to counter threats

Table 3.4 Some Potential Attacks, Susceptible Authenticators, and Typical Defenses (only the attack descriptions are recoverable from this extract)

Client attacks: Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
Host attacks: Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
Eavesdropping: Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
Replay: Adversary repeats a previously captured user response
Trojan horse: An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
Denial-of-service: Attempts to disable a user authentication service by flooding the service with numerous authentication attempts

Figure 3.13 General Iris Scan Site Architecture for UAE System (figure; only its labels are recoverable): iris scanners connected to iris workstations; LAN switch; network switch; Iris Engine 1 and Iris Engine 2; Iris Merge; remote iris database.

Case Study: ATM Security Problems

Summary
• Electronic user authentication principles
  o A model for electronic user authentication
  o Means of authentication
  o Risk assessment for user authentication
• Password-based authentication
  o The vulnerability of passwords
  o The use of hashed passwords
  o Password cracking of user-chosen passwords
  o Password file access control
  o Password selection strategies
• Token-based authentication
  o Memory cards
  o Smart cards
  o Electronic identity cards
• Biometric authentication
  o Physical characteristics used in biometric applications
  o Operation of a biometric authentication system
  o Biometric accuracy
• Remote user authentication
  o Password protocol
  o Token protocol
  o Static biometric protocol
  o Dynamic biometric protocol
• Security issues for user authentication

Excerpts from slides not included in the preview above:
... countered by using a sufficiently large salt value and a sufficiently large hash length
John the Ripper
• Open-source password cracker first developed in 1996
• Uses a combination of brute-force and ...
... as other national ID cards, and similar cards such as a driver's license, for access to government and commercial services
• Can provide stronger proof of identity and can be used in a wider variety ...
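The Remote User Authentication slides say that challenge-response protocols are the usual counter to eavesdropping and replay (the Replay row of Table 3.4). The Python below is an added example, not the textbook's protocol or code: a simplified nonce-based exchange in which the host answers an identity claim with a fresh random challenge, the client proves knowledge of the password by returning an HMAC of that challenge, and the host verifies the answer. The Host and Client classes, the HMAC construction, the single-use challenge store and the demo password store are assumptions made for this illustration.

```python
"""Nonce-based challenge-response exchange (added example, not from the textbook).

Both sides of the exchange are modelled so that a captured response can be fed
back to the host, showing why a fresh, single-use challenge defeats replay.
"""
import hashlib
import hmac
import secrets


def _password_key(password):
    # Assumption for the demo: a bare SHA-256 of the password as the shared key.
    # A real deployment would derive it with a salted password hash, as the
    # chapter's password slides require, so that the host's store is not a
    # direct target for offline guessing.
    return hashlib.sha256(password.encode("utf-8")).digest()


class Host:
    """The verifying side: holds per-user keys and one outstanding challenge each."""

    def __init__(self):
        self._keys = {}       # user id -> shared key (constructed demo store)
        self._pending = {}    # user id -> challenge issued but not yet answered

    def register(self, user, password):
        self._keys[user] = _password_key(password)

    def challenge(self, user):
        """Answer an identity claim with a fresh random nonce; it is valid once."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Recompute the expected response for the outstanding nonce and compare."""
        nonce = self._pending.pop(user, None)   # consumed whether or not it succeeds
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


class Client:
    """The claimant: never sends the password, only a keyed digest of the challenge."""

    def __init__(self, user, password):
        self.user = user
        self._key = _password_key(password)

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_exchange(host, client):
    """One full exchange: claim identity, receive nonce, answer, get verdict.

    Returns (accepted, (nonce, response)); the tuple is what an eavesdropper
    on the link would be able to capture.
    """
    nonce = host.challenge(client.user)
    response = client.respond(nonce)
    return host.verify(client.user, response), (nonce, response)


def replay_attempt(host, user, captured_response):
    """Resubmit a previously captured response to a new challenge (Table 3.4, Replay)."""
    host.challenge(user)                      # host issues a different nonce this time
    return host.verify(user, captured_response)


if __name__ == "__main__":
    host = Host()
    host.register("alice", "correct horse battery")
    alice = Client("alice", "correct horse battery")
    accepted, captured = run_exchange(host, alice)
    print("genuine exchange accepted:", accepted)
    print("replayed response accepted:", replay_attempt(host, "alice", captured[1]))
    print("wrong password accepted:", run_exchange(host, Client("alice", "guess"))[0])
```

Two details carry the security argument. The nonce is removed from the pending store on the first verification attempt, so even an immediate resubmission of the same response fails, and each new challenge is unrelated to the last, so a response captured from one session is worthless in the next; an eavesdropper sees only nonces and digests, never the password itself.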

Posted: 18/12/2017, 15:15


Table of contents

  • Slide 1

  • Slide 2

  • RFC 4949

  • Authentication Process

  • Slide 5

  • Slide 6

  • Risk Assessment for User Authentication

  • Assurance Level

  • Potential Impact

  • Slide 10

  • Password Authentication

  • Password Vulnerabilities

  • Slide 13

  • UNIX Implementation

  • Improved Implementations

  • Password Cracking

  • Modern Approaches

  • Slide 18

  • Password File Access Control

  • Password Selection Strategies
